WebSphere MQ 8和IBM MQ 9的TLS WebConfiguration

Question

我在队列管理器上设置tls时遇到问题。 这是我在Windows 10上用来创建和设置队列管理器以及通道和密钥库的命令。

"C:\Program Files\IBM\MQ\bin64\crtmqm.exe" QMTLS
"C:\Program Files\IBM\MQ\bin64\strmqm.exe" QMTLS

"C:\Program Files\IBM\MQ\bin64\runmqsc.exe" QMTLS
DEF LISTENER(TCP.1416) TRPTYPE(TCP) CONTROL(QMGR) PORT(1416) REPLACE

START LISTENER(TCP.1416)

DEF CHL(CONNECTION.TLS) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA256') SSLCAUTH(REQUIRED) DESCR('Channel with tls support')

DEFINE CHANNEL (CONNECTION.TLS) CHLTYPE (CLNTCONN) TRPTYPE (TCP) CONNAME (127.0.0.1) QMNAME (QMTLS) SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA256') MAXMSGL (104857600) DESCR ('Client connection to Server')
exit

cd C:\ProgramData\IBM\MQ\qmgrs\QMTLS\ssl

"C:\Program Files\IBM\MQ\bin64\runmqakm.exe" -keydb -create -db key.kdb -pw passw0rd -stash

"C:\Program Files\IBM\MQ\bin64\runmqakm.exe" -cert -create -db key.kdb -label ibmwebspheremqqmtls -stashed -size 2048 -sigalg SHA256WithRSA -dn CN=QMTLS -fips -ca false

"C:\Program Files\IBM\MQ\bin64\runmqakm.exe" -cert -extract -db key.kdb -label ibmwebspheremqqmtls -target qmtls.arm -stashed

mkdir jks
cd jks

"C:\Program Files\IBM\MQ\java\jre\bin\keytool.exe" -genkey -alias ibmwebspheremquser -keyalg RSA -sigalg SHA256withRSA -dname "cn=user@example.com,C=US" -keystore userkey.jks -storetype jks -storepass passw0rd -keypass passw0rd -validity 365 -keysize 2048

"C:\Program Files\IBM\MQ\java\jre\bin\keytool.exe" -export -keystore userkey.jks -alias ibmwebspheremquser -storepass passw0rd -file userkey.arm -rfc

cd ..
copy jks\userkey.arm userkey.arm

"C:\Program Files\IBM\MQ\bin64\runmqakm.exe" -cert -add -db key.kdb -stashed -file userkey.arm -label userkey -trust enable -fips

copy qmtls.arm jks\qmtls.arm
cd jks

"C:\Program Files\IBM\MQ\java\jre\bin\keytool.exe" -import -alias QMTLS -file qmtls.arm -storepass passw0rd -keystore userkey.jks

"C:\Program Files\IBM\MQ\bin64\runmqsc.exe" QMTLS

SET CHLAUTH('CONNECTION.TLS') TYPE(BLOCKUSER) USERLIST('*NOACCESS') DESCR('allow access to tls') WARN(NO) ACTION(ADD) 

refresh security type(ssl)

exit

当我尝试通过通道CONNECTION.TLS和userkey.jks密钥库直接连接到队列管理器时，出现错误AMQ4199，并显示以下消息：

Queue manager QMTLS is not available for client connection due to an SSL configuration error. (AMQ4199)
Queue manager QMTLS is not available for client connection due to an SSL configuration error. (AMQ4199)
Severity: 30 (Severe Error)
Explanation: The user is trying to connect to a remote queue manager using a secure connection.
Response: Check the SSL configuration of the target queue manager and the local SSL trust store.