
Configure SSL between Websphere App Server and Websphere MQ

I am trying to connect to WMQ from a simple web service running on WebSphere Application Server.

On WMQ I have a channel with SSL. I use self-signed certificates for now.

In the case of GlassFish I just add this cert to the key store in the domain and all works well (of course I configure my MQQueueConnectionFactory).

But on WebSphere this trick doesn't work:

[5/13/13 14:00:25:058 FET] 00000060 SystemOut     O %% Invalidated:  [Session-94, SSL_RSA_EXPORT_WITH_RC4_40_MD5]
[5/13/13 14:00:25:058 FET] 00000060 SystemOut     O jmsContainer-1, SEND SSLv3 ALERT:  fatal, description = certificate_unknown
[5/13/13 14:00:25:058 FET] 00000060 SystemOut     O jmsContainer-1, WRITE: SSLv3 Alert, length = 2
[5/13/13 14:00:25:058 FET] 00000060 SystemOut     O [Raw write]: length = 7
[5/13/13 14:00:25:058 FET] 00000060 SystemOut     O 0000: 15 03 00 00 02 02 2e                               .......

[5/13/13 14:00:25:058 FET] 00000060 SystemOut     O jmsContainer-1, called closeSocket()
[5/13/13 14:00:25:058 FET] 00000060 SystemOut     O jmsContainer-1, handling exception: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
[5/13/13 14:00:25:058 FET] 00000060 DefaultMessag E org.springframework.jms.listener.DefaultMessageListenerContainer refreshConnectionUntilSuccessful Could not refresh JMS Connection for destination 'fromESB' - retrying in 5000 ms. Cause: JMSWMQ0018: Failed to connect to queue manager 'qm1' with connection mode 'Client' and host name '192.168.56.101(1414)'.; nested exception is com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR').

How do I configure WebSphere Application Server to use SSL (how do I add the server (WMQ) certificate to the trust store, and where is the trust store)?

Ok. I solved this by myself.

Configure WMQ:

  1. Create keystore

    runmqckm -keydb -create -db "c:\dev\sslqm001\sslqm001.kdb" -pw serverpass -type cms -expire 365 -stash

  2. Create certificate and add it to keystore

    runmqckm -cert -create -db "c:\dev\sslqm001\sslqm001.kdb" -pw serverpass -label ibmwebspheremqssl_qm001 -dn "CN=SSL_QM001,OU=IT,O=SomeCompany,L=Minsk,ST=Belarus,C=BY" -expire 365

  3. Export this certificate from keystore to file.

    runmqckm -cert -extract -db "c:\dev\sslqm001\sslqm001.kdb" -pw serverpass -label ibmwebspheremqssl_qm001 -target SSL_QM001.crt -format ascii

  4. In Queue Manager settings, tab "SSL", set the path to the keystore without .kdb and set FIPS to No:

    ALTER QMGR SSLKEYR('c:\dev\sslqm001\sslqm001')
    ALTER QMGR SSLFIPS(NO)

  5. Create new channel

  6. In channel settings, tab "SSL", set the cipher to some value (what works for me: DES_SHA_EXPORT) and auth to optional

    DEFINE CHANNEL('SSL_CHANNEL') CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH(DES_SHA_EXPORT) SSLCAUTH(OPTIONAL) REPLACE

  7. In Queue Manager refresh SSL:

    REFRESH SECURITY TYPE(SSL)

Change your app context:

<bean id="mqConnectionFactory" class="com.ibm.mq.jms.MQQueueConnectionFactory">
    <property name="hostName" value="${queue_hostname}"/>
    <property name="port" value="${queue_port}"/>
    <property name="queueManager" value="${queue_manager}"/>
    <property name="transportType" value="1"/>
    <property name="SSLCipherSuite" value="SSL_RSA_EXPORT_WITH_RC4_40_MD5"/>
    <property name="channel" value="ssl_channel"/>
</bean>

Set up SSL on WAS

  1. Go to:

    Security → SSL certificate and key management → SSL configurations → NodeDefaultSSLSettings → Key stores and certificates → NameOfStore → Signer certificates

  2. Add your certificate, the one we exported in step 3.
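The "PKIX path building failed" in the question means the JSSE trust store the MQ client uses has no anchor for the queue manager's self-signed certificate. The following pre-check is an added example and is not part of the question or the answer above: it loads a trust store (on WAS the node trust store is typically the PKCS12 file trust.p12), runs the same PKIX path validation that the TLS handshake runs against the exported SSL_QM001.crt, and only if that fails imports the certificate as a signer entry. The class name TrustStoreCheck, the command-line arguments and the alias you pass are assumptions of this example, not anything from the original post.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (hypothetical tool, not from the original post): checks whether a
 * JSSE trust store already trusts the queue manager's certificate, using the PKIX
 * validation the TLS handshake performs, and optionally imports it as a signer.
 *
 * Usage: java TrustStoreCheck <truststore> <JKS|PKCS12> <password> <cert.crt> [import-alias]
 */
public class TrustStoreCheck {

    /** Loads a JKS or PKCS12 trust store from disk. */
    static KeyStore loadTrustStore(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Reads a PEM ("-format ascii") or DER certificate such as SSL_QM001.crt. */
    static X509Certificate readCertificate(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Returns true when PKIX validation of serverCert succeeds with every certificate
     * in the trust store as a trust anchor. A false here is the condition JSSE
     * reports as "PKIX path building failed" during the handshake.
     */
    static boolean isTrusted(X509Certificate serverCert, KeyStore trustStore) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            Certificate c = trustStore.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        if (anchors.isEmpty()) {
            return false;                   // PKIXParameters rejects an empty anchor set
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // a self-signed test cert has no CRL/OCSP endpoint
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(serverCert));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.out.println("Not trusted: " + e.getMessage());
            return false;
        }
    }

    /** Adds the certificate as a trusted signer entry and writes the store back. */
    static void importSigner(KeyStore trustStore, String alias, X509Certificate cert,
                             String path, char[] password) throws Exception {
        trustStore.setCertificateEntry(alias, cert);
        try (OutputStream out = new FileOutputStream(path)) {
            trustStore.store(out, password);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: TrustStoreCheck <truststore> <JKS|PKCS12> <password> <cert> [import-alias]");
            System.exit(2);
        }
        char[] password = args[2].toCharArray();
        KeyStore trustStore = loadTrustStore(args[0], args[1], password);
        X509Certificate qmCert = readCertificate(args[3]);
        System.out.println("Queue manager certificate: " + qmCert.getSubjectX500Principal()
                + " (expires " + qmCert.getNotAfter() + ")");
        qmCert.checkValidity();             // throws if the 365-day test cert has already expired

        if (isTrusted(qmCert, trustStore)) {
            System.out.println("Trust store already trusts this certificate.");
        } else if (args.length > 4) {
            importSigner(trustStore, args[4], qmCert, args[0], password);
            System.out.println("Imported as signer '" + args[4] + "'; restart the server so the SSL configuration reloads.");
        } else {
            System.out.println("Trust store does not trust this certificate; pass an alias to import it.");
        }
    }
}
```

Run it against a copy of the trust store first; importing through the WAS console path given in the answer is the supported route, and this check just tells you beforehand whether the signer is missing or the certificate has expired, which produces the same handshake failure. Note that both cipher settings on this page, DES_SHA_EXPORT on the channel and SSL_RSA_EXPORT_WITH_RC4_40_MD5 in the connection factory, are export-grade suites with 56-bit and 40-bit keys, and SSLCAUTH(OPTIONAL) means the queue manager never requires a client certificate; once the connection works, a stronger CipherSpec is the next thing to change.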
