[英]Configure SSL between Websphere App Server and Websphere MQ
I try connect to WMQ from a simple web service launched on WebSphere app server. 我尝试从WebSphere应用服务器上启动的简单Web服务连接到WMQ。
On WMQ I have channel with SSL. 在WMQ上我有SSL通道。 I use self-signed certificates for now.
我现在使用自签名证书。
In the case of glassfish I just add this cert to key store in domain and all works well(off cause I configure my MQQueueConnectionFactory). 在glassfish的情况下,我只是将此证书添加到域中的密钥存储区,并且一切正常(因为我配置了我的MQQueueConnectionFactory)。
But on WebSphere this trick don't work: 但是在WebSphere上,这个技巧不起作用:
[5/13/13 14:00:25:058 FET] 00000060 SystemOut O %% Invalidated: [Session-94, SSL_RSA_EXPORT_WITH_RC4_40_MD5]
[5/13/13 14:00:25:058 FET] 00000060 SystemOut O jmsContainer-1, SEND SSLv3 ALERT: fatal, description = certificate_unknown
[5/13/13 14:00:25:058 FET] 00000060 SystemOut O jmsContainer-1, WRITE: SSLv3 Alert, length = 2
[5/13/13 14:00:25:058 FET] 00000060 SystemOut O [Raw write]: length = 7
[5/13/13 14:00:25:058 FET] 00000060 SystemOut O 0000: 15 03 00 00 02 02 2e .......
[5/13/13 14:00:25:058 FET] 00000060 SystemOut O jmsContainer-1, called closeSocket()
[5/13/13 14:00:25:058 FET] 00000060 SystemOut O jmsContainer-1, handling exception: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
[5/13/13 14:00:25:058 FET] 00000060 DefaultMessag E org.springframework.jms.listener.DefaultMessageListenerContainer refreshConnectionUntilSuccessful Could not refresh JMS Connection for destination 'fromESB' - retrying in 5000 ms. Cause: JMSWMQ0018: Failed to connect to queue manager 'qm1' with connection mode 'Client' and host name '192.168.56.101(1414)'.; nested exception is com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR').
How do I configure WebSphere app server to use ssl(how to add server(WMQ) certificate to trust store? or where is the trust store?)? 如何配置WebSphere应用服务器以使用ssl(如何将服务器(WMQ)证书添加到信任存储?或信任存储在哪里?)?
Ok. 好。 I solve this by myself.
我自己解决这个问题。
Configure WMQ: 配置WMQ:
Create keystore 创建密钥库
runmqckm -keydb -create -db "c:\\dev\\sslqm001\\sslqm001.kdb" -pw serverpass -type cms -expire 365 -stash runmqckm -keydb -create -db“c:\\ dev \\ sslqm001 \\ sslqm001.kdb”-pw serverpass -type cms -expire 365 -stash
Create certificate and add it to keystore 创建证书并将其添加到密钥库
runmqckm -cert -create -db "c:\\dev\\sslqm001\\sslqm001.kdb" -pw serverpass -label ibmwebspheremqssl_qm001 -dn "CN=SSL_QM001,OU=IT,O=SomeCompany,L=Minsk,ST=Belarus,C= BY" -expire 365 runmqckm -cert -create -db“c:\\ dev \\ sslqm001 \\ sslqm001.kdb”-pw serverpass -label ibmwebspheremqssl_qm001 -dn“CN = SSL_QM001,OU = IT,O = SomeCompany,L = Minsk,ST = Belarus,C =通过“-expire 365
Export this certificate from keystore to file. 将此证书从密钥库导出到文件。
runmqckm -cert -extract -db "c:\\dev\\sslqm001\\sslqm001.kdb" -pw serverpass -label ibmwebspheremqssl_qm001 -target SSL_QM001.crt -format ascii runmqckm -cert -extract -db“c:\\ dev \\ sslqm001 \\ sslqm001.kdb”-pw serverpass -label ibmwebspheremqssl_qm001 -target SSL_QM001.crt -format ascii
In Queue Manager settings, tab "SSL" set path to keystore without .kdb and FIPS to No: 在队列管理器设置中,选项卡“SSL”将路径设置为不包含.kdb的密钥库,将FIPS设置为否:
ALTER QMGR SSLKEYR('c:\\dev\\sslqm001\\sslqm001') ALTER QMGR SSLFIPS(NO) ALTER QMGR SSLKEYR('c:\\ dev \\ sslqm001 \\ sslqm001')ALTER QMGR SSLFIPS(NO)
Create new channel 创建新频道
In channel settings, tab "SSL" set cipher to some value(with works for me: DES_SHA_EXPORT), and auth to optional 在通道设置中,选项卡“SSL”将密码设置为某个值(对我有效:DES_SHA_EXPORT),并将auth设置为可选
DEFINE CHANNEL('SSL_CHANNEL') CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH(DES_SHA_EXPORT) SSLCAUTH(OPTIONAL) REPLACE DEFINE CHANNEL('SSL_CHANNEL')CHLTYPE(SVRCONN)TRPTYPE(TCP)SSLCIPH(DES_SHA_EXPORT)SSLCAUTH(可选)替换
In Queue Manager refresh SSL: 在队列管理器中刷新SSL:
REFRESH SECURITY TYPE(SSL) 刷新安全类型(SSL)
Change your appcontex: 更改你的appcontex:
<bean id="mqConnectionFactory" class="com.ibm.mq.jms.MQQueueConnectionFactory">
<property name="hostName" value="${queue_hostname}"/>
<property name="port" value="${queue_port}"/>
<property name="queueManager" value="${queue_manager}"/>
<property name="transportType" value="1"/>
<property name="SSLCipherSuite" value="SSL_RSA_EXPORT_WITH_RC4_40_MD5"/>
<property name="channel" value="ssl_channel"/>
</bean>
Setup SSL on WAS 在WAS上设置SSL
Go To: 去:
Security → SSL certificate and key management → SSL configurations → NodeDefaultSSLSettings → Key stores and certificates → NameOfStore → Signer certificates 安全性→SSL证书和密钥管理→SSL配置→NodeDefaultSSLSettings→密钥库和证书→NameOfStore→签名者证书
Add your certificate, that we export in step 3 添加我们在步骤3中导出的证书
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.