Certificate error while connecting to MQ through HermesJMS

I am not very familiar with HermesJMS.

I had HermesJMS configured to connect to some MQs some time back and it was working fine. Then I stopped using it. Now I am trying to connect to the same set of MQs and I am getting the error below.

com.ibm.mq.MQException: MQJE001: Completion Code 2, Reason 2397
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:282)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:301)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:323)
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:84)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:173)
at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:795)
at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:709)
at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:664)
at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:160)
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:554)
at com.ibm.mq.MQSPIQueueManager.<init>(MQSPIQueueManager.java:62)
at com.ibm.mq.jms.MQConnection.createQM(MQConnection.java:2513)
at com.ibm.mq.jms.MQConnection.createQMNonXA(MQConnection.java:1936)
at com.ibm.mq.jms.MQQueueConnection.<init>(MQQueueConnection.java:161)
at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:222)
at com.ibm.mq.jms.MQQueueConnectionFactory.createConnection(MQQueueConnectionFactory.java:1077)
at hermes.impl.jms.ConnectionManagerSupport.createConnection(ConnectionManagerSupport.java:126)
at hermes.impl.jms.ConnectionSharedManager.reconnect(ConnectionSharedManager.java:77)
at hermes.impl.jms.ThreadLocalSessionManager.reconnect(ThreadLocalSessionManager.java:148)
at hermes.impl.DefaultHermesImpl.reconnect(DefaultHermesImpl.java:130)
at hermes.impl.DefaultHermesImpl.getDestination(DefaultHermesImpl.java:364)
at hermes.browser.tasks.BrowseDestinationTask.invoke(BrowseDestinationTask.java:141)
at hermes.browser.tasks.TaskSupport.run(TaskSupport.java:175)
at hermes.browser.tasks.ThreadPool.run(ThreadPool.java:170)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.ibm.mq.SSLHelper.configureSSLSocket(SSLHelper.java:768)
at com.ibm.mq.SSLHelper.createSSLSocket(SSLHelper.java:154)
at com.ibm.mq.MQInternalCommunications.createSocketConnection(MQInternalCommunications.java:2335)
at com.ibm.mq.MQv6InternalCommunications$1.run(MQv6InternalCommunications.java:169)
at java.security.AccessController.doPrivileged(Native Method)
at com.ibm.mq.MQv6InternalCommunications.initialize(MQv6InternalCommunications.java:166)
at com.ibm.mq.MQv6InternalCommunications.<init>(MQv6InternalCommunications.java:114)
at com.ibm.mq.MQSESSIONClient.MQCONNX(MQSESSIONClient.java:1458)
at com.ibm.mq.MQSESSIONClient.spiConnect(MQSESSIONClient.java:4610)
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:246)
... 24 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 42 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 48 more

I know this has something to do with the certificate, as it is giving an SSLHandshakeException, but I am not sure where I should be checking the configuration. To my knowledge there is no change in the configuration. (I can't be sure about it, as the MQs are managed by a different team and they don't bother to communicate the changes to the rest of the world.)

How can I verify and confirm whether it is a certificate issue and not some other configuration problem?

If you didn't change anything in your configuration, the most probable thing is that the service endpoint changed or renewed its server domain certificate, and due to this it's not a trusted certificate for your configuration anymore.

To solve the problem you need to add the certificate authority to your truststore (or directly the server domain certificate for self-signed certs).

SOAPUI is Java based, and Java comes with its own truststore. The good practice is to add the CA certificates to your truststore (however it's possible to only add the server certificate). You can add it using keytool with the following command:

keytool -import -alias <someAlias> -file <certificatePath> -keystore <trustStorePath>

Depending on your SOAPUI installation the truststore location can differ: if you have a JRE bundled inside SOAPUI then your truststore is in SOAPUI_HOME/jre/lib/security/cacerts; if not, it is in the Java installation which runs SOAPUI, in $JAVA_HOME/JRE/Security/cacerts (the default password for both is changeit).

Hope it helps,
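The diagnosis in the answer above can be reproduced offline; this is an added example, not part of the original answer. It assumes `openssl` is installed, uses a PEM bundle as a stand-in for the Java truststore, and the names `old-ca`, `new-ca`, `mq-server` and all helper functions are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed scenario: the truststore holds only the old CA, while the
# server certificate was re-issued under a new CA. Validation fails until
# the new CA is added to the trusted set.
set -eu

# make_ca DIR NAME: create a throwaway self-signed CA (constructed test data)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA NAME: issue a server certificate NAME signed by CA
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 2 -out "$1/$3.pem" 2>/dev/null
}

# chain_trusted BUNDLE CERT: succeed only if CERT chains to a CA in BUNDLE
chain_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: print the trust decision before and after adding the new CA
demo() {
  d=$(mktemp -d)                      # created with mode 0700
  make_ca "$d" old-ca
  make_ca "$d" new-ca
  issue_cert "$d" new-ca mq-server    # the "renewed" server certificate
  cp "$d/old-ca.pem" "$d/trust.pem"   # stale trusted set: old CA only

  before=untrusted
  chain_trusted "$d/trust.pem" "$d/mq-server.pem" && before=trusted

  cat "$d/new-ca.pem" >> "$d/trust.pem"   # the fix: trust the new issuer
  after=untrusted
  chain_trusted "$d/trust.pem" "$d/mq-server.pem" && after=trusted

  rm -rf "$d"
  echo "$before $after"
}

demo
```

Against the real queue manager, `openssl s_client -connect <mqHost>:<port> -showcerts` shows the chain it presents and `keytool -list -v -keystore <trustStorePath>` shows what the truststore holds. If the issuer of the presented certificate is absent from that list, the failure is the trust problem the answer describes.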
