如何为 Websphere MQ 客户端启用带有客户端证书的 SSL?
[英]How to enable SSL with client certificate for Websphere MQ client?
问题描述
We are one application in a larger environment and a client for some data interface, using Websphere MQ 8.x.
我们是更大环境中的一个应用程序,也是某些数据接口的客户端,使用 Websphere MQ 8.x。 Our application is a Java EE application running on a WildFly 9 which uses a resource adaptor ( wmq.jmsra.rar ) which is deployed together with the EAR file in the same AS.我们的应用程序是一个运行在 WildFly 9 上的 Java EE 应用程序,它使用一个资源适配器 ( wmq.jmsra.rar ),它与 EAR 文件一起部署在同一个 AS 中。 We interact with the MQ Server in both directions.我们在两个方向上都与 MQ 服务器交互。 So we have on the one hand some MDBs (which are due to historical origins still in EJB 2.x format without annotations) listining to some queues and which are configured by the ejb-jar.xml deployment descriptor, containing the activation config properties destinationType, channel, queueManager, hostName, username, password .因此,一方面,我们有一些 MDB(由于历史渊源,仍然采用 EJB 2.x 格式,没有注释)列出了一些队列,它们由ejb-jar.xml部署描述符配置,包含激活配置属性destinationType, channel, queueManager, hostName, username, password 。 On the other hand we have a sender which lookups a queue connection factory and a queue via JNDI and creates a connection.另一方面,我们有一个发送者,它通过 JNDI 查找队列连接工厂和队列并创建连接。
Now we have the requirement with a newly established MQ server to communicate via SSL and a client certificate.现在我们需要新建立的 MQ 服务器通过 SSL 和客户端证书进行通信。 We got such a certificate from the server people for our machine.我们从服务器人员那里为我们的机器获得了这样的证书。 So my questions are:所以我的问题是:
- What has to be done to make it work with the setup described above?必须做些什么才能使其与上述设置一起工作?
- Is this possible purely by configuration and thus transparent for the application or has the application to specifically use SSL, present the certificate or something similar?这是否可能纯粹通过配置并因此对应用程序透明,或者让应用程序专门使用 SSL、提供证书或类似的东西?
- Does this conflict with any other keystore already used by some other part of the application?这是否与应用程序的其他部分已经使用的任何其他密钥库冲突?
- Is some additional IBM MQ software needed to make it work?是否需要一些额外的 IBM MQ 软件才能使其工作? (Our client is just the RAR, no software is installed and no MQ server on our side should be established.) (我们的客户端只是RAR,没有安装任何软件,也没有在我们这边建立MQ服务器。)
Update: I went for setting the global JSSE properties for the VM as it solved my problem as a start.更新:我开始为 VM 设置全局 JSSE 属性,因为它首先解决了我的问题。
It was necessary to set the following parameters:有必要设置以下参数:
-Djavax.net.ssl.trustStore=<location of trustStore>
-Djavax.net.ssl.keyStore=<location of keyStore>
-Djavax.net.ssl.keyStorePassword=<password>
Additionally, since I am using non-IBM VM, there was the following paramter to set:此外,由于我使用的是非 IBM VM,因此需要设置以下参数:
-Dcom.ibm.mq.cfg.useIBMCipherMappings=false
Then, it was necessary to set the cipher suite property on the RAR configuration in standalone-full.xml together with the other connection parameters of my WildFly installation:然后,有必要在standalone-full.xml的 RAR 配置上设置密码套件属性以及我的 WildFly 安装的其他连接参数:
<resource-adapter id="wmq.jms.rar">
...
<connection-definitions>
<connection definition ...>
<config-property name="sslCipherSuite">xxx</config-property>
...
</resource-adapter">
And finally, the MDBs listining on the queues also had to be configured to use the cipher suite, so in my case I had to add that in the ejb-jar.xml by adding for each MDB:最后,队列中列出的 MDB 也必须配置为使用密码套件,因此在我的情况下,我必须通过为每个 MDB 添加来将其添加到 ejb-jar.xml 中:
<activation-config-property>
<activation-config-property-name>sslCipherSuite</activation-config-property-name>
<activation-config-property-value>xxx</activation-config-property-value>
<activation-config-property>
1 个解决方案
解决方案1
3 已采纳 2017-11-05 06:33:32
OP stated in the comments that they use OpenJDK 8 and are using the IBM MQ v9.0.0.1 resource adapter, both of the following known problems are fixed in that release, but putting this information here for the benefit of others who may not yet be at a release where these are fixed: OP 在评论中表示他们使用 OpenJDK 8 并使用 IBM MQ v9.0.0.1 资源适配器,该版本中修复了以下两个已知问题,但将这些信息放在这里是为了其他人的利益在这些已修复的版本中:
APAR IV66840 : TLS cipherspecs in non-IBM JREs were not supported until 8.0.0.2.
APAR IV66840 :直到 8.0.0.2 才支持非 IBM JRE 中的 TLS 密码规范。APAR IT10837 : WildFly 9 may hit another issue if using a non-IBM JRE in finding the KeyStore that contains the client cert, this is fixed in 8.0.0.5.
APAR IT10837 :如果使用非 IBM JRE 查找包含客户端证书的 KeyStore,WildFly 9 可能会遇到另一个问题,此问题已在 8.0.0.5 中修复。
The resource adapter includes the MQ functionality to support TLS but uses the underlying JSSE for the actual encryption.资源适配器包括支持 TLS 的 MQ 功能,但使用底层 JSSE 进行实际加密。
Based on RFC 5246 it suggests that the TLS Client should only return a cert that is suitable based on the the server sending " A list of the distinguished names [X501] of acceptable certificate_authorities, represented in DER-encoded format. ", this would mean that if the certs in your keyStore for the different uses (ex: existing non-MQ certs and MQ certs) are not signed by the same CA chain, and the various TLS servers you connect to do not accept certs from the CA of other certs in your key store (ex: existing non-MQ certs and MQ certs) then JSSE will return the appropriate cert to each.基于 RFC 5246,它建议 TLS 客户端应该只返回一个适合基于服务器发送的证书“可接受的证书颁发机构的专有名称 [X501] 列表,以 DER 编码格式表示。 ”,这意味着如果您的 keyStore 中用于不同用途的证书(例如:现有的非 MQ 证书和 MQ 证书)不是由同一 CA 链签名,并且您连接的各种 TLS 服务器不接受来自其他证书的 CA 的证书在您的密钥库中(例如:现有的非 MQ 证书和 MQ 证书),那么 JSSE 将向每个证书返回适当的证书。
For example if existing non-MQ certs are signed by a Internal CA and the MQ cert is signed by another company's CA, it is highly unlikely that the MQ company would trust your internal CA certs, conversely it is unlikely that your other non-MQ TLS servers you connect to would trust the other company's CA.例如,如果现有的非 MQ 证书由内部 CA 签署,而 MQ 证书由另一家公司的 CA 签署,则 MQ 公司不太可能信任您的内部 CA 证书,相反,您的其他非 MQ 证书也不太可能信任您连接的 TLS 服务器将信任其他公司的 CA。 Since JSSE would return only a cert that was trusted by the remote server they should not impact each other.由于 JSSE 将只返回远程服务器信任的证书,因此它们不应相互影响。 You would just need to add the MQ cert to your existing key store.您只需将 MQ 证书添加到您现有的密钥库中。
Quotes from the relevant sections of RFC 5246 are at the bottom of this post.来自 RFC 5246 相关部分的引用位于本文底部。
@a_cornish_pasty answer to your question " Use specific keystore for JMS " is also an alternative as it would allow you to specify a separate key store from what the rest of Wildfly uses, this key store could have ONLY the MQ cert, so no chance of causing an issue with the existing key store and certs. @a_cornish_pasty 对您的问题“ 为 JMS 使用特定密钥库”的回答也是一种替代方法,因为它允许您指定一个与 Wildfly 其余部分使用的密钥库不同的密钥库,此密钥库可能只有 MQ 证书,因此没有机会导致现有密钥库和证书出现问题。
RFC 5246 Section 7.4.4 states the following: RFC 5246 第 7.4.4 节规定如下:
7.4.4.
When this message will be sent:
A non-anonymous server can optionally request a certificate from the client , if appropriate for the selected cipher suite.
It then goes on to state:然后继续声明:
certificate_authorities
A list of the distinguished names [X501] of acceptable certificate_authorities , represented in DER-encoded format.
RFC 5246 Section 7.4.6 states the following: RFC 5246 第 7.4.6 节规定如下:
7.4.6.
When this message will be sent:
This is the first message the client can send after receiving a ServerHelloDone message.
It then goes on to state:然后继续声明:
- If the certificate_authorities list in the certificate request message was non-empty, one of the certificates in the certificate chain SHOULD be issued by one of the listed CAs.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.