
Connecting to MQ channel using Java client: CERTLABL error

I'm working on a microservice in Java to connect to an IBM WebSphere MQ V8.0 through SSL. However, I am seeing this error in the logs:

JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2059' ('MQRC_Q_MGR_NOT_AVAILABLE')

At the MQ end the error is CSQX673E and the reason is:

The SSL or TLS channel's channel-name is configured to use certificate label: cert-label. However, the remote peer did not send the necessary information to allow the local channel to use the correct certificate. The remote host is conn-id.

Can somebody please let me know how to pass this parameter using Java?

As per my understanding, CERTLABL is not a part of the certificate.


Note that the information below is documented identically in the MQ v8.0.0, v9.0.0, and v9.1.0 Knowledge Centers.


IBM documents the following in the IBM MQ 8.0.0 Knowledge Center page IBM MQ > Security > Security overview > IBM MQ security mechanisms > Security protocols in IBM MQ > The SSL or TLS key repository > Digital certificate labels, understanding the requirements:

IBM MQ Version 8.0 supports the use of multiple certificates on the same queue manager, using a per-channel certificate label attribute. Inbound channels to the queue manager (for example, server connection or receiver) rely on detecting the channel name using TLS Server Name Indication (SNI), in order to present the correct certificate from the queue manager.

The same page also documents this:

Note that inbound channels (including receiver, cluster-receiver, unqualified server, and server-connection channels) only send the configured certificate if the IBM MQ version of the remote peer fully supports certificate label configuration, and the channel is using a TLS CipherSpec.

In all other cases, the queue manager CERTLABL parameter determines the certificate sent. In particular, the following only ever receive the certificate configured by the CERTLABL parameter of the queue manager, regardless of the channel-specific label setting:

  • All current Java and JMS clients.
  • Versions of IBM MQ prior to Version 8.0.

IBM also documents similar information in the IBM MQ 8.0.0 Knowledge Center page IBM MQ > Reference > Configuration reference > Channel attributes > Channel attributes in alphabetical order > Certificate label (CERTLABL):

Inbound channels (including RCVR, CLUSRCVR, unqualified SERVER, and SVRCONN channels) will only send the configured certificate if the IBM® MQ version of the remote peer fully supports certificate label configuration and the channel is using a TLS CipherSpec. If that is not the case, the queue manager CERTLABL attribute determines the certificate sent. This restriction is because the certificate label selection mechanism for inbound channels depends upon a TLS protocol extension that is not supported in all cases. In particular, Java™ clients, JMS clients, and all versions of IBM MQ prior to Version 8.0 do not support the required protocol extension and will only ever receive the certificate configured by the queue manager CERTLABL attribute, regardless of the channel-specific label setting.


As you stated, Java 8 does support SNI, but apparently IBM has not yet implemented the feature in the IBM MQ Classes for Java or IBM MQ Classes for JMS.

One possible solution I can think of is that you could figure out which underlying function MQ calls to create the TLS session and override this to set the SNI attribute to a value that MQ will recognize on the queue manager, with code like the following:

// serverNames is a List<SNIServerName>, e.g. a single SNIHostName
SSLParameters params = sslSocket.getSSLParameters();
params.setServerNames(serverNames);
sslSocket.setSSLParameters(params);

IBM has documented the format in which the channel name is passed in the SNI in the Technote "IBM WebSphere MQ: How does MQ provide multiple certificates (CERTLABL) capability":

The SNI address used by MQ is based upon the channel name that is being requested, followed by a suffix of ".chl.mq.ibm.com".

MQ channel names are mapped to be valid SNI names as follows:

  • Upper case letters A-Z are folded to lower case
  • Digits 0 through 9 are left unchanged
  • All other characters, including lower-case letters a-z, are converted into their 2-digit hexadecimal ASCII character code followed by a hyphen.
  • lower case letters a through z map to "61-" through "7a-" respectively
  • percent (%) maps to "25-"
  • hyphen (-) maps to "2d-"
  • dot (.) maps to "2e-"
  • forward slash (/) maps to "2f-"
  • underscore (_) maps to "5f-"

On EBCDIC platforms, the channel name is converted to ASCII before this mapping is applied. As an example, channel name "TO.QMGR1" maps to an SNI address of "to2e-qmgr1.chl.mq.ibm.com".

By contrast, the lower case channel name "to.qmgr1" maps onto the SNI address "74-6f-2e-71-6d-67-72-1.chl.mq.ibm.com".
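A worked example of the mapping above, done from Java, added here as an illustration; it is not code from the original answer, from IBM, or from the IBM MQ classes. The class name MqSniName and its helper names are mine. It assumes the channel name is already ASCII (on EBCDIC platforms MQ converts it first) and, like the answer, assumes you can reach the SSLParameters or SSLSocket that the MQ client actually uses, which the answer only speculates is possible. It checks its own output against the two examples given in the Technote.

```java
import java.util.Collections;
import java.util.List;

import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * Maps an IBM MQ channel name to the SNI host name format described in the
 * Technote and shows how the result would be placed into SSLParameters.
 * Illustrative code written for this page; not part of IBM MQ.
 */
public final class MqSniName {

    /** Suffix documented in the Technote. */
    static final String SUFFIX = ".chl.mq.ibm.com";

    /**
     * Documented mapping: A-Z folded to lower case, digits kept, every other
     * character replaced by its two-digit lower-case hex ASCII code plus a
     * hyphen. Assumes the name is ASCII (MQ channel names are restricted to
     * A-Z, a-z, 0-9 and . / _ %).
     */
    static String channelToSni(String channelName) {
        StringBuilder sb = new StringBuilder();
        for (char c : channelName.toCharArray()) {
            if (c >= 'A' && c <= 'Z') {
                sb.append(Character.toLowerCase(c));
            } else if (c >= '0' && c <= '9') {
                sb.append(c);
            } else {
                sb.append(String.format("%02x-", (int) c));
            }
        }
        return sb.append(SUFFIX).toString();
    }

    /**
     * Installs the mapped name as the single server_name entry, the same
     * setServerNames call the answer proposes on the underlying SSLSocket.
     */
    static SSLParameters withChannelSni(SSLParameters params, String channelName) {
        List<SNIServerName> names = Collections.<SNIServerName>singletonList(
                new SNIHostName(channelToSni(channelName)));
        params.setServerNames(names);
        return params;
    }

    public static void main(String[] args) throws Exception {
        // The two worked examples from the Technote.
        String upper = channelToSni("TO.QMGR1");
        String lower = channelToSni("to.qmgr1");
        System.out.println("TO.QMGR1 -> " + upper);
        System.out.println("to.qmgr1 -> " + lower);
        if (!upper.equals("to2e-qmgr1.chl.mq.ibm.com")
                || !lower.equals("74-6f-2e-71-6d-67-72-1.chl.mq.ibm.com")) {
            throw new AssertionError("mapping does not match the documented examples");
        }

        // Apply to a default SSLParameters instance; no connection is opened.
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();
        withChannelSni(params, "TO.QMGR1");
        for (SNIServerName n : params.getServerNames()) {
            System.out.println("SNI host_name = " + ((SNIHostName) n).getAsciiName());
        }
    }
}
```

Compile and run with `javac MqSniName.java && java MqSniName`. One point to verify before relying on this in a client: the SNIHostName constructor validates the name as an IDN host name, so a mapped name whose last label ends in a hyphen (any channel name whose final character is not an upper-case letter or digit, such as "to.qmgr") may be rejected with IllegalArgumentException; if it is, the extension would have to be set at a lower layer than SSLParameters.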
