Why do I need to provide both a key store and a trust store for an SSL connection to IBM MQ?

I've created a light application that is connecting to IBM MQ using SSL.

If I set up both javax.net.ssl.trustStore and javax.net.ssl.keyStore, everything works as expected.

The keystore (jks) contains two entries:

  1. TrustedCertEntry

  2. PrivateKeyEntry

I had the feeling that, given the fact that I am the client for this connection and MQ is the server, only the trustStore should be used, but this is not the case, since the application is not working if I set up only the trustStore.

Can anyone explain to me why both are required?

As per the SSL configuration section of the WebSphere MQ Java/JMS client guide, point 2, "Create keyStore", you are most likely using certificates for client authentication. This authentication setup requires a keyStore:

    Complete this section only if you wish to have client authentication when a connection is made to a Queue Manager. If client authentication has not been specified on the channel, you do not need to complete this section.

    The keyStore is essentially the same as a trustStore, except that it holds the client's personal certificate, and the JSSE requires a password for access. You can in fact add your personal certificate to the trustStore created earlier and it will act as both trustStore and keyStore, but the password that was not required before will now need to be passed to the JSSE in order for it to access your personal certificate.

You can verify this on the server, as shown in the "Using self-signed certificates for mutual authentication of a client and queue manager" guide, by running:

DISPLAY CHSTATUS(<your channel name>) SSLPEER SSLCERTI
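The following Java program is an added example, not code from the question or the answer above. It shows the two halves of the JSSE configuration the answer describes: the trustStore, which is all that is needed to authenticate the queue manager, and the keyStore with its password, which is needed only when the server-connection channel is configured with SSLCAUTH(REQUIRED). Before enabling the keyStore it opens the JKS file and checks that it actually contains a PrivateKeyEntry, since a file holding only TrustedCertEntry items cannot satisfy client authentication no matter what the properties say. The host name, port, queue manager name, channel name, file paths, password and CipherSpec are placeholders for this example; on the queue manager side, DISPLAY CHANNEL(<your channel name>) SSLCAUTH tells you whether the channel demands a client certificate.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.jms.Connection;
import javax.jms.JMSException;
import com.ibm.mq.jms.MQConnectionFactory;
import com.ibm.msg.client.wmq.WMQConstants;

public class MqTlsClientCheck {

    /**
     * Opens a JKS file and reports its entries. Returns the number of
     * PrivateKeyEntry aliases; 0 means the file is a pure trust store and
     * can never satisfy an SSLCAUTH(REQUIRED) channel.
     */
    static int privateKeyEntries(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        int keys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                keys++;
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                // The subject DN of this certificate is what the queue manager
                // shows as SSLPEER in DISPLAY CHSTATUS once the handshake completes.
                System.out.println("PrivateKeyEntry  " + alias + " -> " + cert.getSubjectX500Principal());
            } else if (ks.isCertificateEntry(alias)) {
                System.out.println("TrustedCertEntry " + alias);
            }
        }
        return keys;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths, password and connection details (assumptions for this example).
        String trustStore = "/path/to/truststore.jks";
        String keyStore   = "/path/to/keystore.jks";
        char[] keyPass    = "changeit".toCharArray();
        // Pass "required" on the command line when the channel is SSLCAUTH(REQUIRED).
        boolean channelRequiresClientAuth = args.length > 0 && args[0].equalsIgnoreCase("required");

        // Server authentication only: the trust store holds the CA or queue manager
        // certificate and needs no password for JSSE to read it.
        System.setProperty("javax.net.ssl.trustStore", trustStore);

        if (channelRequiresClientAuth) {
            if (privateKeyEntries(keyStore, keyPass) == 0) {
                throw new IllegalStateException(keyStore
                        + " has no PrivateKeyEntry, but the channel requires client authentication");
            }
            // Client authentication: JSSE must be able to unlock the private key,
            // so the key store password is mandatory here.
            System.setProperty("javax.net.ssl.keyStore", keyStore);
            System.setProperty("javax.net.ssl.keyStorePassword", new String(keyPass));
        }

        MQConnectionFactory cf = new MQConnectionFactory();
        cf.setTransportType(WMQConstants.WMQ_CM_CLIENT);
        cf.setHostName("mq.example.internal");   // placeholder
        cf.setPort(1414);                         // placeholder
        cf.setQueueManager("QM1");                // placeholder
        cf.setChannel("APP.SVRCONN");             // placeholder
        // Must match the SSLCIPH attribute of the server-connection channel.
        cf.setSSLCipherSuite("TLS_RSA_WITH_AES_128_CBC_SHA256");

        try (Connection conn = cf.createConnection()) {
            conn.start();
            System.out.println("TLS handshake and MQ connection succeeded");
        } catch (JMSException e) {
            // When the channel is SSLCAUTH(REQUIRED) and no key store was supplied, the
            // queue manager rejects the handshake and the usual symptom on the Java
            // client is MQRC 2393 (MQRC_SSL_INITIALIZATION_ERROR).
            System.err.println("Connection failed: " + e.getMessage());
            throw e;
        }
    }
}
```

Run it once without an argument and once with "required": in the first case only the trustStore property is set, which is exactly the configuration the question found to fail against a channel with client authentication; in the second, the program refuses to even attempt the connection unless the JKS contains a private key, which turns a vague handshake error into a clear statement of what is missing.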
