
C# - SSL with WebSphere MQ version 7.0.1

When connecting to an SSL enabled queue manager using C#, what values do I need to set to get the queues to work?

I currently get this error: Reason Code: 2393 MQRC_SSL_INITIALIZATION_ERROR

In my code I am setting the MQEnvironment.SSLKeyRepository and MQEnvironment.SSLCipherSpec

Is there something else I need to set with C# to make this work? I have seen some Java examples that set keystore passwords and types and things.

I have also seen examples setting system environment variables too, but that hasn't seemed to make any difference either.

The general pattern for debugging WMQ SSL is as follows...

  1. Get the application to connect using no SSL. This eliminates problems with connectivity, wrong queue or queue manager names, etc.
  2. Get SSL working with server-only authentication. This means setting SSLCAUTH(OPTIONAL) on the SVRCONN channel. The QMgr will present a certificate that the application must trust but the application does not need to authenticate back to the server. This validates that both the application and the QMgr can access their keystores and that the QMgr's certificate or CA chain are properly loaded in the app's keystore.
  3. Finally, set SSLCAUTH(REQUIRED) in the SVRCONN channel so that the application authenticates back to the QMgr. At this point the only possible problems are that the QMgr doesn't trust the app's cert or CA.

If the connection attempt is refused by the QMgr, the errors at the client will purposely be cryptic. The detailed messages will be found in the QMgr's AMQERR??.LOG files. If the failure is at the client, these messages will be found in the client's error logs or you can enable trace.

Enable trace using the strmqtrc command and stop it with endmqtrc. The WMQ Clients manual has a section describing where client trace files end up and another section dedicated to tracing on Windows in general. This can be very useful in determining client-side configuration problems such as failing to find a private key, failing to find a keystore, etc.

In your case, the 2393 indicates that something in the client configuration is failing. Since you are no longer getting the error with the keystore password, I'm guessing it may be having problems finding a private key or not trusting the cert provided by the QMgr. In the first case, setting SSLCAUTH(OPTIONAL) will work because the client won't need its private key. However if the problem is trusting the QMgr or other configuration issues, SSLCAUTH(OPTIONAL) won't help but tracing should sort that out.

Incidentally, the need to trace and diagnose on the client side is why IBM does not support client installations where the jars or libs were copied over rather than running the full client install. Although you can get the client to run by copying a few lib files and classes, this does not provide all the facilities for tracing and diagnostics. If you have not performed a full client install, some of what I've described here will not be possible. If that is the case, download and install the client from SupportPac MQC7 .
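As an added illustration (not code from either post) of the MQEnvironment settings the question names, plus a check for the 2393 reason code the answer diagnoses: the host, port, channel, queue manager name, key repository path, cipher spec and peer DN are placeholder assumptions, and the snippet assumes the full WMQ client install so that strmqtrc is available when it fails.

```csharp
// Added example, not from the original question or answer. Connects to a queue
// manager over SSL through the IBM.WMQ .NET classes, configured via MQEnvironment
// as the question does. All connection values below are assumed placeholders.
using System;
using IBM.WMQ;

class SslConnectCheck
{
    static int Main()
    {
        MQEnvironment.Hostname = "mqhost.example.com";   // assumed host
        MQEnvironment.Port = 1414;                       // assumed listener port
        MQEnvironment.Channel = "APP.SVRCONN";           // assumed SVRCONN channel
        // Client key database, given without the .kdb extension; the matching
        // .sth stash file must sit beside it so no keystore password is needed.
        MQEnvironment.SSLKeyRepository = @"C:\ssl\client\key";   // assumed path
        // Must match SSLCIPH on the SVRCONN channel exactly (step 2 of the answer).
        MQEnvironment.SSLCipherSpec = "TLS_RSA_WITH_AES_128_CBC_SHA";  // assumed
        // Pins the QMgr certificate DN so a QMgr presenting a different
        // (but trusted) certificate is still rejected.
        MQEnvironment.SSLPeerName = "CN=QM1,O=Example";  // assumed DN pattern

        MQQueueManager qmgr = null;
        try
        {
            qmgr = new MQQueueManager("QM1");            // assumed QMgr name
            Console.WriteLine("Connected over SSL to " + qmgr.Name);
            return 0;
        }
        catch (MQException mqe)
        {
            if (mqe.ReasonCode == MQC.MQRC_SSL_INITIALIZATION_ERROR)
            {
                // 2393: the client-side SSL setup failed before the handshake
                // completed. Check the key repository path, stash file and
                // cipher spec, then run strmqtrc as the answer describes.
                Console.Error.WriteLine("SSL initialization error (2393): " + mqe.Message);
            }
            else
            {
                Console.Error.WriteLine("MQ error, reason " + mqe.ReasonCode + ": " + mqe.Message);
            }
            return 1;
        }
        finally
        {
            if (qmgr != null && qmgr.IsConnected)
                qmgr.Disconnect();
        }
    }
}
```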
