IBM MQ XMS.NET - 連接時出現 2059 錯誤

Question

我正在更新一個應用程序以通過 TLS 連接到 IBM MQ。 我看到的當前錯誤是 2059 原因碼。 跟蹤日志似乎沒有包含更多信息。 有人對檢查什么有建議嗎？

我已經做了以下事情：

• 建立已導入客戶端和服務器的簽名證書和自簽名證書

• 啟用 Windows 組策略，如本博客所述 - SSL 密碼套件訂單

• 添加了屬性以在應用程序代碼中指定密碼規范：

   factory.SetStringProperty(XMSC.WMQ_CHANNEL, channel); factory.SetIntProperty(XMSC.WMQ_CONNECTION_MODE, connectionMode); factory.SetStringProperty(XMSC.WMQ_QUEUE_MANAGER, ""); factory.SetIntProperty(XMSC.WMQ_BROKER_VERSION, brokerVersion); factory.SetIntProperty(XMSC.WMQ_CLIENT_RECONNECT_OPTIONS, XMSC.WMQ_CLIENT_RECONNECT); factory.SetStringProperty(XMSC.WMQ_SSL_KEY_REPOSITORY, "*SYSTEM"); factory.SetStringProperty(XMSC.WMQ_SSL_CIPHER_SPEC, "TLS_RSA_WITH_AES_256_CBC_SHA256"); factory.SetBooleanProperty(XMSC.WMQ_SSL_CERT_REVOCATION_CHECK, false);

有關詳細信息，請參閱鏈接的異常。

at IBM.XMS.Client.WMQ.Factories.WmqConnectionFactory.CreateV7ProviderConnection(XmsPropertyContext connectionProps)
at IBM.XMS.Client.WMQ.Factories.WmqConnectionFactory.CreateProviderConnection(XmsPropertyContext connectionProps)

Linked Exception : CompCode: 2, Reason: 2059
[23/02/2021 22:52:18:792930 Pacific Standard Time] 00000006 < UOW= source=IBM.XMS.Client.WMQ.Factories.WmqConnectionFactory method=CreateProviderConnection(XmsPropertyContext) [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[23/02/2021 22:52:18:792930 Pacific Standard Time] 00000006 < UOW= source=IBM.XMS.Client.Impl.XmsConnectionFactoryImpl method=CreateConnection(Stirng,String) [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[23/02/2021 22:52:18:792930 Pacific Standard Time] 00000006 < UOW= source=IBM.XMS.Client.Impl.XmsConnectionFactoryImpl method=CreateConnection() [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[2/23/2021 10:52:18 PM ] [                 ] Error       : IBM.XMS.XMSException: CWSMQ0006E: An exception was received during the call to the method ConnectionFactory.CreateConnection: CompCode: 2, Reason: 2059.
During execution of the specified method an exception was thrown by another component.
See the linked exception for more information.
   at IBM.XMS.Client.WMQ.Factories.WmqConnectionFactory.CreateProviderConnection(XmsPropertyContext connectionProps)
   at IBM.XMS.Client.Impl.XmsConnectionFactoryImpl.CreateConnection(String userID, String password)
   at IBM.XMS.Client.Impl.XmsConnectionFactoryImpl.CreateConnection()

顯示 SSL 身份驗證的跟蹤：

[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
TLS12 supported - True
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
Setting SslProtol as Tls12
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
Starting SSL Authentication
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 > UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
entry
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
Client callback has been invoked to find client certificate
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 < UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 > UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
entry
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
Client callback has been invoked to find client certificate
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 < UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 > UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
entry
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
Client did not specify a SSLPEERNAME, hence SSLPeerNameMatching not done
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 < UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) rc=OK [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
SSL Authentication completed

服務器日志

AMQ9631E: The CipherSpec negotiated during the SSL handshake does not match the
required CipherSpec for channel 'MQEXPLORER.CHL'.

EXPLANATION:
There is a mismatch between the CipherSpecs on the local and remote ends of
channel 'MQEXPLORER.CHL'. The channel will not run until this mismatch is
resolved. The CipherSpec required in the local channel definition is
'TLS_RSA_WITH_AES_256_CBC_SHA256'. The name of the CipherSpec negotiated during
the SSL handshake is 'TLS_RSA_WITH_AES_128_CBC_SHA256'. A code is displayed if
the name of the negotiated CipherSpec cannot be determined.
ACTION:
Change the channel definitions for 'MQEXPLORER.CHL' so the two ends have
matching CipherSpecs and restart the channel. If the certificate in use by one
end of the channel is a Global Server Certificate, then the negotiated
CipherSpec may not match that specified on either end of the channel. This is
because the SSL protocol allows a Global Server Certificate to automatically
negotiate a higher level of encryption. In these cases specify a CipherSpec
which meets the requirements of the Global Server Certificate.
enter code here

更新從 Windows 策略中刪除 AES_128 有助於解決最后一個錯誤，但我仍然看到 2059 原因代碼。 服務器說未指定證書，但客戶端跟蹤另有說明。

客戶跟蹤

[03/03/2021 09:23:51:063098 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
SSL Authentication completed
[03/03/2021 09:23:51:063098 Pacific Standard Time] 00000006 < UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=MakeSecuredConnection() rc=OK [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[03/03/2021 09:23:51:063098 Pacific Standard Time] 00000006 < UOW= source=IBM.WMQ.MQTCPConnection method=ConnectSocket(string,string,MQLONG) rc=OK [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[03/03/2021 09:23:51:063098 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.MQTCPConnection org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
Protocol connected..for this connection request.

....

[03/03/2021 09:23:51:078705 Pacific Standard Time] 00000006 X UOW= source=IBM.WMQ.MQFAP org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
CompCode: 2, Reason: 2059
[03/03/2021 09:23:51:078705 Pacific Standard Time] 00000006 d UOW= source= org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
New MQException CompCode: 2 Reason: 2059
[03/03/2021 09:23:51:078705 Pacific Standard Time] 00000006 d UOW= source= org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
New NmqiException CompCode: 2 Reason: 2059

服務器日志

AMQ9637E: During handshake, the remote partner sent no certificate.

EXPLANATION:
The conversation cannot begin because a certificate has not been supplied by
the remote partner.

The channel name is 'TST.CHL'.

If this error message is written on the receiving side of the channel, then the
channel attributes 'SSLCAUTH' caused the check to be made.
ACTION:
Look at the key repository on the remote side of this channel, and make sure
the appropriate certificates are present, with correct labels.
----- amqccisa.c : 8146 -------------------------------------------------------
03/03/21 09:23:51 - Process(140687.1923660) User(mqsystem) Program(amqrmppa)

AMQ9999E: Channel 'TST.CHL' to <host> ended abnormally.

EXPLANATION:
The channel program running under process ID 140687 for channel 'TST.CHL' ended
abnormally. The host name is '<>; in some cases the host name cannot
be determined and so is shown as '????'.

Answer 1

我假設您正在嘗試使用獨立客戶端以托管連接模式進行連接。

如果是這樣，我能夠通過 TLS 使用 IBM MQ 的唯一方法是將 SSLKey 存儲庫和密碼規范設置為環境變量，而不是連接配置。

還要確保您的證書具有正確的 label 集

See docs for ref: https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.1.0/com.ibm.mq.dev.doc/q120700_.html https://www.ibm.com/support/knowledgecenter/ SSFKSJ_9.1.0/com.ibm.mq.pro.doc/q014220_.html

Answer 2

您是否嘗試在 MQ 文檔中搜索錯誤代碼？ 快速谷歌搜索“ibm mq error 2059”給了我： https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.tro.doc/q041290_.ZFC35FDC70D5FC69D269883A822EZ5A