Problem description
I have a problem connecting to IBM MQ 8.0 from a Java client when SSL is enabled on the client channel (SVRCONN). When SSL is disabled (SSLAUTH to OPTIONAL) on the channel, the flow works fine.
The client is Java with JRE 1.7. The MQ server version is IBM MQ 8.0.
Created self-signed certificates and exchanged them properly as per the MQ setup references.
The javax.net.debug=ssl option confirms in the log that the certificate exchange and SSL handshake are successful.
But when the Java client code tries to get the MQManager object, the following MQ exception is thrown.
com.ibm.mq.MQException: MQJE001: Completion code '2', reason '2059' ...
caused by: com.ibm.jmqi.JmqiException: CC=2;RC=2059;AMQ9204: Connection to host '1.2.3.4(1414)' rejected. [1=com.ibm.jmqi.JmqiException[CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=CHANNEL.SVRCONN.SSL]],3=1.2.3.4(1414), 5=RemoteConnection.analyseSegment] ...
caused by: com.ibm.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=CHANNEL.SVRCONN.SSL]
I have configured TLS_RSA_WITH_AES_256_CBC_SHA256 as the cipherspec on both the client side and the MQ client channel (SVRCONN).
Tried with other cipherspecs like TLS_RSA_WITH_AES_128_CBC_SHA; the error remains the same.
MQ server error log has AMQ9665: SSL connection closed by remote end of channel '????'
Explanation: The SSL or TLS connection was closed by the remote host '5.6.7.8' during the secure socket handshake. The channel is '????', in some cases its name can not be determined and so is shown as '????'. The chanel didn't start.
ACTION: Check the remote end of for SSL and TLS errors. Fix them and restart the channel.
But on the remote side, I have only the Java client, which uses MQ libraries to connect to the MQ server.
Not able to get data from the server, so added an image of the last 2 pages from the SSL logs.
MQ server side logs are already given above. Along with that, there is a default log AMQ9999: Channel '????' to host 1.2.3.4 ended abnormally. The same error is getting logged repeatedly with . Didn't find any other logs.
MQ client code snippet below.
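import com.ibm.mq.MQEnvironment;
import com.ibm.mq.MQException;
import com.ibm.mq.MQQueueManager;

void connect2MQ()
{
    // Connection details for the SVRCONN channel
    MQEnvironment.hostname = "1.2.3.4";
    MQEnvironment.port = 1414;
    MQEnvironment.channel = "CLIENT.SVRCONN.SSL";
    if (SSLEnabled.equals("Y")) // It is set to 'Y' in main method
    {
        // CipherSuite must correspond to the SSLCIPH set on the channel
        MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA";
        // JSSE property names are case-sensitive (trustStore, keyStore)
        System.setProperty("javax.net.ssl.trustStore", "trustStoreCertFilePath");
        System.setProperty("javax.net.ssl.keyStore", "keyStoreCertFilePath");
        System.setProperty("javax.net.ssl.trustStorePassword", "Pass");
        System.setProperty("javax.net.ssl.keyStorePassword", "Pass");
        System.setProperty("javax.net.ssl.trustStoreType", "JKS");
        System.setProperty("javax.net.ssl.keyStoreType", "JKS");
    }
    try {
        MQQueueManager qmgr = new MQQueueManager("QMGR.TEST.SSL"); // Exception is thrown from here
        ...
    } catch (MQException e) {
        e.printStackTrace(); // MQJE001 with reason 2059 surfaces here
    }
}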
Recommended answer
It appears you are hitting the issue described in APAR IT10837. This is fixed in the 8.0.0.5 and later MQ Classes for Java and MQ Classes for JMS client jar files; I would suggest moving to 8.0.0.7, which is the latest v8 version.
The error messages don't match, but the symptoms of it working with SSLCAUTH(OPTIONAL) and not working with SSLCAUTH(REQUIRED) match up, as does the version you are running not having the fix.
There is an IBM developerWorks MQdev Blog post by Tom Leend titled "MQ Java, TLS Ciphers, Non-IBM JREs & APARs IT06775, IV66840, IT09423, IT10837 -- HELP ME PLEASE!", which describes a workaround if you are not at a level of MQ that has the fix.
---- Code Snippet Start ----
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import com.ibm.mq.MQEnvironment;

// password_char_array: char[] holding the store password
// Key store: the client's personal certificate and private key
KeyStore keyStore = KeyStore.getInstance("JKS");
java.io.FileInputStream keyStoreInputStream = new java.io.FileInputStream("/home/tom/myKeyStore.jks");
keyStore.load(keyStoreInputStream, password_char_array);
// Trust store: the signer certificate(s) used to validate the queue manager
KeyStore trustStore = KeyStore.getInstance("JKS");
java.io.FileInputStream trustStoreInputStream = new java.io.FileInputStream("/home/tom/myTrustStore.jks");
trustStore.load(trustStoreInputStream, password_char_array);
keyStoreInputStream.close();
trustStoreInputStream.close();
KeyManagerFactory keyManagerFactory =
    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
TrustManagerFactory trustManagerFactory =
    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
// init() takes the key password as a char[]
keyManagerFactory.init(keyStore, password_char_array);
trustManagerFactory.init(trustStore);
// Protocol as given in the snippet. TLS_RSA_WITH_AES_256_CBC_SHA256 is a
// TLS 1.2 suite, so a TLS 1.0 handshake cannot negotiate it.
SSLContext sslContext = SSLContext.getInstance("TLSv1");
sslContext.init(keyManagerFactory.getKeyManagers(),
    trustManagerFactory.getTrustManagers(),
    null);
SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
// classes for JMS
//myJmsConnectionFactory.setObjectProperty(
//    WMQConstants.WMQ_SSL_SOCKET_FACTORY, sslSocketFactory);
// classes for Java
MQEnvironment.sslSocketFactory = sslSocketFactory;
---- Code Snippet End ----
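A client-side preflight for the SSLCAUTH(OPTIONAL) versus SSLCAUTH(REQUIRED) symptom discussed above, as an added example that is not part of the original question, the answer, or the IBM blog. It reports whether the JRE offers the configured CipherSuite for a given SSLContext protocol and whether the key store holds a private-key entry to present as the client certificate; the class name `MqTlsPreflight` and the `KS_PASS` environment variable are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added diagnostic, not from the original post.
// Usage: java MqTlsPreflight <cipherSuite> [keystore.jks]
// The store password is read from the KS_PASS environment variable (assumed name).
public class MqTlsPreflight {
    // Does a context created for this protocol offer the suite by default?
    static boolean offeredByDefault(String protocol, String suite) throws Exception {
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null); // JRE default managers; no network I/O
        return Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()).contains(suite);
    }

    // Aliases that hold a private key. Only such an entry can supply the client
    // certificate that a channel with SSLCAUTH(REQUIRED) insists on.
    static List<String> keyEntries(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<String>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) out.add(alias);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String suite = args.length > 0 ? args[0] : "TLS_RSA_WITH_AES_256_CBC_SHA256";
        for (String protocol : new String[] {"TLSv1", "TLSv1.2"}) {
            System.out.println(protocol + " offers " + suite + ": " + offeredByDefault(protocol, suite));
        }
        if (args.length < 2) return; // no key store given: suite check only
        KeyStore ks = KeyStore.getInstance("JKS");
        String pw = System.getenv("KS_PASS"); // null skips the integrity check
        FileInputStream in = new FileInputStream(args[1]);
        try {
            ks.load(in, pw == null ? null : pw.toCharArray());
        } finally {
            in.close();
        }
        List<String> keys = keyEntries(ks);
        System.out.println("private-key entries: " + keys);
        if (keys.isEmpty()) {
            System.out.println("trust-only store: no client certificate can be sent");
        }
    }
}
```

Run it with the same JRE and key store the MQ client uses; results differ between JRE vendors and versions, which is the situation the blog post title refers to.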