This article describes how to handle the 2538 error on IBM MQ when connecting over an SSL channel. It should be a useful reference for anyone facing the same problem; the question and answer follow below.

Problem description

I am using IBM WebSphere MQ 8.0 version.

I have configured one of my channels with "TLS_RSA_WITH_AES_256_CBC_SHA256" Cipher Spec encryption along with valid certificates installed and mapped to key store path correctly.

My .NET client code is not able to connect with this secured channel. It gives 2538 error continuously. I have another channel configured without encryption (unsecured). The client code can connect to this channel without any errors.

This is my .NET client code:

    using System;
    using System.Collections;
    using IBM.WMQ;

    Hashtable queueProperties = new Hashtable();
    queueProperties[MQC.HOST_NAME_PROPERTY] = host; // IP address
    queueProperties[MQC.PORT_PROPERTY] = 1541;
    queueProperties[MQC.CHANNEL_PROPERTY] = channel; // channel name
    queueProperties[MQC.TRANSPORT_PROPERTY] = MQC.TRANSPORT_MQSERIES_MANAGED;
    queueProperties[MQC.SSL_CERT_STORE_PROPERTY] = "*USER";
    queueProperties[MQC.SSL_CIPHER_SPEC_PROPERTY] = "TLS_RSA_WITH_AES_256_CBC_SHA256";
    queueProperties[MQC.SSL_PEER_NAME_PROPERTY] = "CN=FXCMTST1,O=IBM,C=US";
    queueProperties["CertificateLabel"] = "ibmwebspheremqfxcmtst1";
    queueProperties[MQC.KEY_RESET_COUNT] = 0;
    MQEnvironment.SSLCertRevocationCheck = true;
    queueProperties[MQC.USER_ID_PROPERTY] = user; // variable
    queueProperties[MQC.PASSWORD_PROPERTY] = pwd; // variable
    try
    {
        // Attempt the connection
        queueManager = new MQQueueManager(qmgr, queueProperties);
        strReturn = "Connected Successfully";
    }
    catch (MQException mqe)
    {
        // ReasonCode carries the MQRC value, e.g. 2538 (MQRC_HOST_NOT_AVAILABLE)
        // or 2059 (MQRC_Q_MGR_NOT_AVAILABLE); details are in AMQERR01.LOG
        strReturn = "Connection failed, reason code " + mqe.ReasonCode;
    }

I have also set the MCA User to the valid user with all required access rights.

The above code works fine for the unsecured channel when I remove these lines and replace the channel name with that of unsecured one.

    queueProperties[MQC.TRANSPORT_PROPERTY] = MQC.TRANSPORT_MQSERIES_MANAGED;
    queueProperties[MQC.SSL_CERT_STORE_PROPERTY] = "*USER";
    queueProperties[MQC.SSL_CIPHER_SPEC_PROPERTY] = "TLS_RSA_WITH_AES_256_CBC_SHA256";
    queueProperties[MQC.SSL_PEER_NAME_PROPERTY] = "CN=FXCMTST1,O=IBM,C=US";
    queueProperties["CertificateLabel"] = "ibmwebspheremqfxcmtst1";
    queueProperties[MQC.KEY_RESET_COUNT] = 0;
    MQEnvironment.SSLCertRevocationCheck = true;

Am I missing anything in the code or MQ configuration?

UPDATE 1: I found that the error was due to an incorrect path to the key database. I had mentioned the path till the folder name where the certificates were placed. However, it was expected to be the folder name followed by the name of the kdb file without extension.

After doing this change, the 2538 error is gone. But now I am getting 2059 error with below error message in log.

"The CipherSpec negotiated during the SSL handshake does not match the required CipherSpec for channel..."

My channel is configured to have "TLS_RSA_WITH_AES_256_CBC_SHA256" as I have set in MQ Explorer. The client code is also sending the same cipher spec. Still it gives 2059 error.

UPDATE 2: As suggested by @JoshMc, I set the group policy and it resolved above error. Then I started getting error "Channel is lacking certificate".

UPDATE 3: This error is gone after I changed the SSLCAUTH to OPTIONAL. Earlier it was set to REQUIRED. Thanks to @JoshMc for pointing out.

Solution

Originally in your question you had the following line of code:

    queueProperties[MQC.SSL_PEER_NAME_PROPERTY] = "ibmwebspheremqtestqueue";

I advised: The SSL_PEER_NAME_PROPERTY is meant to validate a portion or all of the DN value of the queue manager cert, so it would be in a format like CN=x.domain.com,OU=Y,O=Company Inc; what you have looks like a cert label.

Can you see what errors are generated, if any, in the queue manager's AMQERR01.LOG? What about in the local client AMQERR01.LOG?

You responded with an error from the queue manager:

AMQ9660: SSL key repository: password stash file absent or unusable.

And you found the error per your update:

Now you moved on to getting the following error:

The CipherSpec negotiated during the SSL handshake does not match the required CipherSpec for channel...

I advised: Managed .NET does not use the cipher you specify; it is picked up from a Windows policy. This question and answer should help: "IBM MQ.Net CertificateLabel, CipherSpec".

You advised you fixed the group policy and then moved on to getting the following error when you set SSLCAUTH(REQUIRED) on the SVRCONN channel:

channel is lacking a certificate

SSLCAUTH(REQUIRED) tells the queue manager that you are requiring the client to have a certificate. The client will always require the queue manager to have a certificate no matter what SSLCAUTH is set to.

Assuming you have the queue manager configured to perform CONNAUTH to validate the user and password you are sending and you have set ADOPTCTX(YES) on the CONNAUTH's AUTHINFO object, then having SSLCAUTH(OPTIONAL) is a reasonable setting as this means all the data between the client and queue manager will be encrypted and the connection is authenticated by the id/pw. Even if you have SSLCAUTH(REQUIRED), unless you also configure the SVRCONN to match on a specific DN value via either the channel's SSLPEER property or a CHLAUTH TYPE(SSLPEERMAP) rule's SSLPEER property it is not providing any form of authentication.
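As an added example, and not code from the question or from @JoshMc's answer, the MQSC below shows the queue-manager side of the three configurations the answer contrasts: SSLCAUTH(REQUIRED) with no DN check (encryption only), SSLCAUTH(OPTIONAL) with CONNAUTH and ADOPTCTX(YES), and SSLCAUTH(REQUIRED) with the client DN pinned via SSLPEER or a CHLAUTH SSLPEERMAP rule. The channel name APP.SVRCONN, the AUTHINFO object USE.OS, the MCA user mqapp and the client DN CN=appclient,O=Example are assumed placeholders.

```mqsc
* Added example (not from the question or the answer). Assumed names:
* channel APP.SVRCONN, AUTHINFO USE.OS, MCA user mqapp,
* client certificate DN CN=appclient,O=Example.

* --- Weak: SSLCAUTH(REQUIRED) on its own. The client must present a
* certificate the queue manager's key repository trusts, but no DN is
* checked, so this is encryption without any binding to an identity.
ALTER CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) +
      SSLCIPH('TLS_RSA_WITH_AES_256_CBC_SHA256') +
      SSLCAUTH(REQUIRED)

* --- Option A (the "reasonable setting" in the answer): TLS gives
* confidentiality, identity comes from the user/password that CONNAUTH
* validates. CHCKCLNT(REQUIRED) rejects clients that send no credentials;
* ADOPTCTX(YES) runs the connection as the authenticated id rather than
* the id the client merely asserts.
DEFINE AUTHINFO('USE.OS') AUTHTYPE(IDPWOS) +
       CHCKCLNT(REQUIRED) ADOPTCTX(YES) REPLACE
ALTER QMGR CONNAUTH('USE.OS')
REFRESH SECURITY TYPE(CONNAUTH)
ALTER CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) +
      SSLCIPH('TLS_RSA_WITH_AES_256_CBC_SHA256') +
      SSLCAUTH(OPTIONAL)

* --- Option B: mutual TLS that really authenticates. Require a client
* certificate AND pin its DN, either on the channel itself ...
ALTER CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) +
      SSLCAUTH(REQUIRED) +
      SSLPEER('CN=appclient,O=Example')
* ... or with a CHLAUTH SSLPEERMAP rule, which additionally maps the
* matched DN to a fixed MCA user instead of a client-supplied id.
SET CHLAUTH('APP.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=appclient,O=Example') +
    USERSRC(MAP) MCAUSER('mqapp') ACTION(REPLACE)

* Check: with a client connected, confirm the cipher that was actually
* negotiated and the peer DN the queue manager saw.
DISPLAY CHSTATUS('APP.SVRCONN') SSLCIPH SSLPEER
```

Feed the script to runmqsc for the queue manager in question. Options A and B are alternatives; the weak block is included only to make the difference visible. Under option A the channel still needs an MCAUSER (set on the channel or through CHLAUTH) so that what the connection may do is decided by the queue manager, not by the id the client asserts.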

That concludes this article on the 2538 error on MQ for SSL channel connections. We hope the recommended answer helps, and thank you for your continued support!

09-06 04:14