MQ error when SSL is enabled

Problem description

We have enabled SSL on:
1. MQ version '7.1.0.7'
2. OS -> 'Linux 2.6.32-642.11.1.el6.x86_64'
3. Two months back [Aug-2016], and it is working fine in both SSL enabled and disabled modes.

The Java client uses:
1. jdk1.7.0_21
2. Working cipher/suite -> SSL_RSA_WITH_RC4_128_SHA <> RC4_SHA_US

When I try to connect to the MQ v7.1.0.7 queue manager, the application throws the error below:

com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'.
 at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:228)
 at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:553)
 at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:593)
 at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:95)
 at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:198)
 at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:882)

In the queue manager error log AMQERR01.LOG I see this:

AMQ9616: The CipherSpec proposed is not enabled on the server.
EXPLANATION: The SSL or TLS subsystem at the server end of a channel has been configured in such a way that it has rejected the CipherSpec proposed by an SSL or TLS client. This rejection occurred during the secure socket handshake (i.e. it happened before the proposed CipherSpec was compared with the CipherSpec in the server channel definition).

We have an MQ v6.0.2.12 queue manager where this is working fine.

Could someone help with what went wrong for a system that was working before?
Resolved by adding the lines below in the qm.ini file:
SSL:
  AllowSSLV3=Y
  AllowWeakCipherSpec=Y

Updated (2017/01/27) with additional questions:

Worked below with TLSv1:
TLS_RSA_WITH_DES_CBC_SHA        SSL_RSA_WITH_DES_CBC_SHA        TLSv1    TRUE
TLS_RSA_WITH_3DES_EDE_CBC_SHA   SSL_RSA_WITH_3DES_EDE_CBC_SHA   TLSv1    TRUE

Failed with TLSv1.2:
TLS_RSA_WITH_RC4_128_SHA256     SSL_RSA_WITH_RC4_128_SHA        TLSv1.2  FALSE

I tried with these settings:
SSLContext sslContext = SSLContext.getInstance("TLSv1");
-Dcom.ibm.mq.cfg.preferTLS=true
-Dcom.ibm.mq.cfg.useIBMCipherMappings=false

Error is com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'

In the AMQERR01.LOG:
There is a mismatch between the CipherSpecs on the local and remote ends of channel 'TEST.CH'. The channel will not run until this mismatch is resolved. The CipherSpec required in the local channel definition is 'TLS_RSA_WITH_RC4_128_SHA256'. The name of the CipherSpec negotiated during the SSL handshake is 'RC4_SHA_US'. A code is displayed if the name of the negotiated CipherSpec cannot be determined.

Updated (2017/01/29) with additional questions:
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
MQEnvironment.sslFipsRequired = true;
MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_AES_256_CBC_SHA256";
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)
REFRESH SECURITY TYPE(SSL)
6. Client execute:
/apps/java/jdk1.7.0_21/bin/java -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -classpath .:/tmp/mqssl/com.ibm.mq.jmqi.jar:/tmp/mqssl/com.ibm.mq.jar:com.ibm.ws.webservices.thinclient_8.5.0.jar MQProducerSSL
Getting error as MQJE001: Completion Code '2', Reason '2400'
MQRC_UNSUPPORTED_CIPHER_SUITE (2400)

Updated (2017/01/30) with additional questions:
Still the same error, but in my client Java program I have enabled System.setProperty("javax.net.debug", "all"); to see all activity while executing the client. It is printing TLS_RSA_WITH_AES_256_CBC_SHA256 as "Ignoring unavailable cipher suite", as below:
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Before call
MQJE001: Completion Code '2', Reason '2400'.
MQJE001: Completion Code '2', Reason '2400'.

Tested with IBM-JDK-71, same exception:
SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA <><> ECDHE_ECDSA_3DES_EDE_CBC_SHA256
SSL_ECDHE_RSA_WITH_NULL_SHA <><> ECDHE_RSA_NULL_SHA256

Updated (2017/01/31) with additional questions:
com.ibm.mq.jar
Specification-Version: 7.1.0.1
Specification-Vendor: IBM Corporation
Implementation-Title: WebSphere MQ classes for Java
Implementation-Version: 7.1.0.1 - k710-001-120424
com.ibm.mq.jmqi.jar
Specification-Version: 7.1.0.1
Specification-Vendor: IBM Corporation
Implementation-Title: WebSphere MQ Interface for Java
Implementation-Version: 7.1.0.1 - k710-001-120424

Updated (2017/01/31 A) with additional questions:
Since MQ and the client are running on the same machine, I got the Specification-Version: 7.1.0.7 jars. Testing was done with 2 scenarios by changing the classpath.

Without -Dcom.ibm.mq.cfg.useIBMCipherMappings=false:
jdk1.7.0_21/bin/java -Dcom.ibm.mq.cfg.preferTLS=true -classpath .:/opt/mqm/java/lib/com.ibm.mq.jmqi.jar:/opt/mqm/java/lib/com.ibm.mq.jar MQProducerSSL
got exception MQJE001: Completion Code '2', Reason '2400'

With -Dcom.ibm.mq.cfg.useIBMCipherMappings=false:
/apps/hostlink/java/jdk1.7.0_21/jdk1.7.0_21/bin/java -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=true -classpath .:/opt/mqm/java/lib/com.ibm.mq.jmqi.jar:/opt/mqm/java/lib/com.ibm.mq.jar MQProducerSSL
got exception MQJE001: Completion Code '2', Reason '2393'

com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2393'.
 at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:232)
 at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:553)
 at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:593)
 at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:96)
 at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:198)
 at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:893)
 at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:780)
 at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:729)
 at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:177)
 at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:674)
 at MQProducerSSL.main(MQProducerSSL.java:89)
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9204: Connection to host 'localhost(2017)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.createSocket,5=default]],3=localhost(2017),5=RemoteTCPConnection.makeSocketSecure]

Updated (2017/01/31 B) with additional questions:
MQEnvironment.sslFipsRequired = false;
MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256";
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
/apps/hostlink/java/jdk1.7.0_21/jdk1.7.0_21/bin/java -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -classpath .:/opt/mqm/java/lib/com.ibm.mq.jmqi.jar:/opt/mqm/java/lib/com.ibm.mq.jar MQProducerSSL
MQJE001: Completion Code '2', Reason '2397'.
MQJE001: Completion Code '2', Reason '2397'.
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'.
 at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:232)
 at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:553)
 at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:593)
 at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:96)
 at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:198)
 at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:893)
 at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:780)
 at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:729)
 at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:177)
 at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:674)
 at MQProducerSSL.main(MQProducerSSL.java:89)

Worked below with TLSv1:
----Spec----  TLS_RSA_WITH_DES_CBC_SHA
---Suite----  SSL_RSA_WITH_DES_CBC_SHA
TLSv1  TRUE

Not working when the parameters below are given; throwing **MQJE001: Completion Code '2', Reason '2400'**:
-Dcom.ibm.mq.cfg.useIBMCipherMappings=false
-Dcom.ibm.mq.cfg.preferTLS=true

Doubt on TLSv1: if TLSv1 works without the above parameters, why is -Dcom.ibm.mq.cfg.preferTLS=true needed for TLSv2? Even with IBM-JDK 7.1, TLSv2 is not working; what could be the issue? Need to try with MQ8?
Updated (2017/02/01) with additional questions:
Complete exception in console:
MQJE001: Completion Code '2', Reason '2397'.
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'.
 at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:232)
 at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:553)
 at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:593)
 at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:96)
 at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:198)
 at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:893)
 at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:780)
 at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:729)
 at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:177)
 at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:674)
 at MQProducerSSL.main(MQProducerSSL.java:89)
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 'localhost(2017)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Error signing certificate verify],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.startHandshake,5=default]],3=localhost(2017),5=RemoteTCPConnection.protocolConnect]
 at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2098)
 at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1347)
 at com.ibm.mq.MQSESSION.MQCONNX_j(MQSESSION.java:924)
 at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:221)
 ... 10 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Error signing certificate verify],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.startHandshake,5=default]
 at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1310)
 at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:714)
 at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:356)
 at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:265)
 at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:144)
 at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1709)
 ... 13 more
Caused by: javax.net.ssl.SSLHandshakeException: Error signing certificate verify
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
 at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:987)
 at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:285)
 at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
 at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
 at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
 at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
 at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1280)
 at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1273)
 at java.security.AccessController.doPrivileged(Native Method)
 at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1271)
 ... 18 more
Caused by: java.security.NoSuchAlgorithmException: SHA224withRSA Signature not available
 at java.security.Signature.getInstance(Signature.java:224)
 at sun.security.ssl.JsseJce.getSignature(JsseJce.java:241)
 at sun.security.ssl.HandshakeMessage$CertificateVerify.<init>(HandshakeMessage.java:1552)
 at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:982)
 ... 29 more

From AMQERR01.LOG:
----- amqrmrsa.c : 930 --------------------------------------------------------
01/31/2017 08:45:00 PM - Process(14444.328) User(mqm) Program(amqrmppa)
                         Host(testvm) Installation(Installation1)
                         VRMF(7.1.0.7) QMgr(TLSTEST.QM)
AMQ9665: SSL connection closed by remote end of channel '????'.
EXPLANATION: The SSL or TLS connection was closed by the remote host 'localhost(127.0.0.1)' during the secure socket handshake. The channel is '????'; in some cases its name cannot be determined and so is shown as '????'. The channel did not start.
ACTION: Check the remote end of the channel for SSL and TLS errors. Fix them and restart the channel.
----- amqccisa.c : 6478 -------------------------------------------------------
01/31/2017 08:45:00 PM - Process(14444.328) User(mqm) Program(amqrmppa)
                         Host(testvm) Installation(Installation1)
                         VRMF(7.1.0.7) QMgr(TLSTEST.QM)
AMQ9492: The TCP/IP responder program encountered an error.
EXPLANATION: The responder program was started but detected an error. The host name is 'localhost(127.0.0.1)'; in some cases the host name cannot be determined and so is shown as '????'.
ACTION: Look at the previous error messages in the error files to determine the error encountered by the responder program.
----- amqrmrsa.c : 930 --------------------------------------------------------

Removed the old jars from the classpath, but still the same exception. The lines below from the console output are printed as the algorithm:
Matching alias: ibmwebspheremqtlstest.qm
*** Certificate chain
chain [0] = [
[
  Version: V3
  Signature Algorithm: SHA1withRSA,

On the client side I am passing the key.jks file, which was created at the MQ level using 'runmqckm'. Is it required to create it with a different algorithm for TLSv2?

TLSv2 using JDK8 and ibm/java-x86_64-71:
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
**Oracle JDK8**
MQEnvironment.sslFipsRequired = false;
MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256";
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
**IBM-JDK 7.1**
MQEnvironment.sslFipsRequired = false;
MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_NULL_SHA256";
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_NULL_SHA256)

But the question is how to handle any TLSv2 cipher with a lower version of Oracle Java rather than 8?
To resolve / work around the issue, I will try these one by one:
1) Use the IBM JVM
2) Test with Oracle Java v8
3) Try MQ v8
4) Set SSLCAUTH=OPTIONAL and other options that do not require a client certificate.

Trying with JDK8 and MQ8
Now trying to install JDK8 + MQ8 (MQServer8 and MQSeriesGSKit-8.0.0-4.x86_64), but now getting an issue creating the certificate with the runmqckm command:
export LD_LIBRARY_PATH=/opt/mqm/gskit8/lib64
export PATH=$PATH:/opt/mqm/gskit8/bin
runmqckm
bash: runmqckm: command not found
Partially working with runmqakm, but unable to create a jks file, as below:
runmqakm -keydb -create -db /var/mqm/qmgrs/TLSTEST!QM/ssl/key.jks -pw password -type jks
CTGSK3017W The database type jks is not recognized.
Resolved: no need to set the paths below
export LD_LIBRARY_PATH=/opt/mqm/gskit8/lib64
export PATH=$PATH:/opt/mqm/gskit8/bin
New question about the TLSv2 CipherSuite: TLSv2 with a JDK8 cipher suite with MQ8?

Solution

IBM MQ Fix Pack 7.1.0.7, released on 19 November 2015, includes the following APAR:
IV73396: DEPRECATE SSLV3 CIPHERSPECS IN WEBSPHERE MQ V7 QUEUE MANAGERS
Problem description:
After applying this change, any queue manager created will prohibit the use of any of the following CipherSpecs on the channel definitions associated with the queue manager:
AES_SHA_US RC4_SHA_US RC4_MD5_US TRIPLE_DES_SHA_US DES_SHA_EXPORT1024 RC4_56_SHA_EXPORT1024 RC4_MD5_EXPORT RC2_MD5_EXPORT DES_SHA_EXPORT NULL_SHA NULL_MD5 FIPS_WITH_DES_CBC_SHA FIPS_WITH_3DES_EDE_CBC_SHA
Attempting to use or configure one of these CipherSpecs will result in one or more of the following messages in the queue manager error log: AMQ8242, AMQ9616, AMQ9635.

This is because SSLv3 was formally deprecated by the IETF with the approval and release of RFC 7568 in June 2015:

Introduction
The SSLv3 protocol [RFC6101] has been subject to a long series of attacks since its release in 1996, both on its key exchange mechanism and on the encryption schemes it supports. Despite being replaced by TLS 1.0 [RFC2246] in 1999, and subsequently by TLS 1.1 in 2002 [RFC4346] and 1.2 in 2006 [RFC5246], availability of these replacement versions has not been universal. As a result, many TLS implementations allow the negotiation of SSLv3. SSL version 2 [RFC6176], the predecessor of SSLv3, is no longer considered sufficiently secure. SSLv3 now follows.

There is a very good IBM developerWorks blog post, "Deprecation of SSL and TLS CipherSpecs for MQ products", by Miguel A.
Rodriguez, posted on 19 May 2016, which details the ciphers deprecated in the various fix packs.

I would suggest that you find a supported TLSv1.2 cipher that is compatible with both the Java client and the IBM MQ SVRCONN channel. Because SSLv3 is deprecated, there have been many updates opening up more TLS ciphers to Java clients using either an IBM or a non-IBM JRE. A good reference on the changes IBM made to cipher support for Java clients is "MQ Java, TLS Ciphers, Non-IBM JREs & APARs IT06775, IV66840, IT09423, IT10837 - HELP ME PLEASE!" by Tom Leend, posted on 9 June 2016.

The reason you have no problem with IBM MQ v6.0.2.12 is that that version has been out of support for over four years (since 30 September 2012); IBM does not release security updates for End of Service versions as it does for supported versions.

I would suggest you move to a supported version of IBM MQ. When considering which version to upgrade to, note that two of the currently supported versions will go out of support within the next 16 months:
MQ v7.1 goes out of support in less than four months, on 30 April 2017.
MQ v7.5 goes out of support on 30 April 2018.
MQ v8.0 and v9.0 currently have no announced end of support date.

The IBM developerWorks blog post "MQ Java, TLS Ciphers, Non-IBM JREs & APARs IT06775, IV66840, IT09423, IT10837 - HELP ME PLEASE!" states that APAR IV66840 added the useIBMCipherMappings setting, included in 7.1.0.7, which should allow TLSv1.2 CipherSpecs to be used with an Oracle JRE. APAR IV66840 has the following information in a table:
The following WebSphere MQ CipherSuite to CipherSpec mappings have been enabled by this APAR for WebSphere MQ v7.1 and v7.5, where the classes for Java and the classes for JMS support SHA-2:
Oracle CipherSuite                IBM MQ CipherSpec
TLS_RSA_WITH_NULL_SHA256          TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256   TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256   TLS_RSA_WITH_AES_256_CBC_SHA256

If you compare these with the v7.1 Knowledge Center page "Specifying CipherSpecs", you will find that all three are TLSv1.2 CipherSpecs. Comparing with the IBM JRE CipherSuite names, the v7.1 Knowledge Center page "SSL CipherSpecs and CipherSuites in WebSphere MQ classes for Java" lists similar mappings:
IBM CipherSuite                   IBM MQ CipherSpec
SSL_RSA_WITH_NULL_SHA256          TLS_RSA_WITH_NULL_SHA256
SSL_RSA_WITH_AES_256_CBC_SHA      TLS_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA256   TLS_RSA_WITH_AES_256_CBC_SHA256

UPDATE (2017/01/27) to address further questions
The MQ CipherSpec TLS_RSA_WITH_RC4_128_SHA256 is not one of those listed in APAR IV66840 as enabled for non-IBM JREs under MQ v7.1; it is only listed under v8.0. Above I listed the three TLSv1.2 CipherSpecs that were added to MQ v7.1. I would suggest you try TLS_RSA_WITH_AES_256_CBC_SHA256 as the CipherSpec on the MQ channel and TLS_RSA_WITH_AES_256_CBC_SHA256 as the Java CipherSuite.
The settings below should work with my suggested CipherSpec/CipherSuite; please note that I changed it from TLSv1 to TLSv1.2:
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
-Dcom.ibm.mq.cfg.preferTLS=true
-Dcom.ibm.mq.cfg.useIBMCipherMappings=false

UPDATE (2017/01/30) to try and address further questions
In your question you mention these jar files in your classpath:
/tmp/mqssl/com.ibm.mq.jmqi.jar:/tmp/mqssl/com.ibm.mq.jar
Will you please confirm which version of the IBM MQ product each of these is from? You can do this on Linux with the unzip utility:
unzip -p com.ibm.mq.jar META-INF/MANIFEST.MF | grep Implementation-Version
Output will be:
Implementation-Version: x.x.x.x - pxxx-xxx-YYMMDD

UPDATE (2017/01/31) to address further questions
APAR IV66840, which includes the -Dcom.ibm.mq.cfg.useIBMCipherMappings=false setting, is not included in MQ until v7.1.0.7, the version you stated is being used. Based on the output you provided, the jar files you are referencing are from a v7.1.0.1 install, which does not include support for TLS on non-IBM JREs such as the Oracle JRE.
You also note that the jar files are in /tmp/mqssl. Please note that prior to v8 of MQ, IBM does not support copying the jar files outside of the default location where they are installed. The IBM Technote "Supported way to install WebSphere MQ Java jar files, JMS jar files, or C/C++ libraries" states:
+++ Section 1: MQ 7.x
The only supported way to get the MQ jar files or the MQ C/C++ library files onto a system is to install either the WebSphere MQ product or the WebSphere MQ Client SupportPacs. To legally download and use a client you must first accept the terms and conditions specified in the License Agreement.
Do not copy the WebSphere MQ jar files to application EAR or WAR files.
Do not copy the WebSphere MQ jar or MQ C/C++ library files from other machines: Fix Packs cannot be applied to an "installation" where jar or C/C++ library files have been copied from another machine, and this makes it much more difficult to ensure that all of these jar/library files are kept in step with each other and are at compatible levels. Copying jar/library files between machines can also result in multiple copies of the files residing on the same machine, which can cause problems servicing the code and debugging problems.

If your application is on the same server as the MQ v7.1.0.7 queue manager, then you can just reference the jar files that are in the directory /opt/mqm/java/lib. If your application is not on the same server and you plan to stay with v7.1 or go with v7.5, I would recommend installing the latest full client install; see my note above with suggestions on versions based on when they reach End of Service.
If you decide to go with v8 or v9, the IBM Technote "Supported way to install WebSphere MQ Java jar files, JMS jar files, or C/C++ libraries" also states:
b) Starting with MQ 8.0.0.4, you can use Redistributable files:
Installation scenarios for MQ 8.0 and 9.0 in Linux and Windows - Chapter 8: You need to redistribute MQ runtime libraries with your application.
How to download the MQ 8.0.0.4+ and MQ 9.0.0.x redistributable client images for Linux x86-64 and Windows 64-bit
Bitesize Blogging: MQ 8.0.0.4 Redistributable Clients
What this means is that with v8.0.0.4 and higher you can download an MQ JMS and Java only redistributable client. The MQ JMS and Java only redistributable client packages are available from Fix Central.

UPDATE (2017/01/31 A) to address further questions
After searching on the error you are receiving, I found this dW Answers post: "Why do I get AMQ9771, 2393 SSL Initialization error from a MQ Java/JMS application when trying to use an TLS AES 256 cipher?". It states the following:
In this case, the issue is caused by attempting to use AES 256 strong cipher algorithms. Most Java JREs, including Oracle/Sun and IBM's, have Import Limits on Cryptographic Algorithms enabled. This limits the maximum key sizes and also some algorithms. When trying to use an AES 256 cipher, such as ECDHE_RSA_AES_256_CBC_SHA384 or TLS_RSA_WITH_AES_256_CBC_SHA256, with an MQ Java/JMS application, you need to ensure your JRE supports this cipher. In most cases, when the stronger cipher algorithms are needed, such as AES 256 ciphers, the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE. This is noted in the JDK/JRE documentation:
For Oracle 1.7: http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
The link above to the Oracle site states:
If stronger algorithms are needed (for example, AES with 256-bit keys), the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE. It is the user's responsibility to verify that this action is permissible under local regulations.
I would suggest that you either use the lower CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA256, or follow the advice above to obtain and install the JCE Unlimited Strength Jurisdiction Policy Files.

UPDATE (2017/02/01) to address further questions
The error that caught my eye was:
Caused by: java.security.NoSuchAlgorithmException: SHA224withRSA Signature not available
I searched on Google for this and found the following dW Answers post, "How to resolve issue with MQ v7.x Java client getting SSL error NoSuchAlgorithmException: SHA224withRSA Signature not available?", which states the following:
Assuming using Oracle JVM: We have found that the root cause of the issue is the signature algorithm SHA224withRSA is not supported by Oracle JRE 1.7; see the signature algorithms available:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
In the above link the table of interest is under "The SunRsaSign Provider", which lists the following supported signature algorithms:
MD2withRSA
MD5withRSA
SHA1withRSA
SHA256withRSA
SHA384withRSA
SHA512withRSA
Note that SHA224withRSA is not on the list.
The same dW Answers post goes on to state:
This signature algorithm is available in the IBM JVM and also in Oracle JVM 1.8.
https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
In the above link the table of interest is under "The SunRsaSign Provider", which lists the following supported signature algorithms:
MD2withRSA
MD5withRSA
SHA1withRSA
SHA224withRSA
SHA256withRSA
SHA384withRSA
SHA512withRSA
Note that SHA224withRSA is on the list.
Recommendations from the dW post:
Try with Oracle Java 8 (1.8)
Try with IBM Java

UPDATE (2017/02/01 B) to address further questions
Taking into account all of the information gathered through the troubleshooting above, the answer is that it is not possible to use a TLSv1.2 cipher with Oracle Java older than 8 using the MQ v7.1.0.7 MQ Java client. Based on the last dW Answers post I provided, IBM suggested trying with MQ v8, but I do not think they tested this configuration, so it may also not work. If you do want to try with MQ v8, I would suggest you go with the latest v8.0.0.5 Java only redistributable client packages, for which I provided links already.
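The following Java class is an added example, not code from the question, the answer or IBM; run on the client JRE, it performs the checks behind each failure in the thread: the jar's Implementation-Version (useIBMCipherMappings=false needs 7.1.0.7, per APAR IV66840), the JCE key-length limit behind the AES-256 "Cannot support ... with currently installed providers" error (Reason 2393), SHA224withRSA availability behind "Error signing certificate verify" (Reason 2397), and which of the MQ v7.1 TLSv1.2 CipherSuites the JRE can actually offer (Reason 2400). The default jar path is an assumption taken from the answer's /opt/mqm/java/lib location.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

/**
 * Client-side preflight for an MQ Java application that must negotiate a TLSv1.2
 * CipherSpec with an MQ v7.1.0.7 SVRCONN channel from a non-IBM JRE (Java 7 syntax).
 */
public class MqTlsPreflight {

    // Oracle/Sun JSSE CipherSuite names that APAR IV66840 maps onto MQ v7.1 CipherSpecs
    // of the same name. The third mapped suite, TLS_RSA_WITH_NULL_SHA256, is left out
    // on purpose: it authenticates the channel but does not encrypt it.
    static final String[] MQ71_TLS12_SUITES = {
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA256"
    };

    // Reason 2393 / "Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed
    // providers": without the JCE Unlimited Strength policy files AES is capped at 128 bits.
    static boolean aes256Allowed() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    // Reason 2397 / "Error signing certificate verify": the CertificateVerify signature
    // algorithm must exist in the client JRE; SHA224withRSA is absent on Oracle JRE 1.7.
    static boolean signatureAvailable(String algorithm) {
        try {
            Signature.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    // Reason 2400 / MQRC_UNSUPPORTED_CIPHER_SUITE: only suites the JSSE provider supports for
    // TLSv1.2 can be set in MQEnvironment.sslCipherSuite when useIBMCipherMappings=false.
    static Set<String> usableMqSuites() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key/trust managers suffice to list suites
        Set<String> supported = new TreeSet<String>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> usable = new TreeSet<String>();
        for (String suite : MQ71_TLS12_SUITES) {
            if (supported.contains(suite)) {
                usable.add(suite);
            }
        }
        return usable;
    }

    // Implementation-Version from the jar's MANIFEST.MF (what the answer reads with unzip -p).
    static String jarImplementationVersion(String jarPath) throws IOException {
        JarFile jar = new JarFile(jarPath);
        try {
            Manifest mf = jar.getManifest();
            return mf == null ? null : mf.getMainAttributes().getValue("Implementation-Version");
        } finally {
            jar.close();
        }
    }

    // useIBMCipherMappings=false (APAR IV66840) only exists from 7.1.0.7 on; a 7.1.0.1 jar
    // silently lacks it. Accepts the manifest form "7.1.0.1 - k710-001-120424".
    static boolean atLeast7107(String implVersion) {
        if (implVersion == null) return false;
        String[] parts = implVersion.trim().split("\\s+")[0].split("\\.");
        int[] min = {7, 1, 0, 7};
        try {
            for (int i = 0; i < min.length; i++) {
                int v = i < parts.length ? Integer.parseInt(parts[i]) : 0;
                if (v != min[i]) return v > min[i];
            }
            return true;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed default: the server-side install location named in the answer.
        String jar = args.length > 0 ? args[0] : "/opt/mqm/java/lib/com.ibm.mq.jar";
        String version = jarImplementationVersion(jar);
        System.out.println("JRE: " + System.getProperty("java.vendor") + " " + System.getProperty("java.version"));
        System.out.println("com.ibm.mq.jar Implementation-Version: " + version
            + (atLeast7107(version) ? " (includes APAR IV66840)" : " (too old for useIBMCipherMappings=false)"));
        System.out.println("AES-256 permitted by JCE policy: " + aes256Allowed());
        System.out.println("SHA224withRSA signature available: " + signatureAvailable("SHA224withRSA"));
        System.out.println("MQ v7.1 TLSv1.2 suites this JRE can offer: " + usableMqSuites());
    }
}
```

A false from any of the last three lines maps directly onto one of the MQJE001 reason codes in the thread before a single connection is attempted.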
13 moreCaused by: javax.net.ssl.SSLHandshakeException: Error signing certificate verify at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276) at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:987) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:285) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868) at sun.security.ssl.Handshaker.process_record(Handshaker.java:804) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1280) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1273) at java.security.AccessController.doPrivileged(Native Method) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1271) ... 18 moreCaused by: java.security.NoSuchAlgorithmException: SHA224withRSA Signature not available at java.security.Signature.getInstance(Signature.java:224) at sun.security.ssl.JsseJce.getSignature(JsseJce.java:241) at sun.security.ssl.HandshakeMessage$CertificateVerify.<init>(HandshakeMessage.java:1552) at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:982) ... 
29 morefrom AMQERR01.LOG----- amqrmrsa.c : 930 --------------------------------------------------------01/31/2017 08:45:00 PM - Process(14444.328) User(mqm) Program(amqrmppa) Host(testvm) Installation(Installation1) VRMF(7.1.0.7) QMgr(TLSTEST.QM)AMQ9665: SSL connection closed by remote end of channel '????'.EXPLANATION:The SSL or TLS connection was closed by the remote host 'localhost (127.0.0.1)'during the secure socket handshake. The channel is '????'; in some cases itsname cannot be determined and so is shown as '????'. The channel did not start.ACTION:Check the remote end of the channel for SSL and TLS errors. Fix them andrestart the channel.----- amqccisa.c : 6478 -------------------------------------------------------01/31/2017 08:45:00 PM - Process(14444.328) User(mqm) Program(amqrmppa) Host(testvm) Installation(Installation1) VRMF(7.1.0.7) QMgr(TLSTEST.QM)AMQ9492: The TCP/IP responder program encountered an error.EXPLANATION:The responder program was started but detected an error.The host name was 'localhost (127.0.0.1)'; in some cases the host name cannotbe determined and so is shown as '????'.ACTION:Look at previous error messages in the error files to determine the errorencountered by the responder program.----- amqrmrsa.c : 930 --------------------------------------------------------removed old jars from classpath , but still same exceptionConsole Output have below lines printed for Algorithmmatching alias: ibmwebspheremqtlstest.qm*** Certificate chainchain [0] = [[ Version: V3 Signature Algorithm: SHA1withRSA,In client , passing key.jks file , which is created at MQ level with 'runmqckm'whether need to specify different Algorithm on creation for TLSv2 ? 
TLSV2 WORKED WITH JDK8 and ibm/java-x86_64-71SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); **Oracle JDK8** MQEnvironment.sslFipsRequired = false; MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256"; ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) **IBM-JDK 7.1** MQEnvironment.sslFipsRequired = false; MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_NULL_SHA256"; ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_NULL_SHA256)But question on how to work any TLSv2 cipher with lesser version of Oracle java than 8?To resolve/work-around the issue:will try one by one1) use the IBM JVM2) test with Oracle Java v83) Try MQ v84) other option to set SSLCAUTH=OPTIONAL and not require client side certificate. Trying with JDK8 and MQ8Now Trying to do the same with JDK8 + MQ8 , MQServer8 and MQSeriesGSKit-8.0.0-4.x86_64 installed , but now issue with creating certificate with runmqckm commandexport LD_LIBRARY_PATH=/opt/mqm/gskit8/lib64export PATH=$PATH:/opt/mqm/gskit8/binrunmqckmbash: runmqckm: command not foundpartially Worked with runmqakmBut failed to create jks files as belowrunmqakm -keydb -create -db /var/mqm/qmgrs/TLSTEST!QM/ssl/key.jks -pw password -type jksCTGSK3017W The database type "jks" is not recognized.ResolvedNo Need to set below pathexport LD_LIBRARY_PATH=/opt/mqm/gskit8/lib64export PATH=$PATH:/opt/mqm/gskit8/bin New Question on TLSv2 CiphersuiteTLSv2 with JDk8 Ciphersuites with MQ8? 
Solution

IBM MQ Fix Pack 7.1.0.7 released November 19th 2015 includes the following APAR:

IV73396: DEPRECATION OF SSLV3 CIPHERSPECS IN WEBSPHERE MQ V7 QUEUE MANAGERS

> PROBLEM DESCRIPTION:
> Once this change is applied, any queue managers created will disallow the use of the following CipherSpecs on channel definitions associated with the queue manager:
>
>     AES_SHA_US
>     RC4_SHA_US
>     RC4_MD5_US
>     TRIPLE_DES_SHA_US
>     DES_SHA_EXPORT1024
>     RC4_56_SHA_EXPORT1024
>     RC4_MD5_EXPORT
>     RC2_MD5_EXPORT
>     DES_SHA_EXPORT
>     NULL_SHA
>     NULL_MD5
>     FIPS_WITH_DES_CBC_SHA
>     FIPS_WITH_3DES_EDE_CBC_SHA
>
> Attempting to use or configure one of these CipherSpecs will result in one or more of the following messages in the queue manager error log: AMQ8242, AMQ9616, AMQ9635.

This was a result of SSLv3 being formally deprecated in June 2015 as a result of the IETF approving and publishing RFC7568:

> Introduction
>
> Since it was released in 1996, the SSLv3 protocol [RFC6101] has been subject to a long series of attacks, both on its key exchange mechanism and on the encryption schemes it supports. Despite being replaced by TLS 1.0 [RFC2246] in 1999, and subsequently TLS 1.1 in 2002 [RFC4346] and 1.2 in 2006 [RFC5246], availability of these replacement versions has not been universal. As a result, many implementations of TLS have permitted the negotiation of SSLv3.
>
> The predecessor of SSLv3, SSL version 2, is no longer considered sufficiently secure [RFC6176]. SSLv3 now follows.

There is a very good IBM developerWorks blog post "SSL and TLS Cipher Specification Deprecations for the MQ Product" posted May 19 2016 by Miguel A. Rodriguez that goes into detail about which ciphers are deprecated in various Fix Packs.

I would recommend that you find a supported TLSv1.2 cipher to use that is compatible with both the Java client and the IBM MQ SVRCONN channel.

There were many updates as a result of SSLv3 being deprecated which opened up more TLS ciphers to Java clients using either IBM or Non-IBM JREs.

A good write up about the changes IBM made to the Java client cipher support is the IBM developerWorks blog post "MQ Java, TLS Ciphers, Non-IBM JREs & APARs IT06775, IV66840, IT09423, IT10837 -- HELP ME PLEASE!" posted on June 9th 2016 by Tom Leend.

The reason you do not have a problem with IBM MQ v6.0.2.12 is because that version has been out of support for over four years (since September 30th 2012) and IBM would not release any security updates for an End of Service version like it does for supported versions.

I would recommend that you move to a supported version of IBM MQ. When considering which version to upgrade to, note that two of the currently supported versions will be going out of support over the next 16 months:

- MQ v7.1 goes out of support in less than four months on April 30th 2017.
- MQ v7.5 goes out of support on April 30th 2018.
- MQ v8.0 and v9.0 do not have currently announced end of support dates.

The IBM developerWorks blog post "MQ Java, TLS Ciphers, Non-IBM JREs & APARs IT06775, IV66840, IT09423, IT10837 -- HELP ME PLEASE!" states that APAR IV66840, which added the useIBMCipherMappings setting, is included in 7.1.0.7 and this should allow the use of TLSv1.2 CipherSpecs with an Oracle JRE.

The table in the APAR IV66840 has this information:

> The following WebSphere MQ CipherSuite to CipherSpec mappings have been enabled by this APAR for WebSphere MQ v7.1 and v7.5 where the classes for Java and classes for JMS support SHA-2:
>
>     Oracle CipherSuite                 IBM MQ CipherSpec
>     TLS_RSA_WITH_NULL_SHA256           TLS_RSA_WITH_NULL_SHA256
>     TLS_RSA_WITH_AES_128_CBC_SHA256    TLS_RSA_WITH_AES_128_CBC_SHA256
>     TLS_RSA_WITH_AES_256_CBC_SHA256    TLS_RSA_WITH_AES_256_CBC_SHA256

If you compare that to the v7.1 Knowledge Center page "Specifying CipherSpecs", you find that all three of those are TLSv1.2 CipherSpecs.

For comparison with the IBM JRE CipherSuite name, the v7.1 Knowledge Center page "SSL CipherSpecs and CipherSuites in WebSphere MQ classes for Java" lists a similar mapping:

    IBM CipherSuite                    IBM MQ CipherSpec
    SSL_RSA_WITH_NULL_SHA256           TLS_RSA_WITH_NULL_SHA256
    SSL_RSA_WITH_AES_256_CBC_SHA       TLS_RSA_WITH_AES_256_CBC_SHA
    SSL_RSA_WITH_AES_256_CBC_SHA256    TLS_RSA_WITH_AES_256_CBC_SHA256

UPDATE (2017/01/27) to address further questions

The MQ CipherSpec TLS_RSA_WITH_RC4_128_SHA256 is not one of those listed in APAR IV66840 as having been enabled for non-IBM JREs under MQ v7.1; it is only listed under v8.0.

Above I listed the three TLSv1.2 CipherSpecs that were added to MQ v7.1. I would suggest you try TLS_RSA_WITH_AES_256_CBC_SHA256 as the CipherSpec on the MQ channel and TLS_RSA_WITH_AES_256_CBC_SHA256 as the Java CipherSuite.

The settings below should work with my suggested CipherSpec/CipherSuite; please note that I changed it from TLSv1 to TLSv1.2:

    SSLContext sslContext = SSLContext.getInstance("TLSv1.2");

    -Dcom.ibm.mq.cfg.preferTLS=true
    -Dcom.ibm.mq.cfg.useIBMCipherMappings=false

UPDATE (2017/01/30) to try and address further questions

In your question you mention these jar files in your classpath:

    /tmp/mqssl/com.ibm.mq.jmqi.jar:/tmp/mqssl/com.ibm.mq.jar

Will you please confirm which version of the IBM MQ product each of these is from? You can do this on Linux with the unzip utility:

    unzip -p com.ibm.mq.jar META-INF/MANIFEST.MF|grep Implementation-Version

Output will be:

    Implementation-Version: x.x.x.x - pxxx-xxx-YYMMDD

UPDATE (2017/01/31) to address further questions

APAR IV66840, which includes the -Dcom.ibm.mq.cfg.useIBMCipherMappings=false setting, is not included in MQ until v7.1.0.7, which is the version you stated is being used.

Based on the output you provided, the jar files you are referencing are from a v7.1.0.1 install, which does not include support for TLS on non-IBM JREs such as the Oracle JRE.

You also note that the jar files are in /tmp/mqssl; please note that prior to v8 of MQ, IBM does not support copying the jar files outside of the default location where they are installed.

IBM Technote "Supported way to install WebSphere MQ Java jar files, JMS jar files, or C/C++ libraries" states:

> +++ Section 1: MQ 7.x
>
> The only supported way to get the MQ jar files or the MQ C/C++ library files onto a system is to install either: the WebSphere MQ product or the WebSphere MQ Client SupportPacs. To legally download and use a client you must first accept the terms and conditions specified in the License Agreement.
>
> Do not copy the WebSphere MQ jar files to application EAR or WAR files.
>
> Do not copy the WebSphere MQ jar or MQ C/C++ library files from other machines: Fix Packs cannot be applied to an "installation" where jar or C/C++ library files have been copied from another machine, and this makes it much more difficult to ensure that all of these jar/library files are kept in step with each other, and are at compatible levels. Copying jar/library files between machines can also result in multiple copies of the files residing on the same machine, which can cause problems servicing the code and debugging problems.

If your application is on the same server as the MQ v7.1.0.7 Queue Manager then you can just reference the jar files that are in the directory /opt/mqm/java/lib.

If your application is not on the same server and you plan to stay with v7.1 or go with v7.5, I would recommend installing the latest full client install; see my note above on suggestions for versions based on when they are End of Service.

If you decide to go with v8 or v9, IBM Technote "Supported way to install WebSphere MQ Java jar files, JMS jar files, or C/C++ libraries" also states:

> b) Starting with MQ 8.0.0.4, you can use Redistributable files:
>
> Installation scenarios for MQ 8.0 and 9.0 in Linux and Windows - Chapter 8: You need to redistribute MQ runtime libraries with your application.
>
> How to download the MQ 8.0.0.4+ and MQ 9.0.0.x redistributable client images for Linux x86-64 and Windows 64-bit
>
> Bitesize Blogging: MQ 8.0.0.4 Redistributable Clients

What this means is that with v8.0.0.4 and higher you can download a MQ JMS and Java only redistributable client.

The MQ JMS and Java only redistributable client packages are available from Fix Central.

UPDATE (2017/01/31 A) to address further questions

After searching on the error you are receiving I found this dW Answers post "Why do I get AMQ9771, 2393 SSL Initialization error from a MQ Java/JMS application when trying to use an TLS AES 256 cipher?". It states the following:

> In this case, the issue is caused by attempting to use AES 256 strong cipher algorithms. Most Java JREs, including Oracle/Sun and IBM's have Import Limits on Cryptographic Algorithms enabled. This limits the maximum key sizes and also some algorithms. When trying to use a AES 256 cipher, such as ECDHE_RSA_AES_256_CBC_SHA384 or TLS_RSA_WITH_AES_256_CBC_SHA256 with a MQ Java/JMS application, you need to ensure your JRE supports this cipher. In most cases, when the stronger cipher algorithms are needed, such as AES 256 ciphers, the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE. This is noted in the JDK/JRE documentation:
>
> For Oracle 1.7: http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

The link above to the Oracle site states:

> If stronger algorithms are needed (for example, AES with 256-bit keys), the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE. It is the user's responsibility to verify that this action is permissible under local regulations.

I would suggest that you either use the lower CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA256, or follow the advice above to obtain and install the JCE Unlimited Strength Jurisdiction Policy Files.

UPDATE (2017/02/01) to address further questions

The error that caught my eye was:

    Caused by: java.security.NoSuchAlgorithmException: SHA224withRSA Signature not available

I searched on Google for this and found the following dW Answers post "How to resolve issue with MQ v7.x Java client getting SSL error NoSuchAlgorithmException: SHA224withRSA Signature not available?" which states the following:

> Assuming using Oracle JVM: We have found that the root cause of the issue is the signature algorithm SHA224withRSA is not supported by Oracle JRE 1.7, see signature algorithms available: https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

In the above link the table of interest is under "The SunRsaSign Provider", which lists the following supported signature algorithms:

    MD2withRSA
    MD5withRSA
    SHA1withRSA
    SHA256withRSA
    SHA384withRSA
    SHA512withRSA

Note that SHA224withRSA is not on the list.

The same dW Answers post goes on to state:

> This signature algorithm is available in the IBM JVM and also in Oracle JVM 1.8. https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html

In the above link the table of interest is under "The SunRsaSign Provider", which lists the following supported signature algorithms:

    MD2withRSA
    MD5withRSA
    SHA1withRSA
    SHA224withRSA
    SHA256withRSA
    SHA384withRSA
    SHA512withRSA

Note that SHA224withRSA is on the list.

Recommendations from the dW post:

- Try with Oracle Java 8 (1.8)
- Try with IBM Java

UPDATE (2017/02/01 B) to address further questions

Taking into account all of the information gathered through the troubleshooting above, the answer is that it is not possible to use a TLSv1.2 cipher with an Oracle Java less than 8 using the MQ v7.1.0.7 MQ Java client.

Based on the last dW Answers post I provided, IBM suggested trying with MQ v8, but I do not think they tested this configuration, so it may also not work.

If you do want to try with MQ v8 I would suggest you go with the latest v8.0.0.5 Java only redistributable client packages, for which I already provided links.