Problem description
I am trying to get an existing Java application to connect to WebSphere MQ 8. This has worked in the past with other versions of Java and WMQ, but with Java 8 and WMQ8, this doesn't want to work. I am getting:
handling exception: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
SEND TLSv1.2 ALERT: fatal, description = handshake_failure
WRITE: TLSv1.2 Alert, length = 2
called closeSocket()
Exception in thread "main" com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'.
I just can't see why this is occurring. I have set the various javax.net.ssl parameters. I use appropriate SSL_TRUSTSTORE & KEYSTORE that I have created. Have a SSL_CIPHERSUITE.
I have tried (almost) all of the documented CipherSuites that WMQ supports; I am working my way through the entire list, with settings and environment like this:
- JAVA SSL_CIPHERSUITE = SSL_RSA_WITH_AES_256_CBC_SHA
- WMQ channel SSL_CIPHERSUITE = TLS_RSA_WITH_AES_256_CBC_SHA
- MQ Client 7.0.0.1 - I have tried switching to MQ Client 8, with no improvement
- IBM WebSphere MQ, Version: 8.0.0.5
- Nothing in AMQERR01.log corresponding to the client error
- Oracle Java 8 (Java SE Runtime Environment (build 1.8.0_60-b27)) - SSLv3 enabled (changed jdk.tls.disabledAlgorithms=RC4, DH keySize < 768)
Other information:
- The customer (bank) is using MQ 7 so I don't have a choice in the matter of which QM they are using. But I have been testing locally with MQ 8 to check if that is part of the issue.
- I've tried: -Dcom.ibm.mq.cfg.useIBMCipherMappings=false
- Using JCE Unlimited Strength Jurisdiction Policy Files from Oracle.
Recommended answer
MQ v7.0 was released June 27th 2008 (Fix Pack 7.0.0.1 was released January 20th 2009) and has been out of support since September 30th 2015 (over 1.5 years). As per my answer below, this version of MQ will not support TLS CipherSuites on an Oracle JRE; while you could update to a later Fix Pack, I would strongly suggest that you move to a supported version of the MQ client. Newer MQ client versions can connect to older MQ queue managers. You can download a Java-only install of MQ 8.0 or MQ 9.0 jar files at the links below:
- IBM MQ v8.0 Client
- IBM MQ v9.0 Client
APAR IV66840 added new functionality to allow users of non-IBM Java runtime environments to make use of TLS CipherSuites.
For v7.0 this is included in Fix Pack 7.0.1.13 (note that Fix Pack 7.0.1.14 was the final for this version).
For 8.0 this is included in Fix Pack 8.0.0.2.
NOTE: This APAR is a client side fix.
To enable this option you would need to do the following:
com.ibm.mq.cfg.useIBMCipherMappings must be set to the value: false
For example, this can be configured by using the JVM argument:
-Dcom.ibm.mq.cfg.useIBMCipherMappings=false
You would then need to specify the CipherSuite as TLS_RSA_WITH_AES_256_CBC_SHA for an Oracle JRE; note that SSL_RSA_WITH_AES_256_CBC_SHA is the IBM JRE CipherSuite name.
After getting past the above you may then run into an AMQ9771, 2393 SSL Initialization error.
dW Answers post "Why do I get AMQ9771, 2393 SSL Initialization error from a MQ Java/JMS application when trying to use an TLS AES 256 cipher?". It states the following:
Most Java JREs, including Oracle/Sun and IBM's, have Import Limits on Cryptographic Algorithms enabled. This limits the maximum key sizes and also some algorithms.
When trying to use an AES 256 cipher, such as ECDHE_RSA_AES_256_CBC_SHA384 or TLS_RSA_WITH_AES_256_CBC_SHA256 with a MQ Java/JMS application, you need to ensure your JRE supports this cipher. In most cases, when the stronger cipher algorithms are needed, such as AES 256 ciphers, the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE.
This is noted in the JDK/JRE documentation: For Oracle 1.7:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
The link above to the Oracle site states:
It is the user's responsibility to verify that this action is permissible under local regulations.
If you do get the 2393, follow the advice above to obtain and install the JCE Unlimited Strength Jurisdiction Policy Files.
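The checks discussed in this answer can be run before starting the MQ client. The following is an added example, not code from the original post or from IBM; the class name MqCipherPreflight is hypothetical, it uses only standard JDK APIs, and it assumes it is started with the same JVM and the same -D arguments as the MQ application:

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

/** Added diagnostic (hypothetical class name): pre-flight checks for an MQ client CipherSuite. */
public class MqCipherPreflight {
    public static void main(String[] args) throws Exception {
        // CipherSuite name as configured in the client; the default is the value from the question.
        String suite = args.length > 0 ? args[0] : "SSL_RSA_WITH_AES_256_CBC_SHA";
        boolean ibmJre = System.getProperty("java.vendor", "").contains("IBM");
        String mappings = System.getProperty("com.ibm.mq.cfg.useIBMCipherMappings");

        System.out.println("JRE: " + System.getProperty("java.vendor") + " "
                + System.getProperty("java.version"));
        System.out.println("useIBMCipherMappings = " + mappings);
        // On a non-IBM JRE the answer requires this property to be "false".
        if (!ibmJre && !"false".equalsIgnoreCase(mappings)) {
            System.out.println("FAIL: non-IBM JRE without -Dcom.ibm.mq.cfg.useIBMCipherMappings=false");
        }

        SSLContext ctx = SSLContext.getDefault();
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        List<String> enabled = Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());

        // If the JRE does not know the SSL_ name but does know the TLS_ one, report the mismatch.
        String alt = suite.startsWith("SSL_") ? "TLS_" + suite.substring(4) : suite;
        if (!supported.contains(suite) && supported.contains(alt)) {
            System.out.println("WARN: this JRE knows the suite as " + alt + ", not " + suite);
            suite = alt;
        }
        System.out.println(suite + ": supported=" + supported.contains(suite)
                + ", enabled by default=" + enabled.contains(suite));
        System.out.println("Enabled protocols: "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // AES 256 suites need the unlimited strength policy; the limited policy caps AES at 128 bits.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        if (suite.contains("AES_256") && maxAes < 256) {
            System.out.println("FAIL: max AES key length is " + maxAes
                    + "; install the JCE Unlimited Strength Jurisdiction Policy Files (2393)");
        }
    }
}
```

A suite reported as unsupported or not enabled by default points at the JRE side (name mapping, jdk.tls.disabledAlgorithms, or policy files) rather than at the queue manager, which matches the empty AMQERR01.log described in the question.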