IBM MQ 8.0 – AMQ9503 Channel negotiation failed

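I am facing a problem connecting to IBM MQ 8.0 from a Java client when SSL is enabled on the client channel (SVRCONN). The flow works fine when SSL is disabled on the channel (SSLAUTH set to OPTIONAL).

The client is Java with JRE 1.7. The MQ server version is IBM MQ 8.0.

Self-signed certificates were created and exchanged correctly, following the MQ setup reference.

The javax.net.debug=ssl option confirms in the log that the certificate exchange and the SSL handshake succeed.

But when the Java client code tries to obtain the MQManager object, an MQ exception is thrown.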

    com.ibm.mq.MQException: MQJE001: Completion code '2', reason '2059'
    ...
    caused by: com.ibm.jmqi.JmqiException: CC=2;RC=2059;AMQ9204: Connection to host '1.2.3.4(1414)' rejected. [1=com.ibm.jmqi.JmqiException[CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=CHANNEL.SVRCONN.SSL]],3=1.2.3.4(1414), 5=RemoteConnection.analyseSegment]
    ...
    caused by: com.ibm.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=CHANNEL.SVRCONN.SSL]

I have configured TLS_RSA_WITH_AES_256_CBC_SHA256 as the cipherspec in both the client and the MQ client channel (SVRCONN).
I tried other ciphers such as TLS_RSA_WITH_AES_128_CBC_SHA, and the error stays the same.


The MQ server error log has:

    AMQ9665: SSL connection closed by remote end of channel '????'
    Explanation: The SSL or TLS connection was closed by the remote host '5.6.7.8' during the secure socket handshake. The channel is '????', in some cases its name can not be determined and so is shown as '????'. The chanel didn't start.
    ACTION: Check the remote end of for SSL and TLS errors. Fix them and restart the channel.

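But on the remote side, I only have the Java client that uses the MQ libraries to connect to the MQ server.


[Images: SSLLog page 4, SSLLog page 5]

I was unable to get the data off the server, so I added images of the last 2 pages of the SSL log.

The MQ server-side log has already been given above. Besides that, there is one more default log entry, AMQ9999: Channel '????' to host '1.2.3.4' ended abnormally. The same error is logged repeatedly. I did not find any other logs.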


The MQ client code snippet is below.

    import com.ibm.mq.MQEnvironment;
    import com.ibm.mq.MQException;
    import com.ibm.mq.MQQueueManager;

    void connect2MQ() {
        // Connection details for the SVRCONN channel
        MQEnvironment.hostname = "1.2.3.4";
        MQEnvironment.port = 1414;
        MQEnvironment.channel = "CLIENT.SVRCONN.SSL";
        if (SSLEnabled.equals("Y")) { // It is set to 'Y' in main method
            MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA";
            // JSSE key store and trust store used for the TLS handshake
            System.setProperty("javax.net.ssl.trustStore", "trustStoreCertFilePath");
            System.setProperty("javax.net.ssl.keyStore", "keyStoreCertFilePath");
            System.setProperty("javax.net.ssl.trustStorePassword", "Pass");
            System.setProperty("javax.net.ssl.keyStorePassword", "Pass");
            System.setProperty("javax.net.ssl.trustStoreType", "JKS");
            System.setProperty("javax.net.ssl.keyStoreType", "JKS");
        }
        try {
            MQQueueManager qmgr = new MQQueueManager("QMGR.TEST.SSL"); // Exception is thrown from here
            // ...
        } catch (MQException e) {
            e.printStackTrace();
        }
    }

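You appear to be hitting the issue described in APAR IT10837. This is fixed in the 8.0.0.5 and later MQ Classes for Java and MQ Classes for JMS client jar files; I suggest moving to 8.0.0.7, which is the latest v8 release.

The error messages do not match, but the symptom of it working with SSLCAUTH(OPTIONAL) and not working with SSLCAUTH(REQUIRED) matches running a version without the fix.


Tom Leend's IBM developerWorks MQdev blog post titled "MQ Java, TLS Ciphers, Non-IBM JREs and APARs IT06775, IV66840, IT09423, IT10837 – HELP ME PLEASE!" describes a workaround if you are not on a version of MQ that has the fix.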

---- Code Snippet Start ----

    import java.security.KeyStore;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManagerFactory;
    import com.ibm.mq.MQEnvironment;

    // password_char_array is the store password as a char[], defined by the caller

    // Load the key store holding the client's certificate and private key
    KeyStore keyStore = KeyStore.getInstance("JKS");
    java.io.FileInputStream keyStoreInputStream = new java.io.FileInputStream("/home/tom/myKeyStore.jks");
    keyStore.load(keyStoreInputStream, password_char_array);

    // Load the trust store holding the certificates the client trusts
    KeyStore trustStore = KeyStore.getInstance("JKS");
    java.io.FileInputStream trustStoreInputStream = new java.io.FileInputStream("/home/tom/myTrustStore.jks");
    trustStore.load(trustStoreInputStream, password_char_array);

    keyStoreInputStream.close();
    trustStoreInputStream.close();

    // Build key and trust managers from the two stores
    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(keyStore, password_char_array);
    trustManagerFactory.init(trustStore);

    // Create an SSLContext from those managers and take its socket factory
    SSLContext sslContext = SSLContext.getInstance("TLSv1");
    sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
    SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

    // classes for JMS
    //myJmsConnectionFactory.setObjectProperty(
    //    WMQConstants.WMQ_SSL_SOCKET_FACTORY, sslSocketFactory);

    // classes for Java
    MQEnvironment.sslSocketFactory = sslSocketFactory;

---- Code Snippet End ----
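A client-side preflight for this setup, as an added example that is not code from the original post, the blog, or IBM: it reports whether a JKS key store holds a private-key entry with a currently valid certificate (what the client has to present when the channel is SSLCAUTH(REQUIRED)), the AES key length the JRE's JCE policy allows, and whether the two cipher suites named in the question are enabled by default for a `TLSv1` and a `TLSv1.2` context on the running JRE. The class name `MqTlsPreflight` and its methods are hypothetical; run without arguments it uses an empty in-memory key store as constructed sample input.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

// Added example: MqTlsPreflight and its methods are hypothetical names, not IBM MQ API.
public class MqTlsPreflight {
    // Counts private-key entries whose certificate is valid today. A key store that
    // holds only trusted certificates gives the client nothing to present.
    static int usableClientCerts(KeyStore ks) throws Exception {
        int usable = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            try {
                cert.checkValidity();
                usable++;
            } catch (CertificateException e) {
                System.out.println("key entry '" + alias + "' is expired or not yet valid");
            }
        }
        return usable;
    }

    // True if the suite is enabled by default for a context created with this protocol name.
    static boolean enabledByDefault(String protocol, String suite) throws Exception {
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null);
        return Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()).contains(suite);
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (args.length == 2) { // usage: java MqTlsPreflight <keystore.jks> <password>
            try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        } else {
            ks.load(null, null); // constructed sample input: an empty in-memory key store
        }
        System.out.println("usable client certificates: " + usableClientCerts(ks));
        System.out.println("max AES key bits under JCE policy: " + Cipher.getMaxAllowedKeyLength("AES"));
        for (String proto : new String[] {"TLSv1", "TLSv1.2"})
            for (String suite : new String[] {"TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"})
                System.out.println(proto + " / " + suite + " enabled: " + enabledByDefault(proto, suite));
    }
}
```

Run it with the same JRE the MQ client uses, since the enabled protocols, cipher suites and key-length limits differ between JRE vendors and versions.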