2012-10-09 113 views
0

SSLHandshakeException when connecting to WebSphere MQ via JMS/JNDI

I am configuring WebSphere MQ with SSL and then connecting to it from Java via JMS/JNDI. The version I am using is 6.0.1.1. Below are the steps I followed, but I cannot get it to run because an SSL exception occurs.

Step 1: Configure SSL for MQ Series

export JAVA_HOME=/opt/mqm/ssl 
cd /var/mqm/qmgrs/MYQMGR/ssl 
# Set up the key repository 
gsk7cmd -keydb -create -db keydb.kdb -pw password -type cms -expire 1500 -stash 
# Create a self-signed personal certificate 
gsk7cmd -cert -create -db keydb.kdb -pw password -label ibmwebspheremqmyqmgr -dn "CN=My Queue Manager,O=My Company,C=UK" -size 1024 -x509version 3 -expire 365 
# Export your personal certificate 
gsk7cmd -cert -extract -db keydb.kdb -pw password -label ibmwebspheremqmyqmgr -target myqmgr.cert.arm -format ascii 

Step 2: Configure SSL for Java

# Generate the private/public key pair 
# keypass option is the password to protect the private key 
# storepass option is the password to protect the keystore 
keytool -genkey -keystore keystore -storepass storepass -keypass keypass -dname "cn=My Java Client,O=My Company,C=UK" -alias ClientMQ -keyalg RSA -keysize 2048 
# Export the public key if you need 2-way authentication 
keytool -export -keystore keystore -storepass storepass -alias ClientMQ -file client.cer 
# Import MQ public certificate into the truststore 
# storepass option is the password to protect the keystore 
keytool -import -keystore truststore -storepass trustpass -keypass keypass -alias ibmwebspheremqmyqmgr -file myqmgr.cert.arm 

Step 3: Configure the MQ bindings

SSL.CHANNEL was created with the following command:

DEFINE CHANNEL(SSL.CHANNEL) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH(RC4_SHA_US) SSLCAUTH(OPTIONAL) DESCR('Channel using SSL')

JMSAdmin.config

INITIAL_CONTEXT_FACTORY=com.sun.jndi.fscontext.RefFSContextFactory 
PROVIDER_URL=file:///opt/mqm/java/bin/JNDI 
SECURITY_AUTHENTICATION=none 


cd /opt/mqm/java/bin 
. setjmsenv 
./JMSAdmin -v -cfg JMSAdmin.config 

DEFINE QCF(QCF_NAME) SYNCPOINTALLGETS(YES) HOSTNAME(HOST) PORT(1414) TRANSPORT(client) QMANAGER(MYQMGR) CHANNEL(SSL.CHANNEL) SSLCIPHERSUITE(SSL_RSA_WITH_RC4_128_SHA) 
DEFINE Q(MYQNAME) QMANAGER(MYQMGR) QUEUE(LOCALQUEUE) 

Step 4: Finding out why I get the exception

When I run my Java application and it calls connectionFactory.createQueueConnection(); I get the following exception:

javax.jms.JMSException: MQJMS2005: failed to create MQQueueManager for 'xxxx:xxxxx' 
com.ibm.mq.MQException: MQJE001: Completion Code 2, Reason 2397 
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake 

Here is the SSL trace:

keyStore is : 
keyStore type is : jks 
keyStore provider is : 
init keystore 
init keymanager of type SunX509 
trustStore is: c:\home\doc\jsse\truststore 
trustStore type is : jks 
trustStore provider is : 
init truststore 
adding as trusted cert: 
    Subject: CN=My Queue Manager,O=My Company,C=UK 
    Issuer: CN=My Queue Manager,O=My Company,C=UK 
    Algorithm: RSA; Serial number: 0x5072a61a 
    Valid from Sun Oct 07 12:08:26 CEST 2012 until Tue Oct 08 12:08:26 CEST 2013 

trigger seeding of SecureRandom 
done seeding SecureRandom 
%% No cached client session 
*** ClientHello, TLSv1 
RandomCookie: GMT: 1349707178 bytes = { 204, 18, 167, 43, 13, 107, 252, 221, 191, 41, 25, 59, 207, 92, 67, 219, 251, 104, 195, 209, 7, 129, 104, 171, 139, 47, 163, 71 } 
Session ID: {} 
Cipher Suites: [SSL_RSA_WITH_RC4_128_SHA] 
Compression Methods: { 0 } 
*** 
[write] MD5 and SHA1 hashes: len = 45 
0000: 01 00 00 29 03 01 50 73 E6 AA CC 12 A7 2B 0D 6B ...)..Ps.....+.k 
0010: FC DD BF 29 19 3B CF 5C 43 DB FB 68 C3 D1 07 81 ...).;.\C..h.... 
0020: 68 AB 8B 2F A3 47 00 00 02 00 05 01 00   h../.G....... 
Thread pool thread #0, WRITE: TLSv1 Handshake, length = 45 
[write] MD5 and SHA1 hashes: len = 44 
0000: 01 03 01 00 03 00 00 00 20 00 00 05 50 73 E6 AA ........ ...Ps.. 
0010: CC 12 A7 2B 0D 6B FC DD BF 29 19 3B CF 5C 43 DB ...+.k...).;.\C. 
0020: FB 68 C3 D1 07 81 68 AB 8B 2F A3 47    .h....h../.G 
Thread pool thread #0, WRITE: SSLv2 client hello message, length = 44 
[Raw write]: length = 46 
0000: 80 2C 01 03 01 00 03 00 00 00 20 00 00 05 50 73 .,........ ...Ps 
0010: E6 AA CC 12 A7 2B 0D 6B FC DD BF 29 19 3B CF 5C .....+.k...).;.\ 
0020: 43 DB FB 68 C3 D1 07 81 68 AB 8B 2F A3 47  C..h....h../.G 
Thread pool thread #0, received EOFException: error 
Thread pool thread #0, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake 
Thread pool thread #0, SEND TLSv1 ALERT: fatal, description = handshake_failure 
Thread pool thread #0, WRITE: TLSv1 Alert, length = 2 
[Raw write]: length = 7 
0000: 15 03 01 00 02 02 28        ......(
Thread pool thread #0, called closeSocket() 
Finalizer, called close() 
Finalizer, called closeInternal(true) 

On the MQ side:

AMQ9660: SSL key repository: password stash file absent or unusable. 

EXPLANATION: 
The SSL key repository cannot be used because MQ cannot obtain a password to 
access it. Reasons giving rise to this error include: 
(a) the key database file and password stash file are not present in the 
    location configured for the key repository, 
(b) the key database file exists in the correct place but that no password 
    stash file has been created for it, 
(c) the files are present in the correct place but the userid under which MQ is 
    running does not have permission to read them, 
(d) one or both of the files are corrupt. 

But none of them applies in my case.

ls -ltr /var/mqm/qmgrs/MYQMGR/ssl/ 
total 235 
-rw-r--r-- 1 mqm  mqm   129 Oct 8 12:00 keydb.sth 
-rw-r--r-- 1 mqm  mqm  115080 Oct 8 12:08 keydb.kdb 
-rw-r--r-- 1 mqm  mqm   80 Oct 8 12:08 keydb.rdb 
-rw-r--r-- 1 mqm  mqm   80 Oct 8 12:08 keydb.crl 

Answer

1

Stupid mistake: alter qmgr SSLKEYR('/var/mqm/qmgrs/MYQMGR/ssl/keydb') fixed it.

+0

Also, if the QMgr had previously accessed its KDB, a REFRESH SECURITY TYPE(SSL) or a restart of the QMgr would have been needed. It worked this time because the QMgr had never loaded its kdb before. Kudos for showing the trace. Would have liked to see the channel and QMgr objects, though.
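The fix in the answer is the usual trap behind AMQ9660: SSLKEYR is the path stem of the key repository, without the .kdb extension, and the queue manager also expects a fixed certificate label (ibmwebspheremq followed by the queue manager name in lower case). The following POSIX shell pre-flight check is an added example for this page, not code from the original post or from IBM; it assumes the queue manager runs as the user mqm and uses the paths and label from the question. It verifies the stem, the presence of the .kdb and .sth files, their owner and permissions, and the label, so the four AMQ9660 reasons can be ruled out before touching runmqsc.

```shell
#!/bin/sh
# Pre-flight check for a WebSphere MQ queue manager's SSL key repository.
# Added example for this page; not code from the original post or from IBM.
# The queue manager user "mqm" and the paths are assumptions.
#
# Usage: check_ssl_keyr <SSLKEYR value> <queue manager name> <certificate label> [owner]
# Prints each finding and returns 0 when the repository is consistent, 1 otherwise.

check_ssl_keyr() {
    stem=$1            # value for ALTER QMGR SSLKEYR('...'): path without extension
    qmgr=$2            # queue manager name, e.g. MYQMGR
    label=$3           # label given to gsk7cmd -cert -create
    owner=${4:-mqm}    # user the queue manager runs as (assumed: mqm)
    rc=0

    # SSLKEYR is a path stem; MQ appends .kdb and .sth itself.  Passing the
    # full file name makes MQ look for keydb.kdb.kdb and fail with AMQ9660.
    case $stem in
        *.kdb) echo "FAIL: SSLKEYR must not end in .kdb (use '${stem%.kdb}')"; rc=1 ;;
    esac

    for ext in kdb sth; do
        f="$stem.$ext"
        # AMQ9660 reasons (a) and (b): key database or password stash file absent
        if [ ! -f "$f" ]; then
            echo "FAIL: $f does not exist"; rc=1
            continue
        fi
        # Reason (c): the queue manager's user must be able to read the files
        fowner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$fowner" != "$owner" ]; then
            echo "FAIL: $f is owned by $fowner, but the queue manager runs as $owner"; rc=1
        fi
        # The stash file is the repository password in obfuscated form and the
        # .kdb holds the private key: neither should be readable by "other".
        mode=$(ls -ld "$f" | cut -c8-10)
        case $mode in
            ---) ;;
            *)   echo "WARN: $f is accessible to other users (mode ...$mode); use chmod 640 or stricter"; rc=1 ;;
        esac
    done

    # MQ selects the queue manager's personal certificate by a fixed label:
    # "ibmwebspheremq" followed by the queue manager name in lower case.
    expected="ibmwebspheremq$(printf '%s' "$qmgr" | tr 'A-Z' 'a-z')"
    if [ "$label" != "$expected" ]; then
        echo "FAIL: certificate label is '$label' but MQ looks for '$expected'"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $stem is usable as SSLKEYR for $qmgr"
    return "$rc"
}

# Example run against the layout from the question (adjust the path to yours):
# check_ssl_keyr /var/mqm/qmgrs/MYQMGR/ssl/keydb MYQMGR ibmwebspheremqmyqmgr
```

Run it as the mqm user (or pass the actual service account as the fourth argument) so the owner check reflects what the queue manager itself can read. Note that the listing in the question shows the .kdb and .sth files as world-readable; the stash file lets anyone who can read it open the key database, so 640 or tighter is the sensible setting. The CipherSpec and key size in the question (RC4_SHA_US / SSL_RSA_WITH_RC4_128_SHA, 1024-bit RSA) belong to 2012-era MQ 6 and should not be carried into a new deployment.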
