2014-11-04 (score 1)

How do I connect a JMS client using SSL_RSA_WITH_AES_128_CBC_SHA (queue connection factory) to a server using TLS_RSA_WITH_AES_128_CBC_SHA, with the WMQ JMS API, SSL, the Sun JDK and SSL_RSA_WITH_AES_128_CBC_SHA?

Code:

import java.io.File;
import java.util.Hashtable;
import javax.jms.Session;
import javax.naming.Context;
import javax.naming.directory.InitialDirContext;
import com.ibm.mq.jms.MQConnectionFactory;
import com.ibm.msg.client.jms.JmsConnectionFactory;
import com.ibm.msg.client.jms.JmsDestination;

    // initialContextUrl is the file: URL of the .bindings directory; connectionFactoryFromJndi
    // and destinationFromJndi are JNDI names. destination, connection, session and consumer
    // are fields of the enclosing class.

    // Instantiate the initial context
    String contextFactory = "com.sun.jndi.fscontext.RefFSContextFactory";
    Hashtable<String, String> environment = new Hashtable<String, String>();
    environment.put(Context.INITIAL_CONTEXT_FACTORY, contextFactory);
    environment.put(Context.PROVIDER_URL, initialContextUrl);
    Context context = new InitialDirContext(environment);
    System.out.println("Initial context found!");

    // Check that the key store and trust store named by the javax.net.ssl properties are readable
    String keystoreName = System.getProperty("javax.net.ssl.keyStore");
    System.out.println("keystoreName " + keystoreName + " canRead " + new File(keystoreName).canRead());
    String truststoreName = System.getProperty("javax.net.ssl.trustStore");
    System.out.println("truststoreName " + truststoreName + " canRead " + new File(truststoreName).canRead());

    // Lookup the connection factory
    JmsConnectionFactory cf = (JmsConnectionFactory) context.lookup(connectionFactoryFromJndi);
    System.out.println("CF = " + cf.getClass().getName());

    MQConnectionFactory mqcf = (MQConnectionFactory) cf;
    System.out.println("getSSLCipherSuite:" + mqcf.getSSLCipherSuite());
    System.out.println("getSSLSocketFactory:" + mqcf.getSSLSocketFactory());

    // Lookup the destination
    destination = (JmsDestination) context.lookup(destinationFromJndi);
    System.out.println("getSSLSocketFactory:" + mqcf.getSSLSocketFactory());

    // Create JMS objects
    connection = cf.createConnection();
    System.out.println("getSSLSocketFactory:" + mqcf.getSSLSocketFactory());

    session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
    System.out.println("getSSLSocketFactory:" + mqcf.getSSLSocketFactory());

    consumer = session.createConsumer(destination);
    System.out.println("getSSLSocketFactory:" + mqcf.getSSLSocketFactory());

    // Start the connection
    connection.start();
    System.out.println("getSSLSocketFactory:" + mqcf.getSSLSocketFactory());

gives me:

Initial context found! 
keystoreName C:/Users/...key.jks canRead true 
truststoreName C:/Users/.../key.jks canRead true 
CF = com.ibm.mq.jms.MQConnectionFactory 
getSSLCipherSuite:SSL_RSA_WITH_AES_128_CBC_SHA 
getSSLSocketFactory:null 
getSSLSocketFactory:null 
keyStore is : C:/Users/.../key.jks 
keyStore type is : jks 
keyStore provider is : 
init keystore 
init keymanager of type SunX509 
*** 
found key for : ibmwebspheremquserid 
..... 
    Valid from Mon May 14 23:59:46 CEST 2012 until Thu May 14 23:59:46 CEST 2015 

trigger seeding of SecureRandom 
done seeding SecureRandom 
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 
Allow unsafe renegotiation: false 
Allow legacy hello messages: true 
Is initial handshake: true 
Is secure renegotiation: false 
com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'qm' with connection mode 'Client' and host name 'host(1414)'. 
Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information. 
Inner exception(s): 
com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2393' ('MQRC_SSL_INITIALIZATION_ERROR'). 
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9204: Connection to host 'host(1414)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Unsupported ciphersuite SSL_RSA_WITH_AES_128_CBC_SHA],3=host/host:1414 (10.20.28.12),4=SSLSocket.createSocket,5=default]],3=host(1414),5=RemoteTCPConnection.makeSocketSecure] 
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Unsupported ciphersuite SSL_RSA_WITH_AES_128_CBC_SHA],3=host/host:1414 (10.20.28.12),4=SSLSocket.createSocket,5=default] 
java.lang.IllegalArgumentException: Unsupported ciphersuite SSL_RSA_WITH_AES_128_CBC_SHA 
FAILURE 

Do you have the option of having the client use TLS rather than SSL? – 2014-11-05 00:32:56


The client is using the JNDI queue factory; according to this link, SSL_RSA_WITH_AES_128_CBC_SHA is equivalent to TLS_RSA_WITH_AES_128_CBC_SHA. http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm – oluies 2014-11-05 11:49:00

Answers

Score: 1

From an Oracle JVM (JSSE)

See "What TLS cipherspecs/ciphersuites are supported when connecting from Oracle Java (non-IBM JRE) to MQ queue manager?"

MQ client version 8.0.0.2 includes a fix for using TLS with an Oracle JVM; this works with the SSL cipher suites given in the answer referenced above.

To get this working you need the latest MQ client, which includes IV66840: WMQ V7 JAVA/JMS: ADD SUPPORT FOR SELECTED TLS CIPHERSPECS WHEN RUNNING IN NON-IBM JAVA RUNTIME ENVIRONMENTS
http://www-01.ibm.com/support/docview.wss?uid=swg1IV66840 (download)

Depending on where you are, you may also need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 (download).

To use this you must configure the JVM argument:

-Dcom.ibm.mq.cfg.useIBMCipherMappings=false 

Note that the default security implementation behaviour differs between the Oracle and IBM JVMs:

The Oracle JSSE Reference Guide says:

If the KeyManager[] parameter is null, an empty KeyManager will be defined for this context.

The IBM JSSE Reference Guide says:

If the KeyManager[] parameter is null, the installed security providers will be searched for the highest-priority implementation of the KeyManagerFactory, from which an appropriate KeyManager will be obtained.

,這意味着你必須設置your own ssl context

import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

SSLContext sslcontext = SSLContext.getInstance("TLS");
String keyStore = System.getProperty("javax.net.ssl.keyStore");
String keyStoreType = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
String keyStorePassword = System.getProperty("javax.net.ssl.keyStorePassword", "");
KeyManager[] kms = null;
// Only build a KeyManager when a real key store file is named (the same properties the JSSE defaults read)
if (keyStore != null && !keyStore.equals("NONE")) {
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    KeyStore ks = KeyStore.getInstance(keyStoreType);
    FileInputStream fs = new FileInputStream(keyStore);
    try {
        ks.load(fs, keyStorePassword.toCharArray());
    } finally {
        fs.close();
    }
    char[] password = null;
    if (keyStorePassword.length() > 0)
        password = keyStorePassword.toCharArray();
    kmf.init(ks, password);
    kms = kmf.getKeyManagers();
}
// null trust managers and null SecureRandom fall back to the provider defaults (javax.net.ssl.trustStore)
sslcontext.init(kms, null, null);

Then provide that to the MQ JMS client:

JmsConnectionFactory cf = ...

MQConnectionFactory mqcf = (MQConnectionFactory) cf;
mqcf.setSSLSocketFactory(sslcontext.getSocketFactory());

If you use an application server, this may be handled by the application server.
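As an added example (not code from the question, the answer or IBM), one way to put the answer's pieces together: build the SSLContext explicitly with both key and trust managers, check that the JSSE provider actually knows the suite under the name the connection factory will use (an unknown name is exactly what raised "Unsupported ciphersuite" in the question), and only then hand the socket factory to the MQConnectionFactory. The class and method names are my own; key store and trust store paths and passwords are assumed to come from the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import com.ibm.mq.jms.MQConnectionFactory;

public class MqSslPreflight {
    // Load key store and trust store explicitly so the Oracle JSSE gets a real KeyManager
    // (Oracle installs an empty one when the KeyManager[] argument is null).
    static SSLContext buildContext(String keyStore, char[] keyPass,
                                   String trustStore, char[] trustPass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keyStore)) { ks.load(in, keyPass); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);

        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStore)) { ts.load(in, trustPass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // True only if the JSSE provider behind ctx knows the suite under this name; an unknown
    // name is what produced "IllegalArgumentException: Unsupported ciphersuite" in the question.
    static boolean supportsSuite(SSLContext ctx, String suite) {
        return Arrays.asList(ctx.getSocketFactory().getSupportedCipherSuites()).contains(suite);
    }

    public static void main(String[] args) throws Exception {
        // JSSE spelling of the suite; the JNDI definition carried the IBM spelling SSL_RSA_WITH_AES_128_CBC_SHA.
        String suite = "TLS_RSA_WITH_AES_128_CBC_SHA";
        // Must be set before the MQ classes initialise; equivalent to the -D JVM argument above.
        System.setProperty("com.ibm.mq.cfg.useIBMCipherMappings", "false");
        SSLContext ctx = buildContext(args[0], args[1].toCharArray(), args[2], args[3].toCharArray());
        if (!supportsSuite(ctx, suite)) {
            throw new IllegalStateException(suite + " is not offered by this JSSE provider");
        }
        MQConnectionFactory mqcf = new MQConnectionFactory(); // or the factory looked up from JNDI
        mqcf.setSSLCipherSuite(suite);
        mqcf.setSSLSocketFactory(ctx.getSocketFactory());
        // Set host, port, channel and queue manager, then createConnection() as in the question.
    }
}
```

Run it as `java MqSslPreflight key.jks <keypass> trust.jks <trustpass>`; a suite the provider lacks fails fast in the preflight instead of surfacing later as MQRC_SSL_INITIALIZATION_ERROR.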

Score: 1

Switch to the IBM JRE/JDK and it will work.


This is on Windows... is it no longer supported? – oluies 2014-11-05 20:21:03


I see you have seen this before: http://www.capitalware.com/rl_blog/?p=3074 – oluies 2014-11-05 23:23:23


Yes. MQ Explorer uses the IBM JRE, so it is supported, and it is what you should be using. – Roger 2014-11-06 22:19:46