We have enabled SSL on
1. MQ version '7.1.0.7'
2. OS->'Linux 2.6.32-642.11.1.el6.x86_64'
3. two months back [aug-2016] and its working fine with SSL enabled and disabled mode
Java Client uses
1. jdk1.7.0_21
2. Worked cipher/suite -> SSL_RSA_WITH_RC4_128_SHA <> RC4_SHA_US
When I try to connect to a MQ v7.1.0.7 queue manager the application is throwing below error:
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'.
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:228)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:553)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:593)
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:95)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:198)
at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:882)
In the queue manager error log AMQERR01.LOG I see this:
AMQ9616: The CipherSpec proposed is not enabled on the server.
EXPLANATION: The SSL or TLS subsystem at the server end of a channel
been configured in such a way that it has rejected the CipherSpec
proposed by an SSL or TLS client. This rejection occurred during the
secure socket handshake (i.e. it happened before the proposed
CipherSpec was compared with the CipherSpec in the server channel
definition).
We have a MQ v6.0.2.12 queue manager where this is working fine.
Could some one provide help what went wrong for system , which was working before?
SSL:
AllowSSLV3=Y
AllowWeakCipherSpec=Y
SSL:
AllowSSLV3=Y
AllowWeakCipherSpec=Y
Updated (2017/01/27) with additional questions:
Worked below TLSv1
TLS_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA TLSv1 TRUETLS_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA TLSv1 TRUEFailed with TLSv1.2
TLS_RSA_WITH_RC4_128_SHA256 SSL_RSA_WITH_RC4_128_SHA TLSv1.2 FALSEI tried with these settings:
SSLContext sslContext = SSLContext.getInstance("TLSv1"); -Dcom.ibm.mq.cfg.preferTLS=true-Dcom.ibm.mq.cfg.useIBMCipherMappings=falseError is com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'
In the AMQERR01.LOG
There is a mismatch between the CipherSpecs on the local and remote ends
of channel 'TEST.CH'. The channel will not run until this mismatch is
resolved.The CipherSpec required in the local channel definition is
'TLS_RSA_WITH_RC4_128_SHA256'. The name of the CipherSpec negotiated during
the SSL handshake is 'RC4_SHA_US'. A code is displayed if the name of the
negotiated CipherSpec cannot be determined
Updated (2017/01/29) with additional questions:
MQEnvironment.sslCipherSuite ="SSL_RSA_WITH_AES_256_CBC_SHA256";
6.Client Execute /apps/java/jdk1.7.0_21/bin/java -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -classpath .:/tmp/mqssl/com.ibm.mq.jmqi.jar:/tmp/mqssl/com.ibm.mq.jar:com.ibm.ws.webservices.thinclient_8.5.0.jar MQProducerSSL
Getting error as MQJE001: Completion Code '2', Reason '2400' MQRC_UNSUPPORTED_CIPHER_SUITE (2400)
Updated (2017/01/30) with additional questions:
Still same error , but in my client java prg have enabled System.setProperty("javax.net.debug", "all"); to see all activities while execute client. Its Printing TLS_RSA_WITH_AES_256_CBC_SHA256 as Ignoring unavailable cipher suite: as below
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Before call
MQJE001: Completion Code '2', Reason '2400'.
MQJE001: Completion Code '2', Reason '2400'.
Tested with IBM-JDK-71 Same Exception
SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA<><>ECDHE_ECDSA_3DES_EDE_CBC_SHA256
SSL_ECDHE_RSA_WITH_NULL_SHA<><>ECDHE_RSA_NULL_SHA256
Updated (2017/01/31) with additional questions:
com.ibm.mq.jar
MQJE001: Completion Code '2', Reason '2400'.
MQJE001: Completion Code '2', Reason '2400'.
com.ibm.mq.jmqi.jar
Specification-Version: 7.1.0.1
Specification-Vendor: IBM Corporation
Implementation-Title: WebSphere MQ classes for Java
Implementation-Version: 7.1.0.1 - k710-001-120424
Updated (2017/01/31 A) with additional questions:
Since MQ and Client Running in same machine ,got Specification-Version: 7.1.0.7 jars
Testing done with 2 scenarios by changing the classpath
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");MQEnvironment.sslFipsRequired = true;
got exception MQJE001: Completion Code '2', Reason '2400'
MQEnvironment.sslCipherSuite ="SSL_RSA_WITH_AES_256_CBC_SHA256"; ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)
got exception MQJE001: Completion Code '2', Reason '2393'
Specification-Version: 7.1.0.1
Specification-Vendor: IBM Corporation
Implementation-Title: WebSphere MQ Interface for Java
Implementation-Version: 7.1.0.1 - k710-001-120424
Updated (2017/01/31 B) with additional questions:
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2393'.
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:232)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:553)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:593)
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:96)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:198)
at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:893)
at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:780)
at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:729)
at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:177)
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:674)
at MQProducerSSL.main(MQProducerSSL.java:89)
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9204: Connection to host 'localhost(2017)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.createSocket,5=default]],3=localhost(2017),5=RemoteTCPConnection.makeSocketSecure]
MQJE001: Completion Code '2', Reason '2397'.
MQEnvironment.sslFipsRequired = false;
MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256";
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
/apps/hostlink/java/jdk1.7.0_21/jdk1.7.0_21/bin/java -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -classpath .:/opt/mqm/java/lib/com.ibm.mq.jmqi.jar:/opt/mqm/java/lib/com.ibm.mq.jar MQProducerSSL
Worked below TLSv1
----Spec---- REFRESH SECURITY TYPE(SSL)
---Suite---- /apps/java/jdk1.7.0_21/bin/java -Dcom.ibm.mq.cfg.preferTLS=true -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -classpath .:/tmp/mqssl/com.ibm.mq.jmqi.jar:/tmp/mqssl/com.ibm.mq.jar:com.ibm.ws.webservices.thinclient_8.5.0.jar MQProducerSSL
TLSv1 TRUE
MQJE001: Completion Code '2', Reason '2397'.
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'.
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:232)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:553)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:593)
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:96)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:198)
at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:893)
at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:780)
at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:729)
at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:177)
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:674)
at MQProducerSSL.main(MQProducerSSL.java:89)
doubt on TLSv1 , if TLSv1 working without above parameters , why need to provide -Dcom.ibm.mq.cfg.preferTLS=true for TLSv2?
even with IBM-JDK 7.1 also TLSv2 not working, what could be issue?
Need to try with MQ8?
Updated (2017/02/01) with additional questions:
Complete Exception in console
Not working , when given below parameters , throwing **MQJE001: Completion Code '2', Reason '2400'**
-Dcom.ibm.mq.cfg.useIBMCipherMappings=false
-Dcom.ibm.mq.cfg.preferTLS=true
from AMQERR01.LOG
MQJE001: Completion Code '2', Reason '2397'.
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'.
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:232)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:553)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:593)
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:96)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:198)
at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:893)
at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:780)
at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:729)
at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:177)
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:674)
at MQProducerSSL.main(MQProducerSSL.java:89)
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 'localhost(2017)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Error signing certificate verify],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.startHandshake,5=default]],3=localhost(2017),5=RemoteTCPConnection.protocolConnect]
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2098)
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1347)
at com.ibm.mq.MQSESSION.MQCONNX_j(MQSESSION.java:924)
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:221)
... 10 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Error signing certificate verify],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.startHandshake,5=default]
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1310)
at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:714)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:356)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:265)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:144)
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1709)
... 13 more
Caused by: javax.net.ssl.SSLHandshakeException: Error signing certificate verify
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:987)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:285)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1280)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1273)
at java.security.AccessController.doPrivileged(Native Method)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1271)
... 18 more
Caused by: java.security.NoSuchAlgorithmException: SHA224withRSA Signature not available
at java.security.Signature.getInstance(Signature.java:224)
at sun.security.ssl.JsseJce.getSignature(JsseJce.java:241)
at sun.security.ssl.HandshakeMessage$CertificateVerify.<init>(HandshakeMessage.java:1552)
at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:982)
... 29 more
removed old jars from classpath , but still same exception
Console Output have below lines printed for Algorithm
----- amqrmrsa.c : 930 --------------------------------------------------------
01/31/2017 08:45:00 PM - Process(14444.328) User(mqm) Program(amqrmppa)
Host(testvm) Installation(Installation1)
VRMF(7.1.0.7) QMgr(TLSTEST.QM)
AMQ9665: SSL connection closed by remote end of channel '????'.
EXPLANATION:
The SSL or TLS connection was closed by the remote host 'localhost (127.0.0.1)'
during the secure socket handshake. The channel is '????'; in some cases its
name cannot be determined and so is shown as '????'. The channel did not start.
ACTION:
Check the remote end of the channel for SSL and TLS errors. Fix them and
restart the channel.
----- amqccisa.c : 6478 -------------------------------------------------------
01/31/2017 08:45:00 PM - Process(14444.328) User(mqm) Program(amqrmppa)
Host(testvm) Installation(Installation1)
VRMF(7.1.0.7) QMgr(TLSTEST.QM)
AMQ9492: The TCP/IP responder program encountered an error.
EXPLANATION:
The responder program was started but detected an error.
The host name was 'localhost (127.0.0.1)'; in some cases the host name cannot
be determined and so is shown as '????'.
ACTION:
Look at previous error messages in the error files to determine the error
encountered by the responder program.
----- amqrmrsa.c : 930 --------------------------------------------------------
In client , passing key.jks file , which is created at MQ level with 'runmqckm'
whether need to specify different Algorithm on creation for TLSv2 ?
TLSV2 WORKED WITH JDK8 and ibm/java-x86_64-71
matching alias: ibmwebspheremqtlstest.qm
*** Certificate chain
chain [0] = [
[
Version: V3
Signature Algorithm: SHA1withRSA,
But question on how to work any TLSv2 cipher with lesser version of Oracle java than 8?
To resolve/work-around the issue:will try one by one
1) use the IBM JVM
2) test with Oracle Java v8
3) Try MQ v8
4) other option to set SSLCAUTH=OPTIONAL and not require client side certificate.
Trying with JDK8 and MQ8
Now Trying to do the same with JDK8 + MQ8 , MQServer8 and MQSeriesGSKit-8.0.0-4.x86_64 installed , but now issue with creating certificate with runmqckm command
export LD_LIBRARY_PATH=/opt/mqm/gskit8/lib64
export PATH=$PATH:/opt/mqm/gskit8/bin
runmqckm
bash: runmqckm: command not found
partially Worked with runmqakm
But failed to create jks files as below
runmqakm -keydb -create -db /var/mqm/qmgrs/TLSTEST!QM/ssl/key.jks -pw password -type jks
CTGSK3017W The database type "jks" is not recognized.
Resolved
No Need to set below path
export LD_LIBRARY_PATH=/opt/mqm/gskit8/lib64
export PATH=$PATH:/opt/mqm/gskit8/bin
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
2015年11月19日发布的IBM MQ Fix Pack 7.1.0.7包括以下APAR:
IV73396:在WEBSPHERE MQ V7队列管理器中弃用SSLV3 CIPHERSPECS
问题描述:
应用此更改后,创建的任何队列管理器都将禁止在与队列管理器关联的通道定义上使用以下CipherSpec:
AES_SHA_US
RC4_SHA_US
RC4_MD5_US
TRIPLE_DES_SHA_US
DES_SHA_EXPORT1024
RC4_56_SHA_EXPORT1024
RC4_MD5_EXPORT
RC2_MD5_EXPORT
DES_SHA_EXPORT
NULL_SHA
NULL_MD5
FIPS_WITH_DES_CBC_SHA
FIPS_WITH_3DES_EDE_CBC_SHA尝试使用或配置其中一个CipherSpec将导致队列管理器错误日志中出现以下一条或多条消息:AMQ8242,AMQ9616,AMQ9635.
这是由于IETF批准并发布RFC7568,因此在2015年6月SSLv3正式弃用
2016年5月19日Miguel A. Rodriguez发布了一篇非常好的IBM developerWorks博客文章" MQ产品的SSL和TLS密码规范弃用 ",其中详细介绍了各种修订包中不推荐使用的密码.
我建议您找到一个支持的TLSv1.2密码,它与Java客户端和IBM MQ SVRCONN通道兼容.由于不推荐使用SSLv3,因此使用IBM或非IBM JRE向Java客户端开放了更多TLS密码,因此有许多更新.
关于IBM对Java客户端密码支持所做的更改的一篇很好的文章是IBM developerWorks博客文章" MQ Java,TLS密码,非IBM JRE和APAR IT06775,IV66840,IT09423,IT10837 - 请帮助我! "6月发布2016年9月,Tom Leend.
您没有遇到IBM MQ v6.0.2.12问题的原因是因为该版本已超过四年(自2012年9月30日以来)已不再支持,并且IBM不会发布任何针对End of Service版本的安全更新它支持的版本.
我建议您转移到受支持的IBM MQ版本.在考虑升级到哪个版本时,请注意当前支持的两个版本将在未来16个月内失去支持:
IBM developerWorks博客文章" MQ Java,TLS密码,非IBM JRE和APAR IT06775,IV66840,IT09423,IT10837 - 请帮助我! "声明添加该设置的APAR IV66840useIBMCipherMappings包含在7.1.0.7中,这应该允许使用TLSv1.2 Cipherspecs和Oracle JRE.
此APAR为WebSphere MQ v7.1和v7.5启用了以下WebSphere MQ CipherSuite到CipherSpec映射,其中Java的类和JMS的类支持SHA-2:
Run Code Online (Sandbox Code Playgroud)Oracle CipherSuite IBM MQ CipherSpec TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
如果将其与v7.1知识中心页面指定CipherSpecs进行比较,您会发现其中所有这三个都是TLSv1.2 Cipherspecs.
为了与IBM JRE Ciphersuite名称进行比较,WebSphere MQ classes for Java中的v7.1知识中心页面SSL CipherSpecs和CipherSuite列出了类似的映射:
IBM CipherSuite IBM MQ CipherSpec
SSL_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA256
SSL_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
更新(2017/01/27)以解决更多问题
MQ CipherSpec TLS_RSA_WITH_RC4_128_SHA256不是APAR IV66840中列出的那些之一,已在MQ v7.1下为非IBM JRE启用,它仅在v8.0下列出.上面我列出了添加到MQ v7.1的三个TLSv1.2 CipherSpec.
我建议您尝试将TLS_RSA_WITH_AES_256_CBC_SHA256作为MQ通道上的CipherSpec,将TLS_RSA_WITH_AES_256_CBC_SHA256作为Java CipherSuite.
下面的设置应该与我建议的CipherSpec/CipherSuite一起使用,请注意我将其更改TLSv1为TLSv1.2
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
-Dcom.ibm.mq.cfg.preferTLS=true
-Dcom.ibm.mq.cfg.useIBMCipherMappings=false
更新(2017/01/30)尝试解决更多问题
在您的问题中,您在类路径中提到了这些jar文件: /tmp/mqssl/com.ibm.mq.jmqi.jar:/tmp/mqssl/com.ibm.mq.jar
请问您确认哪个版本的IBM MQ产品来自哪个版本,您可以使用unzip实用程序在linux上执行此操作:
unzip -p com.ibm.mq.jar META-INF/MANIFEST.MF|grep Implementation-Version
输出将是:
Implementation-Version: x.x.x.x - pxxx-xxx-YYMMDD
更新(2017/01/31)以解决更多问题
包含该设置的APAR IV66840-Dcom.ibm.mq.cfg.useIBMCipherMappings=false直到v7.1.0.7才包含在MQ中,这是您声明的版本.
根据您提供的输出,您引用的jar文件来自v7.1.0.1安装,该安装不包括对非JRE(如Oracle JRE)上的TLS的支持.
您还注意到jar文件所在/tmp/mqssl,请注意在MQ的v8之前,IBM不支持将jar文件复制到安装它们的默认位置之外.
IBM Technote" 支持的安装WebSphere MQ Java jar文件,JMS jar文件或C/C++库的方法 "指出:
+++第1节:MQ 7.x.
获取MQ jar文件或MQ C/C++库文件到系统的唯一受支持的方法是安装:
- WebSphere MQ产品或
- WebSphere MQ Client SupportPacs.
要合法下载和使用客户端,您必须首先接受许可协议中指定的条款和条件.
不要将WebSphere MQ jar文件复制到应用程序EAR或WAR文件.
不要从其他计算机复制WebSphere MQ jar或MQ C/C++库文件:
- 修补程序包不能应用于从其他计算机复制了jar或C/C++库文件的"安装",这使得确保所有这些jar/library文件彼此保持一致变得更加困难,并处于兼容的水平.
- 在机器之间复制jar/library文件也会导致驻留在同一台机器上的文件的多个副本,这可能导致服务代码和调试问题.
如果您的应用程序与MQ v7.1.0.7队列管理器位于同一服务器上,那么您只需引用目录中的jar文件即可/opt/mqm/java/lib.
如果您的应用程序不在同一台服务器上并且您打算继续使用v7.1或使用v7.5,我建议您安装最新的完整客户端安装,请参阅上面的说明,了解基于何时停止服务的版本建议.
如果您决定使用v8或v9,那么IBM Technote" 支持的安装WebSphere MQ Java jar文件,JMS jar文件或C/C++库的方法 "也指出:
b)从MQ 8.0.0.4开始,您可以使用Redistributable文件:
这意味着使用v8.0.0.4及更高版本,您可以下载MQ JMS和仅Java可再发行客户端.
此处可从FixCentral获取MQ JMS和仅Java可再发行客户端客户端软件包.
更新(2017/01/31 A)以解决进一步的问题
在搜索到您收到的错误后,我发现这个dW答案帖子" 为什么我在尝试使用TLS AES 256密码时从MQ Java/JMS应用程序获得AMQ9771,2393 SSL初始化错误? ".它声明如下:
在这种情况下,问题是由于尝试使用AES 256强密码算法引起的.
大多数Java JRE(包括Oracle/Sun和IBM)都启用了加密算法的导入限制.这限制了最大密钥大小以及一些算法.
尝试将AES 256密码(例如ECDHE_RSA_AES_256_CBC_SHA384或TLS_RSA_WITH_AES_256_CBC_SHA256)与MQ Java/JMS应用程序一起使用时,需要确保JRE支持此密码.在大多数情况下,当需要更强的密码算法(例如AES 256密码)时,必须获取JCE无限强度管辖权策略文件并将其安装在JDK/JRE中.
这在JDK/JRE文档中有说明:对于Oracle 1.7:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
oracle站点上面的链接指出:
如果需要更强大的算法(例如,具有256位密钥的AES),则必须获取JCE Unlimited Strength Jurisdiction Policy Files并将其安装在JDK/JRE中.
用户有责任根据当地法规验证此操作是否允许.
我建议您使用较低的CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA256,或者按照上面的建议获取并安装JCE Unlimited Strength Jurisdiction Policy Files.
更新(2017/02/01)以解决进一步的问题
引起我注意的错误是Caused by: java.security.NoSuchAlgorithmException: SHA224withRSA Signature not available.
我在谷歌上搜索了这个,发现以下dW答案帖子" 如何解决MQ v7.x Java客户端获取SSL错误NoSuchAlgorithmException:SHA224withRSA Signature不可用? "的问题,其中说明如下:
假设使用Oracle JVM:
我们发现问题的根本原因是Oracle JRE 1.7不支持签名算法SHA224withRSA,请参阅可用的签名算法:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
在上面的链接中,感兴趣的表位于" SunRsaSign Provider "下,其中列出了以下支持的签名算法:
MD2withRSA
MD5withRSA
SHA1withRSA
SHA256withRSA
SHA384withRSA
SHA512withRSA
请注意,SHA224withRSA是不是名单上.
同样的dW答案帖子继续说明:
此签名算法可在IBM JVM和Oracle JVM 1.8中使用.
https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
在上面的链接中,感兴趣的表位于" SunRsaSign Provider "下,其中列出了以下支持的签名算法:
MD2withRSA
MD5withRSA
SHA1withRSA
SHA224withRSA
SHA256withRSA
SHA384withRSA
SHA512withRSA
请注意,SHA224withRSA 它在列表中.
dW帖子的建议:
更新(2017/02/01 B)以解决进一步的问题
考虑到通过上述故障排除收集的所有信息,答案是使用MQ v7.1.0.7 MQ Java客户端无法使用小于8的Oracle Java的TLSv1.2密码.
基于我提供的最后一篇dW Answers帖子,IBM建议尝试使用MQ v8,但我不认为他们测试了这个配置,所以它也可能无法正常工作.
如果您确实想尝试使用MQ v8,我建议您使用最新的v8.0.0.5 Java可再发行客户端客户端软件包,我已经提供了链接.
| 归档时间: |
|
| 查看次数: |
7815 次 |
| 最近记录: |