配置 IBM Websphere Mq 服务器和 Java 客户端以创建 SSL 连接

Question

我需要在 IBM MQ Qmanager 和 Java 客户端之间创建 SSL 连接。为了使用 IBM Key Management GUI 做到这一点，

1. 为 QManager 创建了 key.dkb 并为其添加了自签名证书。
2. 然后我提取了那个证书。(cert.arm)
3. 创建了 trustStore.jks 文件并在签署者证书下添加了之前提取的 cert.arm。
4. 把key.dkb的路径放到Qmanager->SSL，选择合适的密码套件。
5. 在 Java 客户端中，将 System.property 添加到 trustStore.jks。

当我运行程序时，我得到了一个异常，如下所示。

Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR').
        at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:203)
        ... 10 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host '127.0.0.1(1414)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Remote host closed connection during handshake],3=localhost/127.0.0.1:1414 (localhost),4=SSLSocket.startHandshake,5=default]],3=127.0.0.1(1414),5=RemoteTCPConnection.protocolConnect]
        at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2282)
        at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1294)
        at com.ibm.mq.ese.jmqi.InterceptedJmqiImpl.jmqiConnect(InterceptedJmqiImpl.java:376)
        at com.ibm.mq.ese.jmqi.ESEJMQI.jmqiConnect(ESEJMQI.java:560)
        at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:345)
        ... 9 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Remote host closed connection during handshake],3=localhost/127.0.0.1:1414 (localhost),4=SSLSocket.startHandshake,5=default]
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1329)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:863)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:409)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:305)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
        at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1730)
        ... 13 more
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1298)
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1290)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1290)
        ... 18 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
        at sun.security.ssl.InputRecord.read(InputRecord.java:505)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
        ... 25 more

基本上这意味着 Qmanager 没有由 trustStore 签名的证书。 所以我想我在制作自签名证书和信任库时错过了一些东西。

有人可以帮助我创建自签名证书以使用 IBM 密钥管理 GUI 工具与 java 客户端建立 SSL 连接吗？

Answer 1

我可以通过ibm mq troubleshooting guide解决问题

我刚刚在我的 Qmanager 密钥库存储库中运行了 mqcertck 命令，发现它没有对 key.kdb 的读取权限。使用 chmod 授予读取权限后问题解决。