时间戳

首页 > 解决方案 > WebSphere MQ 8 和 IBM MQ 9 的 TLS WebConfiguration

websphere - WebSphere MQ 8 和 IBM MQ 9 的 TLS WebConfiguration

问题描述

我在队列管理器上设置 tls 时遇到问题。以下是我在 Windows 10 上用于创建和设置队列管理器以及通道和密钥库的命令。

"C:\Program Files\IBM\MQ\bin64\crtmqm.exe" QMTLS
"C:\Program Files\IBM\MQ\bin64\strmqm.exe" QMTLS

"C:\Program Files\IBM\MQ\bin64\runmqsc.exe" QMTLS
DEF LISTENER(TCP.1416) TRPTYPE(TCP) CONTROL(QMGR) PORT(1416) REPLACE

START LISTENER(TCP.1416)

DEF CHL(CONNECTION.TLS) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA256') SSLCAUTH(REQUIRED) DESCR('Channel with tls support')

DEFINE CHANNEL (CONNECTION.TLS) CHLTYPE (CLNTCONN) TRPTYPE (TCP) CONNAME (127.0.0.1) QMNAME (QMTLS) SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA256') MAXMSGL (104857600) DESCR ('Client connection to Server')
exit

cd C:\ProgramData\IBM\MQ\qmgrs\QMTLS\ssl

"C:\Program Files\IBM\MQ\bin64\runmqakm.exe" -keydb -create -db key.kdb -pw passw0rd -stash

"C:\Program Files\IBM\MQ\bin64\runmqakm.exe" -cert -create -db key.kdb -label ibmwebspheremqqmtls -stashed -size 2048 -sigalg SHA256WithRSA -dn CN=QMTLS -fips -ca false

"C:\Program Files\IBM\MQ\bin64\runmqakm.exe" -cert -extract -db key.kdb -label ibmwebspheremqqmtls -target qmtls.arm -stashed

mkdir jks
cd jks

"C:\Program Files\IBM\MQ\java\jre\bin\keytool.exe" -genkey -alias ibmwebspheremquser -keyalg RSA -sigalg SHA256withRSA -dname "cn=user@example.com,C=US" -keystore userkey.jks -storetype jks -storepass passw0rd -keypass passw0rd -validity 365 -keysize 2048

"C:\Program Files\IBM\MQ\java\jre\bin\keytool.exe" -export -keystore userkey.jks -alias ibmwebspheremquser -storepass passw0rd -file userkey.arm -rfc

cd ..
copy jks\userkey.arm userkey.arm

"C:\Program Files\IBM\MQ\bin64\runmqakm.exe" -cert -add -db key.kdb -stashed -file userkey.arm -label userkey -trust enable -fips

copy qmtls.arm jks\qmtls.arm
cd jks

"C:\Program Files\IBM\MQ\java\jre\bin\keytool.exe" -import -alias QMTLS -file qmtls.arm -storepass passw0rd -keystore userkey.jks

"C:\Program Files\IBM\MQ\bin64\runmqsc.exe" QMTLS

SET CHLAUTH('CONNECTION.TLS') TYPE(BLOCKUSER) USERLIST('*NOACCESS') DESCR('allow access to tls') WARN(NO) ACTION(ADD) 

refresh security type(ssl)

exit

当我尝试使用通道 CONNECTION.TLS 和 userkey.jks 密钥库直接连接到队列管理器时,我收到一条错误消息 AMQ4199:

Queue manager QMTLS is not available for client connection due to an SSL configuration error. (AMQ4199)
Queue manager QMTLS is not available for client connection due to an SSL configuration error. (AMQ4199)
Severity: 30 (Severe Error)
Explanation: The user is trying to connect to a remote queue manager using a secure connection.
Response: Check the SSL configuration of the target queue manager and the local SSL trust store.

标签: websphereibm-mqtls1.2websphere-8

解决方案

推荐阅读