This article covers connecting to Websphere MQ from Java using SSL/Keystore; it may be a useful reference for readers facing the same problem.

Problem description

I'd like to connect to a Websphere 6.0 MQ via Java. I already have working code for a "normal" queue, but now I need to access a new queue which is SSL encrypted (keystore). I have been sent a file called something.jks, which I assume is a certificate I need to store somewhere. I have been searching the net, but I can't find the right information.

This is the code I use for the "normal" queue. I assume I need to set some property, but I am not sure which one.

import javax.jms.Connection;
import javax.jms.MessageConsumer;
import javax.jms.Session;
import com.ibm.mq.jms.MQQueueConnectionFactory;

MQQueueConnectionFactory connectionFactory = new MQQueueConnectionFactory();
connectionFactory.setChannel(channel_);
connectionFactory.setHostName(hostname_);
connectionFactory.setPort(port_);
connectionFactory.setQueueManager(queueManager_);
connectionFactory.setTransportType(1); // 1 = client (TCP/IP) transport, JMSC.MQJMS_TP_CLIENT_MQ_TCPIP
// Not sure which SSL property is needed here; setSSLCertStores(Collection) is for CRL checking, not the truststore
// connectionFactory.setSSLCertStores(arg0);

Connection connection = connectionFactory.createConnection();
connection.setExceptionListener(this); // enclosing class implements javax.jms.ExceptionListener
session_ = connection.createSession(DEFAULT_TRANSACTED, DEFAULT_ACKMODE);
connection.start();

javax.jms.Queue fQueue = session_.createQueue(queue_);
consumer = session_.createConsumer(fQueue);

Recommended answer

Alex Fehners' tutorial in developerWorks is a bit old (2005) but has code samples that should work for you.

SSL configuration of the Websphere MQ Java/JMS client

Your Java app will authenticate the QMgr based on its certificate. That means the jks file you were provided must have either the QMgr's self-signed certificate or the root certificate of a Certificate Authority that signed the QMgr's certificate. In either case you point to the file using -Djavax.net.ssl.trustStore=<location of trustStore>, as noted in the article linked above. If the jks has a password, you will need to specify -Djavax.net.ssl.trustStorePassword=<password> as well. Authenticating the QMgr with a truststore is always required. The next part may or may not be required.

The other piece of the puzzle is that the QMgr may require your app to present a certificate. In other words, the QMgr cert is always authenticated; whether the app is required to authenticate is optional. If it is, then you have what is known as "mutual authentication". If the channel that you connect to has been configured with SSLCAUTH(REQUIRED), then mutual auth has been enabled and the QMgr must have your application's self-signed cert, or the CA root cert that signed your app's cert, in its keystore. Hopefully whoever set up your jks file will have arranged for this already.

Assuming mutual auth is required, your jks will have, in addition to the QMgr's trusted cert, a private cert representing your application. To get the app to fetch the cert and present it to the QMgr, you use the -Djavax.net.ssl.keyStore=<location of keyStore> and -Djavax.net.ssl.keyStorePassword=<password> parameters. Note that these say key store, whereas the previous params said trust store.

My recommendation is to work with the WMQ administrator to set up and test the SSL connection. The first phase should be to test the channel with SSLCAUTH(OPTIONAL). This verifies that the application can resolve and authenticate the QMgr's certificate. Only when you get this working would the WMQ admin then change the channel to SSLCAUTH(REQUIRED), which tests authentication in the reverse direction.

I would highly recommend that you use the WMQ v7 client for a new application. This is for two reasons: 1) v6 is end-of-life as of Sept 2011; 2) the v7 code has a lot more diagnostic capability built in. The v7 client code is completely compatible with a v6 QMgr and works like the v6 client. You just don't get the v7 functionality. Download the WMQ client code free here:

IBM - MQC7: WebSphere MQ V7.0 Clients

I'm running the WMQ Hands-On Security Lab at IMPACT this year and will be posting the scripts and lab guide over the weekend at http://t-rob.net, so check back for that.
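Putting the answer's pieces together, the following is an added example of a complete client (it is not code from the question, the answer, or IBM), written against the WMQ v7 JMS classes the answer recommends. The host, port, channel, queue manager, queue name and cipher suite are assumed placeholders to be replaced with the WMQ administrator's values. One detail the answer takes for granted: the client only negotiates TLS on the channel when a cipher suite is set on the connection factory, and it must match the channel's SSLCIPH attribute; the javax.net.ssl.* properties are read by JSSE only once that handshake happens.

```java
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.Queue;
import javax.jms.Session;
import javax.jms.TextMessage;

import com.ibm.mq.jms.MQQueueConnectionFactory;
import com.ibm.msg.client.wmq.WMQConstants;

/**
 * Reads one message from an SSL-protected WMQ queue over a client channel.
 * Usage: java SslQueueReader <truststore.jks> <truststorePwd> [<keystore.jks> <keystorePwd>]
 * The keystore arguments are only needed when the channel is SSLCAUTH(REQUIRED).
 */
public class SslQueueReader {
    // Connection details are assumptions for illustration; take the real
    // values from the WMQ administrator.
    private static final String HOST = "mqhost.example.com";
    private static final int PORT = 1414;
    private static final String CHANNEL = "APP.SSL.SVRCONN";
    private static final String QMGR = "QM1";
    private static final String QUEUE = "APP.IN";
    // Must match the SSLCIPH attribute of the SVRCONN channel (assumed value).
    private static final String CIPHER_SUITE = "SSL_RSA_WITH_3DES_EDE_CBC_SHA";

    public static void main(String[] args) throws JMSException {
        if (args.length != 2 && args.length != 4) {
            System.err.println("usage: SslQueueReader <truststore> <truststorePwd> [<keystore> <keystorePwd>]");
            System.exit(2);
        }
        configureJsse(args);

        MQQueueConnectionFactory cf = new MQQueueConnectionFactory();
        cf.setHostName(HOST);
        cf.setPort(PORT);
        cf.setChannel(CHANNEL);
        cf.setQueueManager(QMGR);
        cf.setTransportType(WMQConstants.WMQ_CM_CLIENT);
        // Naming a cipher suite is what makes the client channel use TLS;
        // without it the javax.net.ssl.* properties are never consulted.
        cf.setSSLCipherSuite(CIPHER_SUITE);

        Connection connection = cf.createConnection();
        try {
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
            Queue queue = session.createQueue(QUEUE);
            MessageConsumer consumer = session.createConsumer(queue);
            connection.start();

            Message msg = consumer.receive(5000); // wait up to 5 s for a message
            if (msg == null) {
                System.out.println("no message available");
            } else if (msg instanceof TextMessage) {
                System.out.println("received: " + ((TextMessage) msg).getText());
            } else {
                System.out.println("received non-text message: " + msg.getJMSMessageID());
            }
        } finally {
            connection.close();
        }
    }

    /**
     * Equivalent to passing -Djavax.net.ssl.trustStore=... and friends on the
     * command line. Must run before the first connection is created so that
     * JSSE sees the values when it builds its default SSLContext.
     */
    static void configureJsse(String[] args) {
        // Always required: the truststore holds the QMgr's self-signed cert or
        // the CA root that signed it, so the client can authenticate the QMgr.
        System.setProperty("javax.net.ssl.trustStore", args[0]);
        System.setProperty("javax.net.ssl.trustStorePassword", args[1]);
        if (args.length == 4) {
            // Only for SSLCAUTH(REQUIRED): the keystore holds the app's own
            // private key and certificate, which the QMgr must trust in turn.
            System.setProperty("javax.net.ssl.keyStore", args[2]);
            System.setProperty("javax.net.ssl.keyStorePassword", args[3]);
        }
    }
}
```

Before running it, `keytool -list -v -keystore something.jks` shows what the file you were sent actually contains: only trustedCertEntry items is enough for the SSLCAUTH(OPTIONAL) phase, while a PrivateKeyEntry is what the SSLCAUTH(REQUIRED) phase needs. If one file holds both, point both property pairs at it. Passwords passed as -D flags or program arguments are visible in the process list, so outside of a test load them from a protected file instead, and when the handshake fails, `-Djavax.net.debug=ssl` is the standard way to see which side rejected which certificate.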


06-26 03:11