IBM MQ requires a user name and password when using an SSL certificate (error 2035)



I have been working with SSL on IBM WebSphere MQ (9.2). I am building a client library for MQ and, to get more familiar with MQ on the server side, I installed IBM MQ Developer edition and ran the provided script to create a "default" MQ server instance.

  1. Created a client connection on the DEV.APP.SVRCONN server-connection channel
  2. Created a personal certificate with the IBM Key Management tool and labelled it ibmwebspheremq
  3. Enabled SSL on the queue manager (QM1) and set its certificate label to ibmwebspheremq
  4. Updated the SSL configuration of the DEV.APP.SVRCONN channel, set the CipherSpec to TLS 1.2, 256-bit Secure Hash Algorithm, 128-bit AES encryption (TLS_RSA_WITH_AES_128_CBC_SHA256), and required SSL

I tested my setup using:

amqssslc -l ibmwebspheremq -k C:\ProgramData\IBM\MQ\qmgrs\QM1\ssl\key -c DEV.APP.SVRCONN -x 127.0.0.1 -s TLS_RSA_WITH_AES_128_CBC_SHA256 -m QM1

This gives me:

Sample AMQSSSLC start
Connecting to queue manager QM1
Using the server connection channel DEV.APP.SVRCONN
on connection name 127.0.0.1.
Using SSL CipherSpec TLS_RSA_WITH_AES_128_CBC_SHA256
Using SSL key repository stem C:\ProgramData\IBM\MQ\qmgrs\QM1\ssl\key
Certificate Label: ibmwebspheremq
No OCSP configuration specified.
MQCONNX ended with reason code 2035

Error details (from the log):

The active values of the channel were 'MCAUSER(app) CLNTUSER(Wilko)
SSLPEER(SERIALNUMBER=61:9B:A4:3E,CN=DESKTOP-ROH98N2,C=NL)
SSLCERTI(CN=DESKTOP-ROH98N2,C=NL) ADDRESS(DESKTOP-ROH98N2)'. The
MATCH(RUNCHECK) mode of the DISPLAY CHLAUTH MQSC command can be used to
identify the relevant CHLAUTH record.
ACTION:
Ensure that the application provides a valid user ID and password, or change
the queue manager connection authority (CONNAUTH) configuration to OPTIONAL to
allow client applications to connect which have not supplied a user ID and
password. 
----- cmqxrmsa.c : 2086 -------------------------------------------------------
22/11/2021 15:51:37 - Process(15880.45) User(MUSR_MQADMIN) Program(amqrmppa.exe)
Host(DESKTOP-ROH98N2) Installation(Installation1)
VRMF(9.2.3.0) QMgr(QM1)
Time(2021-11-22T14:51:37.594Z)
CommentInsert1(DEV.APP.SVRCONN)
CommentInsert2(15880(1112))
CommentInsert3(127.0.0.1)

AMQ9999E: Channel 'DEV.APP.SVRCONN' to host '127.0.0.1' ended abnormally.
EXPLANATION:
The channel program running under process ID 15880(1112) for channel
'DEV.APP.SVRCONN' ended abnormally. The host name is '127.0.0.1'; in some cases
the host name cannot be determined and so is shown as '????'.
ACTION:
Look at previous error messages for the channel program in the error logs to
determine the cause of the failure. Note that this message can be excluded
completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
found in the System Administration Guide. 
----- amqrmrsa.c : 630 --------------------------------------------------------

I'm a bit stuck. I also see PEER-related information being dumped in the log, but I am not using the SSLPEER setting (I just want everyone to connect with the same certificate).

Edit 2:

Output of RUNMQSC QM1 with the command DISPLAY QMGR CONNAUTH:

1 : DISPLAY QMGR CONNAUTH
AMQ8408I: Display Queue Manager details.
QMNAME(QM1)                             CONNAUTH(DEV.AUTHINFO)

Output of RUNMQSC QM1 with the command DISPLAY AUTHINFO(name-from-previous-command):

3 : DISPLAY AUTHINFO(DEV.AUTHINFO)
AMQ8566I: Display authentication information details.
AUTHINFO(DEV.AUTHINFO)                  AUTHTYPE(IDPWOS)
ADOPTCTX(YES)                           DESCR( )
CHCKCLNT(REQDADM)                       CHCKLOCL(OPTIONAL)
FAILDLAY(1)                             AUTHENMD(OS)
ALTDATE(2021-11-18)                     ALTTIME(15.09.20)

Output of DISPLAY CHLAUTH(*):

4 : DISPLAY CHLAUTH(*)
AMQ8878I: Display channel authentication record details.
CHLAUTH(DEV.ADMIN.SVRCONN)              TYPE(USERMAP)
CLNTUSER(admin)                         USERSRC(CHANNEL)
AMQ8878I: Display channel authentication record details.
CHLAUTH(DEV.ADMIN.SVRCONN)              TYPE(BLOCKUSER)
USERLIST(nobody)
AMQ8878I: Display channel authentication record details.
CHLAUTH(DEV.APP.SVRCONN)                TYPE(ADDRESSMAP)
ADDRESS(*)                              USERSRC(CHANNEL)
CHCKCLNT(REQUIRED)
AMQ8878I: Display channel authentication record details.
CHLAUTH(SYSTEM.ADMIN.SVRCONN)           TYPE(ADDRESSMAP)
ADDRESS(*)                              USERSRC(CHANNEL)
AMQ8878I: Display channel authentication record details.
CHLAUTH(SYSTEM.*)                       TYPE(ADDRESSMAP)
ADDRESS(*)                              USERSRC(NOACCESS)

I would like not to have to provide a user name and password when using a certificate. What am I missing here?

Your queue manager is configured to require a password from any client connection that attempts to run with a privileged resolved MCAUSER. That is what CHCKCLNT(REQDADM) on AUTHINFO(DEV.AUTHINFO) does.

In addition, the CHLAUTH rule for the DEV.APP.SVRCONN channel escalates this further and requires a password for ALL connections that use that channel.

If your intention is that connections presenting a certificate should be exempt from this check, then you should add a more specific CHLAUTH rule, something like:

SET CHLAUTH(DEV.APP.SVRCONN) TYPE(SSLPEERMAP) +
SSLPEER('SERIALNUMBER=61:9B:A4:3E,CN=DESKTOP-ROH98N2,C=NL') +
SSLCERTI('CN=DESKTOP-ROH98N2,C=NL') CHCKCLNT(ASQMGR) USERSRC(CHANNEL)

Remember that if this connection is asserting a privileged user ID, a password will still be required by the system-wide setting of CHCKCLNT(REQDADM).

Remember, too, that if you are unsure which CHLAUTH rule you are matching, all the details you see in the error message can be used to form a DISPLAY CHLAUTH command that finds exactly which rule you matched. Read more about this in "I'm being blocked by CHLAUTH - how do I find out why?"
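As an added example (not part of the question or of the answer above): a small Python script that does what the last paragraph describes, pulling the facts MQ logged about the rejected connection out of the AMQERR01.LOG entry quoted in the question and turning them into a DISPLAY CHLAUTH ... MATCH(RUNCHECK) command you can paste into runmqsc. The sample log text is constructed from the entry in the question; the function and class names are mine, and the script assumes the IBM-documented RUNCHECK inputs (ADDRESS, CLNTUSER, QMNAME, SSLPEER, SSLCERTI).

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the lines of the queue manager error-log entry quoted in
# the question that matter for CHLAUTH matching (attributes of the rejected
# connection plus the CommentInsert fields carrying channel name and address).
SAMPLE_LOG = """\
The active values of the channel were 'MCAUSER(app) CLNTUSER(Wilko)
SSLPEER(SERIALNUMBER=61:9B:A4:3E,CN=DESKTOP-ROH98N2,C=NL)
SSLCERTI(CN=DESKTOP-ROH98N2,C=NL) ADDRESS(DESKTOP-ROH98N2)'. The
MATCH(RUNCHECK) mode of the DISPLAY CHLAUTH MQSC command can be used to
identify the relevant CHLAUTH record.
CommentInsert1(DEV.APP.SVRCONN)
CommentInsert2(15880(1112))
CommentInsert3(127.0.0.1)
"""

# Inputs DISPLAY CHLAUTH accepts with MATCH(RUNCHECK) besides ADDRESS.
# MCAUSER is the *result* of the mapping, not an input, so it is never copied.
RUNCHECK_KEYS = ("CLNTUSER", "QMNAME", "SSLPEER", "SSLCERTI")


@dataclass
class ChannelFacts:
    channel: str                                # CommentInsert1: channel matched
    ip: str                                     # CommentInsert3: client address
    attrs: dict = field(default_factory=dict)   # KEY -> value pairs from the log


def parse_chlauth_failure(log_text: str) -> ChannelFacts:
    """Extract what MQ logged about the rejected connection.

    Raises ValueError when the entry is not a CHLAUTH/CONNAUTH failure that
    carries the quoted 'active values of the channel' block.
    """
    block = re.search(r"active values of the channel were '(.*?)'", log_text, re.S)
    if not block:
        raise ValueError("no 'active values of the channel' block in log entry")
    # KEY(VALUE) pairs; values contain commas and colons but never ')'.
    attrs = dict(re.findall(r"([A-Z]+)\(([^)]*)\)", block.group(1)))
    chan = re.search(r"CommentInsert1\(([^)]*)\)", log_text)
    ip = re.search(r"CommentInsert3\(([^)]*)\)", log_text)
    if not chan or not ip:
        raise ValueError("CommentInsert1/3 (channel, connection address) missing")
    return ChannelFacts(chan.group(1), ip.group(1), attrs)


def mqsc_quote(value: str) -> str:
    """Quote an MQSC string: single quotes, embedded quotes doubled.
    Quoting also preserves case (e.g. Wilko), which MQSC would otherwise fold."""
    return "'" + value.replace("'", "''") + "'"


def runcheck_command(facts: ChannelFacts) -> str:
    """Build the MQSC command that reports which CHLAUTH record this
    connection matched. MATCH(RUNCHECK) takes a concrete IP address, so the
    connection address is used rather than the host name from ADDRESS(...)."""
    parts = [f"DISPLAY CHLAUTH({facts.channel}) MATCH(RUNCHECK) "
             f"ADDRESS({mqsc_quote(facts.ip)})"]
    parts += [f"{k}({mqsc_quote(facts.attrs[k])})"
              for k in RUNCHECK_KEYS if k in facts.attrs]
    return " +\n   ".join(parts)          # '+' is the MQSC line-continuation marker


if __name__ == "__main__":
    print(runcheck_command(parse_chlauth_failure(SAMPLE_LOG)))
```

For the entry in the question this produces DISPLAY CHLAUTH(DEV.APP.SVRCONN) MATCH(RUNCHECK) with ADDRESS('127.0.0.1'), CLNTUSER('Wilko') and the SSLPEER/SSLCERTI values, which runmqsc answers with the single record that actually applied (here the ADDRESSMAP rule with CHCKCLNT(REQUIRED)). The values are quoted because SSLPEER contains commas and because an unquoted CLNTUSER would be folded to upper case and no longer match.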
