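I am trying to connect to a channel for pub/sub by topic. I am running in unmanaged mode because it is the only mode that supports SSL. I have specified the CIPHER SPEC and the KEY_REPO location, with key.kdb in the same directory as the application (I have also tried the full path to the key store, and that did not work either). There is an associated key.sth there that contains the (encrypted) password for using the certificate. Below is the code snippet, less connection strings and other sensitive information.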

using IBM.XMS;

// Create a connection factory for WebSphere MQ
XMSFactoryFactory factoryFactory = XMSFactoryFactory.GetInstance(XMSC.CT_WMQ);
IConnectionFactory connectionFactory = factoryFactory.CreateConnectionFactory();

// Unmanaged client mode
connectionFactory.SetIntProperty(XMSC.WMQ_CONNECTION_MODE, XMSC.WMQ_CM_CLIENT_UNMANAGED);

// Connection details (placeholders, real values removed)
connectionFactory.SetStringProperty(XMSC.WMQ_HOST_NAME, "hostName");
connectionFactory.SetIntProperty(XMSC.WMQ_PORT, 1234);
connectionFactory.SetStringProperty(XMSC.WMQ_CHANNEL, "Channel");
connectionFactory.SetStringProperty(XMSC.WMQ_QUEUE_MANAGER, "QueueManager");

// SSL settings: cipher spec and key repository (stem of key.kdb / key.sth)
connectionFactory.SetStringProperty(XMSC.WMQ_SSL_CIPHER_SPEC, "NULL_SHA");
connectionFactory.SetStringProperty(XMSC.WMQ_SSL_KEY_REPOSITORY, @"key");

// This call throws CWSMQ0006E with reason 2393
IConnection connection = connectionFactory.CreateConnection();

I get the following exception in Visual Studio, which only tells me that the MQ client threw an error.

CWSMQ0006E: An exception was received during the call to the method 
ConnectionFactory.CreateConnection: CompCode: 2, Reason: 2393. During 
execution of the specified method an exception was thrown by another 
component. See the linked exception for more information.

In the event log below I can see the specific error thrown by the MQ client.

No SSL certificate for channel 'SECUREQUEUE.SVRCONN'.  

The channel 'SECUREQUEUE.SVRCONN' did not supply a certificate to use during 
SSL handshaking, but a certificate is required by the remote queue manager. 
The channel did not start.  

Ensure that the key repository of the local queue manager or MQ client contains an 
SSL certificate which is associated with the queue manager or client. Alternatively,
if appropriate, change the remote channel definition so that its SSLCAUTH attribute 
is set to OPTIONAL and it has no SSLPEER value set. &P If you have migrated from 
WebSphere MQ V5.3 to V6, it is possible that the missing certificate is due to a 
failure during SSL key repository migration. Check the relevant error logs. If 
these show that an orphan certificate was encountered then you should obtain the 
relevant missing certification authority (signer) certificates and then import 
these and the orphan certificate into the WebSphere MQ V6 key repository, and then
re-start the channel.

I can't seem to figure out what is wrong with this setup. Any ideas?

1 Answer

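The error seems to indicate that the QMgr's certificate was validated by the client. That means it found the KDB and STH files. Now it is attempting to validate the client's certificate. This would presumably mean that either...

a) The client certificate is not found, possibly because of the label
b) The QMgr does not have the client's public key (self-signed) or CA root

I usually validate TLS channels using the procedure outlined in this other SO answer. If you test successfully with SSLCAUTH(OPTIONAL), then it tends to confirm my guess. If that does not work, then you need to provide details about whether you are using self-signed certificates, what is in the QMgr's KDB, whether you ran REFRESH SECURITY TYPE(SSL) on the QMgr after updating its keystore, and the label name of the certificate in the client's keystore.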

answered 2013-02-18T22:28:56.210
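
The SSLCAUTH(OPTIONAL) test described in the answer, written out as MQSC commands for `runmqsc` on the queue manager. This is an added example, not part of the original answer; the channel name is taken from the event log in the question, and restoring to REQUIRED assumes that was the original setting, as the event log implies.

```mqsc
* 1. Record the current TLS settings so they can be restored afterwards.
DISPLAY CHANNEL('SECUREQUEUE.SVRCONN') SSLCIPH SSLCAUTH SSLPEER
DISPLAY QMGR SSLKEYR

* 2. Temporarily stop requiring a client certificate, then retry the
*    CreateConnection() call from the client. If step 1 showed a
*    non-blank SSLPEER, the test still fails without a client
*    certificate, because SSLPEER is matched against that certificate.
ALTER CHANNEL('SECUREQUEUE.SVRCONN') CHLTYPE(SVRCONN) SSLCAUTH(OPTIONAL)

* 3. While the client is connected, check what it presented. A blank
*    SSLPEER here means the client sent no certificate, which points
*    at the client key repository (missing certificate or wrong label).
DISPLAY CHSTATUS('SECUREQUEUE.SVRCONN') SSLPEER

* 4. Put mutual authentication back once the test is done.
ALTER CHANNEL('SECUREQUEUE.SVRCONN') CHLTYPE(SVRCONN) SSLCAUTH(REQUIRED)

* 5. After adding the client's self-signed certificate or CA root to the
*    queue manager's key repository, make the queue manager reload it.
REFRESH SECURITY TYPE(SSL)
```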