Connecting to Websphere MQ from Java using SSL/Keystore
I'd like to connect to a Websphere 6.0 MQ via Java. I already have working code for a "normal" queue, but now I need to access a new queue which is SSL encrypted (keystore). I have been sent a file called something.jks, which I assume is a certificate I need to store somewhere. I have been searching the net, but I can't find the right information.
This is the code I use for the "normal" queue. I assume I need to set some property, but not sure which one.
import javax.jms.Connection;
import javax.jms.ExceptionListener;
import javax.jms.MessageConsumer;
import javax.jms.Session;
import com.ibm.mq.jms.MQQueueConnectionFactory;

// Fields assumed from the enclosing class: channel_, hostname_, port_, queueManager_, queue_,
// session_, consumer, DEFAULT_TRANSACTED, DEFAULT_ACKMODE; the class implements ExceptionListener.
MQQueueConnectionFactory connectionFactory = new MQQueueConnectionFactory();
connectionFactory.setChannel(channel_);            // SVRCONN channel on the QMgr
connectionFactory.setHostName(hostname_);
connectionFactory.setPort(port_);
connectionFactory.setQueueManager(queueManager_);
connectionFactory.setTransportType(1);             // 1 = client (TCP/IP) transport
// TODO: set the SSL property here (the pasted line "setSSsetSSLCertStores(arg0)" was garbled
// and does not compile; which property to use is exactly the question).
Connection connection = connectionFactory.createConnection();
connection.setExceptionListener(this);
session_ = connection.createSession(DEFAULT_TRANSACTED, DEFAULT_ACKMODE);
connection.start();
javax.jms.Queue fQueue = session_.createQueue(queue_);
consumer = session_.createConsumer(fQueue);
Alex Fehners' tutorial in developerWorks is a bit old (2005) but has code samples that should work for you.
SSL configuration of the Websphere MQ Java/JMS client
Your Java app will authenticate the QMgr based on its certificate. That means the jks file you were provided must have either the QMgr's self-signed certificate or it will have the root certificate of a Certificate Authority that signed the QMgr's certificate. In either case you point to the file using the -Djavax.net.ssl.trustStore=<location of trustStore> property, as noted in the article linked above. If the jks has a password, you will need to specify -Djavax.net.ssl.trustStorePassword=<password> as well. Authenticating the QMgr with a truststore is always required. The next part may or may not be required.
The other piece of the puzzle is that the QMgr may require your app to present a certificate. In other words, the QMgr cert is always authenticated; whether the app is required to authenticate is optional. If it is, then you have what is known as "mutual authentication". If the channel that you connect to has been configured with SSLCAUTH(REQUIRED), then mutual auth has been enabled and the QMgr must have your application's self-signed cert, or a CA root cert that signed your app's cert, in its keystore. Hopefully whoever set up your jks file will have arranged for this already.
Assuming mutual auth is required, then your jks will have, in addition to the QMgr's trusted cert, a private cert representing your application. To get the app to fetch the cert and present it to the QMgr, you use the -Djavax.net.ssl.keyStore=<location of keyStore> and -Djavax.net.ssl.keyStorePassword=<password> parameters. Note these say key store whereas the previous parms said trust store.
My recommendation is to work with the WMQ administrator to set up and test the SSL connection. The first phase should be to test the channel with SSLCAUTH(OPTIONAL). This verifies that the application can resolve and authenticate the QMgr's certificate. Only when you get this working would the WMQ admin then change the channel to SSLCAUTH(REQUIRED), which tests authentication in the reverse direction.
I would highly recommend that you use the WMQ v7 client for a new application. This is for two reasons: 1) v6 is end-of-life as of Sept 2011; 2) the v7 code has a lot more diagnostic capability built in. The v7 client code is completely compatible with a v6 QMgr and works like the v6 client. You just don't get the v7 functionality. Download the WMQ client code free here:
I'm running the WMQ Hands-On Security Lab at IMPACT this year and will be posting the scripts and lab guide over the weekend at http://t-rob.net so check back for that.
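As an added example (not code from the question, the answer, or IBM's own samples), the following class applies the answer's two-phase plan in Java: it points JSSE at the truststore, which is always needed so the app can authenticate the QMgr, and, only when the channel has been switched to SSLCAUTH(REQUIRED), at the keystore holding the app's private certificate. The host, port, channel, queue manager, queue names, file paths and passwords are constructed placeholders. It goes one step beyond the page: it also calls setSSLCipherSuite, because the MQ JMS client does not negotiate SSL unless a cipher suite is set, and the suite chosen must correspond to the channel's SSLCIPH value (the name used below is a placeholder to be agreed with the WMQ administrator).

```java
import java.io.File;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.MessageConsumer;
import javax.jms.Session;
import com.ibm.mq.jms.MQQueueConnectionFactory;

/**
 * Added example: opens an SSL-protected WMQ client connection following the
 * answer's advice. All connection details and store locations are placeholders.
 */
public class SslQueueReader {

    // Constructed placeholders, not values from the page.
    private static final String HOSTNAME = "mq.example.invalid";
    private static final int PORT = 1414;
    private static final String CHANNEL = "APP.SVRCONN";
    private static final String QUEUE_MANAGER = "QM1";
    private static final String QUEUE = "APP.REQUEST";

    /** Assumption: must match the SSLCIPH configured on the SVRCONN channel. */
    private static final String CIPHER_SUITE = "SSL_RSA_WITH_3DES_EDE_CBC_SHA";

    /**
     * Phase 1 of the answer's plan: truststore only, sufficient for SSLCAUTH(OPTIONAL).
     * The jks must hold the QMgr's self-signed cert or the CA root that signed it.
     */
    static void configureTrustStore(String trustStorePath, String trustStorePassword) {
        requireReadable(trustStorePath);
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
    }

    /**
     * Phase 2: the channel is now SSLCAUTH(REQUIRED), so the app must present its
     * own private cert; the keyStore properties tell JSSE where to find it.
     */
    static void configureKeyStore(String keyStorePath, String keyStorePassword) {
        requireReadable(keyStorePath);
        System.setProperty("javax.net.ssl.keyStore", keyStorePath);
        System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
    }

    private static void requireReadable(String path) {
        File f = new File(path);
        if (!f.canRead()) {
            // Fail early with a clear message rather than an opaque handshake failure later.
            throw new IllegalArgumentException("cannot read store file: " + path);
        }
    }

    static MQQueueConnectionFactory sslConnectionFactory() throws JMSException {
        MQQueueConnectionFactory cf = new MQQueueConnectionFactory();
        cf.setHostName(HOSTNAME);
        cf.setPort(PORT);
        cf.setChannel(CHANNEL);
        cf.setQueueManager(QUEUE_MANAGER);
        cf.setTransportType(1); // client (TCP/IP) transport, as in the question's code
        // Without a cipher suite the MQ JMS client makes a plain, non-SSL connection.
        cf.setSSLCipherSuite(CIPHER_SUITE);
        return cf;
    }

    public static void main(String[] args) throws JMSException {
        // These properties are the same ones the answer passes as -D options on the
        // java command line; setting them in code keeps the example self-contained.
        configureTrustStore("/path/to/something.jks", "changeit");
        boolean mutualAuth = args.length > 0 && "mutual".equals(args[0]);
        if (mutualAuth) {
            // One jks file may hold both the trusted QMgr cert and the app's private cert.
            configureKeyStore("/path/to/something.jks", "changeit");
        }

        Connection connection = sslConnectionFactory().createConnection();
        try {
            connection.start();
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
            MessageConsumer consumer = session.createConsumer(session.createQueue(QUEUE));
            System.out.println("connected over SSL, consumer ready: " + consumer);
        } finally {
            connection.close();
        }
    }
}
```

Run it with no arguments while the channel is still SSLCAUTH(OPTIONAL); once the administrator switches the channel to SSLCAUTH(REQUIRED), run it with the argument mutual so the keystore is configured too. The javax.net.ssl system properties must be set before the JVM builds its first SSL context, which is why the store configuration happens before createConnection is called.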