
java - Connecting to an MQ channel with a Java client: CERTLABL error

Reposted. Author: 太空宇宙. Updated: 2023-11-03 14:32:08

I am developing a microservice in Java to connect to IBM WebSphere MQ V8.0 over SSL. However, I see this error in the logs:

JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2059' ('MQRC_Q_MGR_NOT_AVAILABLE')

On the MQ side the error is CSQX673E, and the reason is:

The SSL or TLS channel's channel-name is configured to use certificate label: cert-label. However, the remote peer did not send the necessary information to allow the local channel to use the correct certificate. The remote host is conn-id.

Can anyone tell me how to pass this parameter using Java?

As I understand it, CERTLABL is not part of the certificate.

Best answer


Note that the following information is documented identically in the MQ v8.0.0, v9.0.0 and v9.1.0 Knowledge Centers.


IBM documents the following on the IBM MQ 8.0.0 Knowledge Center page IBM MQ>Security>Security overview>IBM MQ security mechanisms>Security protocols in IBM MQ>The SSL or TLS key repository>Digital certificate labels, understanding the requirements:

IBM MQ Version 8.0 supports the use of multiple certificates on the same queue manager, using a per-channel certificate label attribute. Inbound channels to the queue manager (for example, server connection or receiver) rely on detecting the channel name using TLS Server Name Indication (SNI), in order to present the correct certificate from the queue manager.

The same page also documents this:

Note that inbound channels (including receiver, cluster-receiver, unqualified server, and server-connection channels) only send the configured certificate if the IBM MQ version of the remote peer fully supports certificate label configuration, and the channel is using a TLS CipherSpec.

In all other cases, the queue manager CERTLABL parameter determines the certificate sent. In particular, the following only ever receive the certificate configured by the CERTLABL parameter of the queue manager, regardless of the channel-specific label setting:

  • All current Java and JMS clients.
  • Versions of IBM MQ prior to Version 8.0.

IBM also documents similar information on the IBM MQ 8.0.0 Knowledge Center page IBM MQ>Reference>Configuration reference>Channel attributes>Channel attributes in alphabetical order>Certificate label (CERTLABL):

Inbound channels (including RCVR, CLUSRCVR, unqualified SERVER, and SVRCONN channels) will only send the configured certificate if the IBM® MQ version of the remote peer fully supports certificate label configuration and the channel is using a TLS CipherSpec. If that is not the case, the queue manager CERTLABL attribute determines the certificate sent. This restriction is because the certificate label selection mechanism for inbound channels depends upon a TLS protocol extension that is not supported in all cases. In particular, Java™ clients, JMS clients, and all versions of IBM MQ prior to Version 8.0 do not support the required protocol extension and will only ever receive the certificate configured by the queue manager CERTLABL attribute, regardless of the channel-specific label setting.


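As you said, Java 8 does support SNI, but apparently IBM has not yet implemented that capability in IBM MQ Classes for Java or IBM MQ Classes for JMS.

One possible solution I can think of is that you could find out which underlying function MQ calls to create the TLS session and override it to set the SNI property to a value that MQ will recognize on the queue manager, using code like the following: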

SSLParameters params = sslSocket.getSSLParameters();
params.setServerNames(serverNames);
sslSocket.setSSLParameters(params);

IBM documents the format in which the channel name is passed in SNI in the technote "IBM WebSphere MQ: How does MQ provide multiple certificates (CERTLABL) capability":

The SNI address used by MQ is based upon the channel name that is being requested, followed by a suffix of ".chl.mq.ibm.com".

MQ channel names are mapped to be valid SNI names as follows:

  • Upper case letters A-Z are folded to lower case
  • Digits 0 through 9 are left unchanged
  • All other characters including lower-case letters a-z are converted into their 2-digit hexadecimal ASCII character code followed by a hyphen.
  • lower case letters a through z map to "61-" through "7a-" respectively
  • percent (%) maps to "25-"
  • hyphen (-) maps to "2d-"
  • dot (.) maps to "2e-"
  • forward slash (/) maps to "2f-"
  • underscore (_) maps to "5f-"

On EBCDIC platforms, the channel name is converted to ASCII before this mapping is applied. As an example, channel name "TO.QMGR1" maps to an SNI address of "to2e-qmgr1.chl.mq.ibm.com".

By contrast, the lower case channel name "to.qmgr1" maps onto SNI address of "74-6f-2e-71-6d-67-72-1.chl.mq.ibm.com".
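
The channel-name mapping quoted above, combined with the `SSLParameters` calls from the answer, as an added example that is not part of the original answer or of IBM's code. The class and method names (`MqSniExample`, `channelToSni`, `applySni`) are hypothetical, and how the socket is obtained from the MQ client is not shown because the page does not describe it.

```java
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class MqSniExample {
    // Suffix stated in the IBM technote quoted above.
    static final String SUFFIX = ".chl.mq.ibm.com";

    // Map an MQ channel name to the SNI address, following the quoted rules:
    // A-Z fold to lower case, 0-9 stay unchanged, every other character
    // (including a-z) becomes its 2-digit hex ASCII code followed by '-'.
    static String channelToSni(String channel) {
        StringBuilder sb = new StringBuilder();
        for (byte b : channel.getBytes(StandardCharsets.US_ASCII)) {
            char c = (char) b;
            if (c >= 'A' && c <= 'Z') {
                sb.append(Character.toLowerCase(c));
            } else if (c >= '0' && c <= '9') {
                sb.append(c);
            } else {
                sb.append(String.format("%02x-", b & 0xff));
            }
        }
        return sb.append(SUFFIX).toString();
    }

    // Set the SNI name on a socket before the TLS handshake starts.
    // SNIHostName validates its argument as a hostname and throws
    // IllegalArgumentException if it rejects it, for instance a label that
    // ends in '-', which this mapping produces when the channel name ends
    // in a lower-case letter or a special character.
    static void applySni(SSLSocket socket, String channel) {
        SSLParameters params = socket.getSSLParameters();
        params.setServerNames(
            Collections.singletonList(new SNIHostName(channelToSni(channel))));
        socket.setSSLParameters(params);
    }

    public static void main(String[] args) throws Exception {
        // The two channel names used as examples in the technote.
        System.out.println(channelToSni("TO.QMGR1"));
        System.out.println(channelToSni("to.qmgr1"));
        // Unconnected socket, used only to show the parameter being set.
        SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket();
        applySni(socket, "TO.QMGR1");
        System.out.println(socket.getSSLParameters().getServerNames());
    }
}
```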

Regarding java - Connecting to an MQ channel with a Java client: CERTLABL error, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/51787857/
