Certificate Label when fetching from Windows Cert Store for .Net MQ Client

Problem description

I have set the KeyStore to *User to get the certificate from the Windows certificate store. The MQ client application is trying to find the certificate using the label name, as shown in the log from the client trace. I tried setting the CertificateLabel from client.ini and from code, but it is not overriding the value.

How should I change that? Even if I can override it, how can I change the label of the certificate which I directly imported into my certificate store?

Please help.

000001B6 12:23:39.868134 4236.8 Created store object to access certificates 
000001B7 12:23:39.868134 4236.8 Opened store 
000001B8 12:23:39.868134 4236.8 Accessing certificate - **ibmwebspheremq(username)** 


How should I change the label in the certificate store for the existing certificate?

And then it throws the below exception 

000001B9 12:23:39.868134 4236.8 TLS12 supported - True 
000001BA 12:23:39.868134 4236.8 Setting SslProtol as Tls 
000001BB 12:23:39.868134 4236.8 Starting SSL Authentication 
000001BC 12:23:39.868134 4236.8 ------------{ MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) 
000001BD 12:23:39.868134 4236.8 Client callback has been invoked to find client certificate 
000001BE 12:23:39.868134 4236.8 ------------} MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK 
000001BF 12:23:40.507601 4236.8 System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm


Recommended answer

I've just finished battling this exact same problem, with MQ v.8, over the last 2 days and found Shashi's link to be helpful, but it didn't completely solve my problem. In addition to the instructions on that link, you need to make sure that the "Friendly name" of the certificate in the store is compliant with the MQ certificate label naming convention i.e. ibmwebspheremqlogonuserID.

For example, let's say you're currently logged in and your logon ID is jdoe. When you run your MQ client, the MQ client libraries will look for a certificate with a friendly name matching ibmwebspheremqjdoe. Finally, I only needed to add the following two properties to connect successfully:

properties.Add(MQC.SSL_CERT_STORE_PROPERTY, "*SYSTEM");
properties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA");

Bear in mind that I installed the CA-signed certificate into the "Local computer" key store and not the user keystore. That's why I specified *SYSTEM in the SSL_CERT_STORE_PROPERTY.

Here are all of the properties I used:

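// Connection properties for the managed .NET MQ client
properties = new Hashtable();
properties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);
properties.Add(MQC.HOST_NAME_PROPERTY, hostName);
properties.Add(MQC.PORT_PROPERTY, port);
properties.Add(MQC.CHANNEL_PROPERTY, channelName);
// "*SYSTEM" = "Local computer" certificate store ("*USER" = current user's store)
properties.Add(MQC.SSL_CERT_STORE_PROPERTY, "*SYSTEM");
// Must match the CipherSpec configured on the server channel
properties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA");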
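
The question also asks how to change the label of a certificate that is already in the store. The following is an added example, not code from the original answer: a small C# console tool that lists the friendly names in the "Local computer" personal store, reports which certificate matches the label convention described above, and optionally sets that label on a certificate chosen by thumbprint. The store location, the lower-casing of the logon ID and the class name `MqCertLabel` are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class MqCertLabel
{
    // Usage: MqCertLabel.exe [thumbprint]   (no argument = audit only)
    static int Main(string[] args)
    {
        // Convention from the answer: "ibmwebspheremq" + logon user ID.
        // Lower-casing the user ID is an assumption of this example.
        string label = "ibmwebspheremq" + Environment.UserName.ToLowerInvariant();
        bool relabel = args.Length > 0;

        // LocalMachine\My matches "*SYSTEM"; use CurrentUser for "*USER".
        // Opening LocalMachine for writing requires an elevated process.
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(relabel ? OpenFlags.ReadWrite : OpenFlags.ReadOnly);
        try
        {
            int labelled = 0;
            foreach (X509Certificate2 c in store.Certificates)
            {
                bool match = c.FriendlyName == label;
                if (match) labelled++;
                Console.WriteLine("{0} key={1} expires={2:yyyy-MM-dd} label='{3}'{4}",
                    c.Thumbprint, c.HasPrivateKey, c.NotAfter, c.FriendlyName,
                    match ? "  <-- matches expected MQ label" : "");
            }
            Console.WriteLine("Certificates labelled '{0}': {1}", label, labelled);
            if (!relabel) return labelled == 1 ? 0 : 1;

            string thumb = args[0].Replace(" ", "").ToUpperInvariant();
            var hits = store.Certificates.Find(X509FindType.FindByThumbprint, thumb, false);
            if (hits.Count != 1 || !hits[0].HasPrivateKey)
            {
                Console.Error.WriteLine("Need exactly one certificate with a private key.");
                return 2;
            }
            if (labelled > 0 && hits[0].FriendlyName != label)
            {
                Console.Error.WriteLine("Another certificate already carries this label.");
                return 3;
            }
            hits[0].FriendlyName = label; // persisted to the opened Windows store
            Console.WriteLine("Set label on {0}", hits[0].Thumbprint);
            return 0;
        }
        finally { store.Close(); }
    }
}
```

Run it without arguments first to see which certificates have a private key and what label each carries; the tool refuses to relabel when the target has no private key or when a different certificate already holds the label.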
