Unable to authenticate to IBM MQ C# with TLS certificate


Problem description

I'm trying to connect to an IBM MQ using .NET Core ("IBMMQDotnetClient" Version="9.2.0.1") with a certificate inside a Linux container (mcr.microsoft.com/dotnet/core/runtime:3.1).

Configuration Hashtable:

// Connection properties passed to the MQ client; "*USER" tells the client
// to look for the client certificate in the current user's personal store.
var properties = new Hashtable {
    { MQC.HOST_NAME_PROPERTY, "localhost" },
    { MQC.CHANNEL_PROPERTY, "DEV.SVRCONN" },
    { MQC.PORT_PROPERTY, 1419 },
    { MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA" },
    { MQC.SSL_CERT_STORE_PROPERTY, "*USER" }
};

The trace reveals this exception:

0000702 17:37:10.738499   1.1         KeyStore is *USER
00000703 17:37:10.738530   1.1         KeyResetCount is 0
00000704 17:37:10.738543   1.1         CertificationCheck = False
00000705 17:37:10.738553   1.1         CipherSpec value is TLS_RSA_WITH_AES_128_CBC_SHA
00000706 17:37:10.738562   1.1         SSLPEERNAME value is
00000707 17:37:10.738570   1.1        -----------}  MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions) rc=OK
00000708 17:37:10.738625   1.1        -----------{  MQEncryptedSocket.MakeSecuredConnection()
00000709 17:37:10.738653   1.1         Created an instance of SSLStreams
0000070A 17:37:10.738662   1.1         Setting current certificate store as 'User'
0000070B 17:37:10.738676   1.1         Linux so use My & CurrentUser
0000070C 17:37:10.738683   1.1         Created store object to access certificates
0000070D 17:37:10.738740   1.1         Opened store
0000070E 17:37:10.738750   1.1         Accessing certificate - ibmwebspheremqroot
0000070F 17:37:10.748556   1.1         Number of certificates in the store:6
00000710 17:37:10.748629   1.1         TLS12 supported - True
00000711 17:37:10.748648   1.1         Setting SslProtol as Tls
00000712 17:37:10.748655   1.1         Starting SSL Authentication
00000713 17:37:10.748738   1.1        ------------{  MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[])
00000714 17:37:10.748754   1.1         Client callback has been invoked to find client certificate
00000715 17:37:10.748766   1.1        ------------}  MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK   
00000716 17:37:10.766153   1.1        ------------{  MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) inputs  [11]
00000717 17:37:10.766190   1.1         SSL Server Certificate validation failed - RemoteCertificateNameMismatch, RemoteCertificateChainErrors
00000718 17:37:10.766196   1.1        ------------}  MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) rc=OK
00000719 17:37:10.766662   1.1         System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

  • The same code works on Windows.
  • I have installed the root CA that signed the certificate.

EDIT 1 @Morag Hughson - Regarding the certificates, I've installed the organization's root CA and the sub-CA that signed the IBM MQ cert:

COPY ssl/ /usr/local/share/ca-certificates/
RUN update-ca-certificates --fresh --verbose
    

Also tried doing it in code:

// Add the certificates to the current user's Root store
// (collection and theAppCert are defined in the next snippet)
var root = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
root.Open(OpenFlags.ReadWrite);
root.Add(theAppCert);
collection.Add(new X509Certificate2("./ssl/root.crt"));
root.AddRange(collection);
    

This is how I add the IBM MQ certificate:

// Load every certificate (and the private key) from the PKCS#12 bundle
var collection = new X509Certificate2Collection();
collection.Import(File.ReadAllBytes("./ssl/key.p12"), "123456", X509KeyStorageFlags.PersistKeySet);

var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

// Pick the application certificate by subject name
var theAppCert = collection.Find(X509FindType.FindBySubjectName, "app_test", false)[0];
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
    // The MQ client looks the client certificate up by this friendly name on Windows
    theAppCert.FriendlyName = $"ibmwebspheremq{Environment.UserName.ToLower()}";
}
store.Open(OpenFlags.ReadWrite);
store.Add(theAppCert);
    

EDIT 2

Is this enough?

0000049D 17:51:51.929051   1.1         Data:- IBM.WMQ.MQTCPConnection#02EED1CA
0000049D 17:51:51.929051   1.1          0x00000000 54 53 48 20 00 00 00 24 02 05 0A 00 00 00 00 00 : TSH ...$......
0000049D 17:51:51.929051   1.1          0x00000010 00 00 00 00 22 02 00 00 E4 04 00 00 08 00 00 00 : ...."..?....
0000049D 17:51:51.929051   1.1          0x00000020 1A 00 00 00                                     : ...
0000049E 17:51:51.929066   1.1          Data Length --> 36
0000049F 17:51:51.929071   1.1        ------------}  MQTCPConnection.Receive(ref byte [ ],ref int,ref int) rc=OK
000004A0 17:51:51.929076   1.1         Bytes Read from Socket = 36
000004A1 17:51:51.929083   1.1        ------------{  MQTSH.ReadStruct(Byte [ ],int) inputs  [System.Byte[]] [0]
000004A2 17:51:51.929106   1.1        ------------}  MQTSH.ReadStruct(Byte [ ],int) rc=OK returns [28]
000004A3 17:51:51.929120   1.1        ------------{  MQTSH.CheckTSH(byte [ ]) inputs  [System.Byte[]]
000004A4 17:51:51.929127   1.1        ------------}  MQTSH.CheckTSH(byte [ ]) rc=OK returns [True]
000004A5 17:51:51.929134   1.1        ------------{  MQFAPConnection.AnalyseErrorSegment(MQTSH) inputs  [IBM.WMQ.MQTSH#039490E2]
000004A6 17:51:51.929140   1.1        -------------{  MQTSH.GetLength()
000004A7 17:51:51.929145   1.1        -------------}  MQTSH.GetLength() rc=OK returns [28]
000004A8 17:51:51.929196   1.1         Constructing IBM.WMQ.MQERD#003917F2 MQMBID sn=p920-001-200918 su=_tqsBSQMcEeuBJdh7_yjHsA pn=basedotnet/nmqi/MQERD.cs
000004A9 17:51:51.929208   1.1        -------------{  MQERD.ReadStruct(Byte [ ],int) inputs  [System.Byte[]] [28]
000004AA 17:51:51.929216   1.1        -------------}  MQERD.ReadStruct(Byte [ ],int) rc=OK returns [8]
000004AB 17:51:51.929231   1.1         New MQException CompCode: 2 Reason: 2059
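The first trace in the question shows the MQ client's own validation callback rejecting the server certificate with RemoteCertificateNameMismatch and RemoteCertificateChainErrors, but the trace does not say which name the certificate carries or which element of the chain is broken. The following diagnostic program is an added example, not code from the original post or from IBM; it performs the same SslStream handshake the MQ client performs against the listener, keeps the client's decision (an invalid certificate is still rejected), and prints the certificate name and per-element chain status so the two errors can be told apart. The host name, port and use of TLS 1.2 are assumed from the question.

```csharp
// Added diagnostic example (not from the original post): reproduce the server-certificate
// validation the IBM MQ .NET client performs and report why it fails.
// Assumes .NET Core 3.1 and a queue manager listener at host/port (defaults from the question).
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class MqTlsDiagnostics
{
    // Filled in by the validation callback so Main can print it after the failure.
    static string lastReport = "";

    // Same decision the MQ client makes: accept only a fully valid certificate.
    // Everything else is reported, never waved through.
    static bool ValidateServerCertificate(object sender, X509Certificate certificate,
                                          X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        var report = new StringBuilder();
        report.AppendLine($"Policy errors: {sslPolicyErrors}");

        if (certificate != null)
        {
            var cert2 = new X509Certificate2(certificate);
            report.AppendLine($"Server certificate subject: {cert2.Subject}");
            report.AppendLine($"Issuer: {cert2.Issuer}");

            // RemoteCertificateNameMismatch: the name we connected to (e.g. "localhost")
            // is not the DNS name in the certificate's SAN/CN. Show what it does carry.
            if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
                report.AppendLine($"DNS name in certificate: {cert2.GetNameInfo(X509NameType.DnsName, false)}");
        }

        // RemoteCertificateChainErrors: list each element's status so a missing sub-CA,
        // an expired issuer or an untrusted root can be distinguished.
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 && chain != null)
        {
            foreach (X509ChainElement element in chain.ChainElements)
            {
                report.AppendLine($"  {element.Certificate.Subject}");
                foreach (X509ChainStatus status in element.ChainElementStatus)
                    report.AppendLine($"    {status.Status}: {status.StatusInformation.Trim()}");
            }
        }

        lastReport = report.ToString();
        return sslPolicyErrors == SslPolicyErrors.None;
    }

    static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "localhost"; // assumed default, as in the question
        int port = args.Length > 1 ? int.Parse(args[1]) : 1419;  // assumed default, as in the question

        using var tcp = new TcpClient(host, port);
        using var ssl = new SslStream(tcp.GetStream(), false, ValidateServerCertificate);
        try
        {
            // The MQ client starts TLS directly on the listener socket, so do the same.
            ssl.AuthenticateAsClient(host, null, SslProtocols.Tls12, checkCertificateRevocation: false);
            Console.WriteLine("TLS handshake succeeded; server certificate validated.");
        }
        catch (AuthenticationException ex)
        {
            // This is the exception the MQ trace ends with when the callback returns false.
            Console.WriteLine($"Handshake failed: {ex.Message}");
        }
        Console.WriteLine(lastReport);
    }
}
```

Run it inside the same container as the MQ client so it sees the same trust store. A NotTimeValid or PartialChain status on the queue manager's own certificate points at the server side; an UntrustedRoot on the last element means the CA copied by update-ca-certificates is not the one that actually signed the chain.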
    

Recommended answer

I managed to get it working by only installing one (CN=app_test) of the three certificates from the .p12 file into my local user store.

The file contains:

  • CN=Root CA v2,DC=corp1,DC=ad1,DC=xxx,DC=net
  • CN=Appl Sub CA v2,DC=corp1,DC=ad1,DC=xxx,DC=net
  • CN=app_test

If I install the whole collection of those three certificates I get a failure with the code 2059 from MQ.
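The answer's fix is to keep the CA certificates out of the personal store that the MQ client searches. The program below is an added example, not code from the original post or from IBM: it splits the PKCS#12 bundle by role (the end-entity certificate, identified by its private key and the absence of a CA basic constraint, versus the CA certificates, with the self-signed root separated from the sub-CA), installs each into the appropriate CurrentUser store, and then verifies that the leaf builds a chain to the installed CAs. The bundle path, password and Windows friendly-name convention are taken from the question; the store split into Root and CertificateAuthority is this example's own choice.

```csharp
// Added example (not from the original post): install a PKCS#12 bundle so that only the
// end-entity certificate with its private key lands in CurrentUser\My (the store the MQ
// client searches with SSL_CERT_STORE_PROPERTY = "*USER"), while the CA certificates go
// into the trust stores. Paths and password are the question's values, used as placeholders.
using System;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;

static class MqClientCertInstaller
{
    // A certificate is a CA if it carries BasicConstraints with cA=TRUE.
    static bool IsCa(X509Certificate2 cert) =>
        cert.Extensions.OfType<X509BasicConstraintsExtension>().Any(e => e.CertificateAuthority);

    static void AddTo(StoreName name, X509Certificate2 cert)
    {
        using var store = new X509Store(name, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        store.Add(cert);
        Console.WriteLine($"{name}: {cert.Subject}");
    }

    // Builds the chain from the stores just populated; returns the status list (empty = valid).
    static string[] ChainStatus(X509Certificate2 leaf)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.Build(leaf);
        return chain.ChainStatus.Select(s => s.Status.ToString()).ToArray();
    }

    static void Main()
    {
        var bundle = new X509Certificate2Collection();
        // Password is a placeholder from the question; read it from a secret store in real code.
        bundle.Import(File.ReadAllBytes("./ssl/key.p12"), "123456", X509KeyStorageFlags.PersistKeySet);

        var certs = bundle.Cast<X509Certificate2>().ToList();
        // The end-entity cert is the one with the private key that is not itself a CA.
        var leaf = certs.Single(c => c.HasPrivateKey && !IsCa(c));
        var cas = certs.Where(IsCa).ToList();

        // On Windows the MQ client finds the client certificate by this friendly name;
        // FriendlyName cannot be set on Linux, so it is skipped there, as in the question.
        if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
            leaf.FriendlyName = $"ibmwebspheremq{Environment.UserName.ToLower()}";

        AddTo(StoreName.My, leaf);                       // only the leaf in the personal store
        foreach (var ca in cas)
        {
            bool selfSigned = ca.Subject == ca.Issuer;   // root CA vs. intermediate
            AddTo(selfSigned ? StoreName.Root : StoreName.CertificateAuthority, ca);
        }

        var status = ChainStatus(leaf);
        Console.WriteLine(status.Length == 0
            ? "Leaf chains to the installed CAs."
            : "Chain failed: " + string.Join(", ", status));
    }
}
```

After running it in the container, the personal store should hold exactly one certificate. On Linux the .NET user stores are files under ~/.dotnet/corefx/cryptography/x509stores/, so `ls` of the `my` directory there is a quick way to confirm that the CA certificates did not end up beside the client certificate.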

