I. Key repository commands
(nfture@AppServeframe)/app/nfture> runmqckm --help
Invalid object: --help
-Program usage-
Object Action Description
------ ------ -----------
-keydb -changepw Change the password for a key database
-convert Convert the format of a key database
-create Create a key database
-delete Delete a key database
-expiry Display password expiry
-list Currently supported types of key database.
-stashpw Stash the password of a key database into a file
-cert -add Add a CA Certificate
-create Create a self-signed certificate
-delete Delete a certificate
-details Show the details of a specific certificate
-export Export a personal certificate and associated private key
into a PKCS12 file or a key database
-extract Extract a certificate from a key database
-getdefault Show the default personal certificate
-import Import a certificate from a key database or a PKCS12 file
-list List certificates in a key database
-listsigners List signer certificates delivered with ikeyman
-listibmcloudsigners Constants.Command.LongDescription.Cert.ListIBMCloudSigner
-modify Modify a certificate (NOTE: the only field that may be
modified is the trust field)
-populate Populate with included CA Certificates
-addtrust Constants.Command.LongDescription.Cert.AddTrust
-receive Receive a certificate
-rename Rename a certificate
-setdefault Set the default personal certificate
-sign Sign a certificate
-validate Validate a certificate path
-certreq -create Create a certificate request
-delete Delete a certificate request from a certificate request
database
-details Show the details of a specific certificate request
-extract Extract a certificate from a certificate request database
-list List all certificate requests in a certificate request
database
-recreate Re-create a certificate request
-seckey -create Create a secret key
-delete Delete a secret key
-details Show the details of a specific secret key
-export Export secret keys to a file
-import Import secret keys from a file
-list List all secret keys in a key database
-rename Rename a secret key
-version Display iKeyman version information
-locale Set the display language
-help Display this help text
Create a key repository
runmqckm -keydb -create -db key.kdb -pw passw0rd -type cms -expire 365 -stash
runmqakm -keydb -create -db key.kdb -pw passw0rd -type cms -expire 365 -stash
Add a CA certificate to the key repository
runmqckm -cert -add -db key.kdb -label MYCA -file ca.cer -pw passw0rd
runmqakm -cert -add -db key.kdb -label MYCA -file ca.cer -pw passw0rd
Add a personal certificate to the key repository
runmqckm -cert -import -file SignedServerCert.p12 -type pkcs12 -pw cert_pssd -target key.kdb -target_pw passw0rd
runmqakm -cert -import -file client.p12 -type pkcs12 -pw 123456 -target key.kdb -target_pw passw0rd
List the CA certificates in the key repository
runmqckm -cert -list CA -db key.kdb -pw passw0rd
runmqakm -cert -list CA -db key.kdb -pw passw0rd
List the personal certificates in the key repository
runmqckm -cert -list personal -db key.kdb -pw passw0rd
runmqakm -cert -list personal -db key.kdb -pw passw0rd
List all certificates in the key repository
runmqckm -cert -list -db key.kdb -pw passw0rd
runmqakm -cert -list -db key.kdb -pw passw0rd
Extract a CA certificate from the key repository
runmqckm -cert -extract -db key.kdb -pw passw0rd -label MYCA -target ca.cer
runmqakm -cert -extract -db key.kdb -pw passw0rd -label MYCA -target ca.cer
Export a personal certificate from the key repository
runmqckm -cert -export -db key.kdb -pw passw0rd -label personallable -type cms -target personal.p12 -target_pw target_password -target_type pkcs12
Create a certificate request file and send the generated CSR to the CA for signing
runmqckm -certreq -create -db key.kdb -pw passw0rd -label label -dn "CN=QueueManagerName,O=IBM,C=US,OU=MQ Support,ST=Florida" -size 1024 -file certreq.crs
Delete the certificate with the given label from the key repository
runmqckm -cert -delete -db key.kdb -pw passw0rd -label MYCA
Create a self-signed certificate
runmqckm -cert -create -db key.kdb -pw passw0rd -label MYLABELNAME -dn "CN=MQL2,O=IBM,C=US,OU=MQ Support,ST=NorthCarolina" -size 2048
Change the expired key repository password stored in the .sth stash file
runmqckm -keydb -changepw -db key.kdb -pw passw0rd -new_pw newpassw0rd -expire 365 -stash
II. Transmitting MQ messages over an SSL-encrypted channel
1. Create and start the queue manager
crtmqm SSL1
strmqm SSL1
2. Define the listener, the channel and a local queue
runmqsc SSL1
DEFINE LISTENER(LIST1) TRPTYPE(TCP) PORT(1490) CONTROL(QMGR)
START LISTENER(LIST1)
DEFINE CHANNEL(SSL1.SVRCONN) CHLTYPE(SVRCONN) SSLCAUTH(OPTIONAL)
DEFINE QLOCAL(Q1)
3. Define the client connection channel
runmqsc SSL1
DEFINE CHANNEL(SSL1.SVRCONN) CHLTYPE(CLNTCONN) CONNAME ('127.0.0.1(1490)') QMNAME(SSL1)
4. On MQ 7.1 or higher, disable CHLAUTH and CONNAUTH
runmqsc SSL1
ALTER QMGR CHLAUTH(DISABLED) CONNAUTH (' ')
REFRESH SECURITY TYPE(CONNAUTH)
5. Set the environment variables for the CCDT (client channel definition table) path and file name
set MQCHLLIB=/opt/mqm/qmgrs/SSL1\@ipcc
set MQCHLTAB=AMQCLCHL.TAB
6. Send and receive messages
amqsputc Q1 SSL1
amqsgetc Q1 SSL1
7. SSL configuration
A. Create the queue manager's key repository
runmqckm -keydb -create -db key.kdb -type cms -pw passw0rd -stash
B. Create a self-signed queue manager certificate
runmqckm -cert -create -db key.kdb -pw passw0rd -label ibmwebspheremqssl1 -dn "CN=ssl1,O=IBM,C=US" -size 2048
C. Extract the queue manager certificate (public key)
runmqckm -cert -extract -db key.kdb -pw passw0rd -label ibmwebspheremqssl1 -target ssl1.arm
D. Create the client key repository
runmqckm -keydb -create -db user.kdb -type cms -pw passw0rd -stash
E. Create a self-signed client certificate
runmqckm -cert -create -db user.kdb -pw passw0rd -label ibmwebspheremqonlimit -dn "CN=onlimit,O=NF,C=CN" -size 2048
F. Extract the client certificate (public key)
runmqckm -cert -extract -db user.kdb -pw passw0rd -label ibmwebspheremqonlimit -target onlimit.arm
G. Import each side's public certificate into the other side's kdb key repository
#Import the queue manager's certificate into the client's user.kdb
runmqckm -cert -add -db user.kdb -pw passw0rd -label ssl1_signer -file ssl1.arm
#Import the client's certificate into the queue manager's key.kdb
runmqckm -cert -add -db key.kdb -pw passw0rd -label ibmwebspheremqonlimit -file onlimit.arm
H. List all certificates
runmqckm -cert -list personal -db user.kdb -pw passw0rd
runmqckm -cert -list ca -db user.kdb -pw passw0rd
I. Channel SSL verification settings
runmqsc SSL1
ALTER CHANNEL(SSL1.SVRCONN) chltype(SVRCONN) sslciph(ECDHE_RSA_AES_256_CBC_SHA384)
ALTER CHANNEL(SSL1.SVRCONN) chltype(CLNTCONN) sslciph(ECDHE_RSA_AES_256_CBC_SHA384)
REFRESH SECURITY TYPE(SSL)
J. Convert the KDB to Java JKS format.
runmqckm -keydb -convert -db key.kdb -new_format jks -pw passw0rd -target hostname.jks
Set the environment variables
set MQCHLLIB=xxx
set MQCHLTAB=AMQCLCHL.TAB
set MQSSLKEYR=xxx
K. Verify the result
amqsputc Q1 SSL1
III. Notes on channel verification errors when using the framework
1. When using the framework, the product framework sets the MQSERVER environment variable by default.
When MQSERVER is set at the same time, the MQCHLTAB setting has no effect.
PLUG. MQSERVER =SSL1.SVRCONN/TCP/127.0.0.1(1490)
set MQCHLLIB=xxx
set MQCHLTAB=AMQCLCHL.TAB
This causes the client to fail with error 2393 when connecting to the queue manager, and the queue manager error log shows:
RemoteHost(127.0.0.1(1490))
CommentInsert1(SSL1.SVRCONN)
CommentInsert2(localhost (127.0.0.1)(1490))
CommentInsert3(SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA ) -> SSLCIPH(????))
AMQ9641E: Remote CipherSpec error for channel 'SSL1.SVRCONN' to host 'localhost
(127.0.0.1)(1490)'.
After removing PLUG. MQSERVER from the configuration, the SSL channel encryption works normally.
IV. Encrypted message transmission over an SSL channel using CA-signed certificates
1. Queue manager configuration
(nfture@AppServeframe)/app/nfture> crtmqm SSL1
IBM MQ queue manager created.
Directory '/var/mqm/qmgrs/SSL1' created.
The queue manager is associated with installation 'Installation1'.
Creating or replacing default objects for queue manager 'SSL1'.
Default objects statistics : 84 created. 0 replaced. 0 failed.
Completing setup.
Setup completed.
(nfture@AppServeframe)/app/nfture> strmqm SSL1
IBM MQ queue manager 'SSL1' starting.
The queue manager is associated with installation 'Installation1'.
5 log records accessed on queue manager 'SSL1' during the log replay phase.
Log replay for queue manager 'SSL1' complete.
Transaction manager state recovered for queue manager 'SSL1'.
IBM MQ queue manager 'SSL1' started using V9.1.0.0.
(nfture@AppServeframe)/app/nfture> runmqsc SSL1
5724-H72 (C) Copyright IBM Corp. 1994, 2018.
Starting MQSC for queue manager SSL1.
DEFINE LISTENER(LIST1) TRPTYPE(TCP) PORT(1490) CONTROL(QMGR)
1 : DEFINE LISTENER(LIST1) TRPTYPE(TCP) PORT(1490) CONTROL(QMGR)
AMQ8626I: IBM MQ listener created.
START LISTENER(LIST1)
2 : START LISTENER(LIST1)
AMQ8021I: Request to start IBM MQ listener accepted.
DEFINE CHANNEL(SSL1.SVRCONN) CHLTYPE(SVRCONN) SSLCAUTH(OPTIONAL)
3 : DEFINE CHANNEL(SSL1.SVRCONN) CHLTYPE(SVRCONN) SSLCAUTH(OPTIONAL)
AMQ8014I: IBM MQ channel created.
DEFINE QLOCAL(Q1)
4 : DEFINE QLOCAL(Q1)
AMQ8006I: IBM MQ queue created.
DEFINE CHANNEL(SSL1.SVRCONN) CHLTYPE(CLNTCONN) CONNAME ('127.0.0.1(1490)') QMNAME(SSL1)
5 : DEFINE CHANNEL(SSL1.SVRCONN) CHLTYPE(CLNTCONN) CONNAME ('127.0.0.1(1490)') QMNAME(SSL1)
AMQ8014I: IBM MQ channel created.
ALTER QMGR CHLAUTH(DISABLED) CONNAUTH (' ')
6 : ALTER QMGR CHLAUTH(DISABLED) CONNAUTH (' ')
AMQ8005I: IBM MQ queue manager changed.
REFRESH SECURITY TYPE(CONNAUTH)
7 : REFRESH SECURITY TYPE(CONNAUTH)
AMQ8560I: IBM MQ security cache refreshed.
ALTER CHANNEL(SSL1.SVRCONN) chltype(SVRCONN) sslciph(ECDHE_RSA_AES_256_CBC_SHA384)
8 : ALTER CHANNEL(SSL1.SVRCONN) chltype(SVRCONN) sslciph(ECDHE_RSA_AES_256_CBC_SHA384)
AMQ8016I: IBM MQ channel changed.
ALTER CHANNEL(SSL1.SVRCONN) chltype(CLNTCONN) sslciph(ECDHE_RSA_AES_256_CBC_SHA384)
9 : ALTER CHANNEL(SSL1.SVRCONN) chltype(CLNTCONN) sslciph(ECDHE_RSA_AES_256_CBC_SHA384)
AMQ8016I: IBM MQ channel changed.
REFRESH SECURITY TYPE(SSL)
10 : REFRESH SECURITY TYPE(SSL)
AMQ8560I: IBM MQ security cache refreshed.
dis CHANNEL(SSL1.SVRCONN)
11 : dis CHANNEL(SSL1.SVRCONN)
AMQ8414I: Display Channel details.
CHANNEL(SSL1.SVRCONN) CHLTYPE(SVRCONN)
ALTDATE(2021-06-26) ALTTIME(11.37.29)
CERTLABL( ) COMPHDR(NONE)
COMPMSG(NONE) DESCR( )
DISCINT(0) HBINT(300)
KAINT(AUTO) MAXINST(999999999)
MAXINSTC(999999999) MAXMSGL(4194304)
MCAUSER( ) MONCHL(QMGR)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCAUTH(OPTIONAL)
SSLCIPH(ECDHE_RSA_AES_256_CBC_SHA384) SSLPEER( )
TRPTYPE(TCP)
AMQ8414I: Display Channel details.
CHANNEL(SSL1.SVRCONN) CHLTYPE(CLNTCONN)
AFFINITY(PREFERRED) ALTDATE(2021-06-26)
ALTTIME(11.37.34) CERTLABL( )
CLNTWGHT(0) COMPHDR(NONE)
COMPMSG(NONE) CONNAME(127.0.0.1(1490))
DEFRECON(NO) DESCR( )
HBINT(300) KAINT(AUTO)
LOCLADDR( ) MAXMSGL(4194304)
MODENAME( ) PASSWORD( )
QMNAME(SSL1) RCVDATA( )
RCVEXIT( ) SCYDATA( )
SCYEXIT( ) SENDDATA( )
SENDEXIT( ) SHARECNV(10)
SSLCIPH(ECDHE_RSA_AES_256_CBC_SHA384) SSLPEER( )
TPNAME( ) TRPTYPE(TCP)
USERID( )
dis qmgr;
12 : dis qmgr;
AMQ8408I: Display Queue Manager details.
QMNAME(SSL1) ACCTCONO(DISABLED)
ACCTINT(1800) ACCTMQI(OFF)
ACCTQ(OFF) ACTIVREC(MSG)
ACTVCONO(DISABLED) ACTVTRC(OFF)
ADVCAP(DISABLED) ALTDATE(2021-06-26)
ALTTIME(11.37.13) AMQPCAP(NO)
AUTHOREV(DISABLED) CCSID(819)
CERTLABL(ibmwebspheremqssl1) CERTVPOL(ANY)
CHAD(DISABLED) CHADEV(DISABLED)
CHADEXIT( ) CHLEV(DISABLED)
CHLAUTH(DISABLED) CLWLDATA( )
CLWLEXIT( ) CLWLLEN(100)
CLWLMRUC(999999999) CLWLUSEQ(LOCAL)
CMDEV(DISABLED) CMDLEVEL(910)
COMMANDQ(SYSTEM.ADMIN.COMMAND.QUEUE) CONFIGEV(DISABLED)
CONNAUTH( ) CRDATE(2021-06-26)
CRTIME(11.36.19) CUSTOM( )
DEADQ( ) DEFCLXQ(SCTQ)
DEFXMITQ( ) DESCR( )
DISTL(YES) IMGINTVL(60)
IMGLOGLN(OFF) IMGRCOVO(YES)
IMGRCOVQ(YES) IMGSCHED(MANUAL)
INHIBTEV(DISABLED) IPADDRV(IPV4)
LOCALEV(DISABLED) LOGGEREV(DISABLED)
MARKINT(5000) MAXHANDS(256)
MAXMSGL(4194304) MAXPROPL(NOLIMIT)
MAXPRTY(9) MAXUMSGS(10000)
MONACLS(QMGR) MONCHL(OFF)
MONQ(OFF) PARENT( )
PERFMEV(DISABLED) PLATFORM(UNIX)
PSMODE(ENABLED) PSCLUS(ENABLED)
PSNPMSG(DISCARD) PSNPRES(NORMAL)
PSRTYCNT(5) PSSYNCPT(IFPER)
QMID(SSL1_2021-06-26_11.36.19) REMOTEEV(DISABLED)
REPOS( ) REPOSNL( )
REVDNS(ENABLED) ROUTEREC(MSG)
SCHINIT(QMGR) SCMDSERV(QMGR)
SPLCAP(DISABLED) SSLCRLNL( )
SSLCRYP( ) SSLEV(DISABLED)
SSLFIPS(NO) SSLKEYR(/var/mqm/qmgrs/SSL1/ssl/key)
SSLRKEYC(0) STATACLS(QMGR)
STATCHL(OFF) STATINT(1800)
STATMQI(OFF) STATQ(OFF)
STRSTPEV(ENABLED) SUITEB(NONE)
SYNCPT TREELIFE(1800)
TRIGINT(999999999) VERSION(09010000)
XRCAP(NO)
end
13 : end
12 MQSC commands read.
No commands have a syntax error.
All valid MQSC commands were processed.
2. Certificate issuance
All passwords in this example are set to 123456
(nfture@AppServeframe)/app/nfture/sslcert> openssl genrsa -out root.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
..............................................................+++
................+++
e is 65537 (0x10001)
Enter pass phrase for root.key:
Verifying - Enter pass phrase for root.key:
(nfture@AppServeframe)/app/nfture/sslcert> openssl req -new -key root.key -out root.csr
Enter pass phrase for root.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:NFcertCa
Organizational Unit Name (eg, section) []:dev
Common Name (eg, your name or your server's hostname) []:NFcertCaHost
Email Address []:NFcertCaHost@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:NFcertCa
(nfture@AppServeframe)/app/nfture/sslcert> openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt
Signature ok
subject=/C=CN/ST=SH/L=shanghai/O=NFcertCa/OU=dev/CN=NFcertCaHost/emailAddress=NFcertCaHost@163.com
Getting Private key
Enter pass phrase for root.key:
(nfture@AppServeframe)/app/nfture/sslcert> openssl genrsa -out server.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
....................................+++
............+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
(nfture@AppServeframe)/app/nfture/sslcert> openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:NFcertServer
Organizational Unit Name (eg, section) []:dev
Common Name (eg, your name or your server's hostname) []:NFServerHost
Email Address []:NFServerHost@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:NFcertServer
(nfture@AppServeframe)/app/nfture/sslcert> openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAserial root.srl -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/C=CN/ST=SH/L=shanghai/O=NFcertServer/OU=dev/CN=NFServerHost/emailAddress=NFServerHost@163.com
Getting CA Private Key
Enter pass phrase for root.key:
(nfture@AppServeframe)/app/nfture/sslcert> openssl genrsa -out client.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
...+++
..................+++
e is 65537 (0x10001)
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:
(nfture@AppServeframe)/app/nfture/sslcert> openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:NFcertClient
Organizational Unit Name (eg, section) []:dev
Common Name (eg, your name or your server's hostname) []:NFClientHost
Email Address []:NFClientHost@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:NFcertClient
(nfture@AppServeframe)/app/nfture/sslcert> openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAserial root.srl -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=/C=CN/ST=SH/L=shanghai/O=NFcertClient/OU=dev/CN=NFClientHost/emailAddress=NFClientHost@163.com
Getting CA Private Key
Enter pass phrase for root.key:
(nfture@AppServeframe)/app/nfture/sslcert> openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:
(nfture@AppServeframe)/app/nfture/sslcert> openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
Enter pass phrase for server.key:
Enter Export Password:
Verifying - Enter Export Password:
(nfture@AppServeframe)/app/nfture/sslcert> ls
client.crt client.csr client.key client.p12 root.crt root.csr root.key root.srl server.crt server.csr server.key server.p12
(nfture@AppServeframe)/app/nfture/sslcert>
3. Building the MQ key repositories
(nfture@AppServeframe)/app/nfture> mkdir userkdb
(nfture@AppServeframe)/app/nfture> cd userkdb/
(nfture@AppServeframe)/app/nfture/userkdb> runmqckm -keydb -create -db user.kdb -type cms -pw passw0rd -stash
(nfture@AppServeframe)/app/nfture/userkdb> cp ../sslcert/client.p12 .
(nfture@AppServeframe)/app/nfture/userkdb> cp ../sslcert/root.crt .
(nfture@AppServeframe)/app/nfture/userkdb> runmqckm -cert -add -db user.kdb -pw passw0rd -label calable -file root.crt
(nfture@AppServeframe)/app/nfture/userkdb> runmqckm -cert -import -file client.p12 -type pkcs12 -pw 123456 -target user.kdb -target_pw passw0rd
(nfture@AppServeframe)/app/nfture/userkdb> runmqckm -cert -list -db user.kdb -pw passw0rd
Certificates in database /app/nfture/userkdb/user.kdb:
1
calable
(nfture@AppServeframe)/app/nfture/userkdb> cd /var/mqm/qmgrs/SSL1/ssl/
(nfture@AppServeframe)/var/mqm/qmgrs/SSL1/ssl> cp /app/nfture/sslcert/root.crt /app/nfture/sslcert/server.p12 .
(nfture@AppServeframe)/var/mqm/qmgrs/SSL1/ssl> runmqckm -keydb -create -db key.kdb -type cms -pw passw0rd -stash
(nfture@AppServeframe)/var/mqm/qmgrs/SSL1/ssl> runmqckm -cert -add -db key.kdb -pw passw0rd -label calable -file root.crt
(nfture@AppServeframe)/var/mqm/qmgrs/SSL1/ssl> runmqckm -cert -import -file server.p12 -type pkcs12 -pw 123456 -target key.kdb -target_pw passw0rd
(nfture@AppServeframe)/var/mqm/qmgrs/SSL1/ssl> runmqckm -cert -list -db key.kdb -pw passw0rd
Certificates in database /var/mqm/qmgrs/SSL1/ssl/key.kdb:
1
calable
(nfture@AppServeframe)/var/mqm/qmgrs/SSL1/ssl> chmod 666 *
(nfture@AppServeframe)/var/mqm/qmgrs/SSL1/ssl>
4. Set the environment variables used by amqsgetc and amqsputc
Copy the CCDT file into the path referenced by the environment variables
(nfture@AppServeframe)/var/mqm/qmgrs/SSL1/@ipcc> cp AMQCLCHL.TAB /app/nfture/sslcert/
(nfture@AppServeframe)/app/nfture > setenv MQSSLKEYR /app/nfture/userkdb/user
(nfture@AppServeframe)/app/nfture > setenv MQCHLLIB /app/nfture/sslcert
(nfture@AppServeframe)/app/nfture > setenv MQCHLTAB AMQCLCHL.TAB
5. Verify with amqsputc
Note the 2393 error here and the gsk_get_cert_by_label entry in the MQ error log
(nfture@AppServeframe)/app/nfture > amqsputc Q1 SSL1
Sample AMQSPUT0 start
MQCONNX ended with reason code 2393
(nfture@AppServeframe)/app/nfture >
----- amqzmgr0.c : 2949 -------------------------------------------------------
06/26/21 12:19:52 - Process(27902.4) User(nfture) Program(amqrmppa)
Host(AppServeframe) Installation(Installation1)
VRMF(9.1.0.0) QMgr(SSL1)
Time(2021-06-26T04:19:52.930Z)
RemoteHost(127.0.0.1)
ArithInsert1(407)
CommentInsert1(????)
CommentInsert2(gsk_get_cert_by_label)
CommentInsert3(????)
AMQ9637E: Channel is lacking a certificate.
EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is '????' (if '????' it is unknown at this stage in the SSL processing).
The remote host is '????'.
The channel did not start.
ACTION:
Make sure the appropriate certificates are correctly configured in the key
repositories for both ends of the channel.
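As an added triage example (not part of the original notes), a Python parser for the two queue manager error-log records shown on this page, the AMQ9641E cipher mismatch from section III and the AMQ9637E missing-certificate record above, plus the default certificate label rule (ibmwebspheremq followed by the queue manager name, or the client user id, in lowercase) that explains why re-importing the server certificate as ibmwebspheremqssl1 fixes the second error. The sample log is constructed from the page's records; the first record's header, timestamp and Process line are filler.

```python
import re
from typing import Any, Dict, List

# Constructed sample in the layout of the queue manager error log: the field lines are
# the two records on this page; the first record's header, timestamp and Process line are filler.
SAMPLE_LOG = """\
----- constructed.c : 1 -------------------------------------------------------
06/26/21 12:05:10 - Process(27801.3) User(nfture) Program(amqrmppa)
RemoteHost(127.0.0.1(1490))
CommentInsert1(SSL1.SVRCONN)
CommentInsert2(localhost (127.0.0.1)(1490))
CommentInsert3(SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA ) -> SSLCIPH(????))
AMQ9641E: Remote CipherSpec error for channel 'SSL1.SVRCONN' to host 'localhost (127.0.0.1)(1490)'.
----- amqzmgr0.c : 2949 -------------------------------------------------------
06/26/21 12:19:52 - Process(27902.4) User(nfture) Program(amqrmppa)
VRMF(9.1.0.0) QMgr(SSL1)
RemoteHost(127.0.0.1)
CommentInsert1(????)
CommentInsert2(gsk_get_cert_by_label)
AMQ9637E: Channel is lacking a certificate.
"""

FLAT = re.compile(r"(\w+)\(([^()]*)\)")      # Name(value) with no nested parentheses
NESTED = re.compile(r"^(\w+)\((.*)\)$")       # a single Name(value) whose value nests them
MSG = re.compile(r"^(AMQ\d{4}[EIW]): (.*)$")   # AMQnnnnX: message text

def parse_records(text: str) -> List[Dict[str, Any]]:
    """Split an error log into records and collect each record's Name(value) fields."""
    records: List[Dict[str, Any]] = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("-----"):                       # record separator line
            records.append({"fields": {}, "code": None, "text": None})
        elif records:
            rec, m = records[-1], MSG.match(line)
            if m:
                rec["code"], rec["text"] = m.group(1), m.group(2)
            elif line.count("(") == len(FLAT.findall(line)):  # only flat fields on the line
                rec["fields"].update(FLAT.findall(line))
            elif NESTED.match(line):                        # e.g. RemoteHost(127.0.0.1(1490))
                rec["fields"][NESTED.match(line).group(1)] = NESTED.match(line).group(2)
    return records

def expected_default_label(qmgr: str = "", user: str = "") -> str:
    """Label MQ looks up when CERTLABL is blank: ibmwebspheremq followed by the queue
    manager name (server side) or the client user id (client side) in lowercase."""
    return "ibmwebspheremq" + (qmgr or user).lower()

def personal_labels(listing: str) -> List[str]:
    """Labels in 'runmqckm -cert -list personal' output (first line is the header)."""
    return [l.strip() for l in listing.splitlines()[1:] if l.strip()]

def diagnose(rec: Dict[str, Any]) -> str:
    """Map the two failure records on this page to their cause and fix."""
    f = rec["fields"]
    if rec["code"] == "AMQ9641E":
        return (f"CipherSpec mismatch on channel {f.get('CommentInsert1')}: {f.get('CommentInsert3')}; "
                "a client with MQSERVER set ignores MQCHLLIB/MQCHLTAB, so the CCDT's CLNTCONN "
                "SSLCIPH is never offered: unset MQSERVER and connect through the CCDT")
    if rec["code"] == "AMQ9637E" and f.get("CommentInsert2") == "gsk_get_cert_by_label":
        exp = expected_default_label(qmgr=str(f.get("QMgr", "")))
        return (f"no personal certificate labelled '{exp}' in the key repository of {f.get('QMgr')}: "
                f"re-import with -new_label {exp} or set CERTLABL on the queue manager")
    return f"{rec['code']}: no rule for this record"
```

Run it over a real AMQERR01.LOG by passing its contents to parse_records and feeding each record to diagnose; personal_labels takes the output of the runmqckm listing shown in step 6 below.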
6. Change the label of the server certificate in the queue manager's key.kdb
(scbibps@AppServeframe)/var/mqm/qmgrs/SSL1/ssl> ls
key.kdb key.rdb key.sth root.crt server.p12
(nfture@AppServeframe)/var/mqm/qmgrs/SSL1/ssl> runmqckm -cert -list personal -db key.kdb -pw passw0rd
Certificates in database /var/mqm/qmgrs/SSL1/ssl/key.kdb:
1
(nfture@AppServeframe)/var/mqm/qmgrs/SSL1/ssl> runmqckm -cert -import -file server.p12 -type pkcs12 -pw 123456 -target key.kdb -target_pw passw0rd -label 1 -new_label ibmwebspheremqssl1
(nfture@AppServeframe)/var/mqm/qmgrs/SSL1/ssl> runmqckm -cert -list personal -db key.kdb -pw passw0rd
Certificates in database /var/mqm/qmgrs/SSL1/ssl/key.kdb:
ibmwebspheremqssl1
(nfture@AppServeframe)/var/mqm/qmgrs/SSL1/ssl>
7. Verify with amqsputc and amqsgetc; communication now works normally
(nfture@AppServeframe)/var/mqm/qmgrs/SSL1/ssl> amqsputc Q1 SSL1
Sample AMQSPUT0 start
target queue is Q1
123456789
end
Sample AMQSPUT0 end
(nfture@AppServeframe)/var/mqm/qmgrs/SSL1/ssl> amqsgetc Q1 SSL1
Sample AMQSGET0 start
message <123456789>
message <end>
end
^C
(nfture@AppServeframe)/var/mqm/qmgrs/SSL1/ssl>
Software download
http://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/messaging/mqadv