问题
We are using JBOSS EAP 6.3 maintained via openshift. We want to connect with Websphere MQ which is SSL enabled.
I am successfully able to connect to non-ssl MQ via JBOSS. But while trying to connect with ssl MQ i am facing below error,
Blockquote Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) at sun.security.ssl.Handshaker.activate(Handshaker.java:470) [jsse.jar:1.7.0_79] at sun.security.ssl.SSLSocketImpl.kickstartHandshake(SSLSocketImpl.java:1438) [jsse.jar:1.7.0_79] at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1308) [jsse.jar:1.7.0_79] at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359) [jsse.jar:1.7.0_79] at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343) [jsse.jar:1.7.0_79] at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1314) at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1309) at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_79] at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1307) ... 26 more
I have made required entries in standalone.xml and jboss-ejb3.xml
standalone.xml
<system-properties>
<property name="javax.net.ssl.keyStore" value="${env.OPENSHIFT_REPO_DIR}/.openshift/config/mq.jks"/>
<property name="javax.net.ssl.keyStorePassword" value="password"/>
<property name="javax.net.ssl.trustStore" value="${env.OPENSHIFT_REPO_DIR}/.openshift/config/mq.jks"/>
<property name="javax.net.ssl.trustStorePassword" value="password"/>
<property name="sslCipherSuite" value="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
<property name="org.apache.coyote.http11.Http11Protocol.COMPRESSION" value="on"/>
</system-properties>
<resource-adapter id='wmq.jmsra.rar'>
<archive>
wmq.jmsra.rar
</archive>
<transaction-support>NoTransaction</transaction-support>
<connection-definitions>
<connection-definition jndi-name='java:jboss/${env.OPENSHIFT_MQ_CLIENT_CONNECTIONFACTORY_NAME}' class-name='com.ibm.mq.connector.outbound.ManagedConnectionFactoryImpl' pool-name='wmq.jmsra.rar_CD'>
<config-property name='port'>
${env.OPENSHIFT_MQ_CLIENT_PORT}
</config-property>
<config-property name='hostName'>
${env.OPENSHIFT_MQ_CLIENT_HOST_NAME}
</config-property>
<config-property name='channel'>
${env.OPENSHIFT_MQ_CLIENT_CHANNEL}
</config-property>
<config-property name='transportType'>
${env.OPENSHIFT_MQ_CLIENT_TRANSPORT_TYPE}
</config-property>
<config-property name='queueManager'>
${env.OPENSHIFT_MQ_CLIENT_QUEUE_MANAGER}
</config-property>
<config-property name='sslCipherSuite'>
SSL_RSA_WITH_3DES_EDE_CBC_SHA
</config-property>
</connection-definition>
</connection-definitions>
<admin-objects>
<admin-object jndi-name='java:jboss/${env.OPENSHIFT_MQ_CLIENT_QUEUE_NAME1}' class-name='com.ibm.mq.connector.outbound.MQQueueProxy' pool-name='BNE_DEV_IN'>
<config-property name='baseQueueName'>
${env.OPENSHIFT_MQ_CLIENT_QUEUE_NAME1}
</config-property>
</admin-object>
</admin-objects>
</resource-adapter>
jboss-ejb3.xml
<activation-config>
<activation-config-property>
<activation-config-property-name>destination</activation-config-property-name>
<activation-config-property-value>QueueName</activation-config-property-value>
</activation-config-property>
<activation-config-property>
<activation-config-property-name>hostName</activation-config-property-name>
<activation-config-property-value>hostName</activation-config-property-value>
</activation-config-property>
<activation-config-property>
<activation-config-property-name>queueManager</activation-config-property-name>
<activation-config-property-value>qmanagerName</activation-config-property-value>
</activation-config-property>
<activation-config-property>
<activation-config-property-name>channel</activation-config-property-name>
<activation-config-property-value>channelName</activation-config-property-value>
</activation-config-property>
<activation-config-property>
<activation-config-property-name>transportType</activation-config-property-name>
<activation-config-property-value>CLIENT</activation-config-property-value>
</activation-config-property>
<activation-config-property>
<activation-config-property-name>destinationType</activation-config-property-name>
<activation-config-property-value>javax.jms.Queue</activation-config-property-value>
</activation-config-property>
<activation-config-property>
<activation-config-property-name>useJNDI</activation-config-property-name>
<activation-config-property-value>false</activation-config-property-value>
</activation-config-property>
<activation-config-property>
<activation-config-property-name>port</activation-config-property-name>
<activation-config-property-value>portNumber</activation-config-property-value>
</activation-config-property>
<activation-config-property>
<activation-config-property-name>sslCipherSuite</activation-config-property-name>
<activation-config-property-value>SSL_RSA_WITH_3DES_EDE_CBC_SHA</activation-config-property-value>
</activation-config-property>
Can anyone please help me to find what is missing?
回答1:
The error message states it clearly that you are using a sslCipherSuite not supported by the queue manager. Find out what SSL Cipher Spec is set on the channel of the queue manager you are connecting to, and set a compatible sslCipherSuite instead of the one you are using now (SSL_RSA_WITH_3DES_EDE_CBC_SHA).
回答2:
It generally helps to know which version of MQ a question is about. Since the cipher in question is almost universally supported, it's possible that the QMgr is of modern vintage in which this cipher has been deprecated. That's all versions of MQ v8.x and versions of 7.x with newer GSKits and FixPacs.
Please see Deprecated CipherSpecs in the Knowledge Center for details on which ciphers are no longer considered safe and how to configure MQ to use them anyway, if you are an adrenaline junkie and like to live life on the bleeding edge. Assuming of course that this is indeed the issue generating the messages you are reporting.
回答3:
Although this is not intended as a complete answer, I hope that it will assist.
Until recently, MQ did not support advanced ciphers except when the IBM JRE was used. Non-IBM JRE did not allow selection of AES and other TLS based ciphers. This was resolved in IBM v8 and in some earlier versions with the release of a PTF. See http://www-01.ibm.com/support/docview.wss?uid=swg1IV66840
It is important to note that in order to use this capability, the Java System Property com.ibm.mq.cfg.useIBMCipherMappings must be set to false.
Since you are using JBOSS, I expect that you are not using an IBM JRE, and you will therefore need to set this Java System Property.
来源:https://stackoverflow.com/questions/32324779/how-to-configure-jboss-connectivity-with-websphere-ssl-enabled-mq