Websphere MQ Java/JMS 客户端的 SSL/AMS 配置


IBM官方配置指南
http://www-01.ibm.com/support/docview.wss?uid=swg24010367

另外可以参考IBM关于Security方面的详细文档
http://www.slideshare.net/MoragHughson/websphere-mq-v8-security-deep-dive

直接使用Java配置SSL

/********************************************************************/
/*                                                                  */
/* Program name: SSLSample                                          */
/*                                                                  */
/* Description: Sample Java program that demonstrates how to        */
/*              specify SSL client connection information for a     */
/*              MQQueueManager connection.                          */
/*                                                                  */
/* <START_COPYRIGHT>                                                */
/* Licensed Materials - Property of IBM                             */
/*                                                                  */
/* (C) Copyright IBM Corp. 2006,2009 All Rights Reserved.           */
/*                                                                  */
/* US Government Users Restricted Rights - Use, duplication or      */
/* disclosure restricted by GSA ADP Schedule Contract with          */
/* IBM Corp.                                                        */
/* <END_COPYRIGHT>                                                  */
/*                                                                  */
/********************************************************************/
/*                                                                  */
/* Overview:                                                        */
/*                                                                  */
/*   This sample is provided with WebSphere MQ SupportPac MO04 -    */
/*   WebSphere MQ SSL Wizard. The wizard will generate command line */
/*   options to be used with this program.                          */
/*                                                                  */
/*   It is assumed that the SSL server connection channel and other */
/*   SSL administration, as instructed by the wizard, has been      */
/*   completed before running this program.                         */
/*                                                                  */
/*   If the SSL connection is successful the program should output: */
/*                                                                  */
/*      "Connection Successful!"                                    */
/*                                                                  */
/********************************************************************/
/*                                                                  */
/* Function:                                                        */
/*                                                                  */
/*   SSLSample is a sample Java program that demonstrates how to    */
/*   supply SSL information for a client connection on a            */
/*   MQQueueManager connection.                                     */
/*                                                                  */
/*   The sample simply connects to the queue manager by             */
/*   constructing the MQQueueManager object and then disconnects    */
/*   using the MQQueueManager disconnect method.                    */
/*                                                                  */
/********************************************************************/
/*                                                                  */
/* Usage:                                                           */
/*                                                                  */
/*   SSLSample has 7 parameters, all of which are mandatory:        */
/*                                                                  */
/*     java SSLSample Conname Port SvrconnChannelName               */
/*             QMgrName SSLCiph SSLKeyr SSLKeyrPassword             */
/*                                                                  */
/*   The parameters are:                                            */
/*                                                                  */
/*     Conname     - the connection name of the server queue        */
/*                   manager in the same format as the CONNAME      */
/*                   parameter on the MQSC DEFINE CHANNEL command,  */
/*                   but without the port specified.                */
/*                                                                  */
/*     Port        - the connection port of the server queue        */
/*                   manager.                                       */
/*                                                                  */
/*     SvrconnChannelName                                           */
/*                 - the name of the server connection channel      */
/*                   on the server queue manager with which the     */
/*                   sample program will try to connect.            */
/*                                                                  */
/*     QMgrName    - the name of the server queue manager.          */
/*                                                                  */
/*     SSLCiph     - the SSL CipherSpec.                            */
/*                                                                  */
/*     SSLKeyr     - the name of a single store, which is both the  */
/*                   keystore and truststore.                       */
/*                                                                  */
/*     SSLKeyrPassword                                              */
/*                 - the SSL key repository password.               */
/*                                                                  */
/*   For example:                                                   */
/*                                                                  */
/*     java SSLSample myhost1 1414 SSL.SVRCONN QM1 NULL_MD5         */
/*                                    C:\mq\ssl\client.kdb password */
/*                                                                  */
/********************************************************************/
import java.util.Hashtable;

import com.ibm.mq.*; //Include the WebSphere MQ classes for Java package
import com.ibm.mq.constants.MQConstants; 

public class SSLSample {

  // define the parms
  private static String conname ;
  private static String port    ;
  private static String channel ;
  private static String qmgr    ;
  private static String sslciph ;
  private static String sslkeyr ;
  private static String sslpass ;
  
  public static void main(String args[]) {
    /****************************************************************/
    /* Check for correct number of arguments                        */
    /****************************************************************/
    if (args.length == 7) {
      conname = args[0];
      port    = args[1];
      channel = args[2];
      qmgr    = args[3];
      sslciph = args[4];
      sslkeyr = args[5];
      sslpass = args[6];
    }
    else {
      System.out.println("Usage parms: Conname Port Channel Qmgr SSLCiph SSLStore SSLKeyStorePassword");
      System.out.println("     NOTE - SSLStore is the name of a single store, which is both the keystore and truststore.");
      return;
    }
  
    new SSLSample().runSample();     
  }

  public void runSample() {
    //System.setProperty("javax.net.debug", "true");

    /****************************************************************/
    /* Utilise the arguments                                        */
    /****************************************************************/
    System.setProperty("javax.net.ssl.trustStore", sslkeyr );
    System.setProperty("javax.net.ssl.keyStore", sslkeyr );
    System.setProperty("javax.net.ssl.keyStorePassword", sslpass );
    MQEnvironment.hostname       = conname;
    MQEnvironment.port           = Integer.parseInt(port);
    MQEnvironment.channel        = channel;
    MQEnvironment.properties.put(MQConstants.SSL_CIPHER_SUITE_PROPERTY,sslciph); 

    /****************************************************************/
    /* Print out parms                                              */
    /****************************************************************/
    System.out.println("Connecting to:");
    System.out.println("  Conname = " + MQEnvironment.hostname);
    System.out.println("  Port = " + MQEnvironment.port);
    System.out.println("  Channel = " + MQEnvironment.channel);
    System.out.println("  Qmgr = " + qmgr);
    System.out.println("  SSLCiph = "+ MQEnvironment.properties.get(MQConstants.SSL_CIPHER_SUITE_PROPERTY));
    System.out.println("  SSLTrustStore = "+ System.getProperty("javax.net.ssl.trustStore"));
    System.out.println("  SSLKeyStore = "+ System.getProperty("javax.net.ssl.keyStore"));
    System.out.println("  SSLKeyStorePassword = "+ System.getProperty("javax.net.ssl.keyStorePassword"));

    try {

      /**************************************************************/
      /* Connect to queue manager                                   */
      /**************************************************************/
      System.out.println("Connecting...");
      MQQueueManager qMgr = new MQQueueManager(qmgr);
      System.out.println("Connection successful!");

      /**************************************************************/
      /* Disconnect from queue manager                              */
      /**************************************************************/
      System.out.println("Disconnecting from the Queue Manager");
      qMgr.disconnect();
      System.out.println("Done!");
    }
    catch (MQException ex) {
      System.out.println("A WebSphere MQ Error occured : Completion Code "
                + ex.completionCode + " Reason Code " + ex.reasonCode);
    }
  }
} 


使用JMS配置SSL
/********************************************************************/
/*                                                                  */
/* Program name: SSLSampleJMS                                       */
/*                                                                  */
/* Description: Sample JMS program that demonstrates how to         */
/*              specify SSL client connection information for a     */
/*              MQQueueConnectionFactory connection.                */
/*                                                                  */
/* <START_COPYRIGHT>                                                */
/* Licensed Materials - Property of IBM                             */
/*                                                                  */
/* (C) Copyright IBM Corp. 2006, 2009 All Rights Reserved.          */
/*                                                                  */
/* US Government Users Restricted Rights - Use, duplication or      */
/* disclosure restricted by GSA ADP Schedule Contract with          */
/* IBM Corp.                                                        */
/* <END_COPYRIGHT>                                                  */
/*                                                                  */
/********************************************************************/
/*                                                                  */
/* Overview:                                                        */
/*                                                                  */
/*   This sample is provided with WebSphere MQ SupportPac MO04 -    */
/*   WebSphere MQ SSL Wizard. The wizard will generate command line */
/*   options to be used with this program.                          */
/*                                                                  */
/*   It is assumed that the SSL server connection channel and other */
/*   SSL administration, as instructed by the wizard, has been      */
/*   completed before running this program.                         */
/*                                                                  */
/*   If the SSL connection is successful the program should output: */
/*                                                                  */
/*      "Connection Successful!"                                    */
/*                                                                  */
/********************************************************************/
/*                                                                  */
/* Function:                                                        */
/*                                                                  */
/*   SSLSampleJMS is a sample Java program that demonstrates how to */
/*   supply SSL information for a client connection on a            */
/*   MQQueueConnectionFactory connection.                           */
/*                                                                  */
/*   The sample simply connects to the queue manager.               */
/*                                                                  */
/********************************************************************/
/*                                                                  */
/* Usage:                                                           */
/*                                                                  */
/*   SSLSampleJMS has 7 parameters, all of which are mandatory:     */
/*                                                                  */
/*     java SSLSampleJMS Conname Port SvrconnChannelName            */
/*             QMgrName SSLCiph SSLKeyr SSLKeyrPassword             */
/*                                                                  */
/*   The parameters are:                                            */
/*                                                                  */
/*     Conname     - the connection name of the server queue        */
/*                   manager in the same format as the CONNAME      */
/*                   parameter on the MQSC DEFINE CHANNEL command,  */
/*                   but without the port specified.                */
/*                                                                  */
/*     Port        - the connection port of the server queue        */
/*                   manager.                                       */
/*                                                                  */
/*     SvrconnChannelName                                           */
/*                 - the name of the server connection channel      */
/*                   on the server queue manager with which the     */
/*                   sample program will try to connect.            */
/*                                                                  */
/*     QMgrName    - the name of the server queue manager.          */
/*                                                                  */
/*     SSLCiph     - the SSL CipherSpec.                            */
/*                                                                  */
/*     SSLKeyr     - the name of a single store, which is both the  */
/*                   keystore and truststore.                       */
/*                                                                  */
/*     SSLKeyrPassword                                              */
/*                 - the SSL key repository password.               */
/*                                                                  */
/*   For example:                                                   */
/*                                                                  */
/*     java SSLSampleJMS myhost1 1414 SSL.SVRCONN QM1               */
/*                           NULL_MD5 C:\mq\ssl\client.kdb password */
/*                                                                  */
/********************************************************************/
import javax.jms.*;
import com.ibm.mq.*;
import com.ibm.mq.jms.*;
import com.ibm.mq.jms.services.*;
import com.ibm.msg.client.wmq.common.CommonConstants;
//import com.ibm.mq.constants.MQConstants; 

public class SSLSampleJMS {
  private static String conname ;
  private static String port    ;
  private static String channel ;
  private static String qmgr    ;
  private static String sslciph ;
  private static String sslkeyr ;
  private static String sslpass ;
  private  MQQueueConnectionFactory qcf;
  private  QueueConnection queueCon;
  private QueueSession queueSession;
  
  public static void main(String args[]) {
    /**************************************************************/
    /* Check for correct number of arguments                      */
    /**************************************************************/
    if (args.length == 7) {
      conname = args[0];
      port    = args[1];
      channel = args[2];
      qmgr    = args[3];
      sslciph = args[4];
      sslkeyr = args[5];
      sslpass = args[6];
    }
    else {
      System.out.println("Usage parms: Conname Port Channel Qmgr SSLCiph SSLStore SSLKeyStorePassword");
      System.out.println("     NOTE - SSLStore is the name of a single store, which is both the keystore and truststore.");
      return;
    }
  
    new SSLSampleJMS().runSample();     
  }

  public void runSample() {
    //System.setProperty("javax.net.debug", "true");

    /****************************************************************/
    /* Utilise the arguments                                        */
    /****************************************************************/
    System.setProperty("javax.net.ssl.trustStore", sslkeyr );
	 	System.setProperty("javax.net.ssl.keyStore", sslkeyr );
	 	System.setProperty("javax.net.ssl.keyStorePassword", sslpass );

    try {
      /**************************************************************/
      /* Utilise the arguments                                      */
      /**************************************************************/
      qcf = new MQQueueConnectionFactory();
      qcf.setHostName(conname);
      qcf.setPort(Integer.parseInt(port));
      qcf.setQueueManager(qmgr);
      qcf.setChannel(channel);
      qcf.setTransportType(CommonConstants.WMQ_CM_CLIENT);
      qcf.setSSLCipherSuite(sslciph);
      
      /**************************************************************/
      /* Print out parms                                            */
      /**************************************************************/
      System.out.println("Connecting to:");
      System.out.println("  Conname = " + qcf.getHostName());
      System.out.println("  Port = " + qcf.getPort());
      System.out.println("  Channel = " + qcf.getChannel());
      System.out.println("  Qmgr = " + qcf.getQueueManager());
      System.out.println("  SSLCiph = "+ qcf.getSSLCipherSuite());
      System.out.println("  SSLTrustStore = "+ System.getProperty("javax.net.ssl.trustStore"));
      System.out.println("  SSLKeyStore = "+ System.getProperty("javax.net.ssl.keyStore"));
      System.out.println("  SSLKeyStorePassword = "+ System.getProperty("javax.net.ssl.keyStorePassword"));
      
      /**************************************************************/
      /* Connect to queue manager                                   */
      /**************************************************************/
      queueCon = qcf.createQueueConnection();
      queueSession = queueCon.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
      System.out.println("Connection Successful!"     );
      
    } catch(Exception e){
      e.printStackTrace();
    }
  }
}




http://www.ibm.com/developerworks/cn/websphere/library/techarticles/0510_fehners/0510_fehners.html


http://www.ibm.com/developerworks/cn/websphere/techjournal/0211_yusuf/yusuf.html

Troubleshooting Java/JMS SSL Configurations
http://www-01.ibm.com/support/docview.wss?uid=swg21614686


Can I use the same keystore for AMS as used for MQ SSL?
Websphere MQ Java/JMS 客户端的 SSL/AMS 配置_第1张图片

http://stackoverflow.com/questions/4271116/wmq-ams-keystore
You can, but also have the option to use separate certs and/or keystores if you want. The keystore.conf file contains the details of the keystore and the label of the certificate that AMS will use for encrypting and signing messages. This can point to the same certificate as used by the application for making connections to WebSphere MQ, the same certificate the app server uses for SSL connections or an entirely separate keystore dedicated to AMS.

The key (excuse the pun) is to manage the keystores based on the security model required. The app server's keystore probably has a number of external-facing certificates in its trust store. For example, it might trust several commercial certificate authorities. The AMS keystore must contain the certificates of anyone who will be signing or encrypting messages that your app will consume or receiving encrypted messages from your app. Since these are usually internal-facing it might be worthwhile to use a separate keystore for AMS than is used for external-facing entities. Otherwise the two different security models (internal-facing and external-facing) end up trusting each others participants.

This is just one example and in general the idea is to construct the keystores based on the specific security model required and using a least-trust principle. You have to balance the cost of maintaining separate keystores against the extra security of maintaining individual ones.

Secure Your Messages with IBM MQ Advanced Message Security
http://www.slideshare.net/MoragHughson/ame2286-ams
Key slides
Websphere MQ Java/JMS 客户端的 SSL/AMS 配置_第2张图片
Websphere MQ Java/JMS 客户端的 SSL/AMS 配置_第3张图片
Websphere MQ Java/JMS 客户端的 SSL/AMS 配置_第4张图片
Websphere MQ Java/JMS 客户端的 SSL/AMS 配置_第5张图片
Websphere MQ Java/JMS 客户端的 SSL/AMS 配置_第6张图片
Websphere MQ Java/JMS 客户端的 SSL/AMS 配置_第7张图片

你可能感兴趣的:(java,IBM,ssl,jms,MQ)