未能在客户端进程和MQ系列之间建立SSL通信。

huangapple go评论77阅读模式
英文:

failed to establish SSL communication b/w client process and MQ series

问题

根据公司政策,我们需要对客户进程与 MQ 服务器之间的通信渠道进行加密。在我们的分布式系统中,我们有一些需要与 MQ 建立连接的 Java 进程,比如说,进程 A 和 B。

A 和 B 运行在不同的虚拟机上。它们拥有完全相同的环境,包括相同版本的 JRE(1.8.0_151-b12)、相同的依赖项、相同的 JCE 扩展文件。我们在每个进程的启动脚本中添加了与 SSL 相关的 JVM 参数,比如:

-Djavax.net.ssl.trustStore
-Djavax.net.ssl.trustStorePassword
-Djavax.net.ssl.keyStore
-Djavax.net.ssl.keyStorePassword

相应的 trustStore 和 keyStore 文件已经就位,并且被正确引用。

进程 A 正常工作,我们观察到了 SSL 握手和加密消息。然而,进程 B 失败,并显示了类似以下的消息:

忽略不可用的密码套件 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
...
原因是:java.lang.IllegalArgumentException: 无法使用当前已安装的提供程序支持 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

我花了时间在网上查找,并找到了一个相关的帖子1:它建议下载和升级 JCE 文件 - 问题是我已经安装了 JCE 文件(无限制版本),而且这些文件对于两个进程都是相同的。我认为 JCE 文件不是问题的根本原因。

我的问题是,MQ 团队是否也需要安装 JCE 文件,以便客户端建立 SSL 连接?我这边的配置是否已经完成,是否有什么我可能遗漏的地方?

更新: 问题已解决。请参见我的下面评论。

英文:

As per the firm's policy we are required to encrypt communication channels b/w our client processes with MQ server. In our distributed system, we have a few Java processes required to establish connection with MQ. Let me say, process A and B.

A and B run on different virtual machines. They have EXACTLY the same environment including JRE of same version(1.8.0_151-b12), same dependencies, same JCE extension files. We added ssl related JVM parameters to the launching scripts of each process, such as

-Djavax.net.ssl.trustStore
-Djavax.net.ssl.trustStorePassword
-Djavax.net.ssl.keyStore
-Djavax.net.ssl.keyStorePassword

the corresponding trustStore and keyStore files are in place and properly referred to.

A works fine and we observed the SSL handshake and encrypted messages. However, process B failed with messages such as:

ignoring unavailable cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
...
Caused by: java.lang.IllegalArgumentException: Cannot support 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA with currently installed providers

I did spend time checking online and one relevant post is from here : it suggested downloading and upgrading JCE files - the thing is that I already have JCE files (unlimited) installed and those are the same for both processes. I don't think JCE files is the root of the problem.

My question is, does the MQ team also have to install JCE files as well, in order for the client to establish SSL connection? Is the configuration on my end completed, anything I might have missed?

Update: problem solved. See my comments below.

答案1

得分: 2

无限强度的司法管辖策略文件直到1.8.0_162版本才默认包含并启用(crypto.policy设置为无限)。在1.8.0_151版本中,虽然包含了无限强度的司法管辖策略文件,但并未启用。

请检查您确实在两个虚拟机上运行了Java 1.8.0_151-b12版本,如果是的话,请确保工作的虚拟机上的java安全文件的crypto.policy设置与不工作的虚拟机相同。

英文:

Unlimited Strength Jurisdiction Policy Files were not included and enabled (crypto.policy set to unlimited) by default until 1.8.0_162. At 1.8.0_151 Unlimited Strength Jurisdiction Policy Files were included but not enabled.

Please check that you in fact running Java 1.8.0_151-b12 on both VMs, if you are then make sure the java security file crypto.policy setting on the working VM is identical to the non-working VM.

huangapple
  • 本文由 发表于 2020年9月2日 22:29:34
  • 转载请务必保留本文链接:https://go.coder-hub.com/63707735.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定