Certificate Label when fetching from Windows Cert Store for .Net MQ Client

落花浮王杯 submitted on 2019-12-11 10:05:20

Question


I have set the KeyStore to *User to get the certificate from the Windows certificate store. The MQ client application is trying to find the certificate using the label name as shown in the log from the client trace. I tried setting the CertificateLabel from the client.ini and code, but it is not overriding the value.

How should I change that? Even if I can override it, how can I change the label of the certificate which I directly imported into my certificate store?

Please help.

000001B6 12:23:39.868134 4236.8 Created store object to access certificates 
000001B7 12:23:39.868134 4236.8 Opened store 
000001B8 12:23:39.868134 4236.8 Accessing certificate - **ibmwebspheremq(username)** 


How should I change the label in the certificate store for the existing certificate?

And then it throws the below exception:

000001B9 12:23:39.868134 4236.8 TLS12 supported - True 
000001BA 12:23:39.868134 4236.8 Setting SslProtol as Tls 
000001BB 12:23:39.868134 4236.8 Starting SSL Authentication 
000001BC 12:23:39.868134 4236.8 ------------{ MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) 
000001BD 12:23:39.868134 4236.8 Client callback has been invoked to find client certificate 
000001BE 12:23:39.868134 4236.8 ------------} MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK 
000001BF 12:23:40.507601 4236.8 System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm

Answer 1:


I've just finished battling this exact same problem, with MQ v.8, over the last 2 days and found Shashi's link to be helpful, but it didn't completely solve my problem. In addition to the instructions on that link, you need to make sure that the "Friendly name" of the certificate in the store is compliant with the MQ certificate label naming convention i.e. ibmwebspheremqlogonuserID.

For example, let's say you're currently logged in and your logon ID is jdoe. When you run your MQ client, the MQ client libraries will look for a certificate with a friendly name matching ibmwebspheremqjdoe. Finally, I only needed to add the following two properties to connect successfully:

properties.Add(MQC.SSL_CERT_STORE_PROPERTY, "*SYSTEM");
properties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA");

Bear in mind that I installed the CA-signed certificate into the "Local computer" key store and not the user keystore. That's why I specified *SYSTEM in the SSL_CERT_STORE_PROPERTY.

Here are all of the properties I used:

// Requires: using System.Collections; using IBM.WMQ;
Hashtable properties = new Hashtable();
// Use the fully managed .NET transport
properties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);
properties.Add(MQC.HOST_NAME_PROPERTY, hostName);
properties.Add(MQC.PORT_PROPERTY, port);
properties.Add(MQC.CHANNEL_PROPERTY, channelName);
// *SYSTEM selects the "Local computer" certificate store
properties.Add(MQC.SSL_CERT_STORE_PROPERTY, "*SYSTEM");
properties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA");
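
The friendly-name rule described in the answer can be checked, and the name corrected, from .NET itself. The following is an added example, not code from the original post or from IBM: the thumbprint is a placeholder, the class name and the `--set` switch are hypothetical, and lower-casing the logon ID is an assumption based on the `ibmwebspheremqjdoe` example above.

```csharp
// Added example (Windows only: FriendlyName is a Windows certificate-store property).
using System;
using System.Security.Cryptography.X509Certificates;

class MqCertLabelCheck
{
    // Placeholder: replace with the thumbprint of the imported client certificate.
    const string Thumbprint = "<CERT-THUMBPRINT-PLACEHOLDER>";

    static int Main(string[] args)
    {
        bool fix = args.Length > 0 && args[0] == "--set";
        // Assumption: label = fixed prefix + logon ID in lower case.
        string expected = "ibmwebspheremq" + Environment.UserName.ToLowerInvariant();

        // LocalMachine matches "*SYSTEM" in the answer; use
        // StoreLocation.CurrentUser when the key store is "*USER".
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        try
        {
            // ReadWrite is needed only to persist a new friendly name; for the
            // LocalMachine store it requires an elevated process.
            store.Open(OpenFlags.OpenExistingOnly |
                       (fix ? OpenFlags.ReadWrite : OpenFlags.ReadOnly));
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, Thumbprint, false);
            if (found.Count == 0)
            {
                Console.Error.WriteLine("Certificate not found in store.");
                return 2;
            }
            X509Certificate2 cert = found[0];
            Console.WriteLine("Subject:       " + cert.Subject);
            Console.WriteLine("Friendly name: '" + cert.FriendlyName + "'");
            Console.WriteLine("Expected:      '" + expected + "'");
            // A client certificate without its private key cannot be used
            // for TLS client authentication.
            Console.WriteLine("Private key:   " + cert.HasPrivateKey);

            if (fix) cert.FriendlyName = expected; // persisted to the open store
            bool ok = string.Equals(cert.FriendlyName, expected,
                                    StringComparison.Ordinal);
            Console.WriteLine(ok ? "Label matches." : "Label mismatch.");
            return ok ? 0 : 1;
        }
        finally { store.Close(); }
    }
}
```

Run it without arguments to report the current state, and with `--set` from an elevated prompt to rename the certificate.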


Source: https://stackoverflow.com/questions/34817966/certificate-label-when-fetching-from-windows-cert-store-for-net-mq-client
