尽管我提供了 -Djavax.net.ssl.trustStore 属性,但为什么 java 使用 JAVA_HOME/lib/security/cacerts 的默认位置密钥库/信任库
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/33821785/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Why java uses default location keystore/truststore of JAVA_HOME/lib/security/cacerts though I have supplied -Djavax.net.ssl.trustStore properties
提问by Laxman G
In my java application I am running with supplied -Djavax.net.ssl.trustStoreSystem properties as below.
在我的 java 应用程序中,我使用提供的-Djavax.net.ssl.trustStore系统属性运行,如下所示。
-Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.trustStoreType=jks -Djavax.net.debug=ssl
This is my Complete command line :
这是我的完整命令行:
$JAVA_HOME/bin/java -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp -Xms512m -Xmx1024m -XX:MaxPermSize=192m -Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.keyStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.keyStorePassword=XXXXX -Dweblogic.security.SSL.ignoreHostnameVerification=true -Djavax.net.debug=ssl -Djavax.net.ssl.trustStoreType=jks -cp /Oracle/Middleware/Oracle_Home/wlserver/server/lib/wlfullclient.jar:/myapp/stand??alone/lib/asm-5.0.3.jar:/myapp/standalone/lib/castor-1.3.2-core.jar:/myapp/standa??lone/lib/myAPP_final.jar
But java is not using that certificate from custom keyStore from the custom path. It is by default going to $JAVA_HOME/lib/security/cacertswith that I am getting below exception :
但是 java 没有使用来自自定义路径的自定义 keyStore 的证书。默认情况下$JAVA_HOME/lib/security/cacerts,我会遇到以下异常:
java.net.ConnectException: t3s://myapphost.com:7500: Destination 10.243.155.222, 7900 unreachable; nested exception is:
javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination
When i am importing and adding same certificate in the $JAVA_HOME/lib/security/cacertsit not giving any Exception.
当我导入并添加相同的证书时,$JAVA_HOME/lib/security/cacerts它没有给出任何异常。
I have refer and this postand try to configured same things in $JAVA_HOME/jre/lib/security/java.securityand added following entry:
我参考了这篇文章并尝试在其中配置相同的内容$JAVA_HOME/jre/lib/security/java.security并添加以下条目:
javax.net.ssl.trustStore=/myapp/app.jks
javax.net.ssl.trustStorePassword=XXXXX
javax.net.ssl.trustStoreType=jks
Still i am facing same problem.
我仍然面临同样的问题。
My Question and problem here is, why java always goes java default keyStore location: $JAVA_HOME/lib/security/cacertsthough i have supplied and configured my own custom keyStore using : -Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.trustStoreType=jks -Djavax.net.debug=ssl
我的问题和问题是,为什么 java 总是使用 java 默认的 keyStore 位置:$JAVA_HOME/lib/security/cacerts尽管我已经使用以下方法提供和配置了我自己的自定义 keyStore:-Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.trustStoreType=jks -Djavax.net.debug=ssl
And if i am importing same certificate in default java keyStore loation it is working fine for me.
如果我在默认的 java keyStore loation 中导入相同的证书,它对我来说工作正常。
where and what all i need to change to configure different keystore to avoid to above exception.
我需要更改的位置和内容以配置不同的密钥库以避免上述异常。
采纳答案by Laxman G
After seeing this PostI have configured and supplied following system properties -Doption it resolved the problem for me. Hope it will help to others so i am posting it.
看到这篇文章后,我已经配置并提供了以下系统属性-D选项,它为我解决了问题。希望它会对其他人有所帮助,所以我发布了它。
-Dweblogic.security.CustomTrustKeyStoreFileName=/myapp/app.jks
-Dweblogic.security.TrustKeyStore=CustomTrust
-Dweblogic.security.CustomTrustKeyStorePassPhrase=XXXXXPWD
-Dweblogic.security.CustomTrustKeyStoreType=jks
I have understood following things which i have kept in Note: of -Dweblogic.security.TrustKeyStoreparameter.
我已经理解了我在-Dweblogic.security.TrustKeyStore参数中保留的以下内容。
Note 1:-Dweblogic.security.TrustKeyStorewill have following options and internal interpretation
注 1:-Dweblogic.security.TrustKeyStore将有以下选项和内部解释
-Dweblogic.security.TrustKeyStore=JavaStandardTrust(We should use when the trusted CAs in the JDK's cacerts, specify this)-Dweblogic.security.TrustKeyStore=DemoTrust(We should use when the trusted CAs in DemoTrust.jks and in the JDK's cacerts, specify this)-Dweblogic.security.TrustKeyStore=CustomTrust(We should use when the trusted CAs from another keystore, specify this).
-Dweblogic.security.TrustKeyStore=JavaStandardTrust(我们应该在 JDK 的 cacerts 中使用受信任的 CA 时,指定此项)-Dweblogic.security.TrustKeyStore=DemoTrust(我们应该在 DemoTrust.jks 和 JDK 的 cacerts 中的受信任 CA 时使用,指定此项)-Dweblogic.security.TrustKeyStore=CustomTrust(当来自另一个密钥库的可信 CA 时,我们应该使用,指定 this)。
Note 2:
注2:
Any time if you got below Exception, it means your java application is not finding certificate in the specified trust-store.
任何时候如果您低于异常,这意味着您的 Java 应用程序没有在指定的信任库中找到证书。
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:unable to find valid certification path to requested target,It is telling the same.
Note 3:
Important things try to cogfigured -Djavax.net.debug=sslfor seeing more detail view of logs. Normally without that parameter we wont be able to see more details log.
注意 3:重要的事情尝试配置以-Djavax.net.debug=ssl查看日志的更多详细信息视图。通常没有该参数,我们将无法查看更多详细信息日志。
