Java WebSphere: certificate not trusted
Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same license, cite the original URL and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/21336145/
certificate not trusted by Websphere
Asked by Nabil
I have a web application that calls a SOAP Web service secured via SSL (https://zzzzzzzzzzzz/xxxxx).
The server sends two certificates (Root and Leaf), so I import the two certificates using the property com.ibm.websphere.ssl.retrieveLeafCert.
To enable SSL validation on WebSphere I just add the certificates into WebSphere:
SSL certificate and key management -> Key stores and certificates -> NodeDefaultTrustStore -> Signer certificates -> Retrieve from port:
- host : hostname
- port : 443
- alias : alias
The problem is that WebSphere does not trust the certificate and gives me this stack trace:
Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://------------------------------ : com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=-------------------------------------------------------------------- is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.6.0]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:56) ~[na:1.6.0]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:39) ~[na:1.6.0]
at java.lang.reflect.Constructor.newInstance(Constructor.java:527) ~[na:1.6.0]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1338) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1322) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.endpoint.ClientImpl.invokeWrapped(ClientImpl.java:354) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.jaxws.DispatchImpl.invoke(DispatchImpl.java:385) ~[cxf-rt-frontend-jaxws-2.7.4.jar:2.7.4]
... 100 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=--------------------------------------------------------- is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.o.a(o.java:8) ~[na:6.0 build_20130515]
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:549) ~[na:6.0 build_20130515]
at com.ibm.jsse2.kb.a(kb.java:355) ~[na:6.0 build_20130515]
at com.ibm.jsse2.kb.a(kb.java:130) ~[na:6.0 build_20130515]
at com.ibm.jsse2.lb.a(lb.java:135) ~[na:6.0 build_20130515]
at com.ibm.jsse2.lb.a(lb.java:368) ~[na:6.0 build_20130515]
at com.ibm.jsse2.kb.s(kb.java:442) ~[na:6.0 build_20130515]
at com.ibm.jsse2.kb.a(kb.java:136) ~[na:6.0 build_20130515]
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:495) ~[na:6.0 build_20130515]
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:223) ~[na:6.0 build_20130515]
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:724) ~[na:6.0 build_20130515]
at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:81) ~[na:6.0 build_20130515]
at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:8) ~[na:6.0 build_20130515]
at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:20) ~[na:6.0 build_20130515]
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1043) ~[na:1.6.0]
at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:85) ~[na:6.0 build_20130515]
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:168) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1282) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1233) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1295) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
... 110 common frames omitted
Caused by: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=-------------------------------------------- is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.util.h.b(h.java:39) ~[na:6.0 build_20130515]
at com.ibm.jsse2.util.h.b(h.java:21) ~[na:6.0 build_20130515]
at com.ibm.jsse2.util.g.a(g.java:1) ~[na:6.0 build_20130515]
at com.ibm.jsse2.pc.a(pc.java:36) ~[na:6.0 build_20130515]
at com.ibm.jsse2.pc.checkServerTrusted(pc.java:19) ~[na:6.0 build_20130515]
at com.ibm.jsse2.pc.b(pc.java:51) ~[na:6.0 build_20130515]
at com.ibm.jsse2.lb.a(lb.java:65) ~[na:6.0 build_20130515]
... 128 common frames omitted
Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:411) ~[na:na]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:258) ~[na:na]
at com.ibm.jsse2.util.h.b(h.java:107) ~[na:6.0 build_20130515]
... 134 common frames omitted
Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=-------------------------------------------------------
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111) ~[na:na]
at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:178) ~[na:na]
at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:737) ~[na:na]
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:649) ~[na:na]
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595) ~[na:na]
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:357) ~[na:na]
... 136 common frames omitted
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:298) ~[na:na]
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108) ~[na:na]
... 141 common frames omitted
The same code is tested in my local environment with the simple use of InstallCert.java and running my tests with -Djavax.net.ssl.trustStore=jssecacerts (jssecacerts is the file generated by InstallCert.java).
Accepted answer by Nabil
I tested a million WebSphere configurations.
The only procedure that works is the one described in this link:
By defining the CXF interceptor:
<cxf:bus>
    <cxf:outInterceptors>
        <bean class="---------------------.WebsphereSslOutInterceptor" />
    </cxf:outInterceptors>
</cxf:bus>
For more details, please see:
https://github.com/vlussenburg/websphere-cxf-extensions#websphere-cxf-extensions
Thanks a lot for your help guys.
Answered by Anton Novopashin
You should add the whole certificate chain in your configuration. Usually a certificate has at least the root certificate of the Authorization Center or a chain of similar certificates.
WAS requires a signed certificate by default.
Answered by Robert Höglund
The problem here is that the certificate path builder (a part of the Java CertPath API) cannot build the certificate chain during the SSL handshake. During the handshake the SSL peer host sends its certificate (identity) to the client; for the client to trust that particular certificate a chain of trust must be built on the client side, and that is what is happening when you get the fault. The problem here is that the chain of trust cannot be created since you are missing either the signer certificate and/or the root certificate in your truststore (trust anchor).
Note that the PKIX trust manager performs a "scope of trust" validation, which means that you do not need a complete certificate chain on the client side to fulfill the trust relationship with the SSL peer; you will only need the signer/intermediate certificates in your truststore. In fact, if you put the leaf certificate in the truststore, that should also make things work, since that states that you have explicit trust in that particular certificate and a certificate chain validation is not needed.
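The path-building behaviour this answer describes, as an added example that is not part of the original post and not code from WebSphere, CXF or OpenSSL: a POSIX shell script that generates a throwaway root -> intermediate -> leaf chain with openssl (the subject names, the 30-day lifetimes and the scratch directory are assumptions) and then validates the leaf against trust stores holding different certificates. The first case reproduces the failing configuration from the question: only the root is trusted and only the leaf arrives, which is exactly the "could not build a valid CertPath / Certificate chaining error" situation. One difference from Java worth knowing: OpenSSL only accepts a non-self-signed trust anchor (an intermediate, or the leaf itself) when -partial_chain is given, whereas, as the answer says, the Java PKIX trust manager treats any certificate in the truststore as an anchor.

```shell
#!/bin/sh
# Added example, not code from the original post or from WebSphere/CXF/OpenSSL.
# Builds a local root -> intermediate -> leaf chain and runs path validation
# against trust stores with different contents. All names, lifetimes and the
# scratch directory are assumptions; openssl's own output goes to openssl.log.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)
CNF="$WORK/openssl.cnf"
LOG="$WORK/openssl.log"

# Minimal openssl config so the script does not depend on the system openssl.cnf.
# The CA sections carry basicConstraints=CA:TRUE, which OpenSSL requires on any
# certificate it uses as an issuer.
write_config() {
  cat > "$CNF" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:zzzzzzzzzzzz
EOF
}

# issue NAME SUBJECT ISSUER SECTION: key + CSR for NAME, signed by ISSUER's key.
issue() {
  name="$1" subject="$2" issuer="$3" section="$4"
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "$subject" >>"$LOG" 2>&1
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
    -CAkey "$WORK/$issuer.key" -CAcreateserial -days 30 \
    -extfile "$CNF" -extensions "$section" -out "$WORK/$name.pem" >>"$LOG" 2>&1
}

make_chain() {
  write_config
  # Self-signed root: the only certificate a client should normally need to trust.
  openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Example Root CA" -days 30 >>"$LOG" 2>&1
  issue inter "/CN=Example Intermediate CA" root  v3_ca
  issue leaf  "/CN=zzzzzzzzzzzz"            inter v3_leaf
}

# Validate leaf.pem with the given openssl verify options; print OK or FAIL.
# The command sits in an `if` so a failed validation does not trip set -e.
check() {
  if openssl verify "$@" "$WORK/leaf.pem" >>"$LOG" 2>&1; then echo OK; else echo FAIL; fi
}

# 1. Trust store holds only the root and the server sends only its leaf: the
#    intermediate is missing, so no path can be built (the question's error).
root_only()            { check -CAfile "$WORK/root.pem"; }
# 2. Root trusted and the intermediate arrives with the leaf; -untrusted stands
#    in for the extra certificates a server sends during the handshake.
root_with_sent_inter() { check -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem"; }
# 3. Only the intermediate is in the trust store. Java PKIX accepts a non-root
#    anchor by default; OpenSSL needs -partial_chain for the same result.
inter_only_strict()    { check -CAfile "$WORK/inter.pem"; }
inter_only_partial()   { check -partial_chain -CAfile "$WORK/inter.pem"; }
# 4. The leaf itself is the trust anchor: explicit trust, no chain needed.
leaf_only_partial()    { check -partial_chain -CAfile "$WORK/leaf.pem"; }

make_chain
printf '%-40s %s\n' "root only, leaf sent alone:"         "$(root_only)"
printf '%-40s %s\n' "root trusted, intermediate sent:"    "$(root_with_sent_inter)"
printf '%-40s %s\n' "intermediate only (strict):"         "$(inter_only_strict)"
printf '%-40s %s\n' "intermediate only (-partial_chain):" "$(inter_only_partial)"
printf '%-40s %s\n' "leaf pinned (-partial_chain):"       "$(leaf_only_partial)"
```

In a real diagnosis the first check is what the server actually sends, with openssl s_client -connect host:443 -showcerts: if the intermediate is absent from the handshake, the fix is to either correct the server or import the signer (intermediate or root) into the trust store the client's SSLContext really uses, never to disable validation. Pinning the leaf (case 4) works but breaks at every certificate renewal, so prefer the intermediate or root. The keytool equivalent of the ikeyman steps given in a later answer is keytool -importcert -trustcacerts -alias LDAPCA -file signer.cer -keystore WAS_HOME/java/jre/lib/security/cacerts -storepass changeit.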
Answered by trikelef
Maybe you should look at the following technote.
If you are at a certain fix pack level you can set the value com.ibm.websphere.ssl.retrieveLeafCert to true and get the leaf certificate when Retrieving from Port.
Answered by user3458628
Thanks for all the above responses. I was able to resolve the issue java.security.cert.CertPathValidatorException: Certificate chaining error with the following configuration.
- Found that the following javax properties returned a null value in WebSphere:
- javax.net.ssl.trustStore
- javax.net.ssl.trustStorePassword
- javax.net.ssl.trustStoreType
For more details, please see this link:
java - path to trustStore - set property doesn't work?
Configured the properties as below in WebSphere:
Select Servers > Application Servers > server_name > Process Definition > Java Virtual Machine > Custom Properties > New.
a) javax.net.ssl.trustStore = jre_install_dir\lib\security\cacerts
Example: C:\Program Files\WebSphere\AppServer\java\jre\lib\security\cacerts
b) javax.net.ssl.trustStorePassword = changeit (default)
c) javax.net.ssl.trustStoreType = jks
For more details, please see this link,
After the configuration I was able to see in the logs that certificates were being added to the trust store.
Thanks, Uday Nilajkar
Answered by edubriguenti
Here are the steps to import a certificate into the JVM for an HTTPS WS call:
A) Obtain the certificate to be imported
- Each browser displays certificates in different ways, but they are usually quite similar. On the browser's URL bar there is usually a zone that you can click on to display SSL certificate information. For example, you may see a padlock in the status bar, and clicking on the padlock opens the certificate information. Once the certificate information is open, click on the "Certification Path" information. There will normally be a way to export each of the signing certificates (trusted roots). Export the certifiers in the "Base-64 encoded X.509 (.CER)" format. The exported file in this format will be an ASCII text file that has "BEGIN CERTIFICATE" and "END CERTIFICATE" lines at the top and bottom. Once you have exported the certificates that signed the remote server's SSL certificate you can then import them into the JVM.
B) Import the certificate
- Start the ikeyman utility. The utility (ikeyman.bat or ikeyman.sh) is in the WAS_HOME\bin.
- From the Key Database File menu, select Open.
- In the key database type, select JKS.
- In the File Name field, type cacerts.
- In the Location field, type WAS_HOME\java\jre\lib\security.
- In the Password Prompt window, type the password for the keystore in the Password and Confirm Password window. The default password is changeit. Click OK.
- Add the certificate you created for the LDAP server into this certificate store.
- In the main window, in the Key database content area, select Signer Certificates from the list. Click Add.
- In the Certificate file name field, browse and locate the server certificate file that was created for the LDAP server, which is in binary DER data. Verify that the appropriate directory is displayed in the Location field. Click OK.
- In the prompt, type a label for this certificate. For example, type LDAPCA. Click OK.