We have an OSGi application running on the WebSphere Liberty profile that makes HTTPS calls to various endpoints.
Some of these endpoints have their SSL certificates imported into the server trust store. Previously, a certificate would be added to the trust store and the application restarted to pick up the change.
This is the trust store configuration in use (the `${}` entries are placeholders read from a properties file):
```xml
<keyStore id="defaultKeyStore" location="${keystore.location}"
          password="${keystore.password}" type="${keystore.type}" />
<keyStore id="trustStore" location="${truststore.location}"
          password="${truststore.password}"
          type="${truststore.type}" />
<ssl clientAuthentication="false"
     clientAuthenticationSupported="true"
     id="defaultSSLConfig"
     keyStoreRef="defaultKeyStore"
     sslProtocol="SSL_TLSv2"
     trustStoreRef="trustStore" />
<sslDefault sslRef="defaultSSLConfig" />
```
Recently this was changed to use keystore polling for the trust store, by making the following change:
```xml
<keyStore id="trustStore" location="${truststore.location}"
          password="${truststore.password}"
          type="${truststore.type}" pollingRate="5s" updateTrigger="polled"/>
```
The attributes used are documented as follows:
"The keystore file can be reloaded by the server if the updateTrigger attribute is set to polled or mbean. If polling is enabled, the server monitors the keystore file for changes based on the pollingRate attribute setting."
Now, if I import a certificate into the trust store of the running server, I get the following message in the console:
[AUDIT] CWPKI0811I: The keystore file resources\security\trust.jks has been modified. The keystore file will be reloaded so the updated keystore file can be used.
However, the HTTPS call to the endpoint still fails with a certificate exception until the server is restarted (after a restart the call to the endpoint succeeds with no other change, so the certificate itself is correct and the endpoint is valid):
```
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: unable to find valid certification path to requested target
    at com.ibm.jsse2.k.a(k.java:15)
    at com.ibm.jsse2.av.a(av.java:531)
    at com.ibm.jsse2.D.a(D.java:68)
    at com.ibm.jsse2.D.a(D.java:628)
    at com.ibm.jsse2.E.a(E.java:803)
    at com.ibm.jsse2.E.a(E.java:447)
    at com.ibm.jsse2.D.r(D.java:139)
    at com.ibm.jsse2.D.a(D.java:485)
    at com.ibm.jsse2.av.a(av.java:717)
    at com.ibm.jsse2.av.i(av.java:869)
    at com.ibm.jsse2.av.a(av.java:19)
    at com.ibm.jsse2.av.startHandshake(av.java:672)
    at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:46)
    at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:35)
```
Is there something in the configuration above that I am using incorrectly, or how should I configure the Liberty profile so that it loads the correct certificate?
Some additional things I have tried:
- Getting `SSLContext.getDefault()` and re-initializing it. This works, because Liberty itself replaces its own original, immutable trust store. However, I would like to avoid this approach if possible and use the standard Liberty one.
Edit: interestingly, if I use an absolute path to the trust store in server.xml, things start working. A relative path does not work.
With a relative path:
[11/5/18 13:17:07:870 IST] 00000084 id= com.ibm.ws.ssl.internal.KeystoreConfigurationFactory > performFileBasedAction Entry
[resources\security\trust.jks]
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Clearing standard javax.net.ssl.SSLContext cache.
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager > resetDefaultSSLContext Entry
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager > getDefaultSSLConfig Entry
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager 3 getGlobalProperty -> com.ibm.ssl.defaultAlias=defaultSSLConfig
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager 3 defaultAlias: defaultSSLConfig
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager < defaultAlias not null, getDefaultSSLConfig for: defaultSSLConfig Exit
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager > keyStoreModified Entry
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager < keyStoreModified false Exit
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager 3 Modified keystore file are not part of the default SSL configuration.
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager < resetDefaultSSLContext Exit
[11/5/18 13:17:07:872 IST] 00000084 id= com.ibm.ws.ssl.internal.KeystoreConfigurationFactory A CWPKI0811I: The keystore file resources\security\trust.jks has been modified. The keystore file will be reloaded so the updated keystore file can be used.
[11/5/18 13:17:07:872 IST] 00000084 id= com.ibm.ws.ssl.internal.KeystoreConfigurationFactory < performFileBasedAction Exit
With an absolute path:
[11/5/18 13:11:32:720 IST] 00000086 id= com.ibm.ws.ssl.internal.KeystoreConfigurationFactory > performFileBasedAction Entry
[D:\programs\WebSphere\wlp-webProfile7-18.0.0.1\wlp\usr\servers\defaultServer\resources\security\trust.jks]
[11/5/18 13:11:32:723 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Clearing standard javax.net.ssl.SSLContext cache.
[11/5/18 13:11:32:723 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:11:32:723 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:11:32:723 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:11:32:723 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:11:32:724 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager > resetDefaultSSLContext Entry
[11/5/18 13:11:32:724 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager > getDefaultSSLConfig Entry
[11/5/18 13:11:32:724 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager 3 getGlobalProperty -> com.ibm.ssl.defaultAlias=defaultSSLConfig
[11/5/18 13:11:32:724 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager 3 defaultAlias: defaultSSLConfig
[11/5/18 13:11:32:724 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager < defaultAlias not null, getDefaultSSLConfig for: defaultSSLConfig Exit
[11/5/18 13:11:32:724 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager > keyStoreModified Entry
[11/5/18 13:11:32:726 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager < keyStoreModified true Exit
[11/5/18 13:11:32:726 IST] 00000086 id= com.ibm.ws.ssl.JSSEProviderFactory > getInstance: null Entry
[11/5/18 13:11:32:726 IST] 00000086 id= com.ibm.ws.ssl.JSSEProviderFactory < getInstance: com.ibm.ws.ssl.provider.IBMJSSEProvider@50d8b2eb Exit
[11/5/18 13:11:32:727 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider > setServerDefaultSSLContext Entry
[11/5/18 13:11:32:727 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider > getSSLContext Entry
null
[11/5/18 13:11:32:727 IST] 00000086 id= com.ibm.ws.ssl.config.ThreadContext 3 setOutboundConnectionInfoInternal :null
[11/5/18 13:11:32:727 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 outboundConnectionInfo: null
[11/5/18 13:11:32:727 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider > getSSLContextInstance Entry
[11/5/18 13:11:32:728 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider < getSSLContextInstance Exit
[11/5/18 13:11:32:728 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider > getKeyTrustManagers Entry
null
SSLConfig.toString() {
com.ibm.ssl.clientAuthenticationSupported=false
com.ibm.ssl.contextProvider=IBMJSSE2
config.displayId=keyStore[defaultKeyStore]
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.keyStoreReadOnly=false
com.ibm.ssl.alias=defaultSSLConfig
com.ibm.ssl.keyStoreCreateCMSStash=false
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.trustStoreName=jvmTrustStore
com.ibm.ssl.trustStorePassword=********
service.pid=com.ibm.ws.ssl.keystore_21
com.ibm.ssl.trustManager=PKIX
com.ibm.ssl.validationEnabled=false
com.ibm.ssl.trustStoreInitializeAtStartup=false
com.ibm.ssl.keyManager=IbmX509
com.ibm.ssl.keyStoreFileBased=true
com.ibm.ssl.keyStoreType=jks
com.ibm.ssl.trustStoreFileBased=true
com.ibm.ssl.trustStoreCreateCMSStash=false
com.ibm.ssl.trustStore=D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
config.overrides=true
com.ibm.ssl.daysBeforeExpireWarning=60
sslRef=defaultSSLConfig
id=defaultKeyStore
config.id=com.ibm.ws.ssl.keystore[defaultKeyStore]
com.ibm.ssl.clientAuthentication=false
com.ibm.ssl.keyStore=resources/security/key.jks
com.ibm.ssl.trustStoreReadOnly=false
config.source=file
alias=defaultSSLConfig
com.ibm.ssl.tokenEnabled=false
com.ibm.ssl.keyStoreName=defaultKeyStore
com.ibm.ssl.keyStorePassword=********
com.ibm.ssl.keyStoreInitializeAtStartup=false
service.factoryPid=com.ibm.ws.ssl.keystore
com.ibm.ssl.trustStoreType=jks
}
[11/5/18 13:11:32:728 IST] 00000086 id= com.ibm.ws.ssl.config.KeyStoreManager 3 Returning a keyStore for name: jvmTrustStore
[11/5/18 13:11:32:728 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore > do_getKeyStore Entry
false
false
[11/5/18 13:11:32:728 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Initializing KeyStore: jvmTrustStore
[11/5/18 13:11:32:729 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Password was not decoded.
[11/5/18 13:11:32:729 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 File path for store: D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:729 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Loading keyStore (filebased)
[11/5/18 13:11:32:729 IST] 00000086 id= com.ibm.ws.ssl.JSSEProviderFactory > getInstance: null Entry
[11/5/18 13:11:32:729 IST] 00000086 id= com.ibm.ws.ssl.JSSEProviderFactory < getInstance: com.ibm.ws.ssl.provider.IBMJSSEProvider@50d8b2eb Exit
[11/5/18 13:11:32:729 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 KeyStore.getInstance(jks, null)
[11/5/18 13:11:32:731 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 alias: p13
[11/5/18 13:11:32:731 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 alias: p12
[11/5/18 13:11:32:731 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 do_getKeyStore (initialized)
[11/5/18 13:11:32:731 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore < do_getKeyStore Exit
java.security.KeyStore@7be5d76a
[11/5/18 13:11:32:731 IST] 00000086 id= com.ibm.ws.ssl.config.KeyStoreManager 3 Returning a keyStore for name: defaultKeyStore
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore > do_getKeyStore Entry
false
false
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Initializing KeyStore: defaultKeyStore
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Password was not decoded.
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 File path for store: resources/security/key.jks
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Loading keyStore (filebased)
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.JSSEProviderFactory > getInstance: null Entry
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.JSSEProviderFactory < getInstance: com.ibm.ws.ssl.provider.IBMJSSEProvider@50d8b2eb Exit
[11/5/18 13:11:32:733 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 KeyStore.getInstance(jks, null)
[11/5/18 13:11:32:735 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 alias: default
[11/5/18 13:11:32:735 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 do_getKeyStore (initialized)
[11/5/18 13:11:32:735 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore < do_getKeyStore Exit
java.security.KeyStore@941dcba8
[11/5/18 13:11:32:735 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 getLocation -> D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:735 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Using trust store: D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 getTrustManagerFactory.getInstance(PKIX, IBMJSSE2)javax.net.ssl.TrustManagerFactory@c99b19d6
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 certStoreHost: null
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 certStorePort: 389
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 trustManagerAlgorithm: PKIX
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 getLocation -> resources/security/key.jks
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Using software keystore: resources/security/key.jks
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 getKeyManagerFactory.getInstance(IbmX509, IBMJSSE2) javax.net.ssl.KeyManagerFactory@df035ba8
[11/5/18 13:11:32:737 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Password was not decoded.
[11/5/18 13:11:32:737 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Entering synchronized block around key manager factory init.
[11/5/18 13:11:32:739 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Exiting synchronized block around key manager factory init.
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.core.WSX509KeyManager > WSX509KeyManager Entry
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.core.CertMappingKeyManager > <init> Entry
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.core.CertMappingKeyManager > parseSSLCertFile Entry
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.core.CertMappingKeyManager < parseSSLCertFile Exit
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.core.CertMappingKeyManager < <init> Exit
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.config.KeyStoreManager 3 Returning a keyStore for name: defaultKeyStore
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.core.WSX509KeyManager < WSX509KeyManager Exit
[11/5/18 13:11:32:741 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Initializing WSX509KeyManager.
null
null
null
[11/5/18 13:11:32:741 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 getLocation -> D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:741 IST] 00000086 id= com.ibm.ws.ssl.core.WSX509TrustManager > WSX509TrustManager Entry
null
D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:742 IST] 00000086 id= com.ibm.ws.ssl.core.WSX509TrustManager < WSX509TrustManager Exit
[11/5/18 13:11:32:742 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider < getKeyTrustManagers Exit
[11/5/18 13:11:32:743 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 SSLContext cache size: 1
[11/5/18 13:11:32:743 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider < getSSLContext -> (new) Exit
[11/5/18 13:11:32:743 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Default SSLContext set to defaultSSLConfig
[11/5/18 13:11:32:743 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider < setServerDefaultSSLContext Exit
[11/5/18 13:11:32:743 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager < resetDefaultSSLContext Exit
[11/5/18 13:11:32:743 IST] 00000086 id= com.ibm.ws.ssl.internal.KeystoreConfigurationFactory A CWPKI0811I: The keystore file D:\programs\WebSphere\wlp-webProfile7-18.0.0.1\wlp\usr\servers\defaultServer\resources\security\trust.jks has been modified. The keystore file will be reloaded so the updated keystore file can be used.
[11/5/18 13:11:32:744 IST] 00000086 id= com.ibm.ws.ssl.internal.KeystoreConfigurationFactory < performFileBasedAction Exit
This was resolved by the workaround of always providing an absolute path to the trust store. It looks like a bug, because I could not find any documentation indicating that only absolute paths are supported for this attribute.
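The manual approach mentioned in the question (rebuilding the default `SSLContext` from the trust store on disk), written out as an added Java example; it is not the asker's code nor part of Liberty. The class and method names, the `baseDir` parameter and the choice to resolve relative locations against it rather than the working directory are assumptions, and the code replaces the JVM-wide default context rather than Liberty's `sslDefault`, which is why the asker preferred the server.xml route.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Example (hypothetical helper, not Liberty code): reload trust from disk into the default SSLContext. */
public final class TrustStoreReloader {

    private TrustStoreReloader() {}

    /** Loads the trust store. A relative location is resolved against an explicit base directory
     *  (assumed parameter) so the file used never depends on the JVM's working directory, which
     *  mirrors the absolute-path workaround from the question. */
    public static KeyStore loadTrustStore(Path baseDir, String location, char[] password, String type)
            throws Exception {
        Path resolved = baseDir.resolve(location).toAbsolutePath().normalize();
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(resolved.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Builds a fresh SSLContext from the trust store and installs it as the JVM default.
     *  Only the trust side is rebuilt: no key manager is supplied, so no client certificate is offered. */
    public static X509TrustManager reloadDefaultContext(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLContext.setDefault(ctx);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("PKIX factory returned no X509TrustManager");
    }

    /** Diagnostic: checks whether the reloaded trust store accepts a server chain, i.e. whether the
     *  imported certificate is actually visible, without waiting for the next real HTTPS call to fail. */
    public static boolean chainIsTrusted(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, "RSA");
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }
}
```

Calling `chainIsTrusted` with the chain obtained from a test connection right after `reloadDefaultContext` distinguishes "trust store reloaded but still missing the certificate" from "trust store never reloaded", which is the ambiguity the CWPKI0811I message leaves open.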