
How to enable trust for chain certs in WebLogic or Java

I have an Oracle Service Bus domain running on WebLogic 10.3.6 with 2 managed servers in a cluster. We have a proxy service deployed on this domain which goes to an external Business service for validating addresses. This Business Service is listening on an SSL port and the SSL cert chain is EntrustCACert > IntermediateCert1 > IntermediateCert2 > ServerCert.

Issue: Getting the below error during connectivity testing:

General runtime error: [Security:090548]The certificate chain received from ws2.site1.com - 197.109.80.xxx contained a V3 CA certificate which was missing the basic constraints.

Solutions I have tried:

1) Added JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.enforceConstraints=off " in the startup script, and it resolves the issue. But I was told this is not the preferred way and that I should use a trust keystore to implement it.

2) To implement trust, I copied all 4 certs in the following reverse order EntrustCACert > IntermediateCert1 > IntermediateCert2 > ServerCert into one file named DSperian.pem and imported it into the JRockit cacerts file ( /apps/Oracle/jrockit-jdk1.6.0_31-R28.2.3-4.1.0/jre/lib/security/cacerts ) using the below command, but I am getting the same error as above.

keytool -import -alias DSperian -trustcacerts -file DSperian.pem -keystore cacerts

Question: Please let me know if I am doing the right way to import the cert to create trust, so my OSB domain will blindly trust the Business service (web service) and ignore the "basic constraints" error. Do I need to utilize a WebLogic-specific trust keystore file, even though this OSB WebLogic is running on a non-SSL port? Are there any other options available? Asking the Business service to update their cert to include "basic constraints" is not an option.

There is actually a problem with your certificate.

Security certificates have a set of constraints that allow them to perform certain functions (or restrict them to certain functions).

Have a look at each of the certificates and ensure that they have constraints assigned to them that are suitable for the task.

To get more details on the error, enable SSL debugging in your WebLogic server: add the following to your server startup script

-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true

More information: Configure SSL in WebLogic server

Use the following command to validate your keystore

java utils.ValidateCertChain -jks mykey mykeystore

Then, whoever provided the root certificate needs to fix up your issues.
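As an added example (not part of the question or the answer above), the following Java program loads a PEM bundle such as the question's DSperian.pem and reports which non-leaf certificate lacks the basicConstraints extension, which is the condition behind the 090548 error, and whether the certificates actually chain to each other in file order. It assumes the file is passed as the first argument and contains only the chain; it does not touch WebLogic or any keystore.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class ChainConstraintsCheck {

    /**
     * Inspects a chain ordered leaf first, root last. Returns a list of findings;
     * an empty list means every issuing cert carries basicConstraints (cA=true)
     * and each cert is issued by the next one in the list.
     */
    static List<String> findChainProblems(List<X509Certificate> chain) {
        List<String> findings = new ArrayList<>();
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            if (i + 1 < chain.size()) {
                X509Certificate next = chain.get(i + 1);
                if (!cert.getIssuerX500Principal().equals(next.getSubjectX500Principal())) {
                    findings.add("order: cert #" + i + " is not issued by cert #" + (i + 1));
                }
            }
            // getBasicConstraints() returns -1 when the extension is absent or cA=false.
            // Every cert above the leaf must be a CA, so -1 there is exactly what the
            // WebLogic check rejects for V3 certificates.
            boolean isLeaf = (i == 0);
            if (!isLeaf && cert.getVersion() == 3 && cert.getBasicConstraints() == -1) {
                findings.add("missing basicConstraints (cA=true): " + cert.getSubjectX500Principal());
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        // If the bundle starts with a self-signed root, flip it so the leaf comes first.
        X509Certificate first = chain.get(0);
        if (chain.size() > 1 && first.getIssuerX500Principal().equals(first.getSubjectX500Principal())) {
            Collections.reverse(chain);
        }
        List<String> findings = findChainProblems(chain);
        System.out.println(findings.isEmpty() ? "chain OK" : String.join("\n", findings));
    }
}
```

Run it as `java ChainConstraintsCheck DSperian.pem`; the certificate it names is the one whose issuer has to re-issue with basicConstraints, since importing the chain into cacerts does not add the missing extension.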
