certificate not trusted by Websphere
I have a web application that calls a SOAP Web service secured via SSL (https://zzzzzzzzzzzz/xxxxx).
The server sends two certificates (Root and Leaf), so I import the two certificates using the property com.ibm.websphere.ssl.retrieveLeafCert.
To enable SSL validation on WebSphere I just add the certificates into WebSphere:
SSL certificate and key management -> Key stores and certificates -> NodeDefaultTrustStore -> Signer certificates -> Retrieve from port
The problem is that WebSphere does not trust the certificate and gives me this stack trace:
Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://------------------------------ : com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=-------------------------------------------------------------------- is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.6.0]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:56) ~[na:1.6.0]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:39) ~[na:1.6.0]
at java.lang.reflect.Constructor.newInstance(Constructor.java:527) ~[na:1.6.0]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1338) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1322) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.endpoint.ClientImpl.invokeWrapped(ClientImpl.java:354) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.jaxws.DispatchImpl.invoke(DispatchImpl.java:385) ~[cxf-rt-frontend-jaxws-2.7.4.jar:2.7.4]
... 100 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=--------------------------------------------------------- is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.o.a(o.java:8) ~[na:6.0 build_20130515]
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:549) ~[na:6.0 build_20130515]
at com.ibm.jsse2.kb.a(kb.java:355) ~[na:6.0 build_20130515]
at com.ibm.jsse2.kb.a(kb.java:130) ~[na:6.0 build_20130515]
at com.ibm.jsse2.lb.a(lb.java:135) ~[na:6.0 build_20130515]
at com.ibm.jsse2.lb.a(lb.java:368) ~[na:6.0 build_20130515]
at com.ibm.jsse2.kb.s(kb.java:442) ~[na:6.0 build_20130515]
at com.ibm.jsse2.kb.a(kb.java:136) ~[na:6.0 build_20130515]
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:495) ~[na:6.0 build_20130515]
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:223) ~[na:6.0 build_20130515]
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:724) ~[na:6.0 build_20130515]
at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:81) ~[na:6.0 build_20130515]
at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:8) ~[na:6.0 build_20130515]
at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:20) ~[na:6.0 build_20130515]
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1043) ~[na:1.6.0]
at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:85) ~[na:6.0 build_20130515]
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:168) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1282) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1233) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69) ~[cxf-api-2.7.4.jar:2.7.4]
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1295) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4]
... 110 common frames omitted
Caused by: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=-------------------------------------------- is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.util.h.b(h.java:39) ~[na:6.0 build_20130515]
at com.ibm.jsse2.util.h.b(h.java:21) ~[na:6.0 build_20130515]
at com.ibm.jsse2.util.g.a(g.java:1) ~[na:6.0 build_20130515]
at com.ibm.jsse2.pc.a(pc.java:36) ~[na:6.0 build_20130515]
at com.ibm.jsse2.pc.checkServerTrusted(pc.java:19) ~[na:6.0 build_20130515]
at com.ibm.jsse2.pc.b(pc.java:51) ~[na:6.0 build_20130515]
at com.ibm.jsse2.lb.a(lb.java:65) ~[na:6.0 build_20130515]
... 128 common frames omitted
Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:411) ~[na:na]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:258) ~[na:na]
at com.ibm.jsse2.util.h.b(h.java:107) ~[na:6.0 build_20130515]
... 134 common frames omitted
Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=-------------------------------------------------------
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111) ~[na:na]
at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:178) ~[na:na]
at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:737) ~[na:na]
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:649) ~[na:na]
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595) ~[na:na]
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:357) ~[na:na]
... 136 common frames omitted
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:298) ~[na:na]
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108) ~[na:na]
... 141 common frames omitted
The same code is tested in my local environment with the simple use of InstallCert.java and running my tests with -Djavax.net.ssl.trustStore=jssecacerts (jssecacerts is the file generated by InstallCert.java).
Thanks for all the above responses. Able to resolve the issue java.security.cert.CertPathValidatorException: Certificate chaining error with the following configuration.
For more details, please see this link:
java - path to trustStore - set property doesn't work?
Configured the properties as below in WebSphere:
Select Servers > Application Servers > server_name > Process Definition > Java Virtual Machine > Custom Properties > New.
a) javax.net.ssl.trustStore = jre_install_dir\lib\security\cacerts
Example: C:\Program Files\WebSphere\AppServer\java\jre\lib\security\cacerts
b) javax.net.ssl.trustStorePassword = changeit (default)
c) javax.net.ssl.trustStoreType = jks
For more details, please see this link:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.isim.doc_6.0%2Finstalling%2Ftsk%2Ftsk_ic_ins_first_security_truststore.htm
After the configuration I was able to see in the logs that the certificates were being added to the trust store.
Thanks, Uday Nilajkar
I tested a million WebSphere configurations.
The only procedure that works is the procedure described in this link:
http://blog.xebia.com/2012/10/01/mutual-ssl-authentication-using-websphere-application-server-and-cxf/
By defining the CXF interceptor:
<cxf:bus>
    <cxf:outInterceptors>
        <bean class="---------------------.WebsphereSslOutInterceptor" />
    </cxf:outInterceptors>
</cxf:bus>
For more details, please see:
https://github.com/vlussenburg/websphere-cxf-extensions#websphere-cxf-extensions
Thanks a lot for your help guys.
You should add the whole certificate chain in your configuration. Usually a certificate has at least the root certificate of the Authorization Center or a chain of similar certificates.
WAS requires signed certificates by default.
The problem here is that the certificate path builder (a part of the Java CertPath API) cannot build the certificate chain during the SSL handshake. During the handshake the SSL peer host sends its certificate (identity) to the client; for the client to trust that particular certificate a chain of trust must be built on the client side, and that is what is happening when you get the fault. The problem here is that the chain of trust cannot be created since you are missing either the signer certificate and/or the root certificate in your truststore (trust anchor).
Note that the PKIX trust manager performs a "scope of trust" validation, which means that you do not need a complete certificate chain on the client side to fulfill the trust relationship with the SSL peer; you will only need the signer/intermediate certificates in your truststore. In fact, if you put the leaf certificate in the truststore, that should also make things work, since that states that you have explicit trust of that particular certificate and a certificate chain validation is not needed.
Maybe you should look at the following technote.
If you are at a certain fix pack level you can set the value com.ibm.websphere.ssl.retrieveLeafCert to true and get the leaf certificate when Retrieving from Port.
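As an added example (not code from the question or from any of the answers), the following standalone Java program runs the same PKIX path building that the JSSE trust manager performs during the handshake, but offline, so a truststore can be checked for the "Certificate chaining error" before the server is restarted. It assumes a PEM file holding the certificates the server sends (leaf first), the JKS truststore WebSphere uses, and its password; the file names server-chain.pem and truststore.jks and the default password changeit are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
/* Offline PKIX path building, as the JSSE trust manager does it in the handshake.
 * Assumed inputs (not from the page): args[0] = PEM file with the certificates the
 * server sends, leaf first; args[1] = JKS truststore; args[2] = its password. */
public class CheckChain {
    public static void main(String[] args) throws Exception {
        String chainFile = args.length > 0 ? args[0] : "server-chain.pem";
        String storeFile = args.length > 1 ? args[1] : "truststore.jks";
        char[] storePass = (args.length > 2 ? args[2] : "changeit").toCharArray();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> sent = new ArrayList<>();
        try (InputStream in = new FileInputStream(chainFile)) {
            for (Certificate c : cf.generateCertificates(in)) sent.add((X509Certificate) c);
        }
        KeyStore truststore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(storeFile)) { truststore.load(in, storePass); }
        // Target is the leaf; the certificates the peer sent are only extra path
        // material; trust anchors come solely from the truststore entries.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(sent.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(truststore, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(sent)));
        params.setRevocationEnabled(false); // isolate chaining, which is what the handshake error reports
        try {
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            // A path of length 0 means the leaf itself is a trust anchor ("scope of trust" case).
            System.out.println("OK: path length " + r.getCertPath().getCertificates().size()
                    + ", anchor " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("FAILED: " + e.getMessage());
            // Report any issuer that neither the truststore nor the sent chain supplies.
            Set<String> subjects = new HashSet<>();
            for (X509Certificate c : sent) subjects.add(c.getSubjectX500Principal().getName());
            for (String alias : Collections.list(truststore.aliases())) {
                Certificate c = truststore.getCertificate(alias);
                if (c instanceof X509Certificate) subjects.add(((X509Certificate) c).getSubjectX500Principal().getName());
            }
            for (X509Certificate c : sent) {
                String issuer = c.getIssuerX500Principal().getName();
                if (!subjects.contains(issuer)) System.out.println("  missing issuer: " + issuer);
            }
        }
    }
}
```

If the build fails but no missing issuer is listed, the subject names chain but a signature, validity-period or basic-constraints check failed, so the cert in the truststore is not the one that actually signed the chain.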
Here are the steps to import a certificate into the JVM for an HTTPS WS call:
A) Obtain the certificate to be imported
B) Import the certificate