简体繁体 English

Spring Boot调用HTTPS端点

[英]Spring Boot calling HTTPS endpoint

原文 2016-05-27 16:06:33 6 1 ssl/ spring-boot/ tomcat8

I've created a Spring Boot application that I'm running as a poor man's daemon to call another Java service on another tomcat instance. 我创建了一个Spring Boot应用程序，我作为穷人的守护进程运行，在另一个tomcat实例上调用另一个Java服务。 I'm getting an SSL error when connecting to the other Java service but if I hit the other service with something like SoapUi(or Postman) using the same URL and headers I get an OK response. 我在连接到其他Java服务时遇到SSL错误，但是如果我使用相同的URL和标题使用SoapUi（或Postman）之类的其他服务，我会得到一个OK响应。 So something must be wrong with my Spring Boot configuration. 所以我的Spring Boot配置肯定有问题。

I'm using the same JKS for Spring Boot and SoapUI. 我在Spring Boot和SoapUI上使用相同的JKS。 I've tried using the cert in the application.properties as well as specifying it on the command line using -Djavax.net.ssl.keyStore as well as the related password parameter. 我尝试在application.properties中使用cert，并使用-Djavax.net.ssl.keyStore在命令行中指定它以及相关的password参数。

When I run the other service locally without SSL I can connect just fine via my Spring Boot application. 当我在没有SSL的情况下在本地运行其他服务时，我可以通过我的Spring Boot应用程序正常连接。

The SSL error I'm getting is: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server 我得到的SSL错误是： sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server

Best I can think is that SoapUI(or Postman) identify's itself as a client application and my Spring Boot identifies itself as a server? 我能想到的最好的是SoapUI（或Postman）将自己识别为客户端应用程序，我的Spring Boot将自己标识为服务器？ So I think I'm asking how can I make Spring Boot identify itself as a client but I'm still not sure I understand the SSL error to begin with. 所以我想我问我怎么能让Spring Boot将自己标识为客户端，但我仍然不确定我是否理解SSL错误。

1 个解决方案

You have a multitude of problems. 你有很多问题。 First off, soapui doesn't do verification of the server SSL certificate when it connects, java by default does not. 首先，soapui在连接时不会验证服务器SSL证书，默认情况下不会。 You can however configure java client to also ignore server cert verification. 但是，您可以将java客户端配置为忽略服务器证书验证。

How to ignore depends on what client you use, apache httpclient is the most common one and you can find details on that in this thread . 如何忽略取决于你使用的客户端，apache httpclient是最常见的，你可以在这个帖子中找到相关的详细信息。

Now, you should not really do that. 现在，你不应该那样做。 Instead, you should have a trust store that contains the certificates that would validate the server cert. 相反，您应该拥有一个信任存储，其中包含将验证服务器证书的证书。 In that case you would be interested in truststore configuration, not a keystore - keystore is for other way around, when you're identifying yourself to some other party. 在这种情况下，您会对信任库配置感兴趣，而不是密钥库 - 当您将自己标识给其他方时，密钥库就是其他方式。 You'd need to import the root CA and intermediate certificates to your trust store, then point to that in your configuration. 您需要将根CA和中间证书导入信任库，然后指向配置中的CA和中间证书。