[英]Weblogic/Java not sending Client Certificate in Mutual SSL Integration with IIS
I'm having trouble understanding why Weblogic/Java are not sending the Client certificate requested by the server(IIS server) during SSL Handshake via the CertificateRequest message.我无法理解为什么 Weblogic/Java 在 SSL 握手期间没有通过 CertificateRequest 消息发送服务器(IIS 服务器)请求的客户端证书。
I have already checked and tried all the other questions/answer in SO such as : Java not providing client certificate for mutual SSL?我已经检查并尝试了 SO 中的所有其他问题/答案,例如: Java 未为相互 SSL 提供客户端证书? and similar.
和类似的。
I have created a custom keystore called Identity.jks with only one Certificate entry and I've follwed the WL guides (and everything else I could find on the Internet) to do the right settings.我创建了一个名为 Identity.jks 的自定义密钥库,只有一个证书条目,并且我已经按照 WL 指南(以及我在 Internet 上可以找到的所有其他内容)进行了正确的设置。
Here are the debug logs for the SSL handshake:以下是 SSL 握手的调试日志:
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, SHA512withECDSA, SHA256withRSA, SHA384withRSA, SHA1withRSA, SHA256withECDSA, SHA384withECDSA, SHA1withECDSA, SHA1withDSA
Cert Authorities:
<Empty>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
As you can see the server sends a CertificateRequest
message but for some reasons the Cert Authorities
is Empty
.正如您所看到的,服务器发送了一个
CertificateRequest
消息,但由于某些原因, Cert Authorities
为Empty
。 The client (Weblogic) in this case doesn't send the certificate.在这种情况下,客户端 (Weblogic) 不会发送证书。 As you can see there is a warning message by the developers saying:
如您所见,开发人员有一条警告消息说:
no suitable certificate found - continuing without client authentication
When I use SoapUI
instead of Weblogic to communicate with the server the handshake succeeds.当我使用
SoapUI
而不是 Weblogic 与服务器通信时,握手成功。 SoapUI sends the certificate contained in the Identity.jks
keystore. SoapUI 发送包含在
Identity.jks
密钥库中的证书。
Can it be that SoapUI
is less restrictive and sends the only certificate present in the keystore anyway while Weblogic is expecting from the server to find something in the Cert Authorities: <Empty>
? SoapUI
是否限制较少,并且无论如何都会发送密钥库中存在的唯一证书,而 Weblogic 期望服务器在Cert Authorities: <Empty>
找到某些内容?
Since I've setup weblogic to use only that key with that alias I expect it to send it...由于我已将 weblogic 设置为仅使用具有该别名的密钥,因此我希望它发送它...
Anyone knows what are the criteria that Weblogic uses to find a matching client certificate?任何人都知道 Weblogic 用来查找匹配客户端证书的标准是什么?
Is my interpretation of the logs correct?我对日志的解释是否正确?
Any idea/help is welcome.欢迎任何想法/帮助。
I've had a similar problem with a Java HTTP client.我在 Java HTTP 客户端上遇到了类似的问题。 Depending on your IIS version the server may or may not be sending the certificate list back.
根据您的 IIS 版本,服务器可能会或可能不会发回证书列表。 Newer version don't.
新版本没有。
Ensure that you have the full certificate chain and your client certificate in the keystore.确保您在密钥库中拥有完整的证书链和客户端证书。
Since there seems to be an interest, I'm answering my own question on how we fixed it.由于似乎有兴趣,我正在回答我自己关于如何修复它的问题。
When writing Java clients
to communicate with other servers via Two-Way SSL
we need to make sure that the SSL Context used to initiate the communication has been set with the Custom Identity Keystore
and the Custom Trust keystore
.在编写
Java clients
以通过Two-Way SSL
与其他服务器通信时,我们需要确保已使用Custom Identity Keystore
和Custom Trust keystore
设置用于启动通信的 SSL 上下文。
One convenient way to do this is to pass the Identity and Trust keystores as JVM options when a JVM process starts (on start of WebLogic or other web app server).一种方便的方法是在 JVM 进程启动时(在启动 WebLogic 或其他 Web 应用程序服务器时)将身份和信任密钥库作为 JVM 选项传递。 JVM arguments can be passed in the server startup script (if present) or as command line argument.
JVM 参数可以通过服务器启动脚本(如果存在)或作为命令行参数传递。
The following is an example:下面是一个例子:
-Djavax.net.ssl.keyStore=D:\Path-to\identity.jks -Djavax.net.ssl.keyStoreType=JKS -Djavax.net.ssl.keyStorePassword=MyReallyComplexPassword -Djavax.net.ssl.trustStore=D:\Path-to\trust_keystore.jks -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStorePassword=MyTrustStorePassword
Where the value of javax.net.ssl.keyStore
is what we called the Custom Identity Keystore
and the value of javax.net.ssl.trustStore
is what we called the Custom Trust Keystore
.其中
javax.net.ssl.keyStore
的值就是我们所说的Custom Identity Keystore
,而javax.net.ssl.trustStore
的值就是我们所说的Custom Trust Keystore
。
Note: Another way to accomplish the same thing would be to load-and-set the Identity & Trust keystores directly in the client's code itself, before firing the request to the server.
注意:完成同样事情的另一种方法是在向服务器发出请求之前,直接在客户端的代码中加载和设置 Identity & Trust 密钥库。 There are multiple examples on-line that explain how to do this.
网上有多个例子解释了如何做到这一点。
Important: When writing a client that should communicate via Two-Way SSL make sure to never blindly trust all certificates.重要提示:在编写应通过双向 SSL 进行通信的客户端时,请确保永远不要盲目信任所有证书。 Many client libraries give you a boolean option
TrustAllCerts
that can be useful during development however if you leave it in production Two-Way SSL
will NOT work.许多客户端库给你一个布尔选项
TrustAllCerts
开发过程中非常有用但是如果你把它在生产Two-Way SSL
将无法工作。 This is because by telling the SSL context to trust any certificate, the Server Certificate Exchange Key is not checked (since you trust it anyway) and thus the CertificateRequest
from the server is ignored.这是因为通过告诉 SSL 上下文信任任何证书,不会检查服务器证书交换密钥(因为您无论如何都信任它),因此来自服务器的
CertificateRequest
被忽略。 The client will continue without sending its client certificates but, because the server expects the client to send one, the handshake process will end in failure.客户端将继续而不发送其客户端证书,但是,因为服务器希望客户端发送一个,握手过程将以失败告终。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.