[英]Java SSL connect, add server cert to keystore programmatically
[英]JMXConnector failed to connect with ssl keystore
我试图连接到另一台机器上的MBean服务器与ssl密钥库,但我看到这个错误。 我在另一台服务器上也有一个密钥库和信任库。 我还注意到两台机器都有不同的java版本。 我不确定这是不是问题,或者我是否遗漏了什么。
java.rmi.ConnectIOException: Exception creating connection to: 10.1.7.259; nested exception is:
java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:631)
at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:216)
at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:130)
at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source)
at javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2432)
at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:308)
at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
at com.stop.monitor.giab.JMXListenerClient.connect(JMXListenerClient.java:153)
at com.stop.monitor.giab.JMXListenerClient.main(JMXListenerClient.java:72)
Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
at javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:248)
at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:262)
at javax.rmi.ssl.SslRMIClientSocketFactory.createSocket(SslRMIClientSocketFactory.java:121)
at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:613)
... 9 more
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
at java.security.Provider$Service.newInstance(Provider.java:1617)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:122)
at javax.rmi.ssl.SslRMIClientSocketFactory.getDefaultClientSocketFactory(SslRMIClientSocketFactory.java:207)
at javax.rmi.ssl.SslRMIClientSocketFactory.createSocket(SslRMIClientSocketFactory.java:117)
at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:613)
at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:216)
at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:342)
at sun.rmi.transport.DGCImpl_Stub.dirty(Unknown Source)
at sun.rmi.transport.DGCClient$EndpointEntry.makeDirtyCall(DGCClient.java:361)
at sun.rmi.transport.DGCClient$EndpointEntry.registerRefs(DGCClient.java:303)
at sun.rmi.transport.DGCClient.registerRefs(DGCClient.java:139)
at sun.rmi.transport.ConnectionInputStream.registerRefs(ConnectionInputStream.java:94)
at sun.rmi.transport.StreamRemoteCall.releaseInputStream(StreamRemoteCall.java:157)
at sun.rmi.transport.StreamRemoteCall.done(StreamRemoteCall.java:313)
at sun.rmi.server.UnicastRef.done(UnicastRef.java:451)
at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
at com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:118)
at com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:205)
at javax.naming.InitialContext.lookup(InitialContext.java:417)
at javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1957)
at javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1924)
at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:287)
... 3 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1445)
at sun.security.ssl.TrustManagerFactoryImpl.getCacertsKeyStore(TrustManagerFactoryImpl.java:226)
at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultTrustManager(SSLContextImpl.java:767)
at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:733)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
at java.security.Provider$Service.newInstance(Provider.java:1595)
... 29 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
... 39 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
来自TrustManagerFactoryImpl
来自SSLContextImpl$DefaultSSLContext.getDefaultTrustManager
通过使用密码执行keytool -list
确保您的信任库有效(不要点击返回以绕过它)。 我不认为在JKS中创建在Java版本之间不兼容的trustedcert条目(在某些情况下是私钥条目),但是为了安全起见,使用有问题的客户端使用的JRE的keytool
- 和当然是同一个文件。
确保系统属性javax.net.ssl.trustStore
具有文件名(如果不是默认值,JRE / lib / security / [jsse] cacerts)并且javax.net.ssl.trustStorePassword
具有正确的密码(始终)。
此外,如果信任库格式不是JKS(或者在最近的Java 8 JRE中使用默认情况下保留了keystore.type.compat
PKCS12),请指定javax.net.ssl.trustStoreType
。 但是那些知道如何创建这样不寻常的商店的人不会问你的问题。
问题是防火墙的问题。 这是因为用于连接的url没有指定第二个端口。 所以,它只使用了一个随机端口。
//did not use second port. resulted in using random second port
String url = "service:jmx:rmi://somehost:9010/jndi/rmi://somehost/jmxrmi";
final JMXConnector jmxConnector = JMXConnectorFactory.connect(url);
//this worked because now we are using 1 port
String url="service:jmx:rmi://somehost:9010/jndi/rmi://somehost:9010/jmxrmi";
final JMXConnector jmxConnector = JMXConnectorFactory.connect(url);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.