[英]Reload truststore in WebSphere Liberty
我们有一个运行在WebSphere Liberty概要文件上的OSGI应用程序,该应用程序有望对不同的端点进行HTTPS调用。
这些端点中的一些已经共享了要导入服务器信任库的SSL证书。 以前,证书将被添加到信任库,并且应用程序重新启动以获取更改。
这是用于信任库的配置($ {}是从属性文件读取的占位符):
<keyStore id="defaultKeyStore" location="${keystore.location}"
password="${keystore.password}" type="${keystore.type}" />
<keyStore id="trustStore" location="${truststore.location}"
password="${truststore.password}"
type="${truststore.type}" />
<ssl clientAuthentication="false"
clientAuthenticationSupported="true"
id="defaultSSLConfig"
keyStoreRef="defaultKeyStore"
sslProtocol="SSL_TLSv2"
trustStoreRef="trustStore" />
<sslDefault sslRef="defaultSSLConfig" />
最近,通过进行以下更改,已对此进行了修改以将密钥库轮询用于信任库:
<keyStore id="trustStore" location="${truststore.location}"
password="${truststore.password}"
type="${truststore.type}" pollingRate="5s" updateTrigger="polled"/>
此处描述了使用的属性:
如果将updateTrigger属性设置为polled或mbean,则密钥库文件可以由服务器重新加载。 如果启用了轮询,则服务器将根据pollingRate属性中设置的速率监视密钥库文件中的更改。
现在,如果将证书导入到正在运行的服务器的信任库中,则会在控制台中收到以下消息:
[AUDIT] CWPKI0811I:密钥库文件resources \\ security \\ trust.jks已被修改。 密钥库文件将被重新加载,以便可以使用更新的密钥库文件。
但是对端点的HTTPS调用仍然会失败,并带有证书异常,直到服务器重新启动为止(在没有其他更改的情况下重新启动之后,端点调用成功,因此证书本身正确,并且端点有效):
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: unable to find valid certification path to requested target
at com.ibm.jsse2.k.a(k.java:15)
at com.ibm.jsse2.av.a(av.java:531)
at com.ibm.jsse2.D.a(D.java:68)
at com.ibm.jsse2.D.a(D.java:628)
at com.ibm.jsse2.E.a(E.java:803)
at com.ibm.jsse2.E.a(E.java:447)
at com.ibm.jsse2.D.r(D.java:139)
at com.ibm.jsse2.D.a(D.java:485)
at com.ibm.jsse2.av.a(av.java:717)
at com.ibm.jsse2.av.i(av.java:869)
at com.ibm.jsse2.av.a(av.java:19)
at com.ibm.jsse2.av.startHandshake(av.java:672)
at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:46)
at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:35)
我上面使用的配置是否不正确,或者应该如何配置Liberty配置文件以正确地重新加载证书?
我尝试过的一些其他操作:
SSLContext.getDefault()获取默认的sslcontext并使用信任库重新初始化它-之所以起作用,是因为Liberty本身用其自身替换了原始的,不变的信任库。 但是,如果可能的话,我想避免这种方法,而使用Liberty标准方法。 编辑:有趣的是,如果我在server.xml中使用信任库的绝对路径,则事情开始起作用。 相对路径不起作用。
用相对路径:
[11/5/18 13:17:07:870 IST] 00000084 id= com.ibm.ws.ssl.internal.KeystoreConfigurationFactory > performFileBasedAction Entry
[resources\security\trust.jks]
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Clearing standard javax.net.ssl.SSLContext cache.
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager > resetDefaultSSLContext Entry
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager > getDefaultSSLConfig Entry
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager 3 getGlobalProperty -> com.ibm.ssl.defaultAlias=defaultSSLConfig
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager 3 defaultAlias: defaultSSLConfig
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager < defaultAlias not null, getDefaultSSLConfig for: defaultSSLConfig Exit
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager > keyStoreModified Entry
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager < keyStoreModified false Exit
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager 3 Modified keystore file are not part of the default SSL configuration.
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager < resetDefaultSSLContext Exit
[11/5/18 13:17:07:872 IST] 00000084 id= com.ibm.ws.ssl.internal.KeystoreConfigurationFactory A CWPKI0811I: The keystore file resources\security\trust.jks has been modified. The keystore file will be reloaded so the updated keystore file can be used.
[11/5/18 13:17:07:872 IST] 00000084 id= com.ibm.ws.ssl.internal.KeystoreConfigurationFactory < performFileBasedAction Exit
使用绝对路径:
[11/5/18 13:11:32:720 IST] 00000086 id= com.ibm.ws.ssl.internal.KeystoreConfigurationFactory > performFileBasedAction Entry
[D:\programs\WebSphere\wlp-webProfile7-18.0.0.1\wlp\usr\servers\defaultServer\resources\security\trust.jks]
[11/5/18 13:11:32:723 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Clearing standard javax.net.ssl.SSLContext cache.
[11/5/18 13:11:32:723 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:11:32:723 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:11:32:723 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:11:32:723 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:11:32:724 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager > resetDefaultSSLContext Entry
[11/5/18 13:11:32:724 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager > getDefaultSSLConfig Entry
[11/5/18 13:11:32:724 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager 3 getGlobalProperty -> com.ibm.ssl.defaultAlias=defaultSSLConfig
[11/5/18 13:11:32:724 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager 3 defaultAlias: defaultSSLConfig
[11/5/18 13:11:32:724 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager < defaultAlias not null, getDefaultSSLConfig for: defaultSSLConfig Exit
[11/5/18 13:11:32:724 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager > keyStoreModified Entry
[11/5/18 13:11:32:726 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager < keyStoreModified true Exit
[11/5/18 13:11:32:726 IST] 00000086 id= com.ibm.ws.ssl.JSSEProviderFactory > getInstance: null Entry
[11/5/18 13:11:32:726 IST] 00000086 id= com.ibm.ws.ssl.JSSEProviderFactory < getInstance: com.ibm.ws.ssl.provider.IBMJSSEProvider@50d8b2eb Exit
[11/5/18 13:11:32:727 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider > setServerDefaultSSLContext Entry
[11/5/18 13:11:32:727 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider > getSSLContext Entry
null
[11/5/18 13:11:32:727 IST] 00000086 id= com.ibm.ws.ssl.config.ThreadContext 3 setOutboundConnectionInfoInternal :null
[11/5/18 13:11:32:727 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 outboundConnectionInfo: null
[11/5/18 13:11:32:727 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider > getSSLContextInstance Entry
[11/5/18 13:11:32:728 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider < getSSLContextInstance Exit
[11/5/18 13:11:32:728 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider > getKeyTrustManagers Entry
null
SSLConfig.toString() {
com.ibm.ssl.clientAuthenticationSupported=false
com.ibm.ssl.contextProvider=IBMJSSE2
config.displayId=keyStore[defaultKeyStore]
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.keyStoreReadOnly=false
com.ibm.ssl.alias=defaultSSLConfig
com.ibm.ssl.keyStoreCreateCMSStash=false
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.trustStoreName=jvmTrustStore
com.ibm.ssl.trustStorePassword=********
service.pid=com.ibm.ws.ssl.keystore_21
com.ibm.ssl.trustManager=PKIX
com.ibm.ssl.validationEnabled=false
com.ibm.ssl.trustStoreInitializeAtStartup=false
com.ibm.ssl.keyManager=IbmX509
com.ibm.ssl.keyStoreFileBased=true
com.ibm.ssl.keyStoreType=jks
com.ibm.ssl.trustStoreFileBased=true
com.ibm.ssl.trustStoreCreateCMSStash=false
com.ibm.ssl.trustStore=D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
config.overrides=true
com.ibm.ssl.daysBeforeExpireWarning=60
sslRef=defaultSSLConfig
id=defaultKeyStore
config.id=com.ibm.ws.ssl.keystore[defaultKeyStore]
com.ibm.ssl.clientAuthentication=false
com.ibm.ssl.keyStore=resources/security/key.jks
com.ibm.ssl.trustStoreReadOnly=false
config.source=file
alias=defaultSSLConfig
com.ibm.ssl.tokenEnabled=false
com.ibm.ssl.keyStoreName=defaultKeyStore
com.ibm.ssl.keyStorePassword=********
com.ibm.ssl.keyStoreInitializeAtStartup=false
service.factoryPid=com.ibm.ws.ssl.keystore
com.ibm.ssl.trustStoreType=jks
}
[11/5/18 13:11:32:728 IST] 00000086 id= com.ibm.ws.ssl.config.KeyStoreManager 3 Returning a keyStore for name: jvmTrustStore
[11/5/18 13:11:32:728 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore > do_getKeyStore Entry
false
false
[11/5/18 13:11:32:728 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Initializing KeyStore: jvmTrustStore
[11/5/18 13:11:32:729 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Password was not decoded.
[11/5/18 13:11:32:729 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 File path for store: D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:729 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Loading keyStore (filebased)
[11/5/18 13:11:32:729 IST] 00000086 id= com.ibm.ws.ssl.JSSEProviderFactory > getInstance: null Entry
[11/5/18 13:11:32:729 IST] 00000086 id= com.ibm.ws.ssl.JSSEProviderFactory < getInstance: com.ibm.ws.ssl.provider.IBMJSSEProvider@50d8b2eb Exit
[11/5/18 13:11:32:729 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 KeyStore.getInstance(jks, null)
[11/5/18 13:11:32:731 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 alias: p13
[11/5/18 13:11:32:731 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 alias: p12
[11/5/18 13:11:32:731 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 do_getKeyStore (initialized)
[11/5/18 13:11:32:731 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore < do_getKeyStore Exit
java.security.KeyStore@7be5d76a
[11/5/18 13:11:32:731 IST] 00000086 id= com.ibm.ws.ssl.config.KeyStoreManager 3 Returning a keyStore for name: defaultKeyStore
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore > do_getKeyStore Entry
false
false
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Initializing KeyStore: defaultKeyStore
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Password was not decoded.
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 File path for store: resources/security/key.jks
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Loading keyStore (filebased)
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.JSSEProviderFactory > getInstance: null Entry
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.JSSEProviderFactory < getInstance: com.ibm.ws.ssl.provider.IBMJSSEProvider@50d8b2eb Exit
[11/5/18 13:11:32:733 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 KeyStore.getInstance(jks, null)
[11/5/18 13:11:32:735 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 alias: default
[11/5/18 13:11:32:735 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 do_getKeyStore (initialized)
[11/5/18 13:11:32:735 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore < do_getKeyStore Exit
java.security.KeyStore@941dcba8
[11/5/18 13:11:32:735 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 getLocation -> D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:735 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Using trust store: D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 getTrustManagerFactory.getInstance(PKIX, IBMJSSE2)javax.net.ssl.TrustManagerFactory@c99b19d6
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 certStoreHost: null
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 certStorePort: 389
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 trustManagerAlgorithm: PKIX
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 getLocation -> resources/security/key.jks
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Using software keystore: resources/security/key.jks
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 getKeyManagerFactory.getInstance(IbmX509, IBMJSSE2) javax.net.ssl.KeyManagerFactory@df035ba8
[11/5/18 13:11:32:737 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Password was not decoded.
[11/5/18 13:11:32:737 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Entering synchronized block around key manager factory init.
[11/5/18 13:11:32:739 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Exiting synchronized block around key manager factory init.
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.core.WSX509KeyManager > WSX509KeyManager Entry
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.core.CertMappingKeyManager > <init> Entry
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.core.CertMappingKeyManager > parseSSLCertFile Entry
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.core.CertMappingKeyManager < parseSSLCertFile Exit
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.core.CertMappingKeyManager < <init> Exit
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.config.KeyStoreManager 3 Returning a keyStore for name: defaultKeyStore
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.core.WSX509KeyManager < WSX509KeyManager Exit
[11/5/18 13:11:32:741 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Initializing WSX509KeyManager.
null
null
null
[11/5/18 13:11:32:741 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 getLocation -> D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:741 IST] 00000086 id= com.ibm.ws.ssl.core.WSX509TrustManager > WSX509TrustManager Entry
null
D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:742 IST] 00000086 id= com.ibm.ws.ssl.core.WSX509TrustManager < WSX509TrustManager Exit
[11/5/18 13:11:32:742 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider < getKeyTrustManagers Exit
[11/5/18 13:11:32:743 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 SSLContext cache size: 1
[11/5/18 13:11:32:743 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider < getSSLContext -> (new) Exit
[11/5/18 13:11:32:743 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Default SSLContext set to defaultSSLConfig
[11/5/18 13:11:32:743 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider < setServerDefaultSSLContext Exit
[11/5/18 13:11:32:743 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager < resetDefaultSSLContext Exit
[11/5/18 13:11:32:743 IST] 00000086 id= com.ibm.ws.ssl.internal.KeystoreConfigurationFactory A CWPKI0811I: The keystore file D:\programs\WebSphere\wlp-webProfile7-18.0.0.1\wlp\usr\servers\defaultServer\resources\security\trust.jks has been modified. The keystore file will be reloaded so the updated keystore file can be used.
[11/5/18 13:11:32:744 IST] 00000086 id= com.ibm.ws.ssl.internal.KeystoreConfigurationFactory < performFileBasedAction Exit
通过使用一种变通方法来解决此问题,该变通方法每次都提供到信任库的绝对路径。 这似乎是一个错误,因为我找不到任何说明该属性仅支持绝对路径的文档。
HttpsUrlConnection 使用 KeyStore 而不是 TrustStore 和 WebSphere Liberty Profile
[英]HttpsUrlConnection using KeyStore instead of TrustStore with WebSphere Liberty Profile
验证期间的Websphere Liberty ClassNotFoundException
[英]Websphere Liberty ClassNotFoundException during validation
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.