我需要能夠爲SOAP服務執行「客戶端證書」身份驗證。Spring WS客戶端 - 使用服務器和客戶端證書進行身份驗證
我正在使用Spring WS。我有:my.key
,myCA.pem
和myClient.crt
。
這是我的Java相關的代碼(我知道它仍然混亂,但我只是想得到它的工作在前):
public TheResponse doIt(TheRequest request) {
log.info("Sending request...");
try {
InputStream is = new FileInputStream(new File("src/main/resources/keystore.jks"));
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(is, "keystore!passwd".toCharArray());
is.close();
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, keyStorePassword.toCharArray());
InputStream is1 = new FileInputStream(new File("src/main/resources/truststore.jks"));
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(is1, "truststore!passwd".toCharArray());
is1.close();
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
HttpsUrlConnectionMessageSender messageSender = new HttpsUrlConnectionMessageSender();
messageSender.setKeyManagers(keyManagerFactory.getKeyManagers());
messageSender.setTrustManagers(trustManagerFactory.getTrustManagers());
setMessageSender(messageSender);
return (TheResponse) getWebServiceTemplate().marshalSendAndReceive(request,
new SoapActionCallback("https://domain/tld/icc/SomePathDownTheLine"));
} catch (Throwable e) {
log.error("Sh*t didn't work due to:", e);
throw new GatewayConnectionException(String.format("Unexpected error while sending request [%s]", e.getMessage()));
}
}
這是我如何建立信任 - 和鍵盤專賣店:
# KeyStore
$ openssl pkcs12 -export -in myClient.crt -inkey my.key -out keystore.p12 -name my_key -CAfile myCA.pem -caname root
$ keytool -importkeystore -deststorepass keystore!passwd -destkeypass keystore!passwd -destkeystore keystore.jks \
-srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass keystore!passwd -alias my_key
# Trustore (using truststore!passwd)
$ keytool -import -trustcacerts -alias my_ca -file myCA.pem -keystore truststore.jks
$ keytool -import -trustcacerts -alias my_cc -file myClient.crt -keystore truststore.jks
......而這些都是驗證步驟:
$ keytool -list -keystore keystore.jks -storepass ********
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
my_key, Oct 17, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 1A:9D:6A:65:. . .:E6:C1:90
$ keytool -list -keystore truststore.jks -storepass ********
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
my_cc, Oct 17, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 1A:9D:6A:65:. . .:E6:C1:90
my_ca, Oct 17, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 36:82:F7:AB:. . .:70:B2:6C
......但是,每當我請求SOAP操作時,我都會收到HTTP 401(未經授權) - org.springframework.ws.client.WebServiceTransportException: Unauthorized [401]
。
任何線索?順便說一句,我幾乎遵循this指南。我對SSL證書和所有這些東西不是很熟悉。
UPDATE
SSL握手工作正常。我可以通過設置-Djavax.net.debug=all
VM選項來了解它是如何工作的。現在發生的事情是,無論這種安全性如何,服務器還需要用戶名和密碼。