我想配置WebSphere的自由服務器使用的所有出站連接(實際上REST調用)和入站使用自定義的默認密鑰庫和trustore關鍵和信任商店。但嘗試調用外部REST服務時,SSLHandshakeException會失敗。在日誌中,我可以看到它使用我的自定義信任庫而不是默認信任庫。
下面是我的server.xml出站連接的SSL配置不WebSphere的自由工作17.0.0.2
<?xml version="1.0" encoding="UTF-8"?>
<server description="Default server">
<featureManager>
<feature>appSecurity-2.0</feature>
<feature>transportSecurity-1.0</feature>
<feature>jaxrs-2.0</feature>
<feature>json-1.0</feature>
<feature>javaMail-1.5</feature>
<!--<feature>ssl-1.0</feature>-->
</featureManager>
<sslDefault sslRef="saasSSLConfig" outboundSSLRef="outboundSSLConfig" />
<ssl id="saasSSLConfig" keyStoreRef="saasKeyStore" trustStoreRef="saasTrustStore" clientAuthentication="true" sslProtocol="TLSv1" />
<keyStore id="saasKeyStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/sbs_endpoint_keystore.jks" password="pwd" />
<keyStore id="saasTrustStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/serverTruststore.jks" password="pwd" />
<ssl id="outboundSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" />
<basicRegistry id="basic" realm="BasicRealm">
<!-- <user name="yourUserName" password="" /> -->
</basicRegistry>
<httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />
<applicationManager autoExpand="true"/>
</server>
BTW,如果改變saasSSLConfig使用defaultTrustStore而不是saasTrustStore然後一切工作正常。
Server版本:
WebSphere Application Server 17.0.0.2 (1.0.17.cl170220170523-1818) on IBM J9 VM, version pxa6480sr4fp7-20170627_02 (SR4 FP7) (en_US)
錯誤:
[ERROR] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=*.api.ibm.com, O=International Business Machines, L=Armonk, ST=New York, C=US was sent from the target host. The signer might need to be added to local trust store /opt/ibm/wlp/output/defaultServer/resources/security/serverTruststore.jks, located in SSL configuration alias saasSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.;
SSLHandshakeException invoking https://dev.api.ibm.com/scx/test/sbs/customer/222222222: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.
它的工作原理是這樣的,但我不明白爲什麼它也可以工作,如果刪除出站SSL設置並使用'trustStoreRef ='defaultTrustStore''爲'saasSSLConfig'?我會期待一些錯誤(比如'defaultTrustStore'未定義)或者回退以使用'saasKeyStore'作爲一個trustStore,但它取得了成功(用java的defaul cacerts文件)。 –
也許應該有某種錯誤信息說你的配置是無效的,所以它只是被忽略。但是在你解釋的場景中會發生什麼:「defaultTrustStore」是一個有效的配置,不存在,所以「saasSSLConfig」也是一個無效的配置。因此,如果您的Liberty服務器沒有使用Liberty SSL配置,那麼您的服務器入站端口https端口可能不會啓動。在這種情況下,jaxrs只會傳遞給JSSE的默認SSLContext。 – Alaine