2013-05-22 28 views
2

Configure WebSphere 8 SSL (HTTPS between applications)

I have two web applications installed in WAS 8 that need to communicate with each other over HTTPS (this is probably not the best way to handle communication within WAS, but these applications were delivered as they are, and I normally run them in Tomcat without any problems).

In Tomcat I simply set up the certificate for the server, then saved the client certificate from a web browser and added it to the JVM running Tomcat. I had to have the certificate information in both the keystore and the truststore because the Tomcat server acts as both client and server (since it is inter-application communication).

I need to set up something similar in WAS. So far I have gone into the admin console and imported the default certificate from the default keystore into the default truststore.

After restarting the server and trying to communicate between the applications, I get the following exception:

R javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated 
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr  R at com.ibm.jsse2.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:167) 
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr  R at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) 
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr  R at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390) 
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr  R at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148) 
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr  R at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149) 
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr  R at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121) 
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr  R at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:562) 
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr  R at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415) 
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr  R at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820) 
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr  R at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754) 
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr  R at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732) 

Update / more data:

I added some SSL debugging parameters to the VM and got the following:

[5/22/13 8:40:46:002 EDT] 00000094 SystemOut  O %% Invalidated: [Session-10, SSL_RSA_WITH_RC4_128_MD5] 
[5/22/13 8:40:46:002 EDT] 00000094 SystemOut  O pool-3-thread-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown 
[5/22/13 8:40:46:002 EDT] 00000094 SystemOut  O pool-3-thread-1, WRITE: TLSv1 Alert, length = 2 
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut  O WebContainer : 5, READ: TLSv1 Alert, length = 2 
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut  O WebContainer : 5, RECV TLSv1 ALERT: fatal, certificate_unknown 
[5/22/13 8:40:46:003 EDT] 00000094 SystemOut  O pool-3-thread-1, called closeSocket() 
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut  O WebContainer : 5, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown 
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut  O WebContainer : 5, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown 
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut  O WebContainer : 5, called closeOutbound() 
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut  O WebContainer : 5, closeOutboundInternal() 
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut  O WebContainer : 5, SEND TLSv1 ALERT: warning, description = close_notify 
[5/22/13 8:40:46:003 EDT] 00000094 SystemOut  O pool-3-thread-1, handling exception: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: The certificate issued by CN=rothbard, OU=Root Certificate, OU=rothbardNode01Cell, OU=rothbardNode01, O=IBM, C=US is not trusted; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error 
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut  O WebContainer : 5, WRITE: TLSv1 Alert, length = 2 
[5/22/13 8:40:46:003 EDT] 00000094 SystemOut  O pool-3-thread-1, IOException in getSession(): javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: The certificate issued by CN=rothbard, OU=Root Certificate, OU=rothbardNode01Cell, OU=rothbardNode01, O=IBM, C=US is not trusted; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error 
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut  O WebContainer : 5, called closeInbound() 
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut  O WebContainer : 5, closeInboundInternal() 
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut  O WebContainer : 5, closeOutboundInternal() 
[5/22/13 8:40:46:004 EDT] 00000094 SystemOut  O pool-3-thread-1, called close() 
[5/22/13 8:40:46:004 EDT] 00000094 SystemOut  O pool-3-thread-1, called closeInternal(true) 

More: I have reproduced the problem outside WAS using http-client, or at least a similar problem, which may be where the actual problem lies. So the question may be how to get http-client to correctly use the chained certificate from WAS.

Answer

0

My particular problem ended up being caused by the need to import the entire certificate chain into the JVM's trusted certificates, not just the web application's certificate.
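As an added illustration of this answer (example code, not from the original post or from WebSphere), the following Java program imports every certificate in a PEM bundle into a truststore, then walks the issuer links from a leaf certificate through the store to report the first missing issuer, which is the condition behind the "Certificate chaining error" in the log above. The file paths, the store type ("JKS" or "PKCS12") and the password are assumed inputs.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/** Added example: import a whole PEM bundle into a truststore and check the chain is complete.
 *  Assumed inputs: an existing truststore file, its type ("JKS" or "PKCS12") and its password. */
public class ChainImport {

    /** Adds every certificate found in the PEM bundle as a trusted entry, not only the first one. */
    static void importBundle(String pemPath, String storePath, String storeType,
                             char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType);
        try (InputStream in = new FileInputStream(storePath)) { ks.load(in, password); }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            // generateCertificates parses all certificates in the file (leaf, intermediates, root)
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                // alias derived from the subject DN; adjust if DNs are not unique in your store
                ks.setCertificateEntry(x.getSubjectX500Principal().getName().toLowerCase(), x);
            }
        }
        try (OutputStream out = new FileOutputStream(storePath)) { ks.store(out, password); }
    }

    /** Walks issuer links from the leaf through the store. Returns the DN of the first issuer
     *  that is missing (what a "Certificate chaining error" points at), or null when the
     *  chain reaches a self-signed root. */
    static String missingIssuer(X509Certificate leaf, KeyStore ks) throws Exception {
        X509Certificate cur = leaf;
        while (!cur.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) {
            X509Certificate issuer = null;
            for (String alias : Collections.list(ks.aliases())) {
                Certificate cand = ks.getCertificate(alias);
                if (!(cand instanceof X509Certificate)) continue;
                X509Certificate x = (X509Certificate) cand;
                if (!x.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) continue;
                try { cur.verify(x.getPublicKey()); issuer = x; break; } catch (Exception e) { /* key mismatch */ }
            }
            if (issuer == null) return cur.getIssuerX500Principal().getName();
            cur = issuer;
        }
        return null;
    }
}
```

With only the web application's certificate imported, missingIssuer returns the DN of its issuing CA (in the log above, the "CN=rothbard, OU=Root Certificate, ..." entry); once the whole chain is in the store it returns null.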
