2016-02-11 81 views
1

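SSL handshake failure for a Liberty application using Cloudant

I have been stuck on this for longer than I'd like to admit. I want to connect to Cloudant/CouchDB using WebSphere Liberty.

I am fairly new to Java application development, Liberty, Cloudant and Bluemix.

I believe I need to add the SSL certificate for Cloudant to my local trust store, but the only way to do that seems to be the WebSphere Application Server Integrated Solutions Console, which I can't run with Liberty?

If anyone can point me in the right direction, I would be very grateful!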

[ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=*.cloudant.com, OU=Engineering, O="Cloudant, Inc.", L=Boston, ST=Massachusetts, C=US was sent from the target host. The signer might need to be added to local trust store C:/Users/user/Liberty/usr/servers/simplespring2/resources/security/key.jks, located in SSL configuration alias defaultSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
[ERROR ] Failed to read cookie response header 
java.security.cert.CertificateException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
[ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=*.cloudant.com, OU=Engineering, O="Cloudant, Inc.", L=Boston, ST=Massachusetts, C=US was sent from the target host. The signer might need to be added to local trust store C:/Users/user/Liberty/usr/servers/simplespring2/resources/security/key.jks, located in SSL configuration alias defaultSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
[ERROR ] Failed to get response code from request 
java.security.cert.CertificateException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
[ERROR ] SRVE0777E: Exception thrown by application class 'db.CloudantClientMgr.getDB:128' 
java.lang.RuntimeException: DB Not found 
    at db.CloudantClientMgr.getDB(CloudantClientMgr.java:128) 
    at servlets.LocationServlet.setLocation(LocationServlet.java:180) 
    at servlets.LocationServlet.doPost(LocationServlet.java:170) 
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) 
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) 
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1287) 
    at [internal classes] 
Caused by: com.cloudant.client.org.lightcouch.CouchDbException: Error retrieving server response 
    at com.cloudant.client.org.lightcouch.CouchDbClient.execute(CouchDbClient.java:535) 
    at com.cloudant.client.org.lightcouch.CouchDbClient.executeToInputStream(CouchDbClient.java:550) 
    at com.cloudant.client.org.lightcouch.CouchDbClient.put(CouchDbClient.java:361) 
    at com.cloudant.client.org.lightcouch.CouchDbClient.put(CouchDbClient.java:351) 
    at com.cloudant.client.org.lightcouch.CouchDatabaseBase.create(CouchDatabaseBase.java:437) 
    at com.cloudant.client.org.lightcouch.CouchDatabaseBase.<init>(CouchDatabaseBase.java:61) 
    at com.cloudant.client.org.lightcouch.CouchDatabase.<init>(CouchDatabase.java:26) 
    at com.cloudant.client.org.lightcouch.CouchDbClient.database(CouchDbClient.java:165) 
    at com.cloudant.client.api.CloudantClient.database(CloudantClient.java:216) 
    at db.CloudantClientMgr.getDB(CloudantClientMgr.java:126) 
    ... 6 more 
Caused by (repeated) ... : javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) 
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) 
    at java.lang.reflect.Constructor.newInstance(Unknown Source) 
    at sun.net.www.protocol.http.HttpURLConnection$10.run(Unknown Source) 
    at sun.net.www.protocol.http.HttpURLConnection$10.run(Unknown Source) 
    at java.security.AccessController.doPrivileged(Native Method) 
    at sun.net.www.protocol.http.HttpURLConnection.getChainedException(Unknown Source) 
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source) 
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) 
    at java.net.HttpURLConnection.getResponseCode(Unknown Source) 
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source) 
    at com.cloudant.client.org.lightcouch.CouchDbClient.execute(CouchDbClient.java:483) 
    ... 15 more 
Caused by: java.security.cert.CertificateException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
    at com.ibm.ws.ssl.core.WSX509TrustManager.checkServerTrusted(WSX509TrustManager.java:290) 
    at [internal classes] 
    at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source) 
    ... 32 more 
+3

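You need to import the certificate for *.cloudant.com into the keystore at 'C:/Users/user/Liberty/usr/servers/simplespring2/resources/security/key.jks'. You can do this with the 'keytool' that ships with your Java installation. [This site](http://alvinalexander.com/java/java-using-keytool-import-certificate-keystore) has some good examples. – Casey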

+1

Thanks! Using keytool worked like a charm. The site you provided was also very helpful! – Andre

Answer

1

You need to add the remote server's certificate to the WAS trustStore.

Get the remote certificate (e.g. on Linux/Mac): echo "" | openssl s_client -connect YOUR_REMOTE_SERVER:443 -showcerts 2>/dev/null | openssl x509 -out certfile.txt

Import the certificate into the trustStore file: keytool -import -alias ca -file certfile.txt -keystore trust.jks -storepass changeit

Use this JKS trust store in your WAS server.xml: copy it into your WAS ({WLP}/usr/servers/{YOUR_SERVER}/resources/security) and add it to your server.xml, e.g.:

<ssl id="defaultSSLSettings" sslProtocol="TLSv1.2" keyStoreRef="defaultKeyStore" 
    trustStoreRef="defaultTrustStore" /> 
<keyStore id="defaultKeyStore" location="${server.config.dir}/resources/security/key.jks" 
    password="changeit" /> 
<keyStore id="defaultTrustStore" 
    location="${server.config.dir}/resources/security/trust.jks" password="changeit" />
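
The fetch-and-import steps above trust whatever certificate the network returned at that moment. This added example (not part of the original answer) imports the file only when its SHA-256 fingerprint matches one obtained out-of-band; the function names, the default alias `cloudant` and the argument order are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: gate the keytool import on a fingerprint check.
# Function names, argument order and the default alias are hypothetical.

# Strip colons/whitespace and uppercase, so "ab:cd" and "ABCD" compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Print the SHA-256 fingerprint (colon-separated hex) of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed only if the certificate is still valid N seconds from now (default 0).
not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# import_if_pinned CERT EXPECTED_FP KEYSTORE [ALIAS] [STOREPASS]
# Returns 1 on fingerprint mismatch, 2 if the file cannot be parsed,
# 3 if the certificate has expired; otherwise keytool's exit status.
# The body runs in a subshell, so its variables stay local.
import_if_pinned() (
    cert=$1; expected=$2; store=$3
    alias=${4:-cloudant}; pass=${5:-changeit}

    actual=$(cert_fingerprint "$cert" 2>/dev/null)
    [ -n "$actual" ] || { echo "cannot read certificate: $cert" >&2; return 2; }

    if [ "$(normalize_fp "$actual")" != "$(normalize_fp "$expected")" ]; then
        echo "fingerprint mismatch, refusing import: got $actual" >&2
        return 1
    fi
    not_expiring "$cert" || { echo "certificate has expired" >&2; return 3; }

    # -importcert is the current name of the -import option used above.
    keytool -importcert -noprompt -alias "$alias" -file "$cert" \
        -keystore "$store" -storepass "$pass"
)
```

Call it as `import_if_pinned certfile.txt "<fingerprint from a trusted channel>" trust.jks`, then confirm the entry with `keytool -list -keystore trust.jks`.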