Java SSL mutual authentication: client certificate not sent
I am working on a web application hosted on Tomcat. This application consumes a SOAP WS (hosted on IIS) that requires a client certificate. I have everything prepared, but in the production environment the handshake simply does not happen.
Below is the output of javax.net.debug=ssl.
1) The relevant part of the output, where the client certificate and private key are found
found key for : authentication service client company2
chain [0] = [
[
Version: V3
Subject: [email protected], CN=EXAMPLE1, OU=Web Service App, O=My Company, ST=Czech Republic, C=CZ
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: ......
public exponent: 65537
Validity: [From: Mon Nov 04 17:55:55 CET 2013,
To: Sun Nov 04 17:55:55 CET 2018]
Issuer: [email protected], CN=CA, OU=Web Service App, O=My Company, L=Prague, ST=Czech Republic, C=CZ
SerialNumber: [ ...... ]
Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string = ......
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [ ..... ]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[[email protected], CN=CA, OU=Web Service App, O=My Company, L=Prague, ST=Czech Republic, C=CZ]
SerialNumber: [ .... ]
]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [SHA1withRSA]
Signature: .......
]
2) Trust store initialisation
trustStore is: ......
trustStore type is : jks
trustStore provider is :
init truststore
...
adding as trusted cert:
Subject: [email protected], CN=CA, OU=Web Service App, O=My Company, L=Prague, ST=Czech Republic, C=CZ
Issuer: [email protected], CN=CA, OU=Web Service App, O=My Company, L=Prague, ST=Czech Republic, C=CZ
Algorithm: RSA; Serial number: 0x......
Valid from Mon Nov 04 15:35:23 CET 2013 until Sat Nov 04 15:35:23 CET 2023
...
3) Trusted certificate found for the WS server endpoint
Found trusted certificate:
[
[
Version: V3
Subject: CN=Thawte SSL CA, O="Thawte, Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: .....
public exponent: 65537
Validity: [From: Mon Feb 08 01:00:00 CET 2010,
To: Sat Feb 08 00:59:59 CET 2020]
Issuer: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
SerialNumber: [ ..... ]
4) The server requests a client certificate
CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
...
<[email protected], CN=CA, OU=Web Service App, O=My Company, L=Prague, ST=Czech Republic, C=CZ>
5) The client presents NOTHING, and the WS server answers with HTTP 403 :-(
ServerHelloDone
Certificate chain
ClientKeyExchange, RSA PreMasterSecret, TLSv1
...
The whole thing finishes (without the client certificate being presented, which would be the correct behaviour) with no exception regarding the handshake. The client is a javax.xml.ws.Service generated by wsimport.
What confuses me most is that in the development/test environment the very same certificate is passed along just fine (using exactly the same truststore and WS client). So the client application and the certificate seem to work correctly.
Maybe there is some other environment-related Java failure, or am I missing something?
Any help is greatly appreciated. After a few days of research I am a bit lost here.
I will attach any relevant input that is requested.
Thanks.
Additional information:
- Trying to access the web service through a browser results in a certificate selection dialog. After the selection is made (with the correct certificate), the standard page "Metadata publishing for this service is currently disabled" is displayed.
What happens if you import the certificate into the browser and then hit the WS server endpoint manually? Does the browser prompt you for a client certificate? – artbristol
Yes. After selecting the certificate I can see the "metadata publishing disabled" information page. Thanks for your comment. –
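The empty "Certificate chain" in step 5 is what JSSE emits when its X509KeyManager returns null from chooseClientAlias for the key types and CA names carried in the server's CertificateRequest. The following stand-alone program (an added example, not code from the question or from the wsimport-generated client) replays that selection against the client keystore and prints what the key manager sees, so the dev/test and production JVMs can be compared directly. The keystore path, its password and the CA DNs are assumptions supplied on the command line; the default KeyManagerFactory algorithm is used so the check matches what the application itself gets.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/**
 * Replays JSSE's client-certificate selection against a client keystore.
 *
 * Usage: java ClientCertSelectionCheck <keystore.jks> <storepass> [<CA DN from CertificateRequest> ...]
 * All three inputs are assumptions passed on the command line (example code).
 */
public class ClientCertSelectionCheck {

    // "Cert Types: RSA, DSS, ECDSA" in the debug log; JSSE maps them to these
    // key algorithm names before calling chooseClientAlias.
    private static final String[] KEY_TYPES = {"RSA", "DSA", "EC"};

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: ClientCertSelectionCheck <keystore.jks> <storepass> [CA DN ...]");
            System.exit(2);
        }
        char[] pass = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass);
        }

        // 1) What the keystore really holds: only key entries can be offered as client certs.
        List<Principal> fallbackIssuers = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-cert entries are never sent as the client certificate
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.printf("alias=%s keyAlg=%s chainLength=%d%n  subject=%s%n  issuer=%s%n",
                    alias, leaf.getPublicKey().getAlgorithm(), chain.length,
                    leaf.getSubjectX500Principal(), leaf.getIssuerX500Principal());
            fallbackIssuers.add(leaf.getIssuerX500Principal());
        }

        // 2) CA names as advertised under "Cert Authorities:". Without arguments, each
        //    leaf's own issuer is used as a sanity check: the entry must then be selectable.
        List<Principal> issuers = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {
            issuers.add(new X500Principal(args[i]));
        }
        if (issuers.isEmpty()) {
            issuers = fallbackIssuers;
        }

        // 3) Same key manager the application gets (SunX509 unless
        //    ssl.KeyManagerFactory.algorithm was changed in java.security).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pass);
        X509KeyManager km = null;
        for (KeyManager m : kmf.getKeyManagers()) {
            if (m instanceof X509KeyManager) {
                km = (X509KeyManager) m;
                break;
            }
        }
        if (km == null) {
            throw new IllegalStateException("no X509KeyManager from " + kmf.getAlgorithm());
        }

        // chooseClientAlias is what JSSE calls when the CertificateRequest arrives.
        // null means an empty Certificate message: the bare "Certificate chain" line in the log.
        String chosen = km.chooseClientAlias(KEY_TYPES, issuers.toArray(new Principal[0]), null);
        System.out.println("chooseClientAlias -> "
                + (chosen == null ? "null (no client certificate would be sent)" : chosen));

        // 4) Wiring the keystore explicitly instead of relying on -Djavax.net.ssl.keyStore,
        //    so the wsimport client cannot silently run without it on a differently
        //    configured JVM. The trust store stays the JVM default here.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

Run it on both environments with the production keystore and the CA DN copied from the "Cert Authorities" list. The SunX509 key manager selects an alias only when the key algorithm matches one of the requested key types and at least one certificate in the entry's chain was issued by a DN in the advertised list, so a null here on one JVM and an alias on the other narrows the difference to the keystore that JVM actually loads or to the CA list the server sends it.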