I have two web applications installed in WAS 8 that need to talk to each other over HTTPS (this may not be the best way to handle communication within WAS, but the applications come as they are, and running them under Tomcat, as I usually do, causes no problems).
In Tomcat I simply set up a certificate for the server, then saved the client certificate from a web browser and added it to the JVM that runs Tomcat. I had to have the certificate information in both the keystore and the truststore, because the Tomcat server acts as both client and server (since this is inter-application communication).
I need to set up something similar in WAS. So far I have gone into the admin console and imported the default certificate from the default keystore into the default truststore.
After restarting the server and trying to communicate between the applications, I get the following exception:
R javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr R at com.ibm.jsse2.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:167)
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr R at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr R at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr R at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr R at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr R at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr R at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:562)
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr R at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr R at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr R at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr R at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732)
Update / more data:
I added some SSL debug parameters to the VM and got the following:
[5/22/13 8:40:46:002 EDT] 00000094 SystemOut O %% Invalidated: [Session-10, SSL_RSA_WITH_RC4_128_MD5]
[5/22/13 8:40:46:002 EDT] 00000094 SystemOut O pool-3-thread-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown
[5/22/13 8:40:46:002 EDT] 00000094 SystemOut O pool-3-thread-1, WRITE: TLSv1 Alert, length = 2
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut O WebContainer : 5, READ: TLSv1 Alert, length = 2
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut O WebContainer : 5, RECV TLSv1 ALERT: fatal, certificate_unknown
[5/22/13 8:40:46:003 EDT] 00000094 SystemOut O pool-3-thread-1, called closeSocket()
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut O WebContainer : 5, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut O WebContainer : 5, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut O WebContainer : 5, called closeOutbound()
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut O WebContainer : 5, closeOutboundInternal()
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut O WebContainer : 5, SEND TLSv1 ALERT: warning, description = close_notify
[5/22/13 8:40:46:003 EDT] 00000094 SystemOut O pool-3-thread-1, handling exception: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=rothbard, OU=Root Certificate, OU=rothbardNode01Cell, OU=rothbardNode01, O=IBM, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut O WebContainer : 5, WRITE: TLSv1 Alert, length = 2
[5/22/13 8:40:46:003 EDT] 00000094 SystemOut O pool-3-thread-1, IOException in getSession(): javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=rothbard, OU=Root Certificate, OU=rothbardNode01Cell, OU=rothbardNode01, O=IBM, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut O WebContainer : 5, called closeInbound()
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut O WebContainer : 5, closeInboundInternal()
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut O WebContainer : 5, closeOutboundInternal()
[5/22/13 8:40:46:004 EDT] 00000094 SystemOut O pool-3-thread-1, called close()
[5/22/13 8:40:46:004 EDT] 00000094 SystemOut O pool-3-thread-1, called closeInternal(true)
More: I have reproduced this problem, or at least a similar one, outside WAS using http-client, which is probably where the actual problem lies. So the question is probably how to correctly get http-client to use the chained certificate from WAS.
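The debug trace above shows the client side (pool-3-thread-1) sending the certificate_unknown alert because it cannot build a PKIX path: the issuer CN=rothbard, OU=Root Certificate, ... is not in the truststore that the client is actually using. Apache HttpClient 4.x, unless it is handed an SSLSocketFactory built from an explicit truststore, uses the JVM default (cacerts or javax.net.ssl.trustStore), not the WAS cell's trust.p12. The following is an added example, not code from the question, from WAS or from HttpClient: it loads a keystore and truststore, runs the same PKIX path build the handshake performs so that the missing signer is named before any connection is attempted, and registers an HTTPS scheme on HttpClient 4.x (the version in the stack trace) backed by those stores. The file paths, the PKCS12 store type, the password, port 9443, the first-key-entry alias lookup and the URL are all assumptions to be replaced with the cell's real values.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;

public class WasChainedCertClient {

    /** Load a keystore or truststore from disk (type and password are assumptions; match them to your cell). */
    static KeyStore loadStore(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Certificate chain of the first private-key entry, i.e. the personal certificate the server presents (assumed alias layout). */
    static List<X509Certificate> serverChain(KeyStore keystore) throws Exception {
        for (String alias : Collections.list(keystore.aliases())) {
            if (keystore.isKeyEntry(alias)) {
                List<X509Certificate> chain = new ArrayList<X509Certificate>();
                for (Certificate c : keystore.getCertificateChain(alias)) {
                    chain.add((X509Certificate) c);
                }
                return chain;
            }
        }
        throw new IllegalStateException("no private-key entry in keystore");
    }

    /**
     * The same PKIX path build the TLS handshake performs, run ahead of time.
     * Returns the trust anchor that closes the chain, or names the issuer the
     * truststore lacks, which is the signer certificate that has to be imported.
     */
    static String explainChain(KeyStore truststore, List<X509Certificate> chain) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(truststore, target);
        // Intermediates the server would send during the handshake are offered to the builder as well.
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false); // a private cell CA publishes no CRL or OCSP responder
        try {
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            return "trusted: anchor " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathBuilderException e) {
            X509Certificate top = chain.get(chain.size() - 1);
            return "not trusted (" + e.getMessage() + "): import the signer " + top.getIssuerX500Principal();
        }
    }

    /** HttpClient 4.x wired to explicit stores instead of the JVM's default cacerts. */
    static DefaultHttpClient buildClient(KeyStore keystore, String keyPassword, KeyStore truststore, int port) throws Exception {
        SSLSocketFactory sf = new SSLSocketFactory(keystore, keyPassword, truststore);
        sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER); // keep CN/SAN checking on
        DefaultHttpClient client = new DefaultHttpClient();
        client.getConnectionManager().getSchemeRegistry().register(new Scheme("https", port, sf));
        return client;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: truststore path, keystore path, store password, URL of the peer application.
        String trustPath = args[0], keyPath = args[1], password = args[2], url = args[3];
        KeyStore truststore = loadStore(trustPath, "PKCS12", password.toCharArray());
        KeyStore keystore = loadStore(keyPath, "PKCS12", password.toCharArray());

        System.out.println(explainChain(truststore, serverChain(keystore)));

        DefaultHttpClient client = buildClient(keystore, password, truststore, 9443); // 9443 assumed as the WAS secure port
        try {
            HttpResponse resp = client.execute(new HttpGet(url));
            System.out.println(resp.getStatusLine());
            EntityUtils.consume(resp.getEntity());
        } finally {
            client.getConnectionManager().shutdown();
        }
    }
}
```

Run explainChain against the truststore the client really loads before touching HttpClient: if it reports the OU=Root Certificate issuer as missing, importing the leaf alone into that truststore does not close the chain, and it is the signer that has to be present. The SSLSocketFactory constructor taking keystore, password and truststore is the HttpClient 4.0 to 4.2 API that matches the org.apache.http.conn.ssl.SSLSocketFactory frames in the trace; in 4.3 and later the same wiring is done through SSLContextBuilder and SSLConnectionSocketFactory.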