登录
当前位置: 首页 > 知识库问答 >
问题:

SSLHandshakeException从websphere-自由度16迁移到版本17后

叶恩
2023-03-14

最近,我们开始将应用程序从 websphere-liberty 16.0.0.2 迁移到版本 17.0.0.2(在这两种情况下都使用 javaee7 配置文件)。在服务器中使用相同的 SSL 配置.xml由于 SSL 握手失败,应用程序无法通过 https 调用远程静止服务。这是我的服务器.xml

<?xml version="1.0" encoding="UTF-8"?>
<server description="Default server">

    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>transportSecurity-1.0</feature>
        <feature>jaxrs-2.0</feature>
        <feature>json-1.0</feature>
        <feature>javaMail-1.5</feature>
        <feature>ssl-1.0</feature>
    </featureManager>

    <sslDefault sslRef="defaultSSLSettings" />
    <ssl id="defaultSSLSettings" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" clientAuthentication="true" sslProtocol="TLSv1" />
    <keyStore id="defaultKeyStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/key.jks" password="**********" />
    <keyStore id="defaultTrustStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/trust.jks" password="***********" />

    <basicRegistry id="basic" realm="BasicRealm">
        <!-- <user name="yourUserName" password="" />  -->
    </basicRegistry>

    <variable name="defaultHostName" value="default-host.com" />

    <!-- To allow access to this server from a remote client host="*" has been added to the following element -->
    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />

    <!-- Automatically expand WAR files and EAR files -->
    <applicationManager autoExpand="true"/>

    <logging logDirectory="/var/log/wlp" traceSpecification="*=INFO:SSL=all" traceFileName="trace.log" consoleLogLevel="info" copySystemStreams="true"/>

</server>

websphere-free v.16server.xml的唯一区别是没有启用transportSecurity-1.0功能。

应用程序通过https调用的其余服务提供由“GeoTrust Global CA”签名的SSL证书。如果将证书导入信任库“trust.jks”,则一切正常,但我希望在握手期间自动接受证书,因为它不是自签名的。

WebSphere-liberty 17.0.0.2在SSL方面做了哪些改变?在server.xml中还需要进行其他安全配置吗?

服务器版本:

WebSphere Application Server 17.0.0.2 (1.0.17.cl170220170523-1818) on IBM J9 VM, version pxa6480sr4fp10-20170727_01 (SR4 FP10) (en_US)
WebSphere Application Server 16.0.0.2 (1.0.13.cl160220160526-2258) on IBM J9 VM, version pxa6480sr3fp10-20160720_02 (SR3 FP10) (en_US)

错误堆栈跟踪:

server_1  | [INFO    ] FFDC1015I: An FFDC Incident has been created: "java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
server_1  |     java.security.cert.CertPathValidatorException: The certificate issued by CN=GeoTrust Global CA, O=GeoTrust Inc., C=US is not trusted; internal cause is: 
server_1  |     java.security.cert.CertPathValidatorException: Certificate chaining error com.ibm.ws.ssl.core.WSX509TrustManager checkServerTrusted" at ffdc_17.08.09_14.50.00.0.log
server_1  | [ERROR   ] CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN CN=*.api.ibm.com, O=International Business Machines, L=Armonk, ST=New York, C=US was sent from the target host.  The signer might need to be added to local trust store /opt/ibm/wlp/output/defaultServer/resources/security/trust.jks, located in SSL configuration alias defaultSSLSettings.  The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
server_1  |     java.security.cert.CertPathValidatorException: The certificate issued by CN=GeoTrust Global CA, O=GeoTrust Inc., C=US is not trusted; internal cause is: 
server_1  |     java.security.cert.CertPathValidatorException: Certificate chaining error
server_1  | [WARNING ] Interceptor for {https://dev.api.ibm.com/scx/test}WebClient has thrown exception, unwinding now
server_1  | Could not send Message.
server_1  | [ERROR   ] 2017-08-09 14:50:00 ExceptionMapper:23 - javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://dev.api.ibm.com/scx/test/customer/321321321: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.
server_1  | javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://dev.api.ibm.com/scx/test/customer/321321321: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.
server_1  |     at org.apache.cxf.jaxrs.client.AbstractClient.checkClientException(AbstractClient.java:632)
server_1  |     at org.apache.cxf.jaxrs.client.AbstractClient.preProcessResult(AbstractClient.java:608)
server_1  |     at org.apache.cxf.jaxrs.client.WebClient.doResponse(WebClient.java:1105)
server_1  |     at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:1042)
server_1  |     at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:895)
server_1  |     at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:863)
server_1  |     at org.apache.cxf.jaxrs.client.WebClient.invoke(WebClient.java:426)
server_1  |     at org.apache.cxf.jaxrs.client.WebClient$SyncInvokerImpl.method(WebClient.java:1554)
server_1  |     at org.apache.cxf.jaxrs.client.WebClient$SyncInvokerImpl.method(WebClient.java:1549)
server_1  |     at org.apache.cxf.jaxrs.client.WebClient$SyncInvokerImpl.get(WebClient.java:1469)
server_1  |     at org.apache.cxf.jaxrs.client.spec.InvocationBuilderImpl.get(InvocationBuilderImpl.java:80)
server_1  |     at com.ibm.si.saas.sbs.service.SBSApiService.getCustomer(SBSApiService.java:84)
server_1  |     at com.ibm.si.saas.sbs.resource.SbsEndpointApiResource.getConsoles(SbsEndpointApiResource.java:49)
server_1  |     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
server_1  |     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
server_1  |     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
server_1  |     at java.lang.reflect.Method.invoke(Method.java:508)
server_1  |     at com.ibm.ws.jaxrs20.server.LibertyJaxRsServerFactoryBean.performInvocation(LibertyJaxRsServerFactoryBean.java:632)
server_1  |     at com.ibm.ws.jaxrs20.server.LibertyJaxRsInvoker.performInvocation(LibertyJaxRsInvoker.java:118)
server_1  |     at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
server_1  |     at com.ibm.ws.jaxrs20.server.LibertyJaxRsInvoker.invoke(LibertyJaxRsInvoker.java:252)
server_1  |     at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:189)
server_1  |     at com.ibm.ws.jaxrs20.server.LibertyJaxRsInvoker.invoke(LibertyJaxRsInvoker.java:423)
server_1  |     at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:99)
server_1  |     at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:61)
server_1  |     at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:99)
server_1  |     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
server_1  |     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:124)
server_1  |     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:274)
server_1  |     at com.ibm.ws.jaxrs20.endpoint.AbstractJaxRsWebEndpoint.invoke(AbstractJaxRsWebEndpoint.java:134)
server_1  |     at com.ibm.websphere.jaxrs.server.IBMRestServlet.handleRequest(IBMRestServlet.java:149)
server_1  |     at com.ibm.websphere.jaxrs.server.IBMRestServlet.doGet(IBMRestServlet.java:115)
server_1  |     at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
server_1  |     at com.ibm.websphere.jaxrs.server.IBMRestServlet.service(IBMRestServlet.java:99)
server_1  |     at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1290)
server_1  |     at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:778)
server_1  |     at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:475)
server_1  |     at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1161)
server_1  |     at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:4983)
server_1  |     at com.ibm.ws.webcontainer31.osgi.webapp.WebApp31.handleRequest(WebApp31.java:528)
server_1  |     at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.handleRequest(DynamicVirtualHost.java:315)
server_1  |     at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1025)
server_1  |     at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:280)
server_1  |     at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:967)
server_1  |     at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:359)
server_1  |     at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:318)
server_1  |     at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:471)
server_1  |     at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:405)
server_1  |     at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:285)
server_1  |     at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:256)
server_1  |     at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:174)
server_1  |     at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:83)
server_1  |     at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:504)
server_1  |     at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:574)
server_1  |     at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:929)
server_1  |     at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1018)
server_1  |     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
server_1  |     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
server_1  |     at java.lang.Thread.run(Thread.java:785)
server_1  | Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://dev.api.ibm.com/scx/test/customer/321321321: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.
server_1  |     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
server_1  |     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:83)
server_1  |     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:57)
server_1  |     at java.lang.reflect.Constructor.newInstance(Constructor.java:437)
server_1  |     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1385)
server_1  |     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1369)
server_1  |     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
server_1  |     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:653)
server_1  |     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
server_1  |     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
server_1  |     at org.apache.cxf.jaxrs.client.AbstractClient.doRunInterceptorChain(AbstractClient.java:704)
server_1  |     at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:1041)
server_1  |     ... 55 more
server_1  | Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.
server_1  |     at com.ibm.jsse2.k.a(k.java:17)
server_1  |     at com.ibm.jsse2.at.a(at.java:851)
server_1  |     at com.ibm.jsse2.D.a(D.java:333)
server_1  |     at com.ibm.jsse2.D.a(D.java:113)
server_1  |     at com.ibm.jsse2.E.a(E.java:79)
server_1  |     at com.ibm.jsse2.E.a(E.java:107)
server_1  |     at com.ibm.jsse2.D.r(D.java:610)
server_1  |     at com.ibm.jsse2.D.a(D.java:372)
server_1  |     at com.ibm.jsse2.at.a(at.java:558)
server_1  |     at com.ibm.jsse2.at.i(at.java:73)
server_1  |     at com.ibm.jsse2.at.a(at.java:357)
server_1  |     at com.ibm.jsse2.at.startHandshake(at.java:723)
server_1  |     at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:215)
server_1  |     at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:34)
server_1  |     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1561)
server_1  |     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1489)
server_1  |     at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491)
server_1  |     at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:80)
server_1  |     at org.apache.cxf.transport.http.URLConnectionHTTP
server_1  | Conduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:370)
server_1  |     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1586)
server_1  |     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1615)
server_1  |     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1559)
server_1  |     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1356)
server_1  |     ... 61 more
server_1  | Caused by: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.
server_1  |     at com.ibm.ws.ssl.core.WSX509TrustManager.checkServerTrusted(WSX509TrustManager.java:322)
server_1  |     at com.ibm.jsse2.az.checkServerTrusted(az.java:78)
server_1  |     at com.ibm.jsse2.E.a(E.java:5)
server_1  |     ... 79 more

下面是尝试使用openssl连接时的输出:

openssl s_client -CAfile /opt/ibm/java/jre/lib/security/cacerts -connect dev.api.ibm.com:443
Certificate chain
 0 s:/C=US/ST=New York/L=Armonk/O=International Business Machines/CN=*.api.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2859 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 9509AB7194AB9DE0ABE219ECAE442C5D2C93145946FC2285CB9C4F5CCC81514F
    Session-ID-ctx: 
    Master-Key: 335D047C41E5FE75096E53C9CBACC7C1CC8F6254872599EFE93C7AD5935638181AAF9240656BD44A858723C38108BB31
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1502310152
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

共有1个答案

柯乐池
2023-03-14

你描述事情的方式听起来就像你在运行Liberty16.0.0.2JSSE SSL上下文在你的场景中被使用。如果cacerts文件被用于信任,那么它一定是。老实说,如果你在代码中没有提供ssl引用,我认为jaxrs应该回到Liberty SSLContext。我可能错了,必须进行调查。

因此,在17.0.0.2和使用transportSecurity-1.0特性时,您现在使用的是Liberty SSLContext。这是transportSecurity-1.0的正确行为,如果服务器中没有ssl配置,jaxr只会返回到JSSE默认SSLContext。xml文件。transportSecurity-1.0特性的工作方式与此类似,https://www.ibm.com/support/knowledgecenter/en/was_beta_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_config_ssl_outbound.html和出站SSL过滤器功能,https://www.ibm.com/support/knowledgecenter/en/was_beta_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/rwlp_config_ssl_outbound_filter.html.

因此,如果您使用transportSecurity-1.0特性,您需要将签名者添加到您的Liberty信任库,Liberty不会自动接受签名者。

我将不得不研究如果使用ssl-1.0特性,行为应该是什么。

 类似资料:
  • 迁移PHP版本到PHP7

    本文向大家介绍迁移PHP版本到PHP7,包括了迁移PHP版本到PHP7的使用技巧和注意事项,需要的朋友参考一下 今天看到微博上说phpng也就是php7合并到master上了,大家都知道我是比较喜欢探讨最新版本的东西,看看有什么特性,我就忍不住升级去了,以前我的PHP版本是5.5.19,然后我就开始了。 然后编译配置参数,我的博客服务器是腾讯云服务器,因为是博客配置比较低。如下: 下边是针对php

  • Java Axon从2.4.2版本到4.0.3的迁移

    可悲的是,这些来源中引用的大多数轴突迁移指南和文档已经过时或被删除。 外面还有移民指南吗?另外,哪种方法更好--一次迁移还是两步迁移?有Axon经验的人可以分享他们的来源或见解吗?

  • 迁移CVS版本库到Subversion

    迁移CVS版本库到Subversion 或许让CVS用户熟悉Subversion最好的办法就是让他们的项目继续在新系统下工作,这可以简单得通过平淡的把CVS版本库的导出数据导入到Subversion完成,或者是更加完全的方案,不仅仅包括最新数据快照,还包括所有的历史,从一个系统到另一个系统。这是一个非常困难的问题,包括推导保持原子性的修改集,转化两个系统完全不同的分支政策。但是我们还是有许多工具声

  • Weblogic 8.1到Websphere 8.5的迁移

    我正在将我的项目从 Weblogic 8.1 迁移到 IBM Websphere 8.5。 java文件中使用了许多类来引用weblogic.jar. 现在,随着迁移到Websphere,这些需要被替换或更改,代码也需要如此。 所以我的问题是,我能得到weblogic.jar的准确或相似的替换jar吗。如果没有,是否有其他方法用websphere类替换java代码中的weblogic类。 类似we

  • 将EJB 2.1从WebSphere 6.1迁移到JBoss EAP 6.1

    我正在尝试从WS 6.1迁移到JBoss EAP 6.1。我很难让EJB 2.1在JBoss 6.1中工作。 (注意:@GatewayEjbJndiName@在编译时被ant替换。) 这是最初的ejb jar。xml: 这是(经过许多小时的研究)我为JBoss EAP 6.1(ejb-jar.xml)提出的: 但是每次尝试启动JBoss服务器时,我都会出现这个错误: EJBBean/EJBRemo

  • websphere portlet factory到liferay portal的迁移

    嗨, 我刚开始生活。我正在尝试将WebSphere6.1(JSR286)中开发的portlet迁移到Liferay6.1。暂时,我开发了一个显示一些文本的门户(pa_test.war),并将其部署在Liferay上。 .WAR文件被选择为-“上载WAR文件以安装布局模板、portlet或主题。” 信息:取消部署上下文[/pa_test]Jul 30 2012 7:54:05 AM org.apac

相关问答

从mapbox-sdk版本6.7.0迁移到7.3.2、mapbox-core 0.2.0迁移到1.3和mapbox导航0.18.0迁移到0.36.0的问题dropwizard版本迁移和DIFlyway迁移模式版本Websphere自由:异步调度过程从版本3更新到4schema_versionFlyway更新不会迁移表

相关文章

从C#迁移到Java的技巧?将数据从Solr迁移到elasticsearch从MySQL将数据迁移到FirebaseJava-从JSF 1.2迁移到JSF 2.0将项目从C#迁移到Java

相关阅读

迁移科技面试2022-09-17-度小满后端三面38minJira版本ECMAScript/ES6版本百度 移动端 一面

相关工具

《自由软件,自由社会》(第三版)WebSphereWebSphere MQWebSphere sMashWebSphere eXtreme Scale

相关文档

迁移到云原生应用架构Phinx 数据库迁移中文文档Java 从小白到大牛 精简版百度移动统计帮助手册Java API 版本的 Vert.x Core 手册
快捷导航: 新手教程 算法原理 架构设计 Java进阶 数据库进阶 大厂专栏 面试经验 编程笔记 编程问答 所有专题 文档资料 工具软件 电子书籍 小牛导航
在线工具: 房贷计算器 个税计算器 Linux命令查询 Json格式化 正则表达式 颜色转换 AES加解密 SHA1加密 MD5加密 毒鸡汤 字数统计 随机密码生成 进制转换 Base64编解码 励志句子
Copyright © 2019-2024 小牛知识库@xnip.cn. All Rights Reserved.