How do you set a client side certificate in Websphere 8.5.5.9 for mSSL?


Problem description

I have an application that is currently deployed in WAS 8.5.5.9. This application connects to another server via webservice and the host of the other server requires me to connect using TLS 1.2 and through a mutual SSL connection.

I have already successfully imported the (other) server's host certificate in the truststore of my WAS but as this is mSSL and not regular 1 way SSL, I also need to set up the client certificate to be sent back to the other server to verify the connection.

How do I do this? I cannot seem to find any options in the WAS admin console that specifies a client certificate to be sent to a remote server for mSSL.

A few points to consider:

  • I have already selected TLSv1.2 in the SSL configuration in WAS and it seems to be working
  • The client certificate was provided to me by the owner of the remote host based on a CSR creation done in IKEYMAN by us.
  • I have tried importing the client certificate in the WAS trust and key stores but I still get a handshake_failure exception when I try to process a transaction.
  • A TCP dump on the remote server side indicates that the server is getting 0 length when receiving the client certificate
  • Logs on my side indicate that the initial handshake is successful. ClientHello and ServerHello messages push through. But at the very end I get this message (although it does not tell much):

[11/28/16 20:57:15:836 CST] 000000e9 SystemOut     O [Raw read]: length = 5
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut     O 0000: 15 03 03 00 02                                     .....

[11/28/16 20:57:15:836 CST] 000000e9 SystemOut     O [Raw read]: length = 2
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut     O 0000: 02 28                                              ..
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut     O Thread-142, READ: TLSv1.2 Alert, length = 2
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut     O Thread-142, RECV TLSv1.2 ALERT:  fatal, handshake_failure
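As an added example (not part of the original question or the answer), the following Python script decodes the two `[Raw read]` dumps in the log above: it reassembles the hex columns into bytes and parses them as one TLS record per RFC 5246, mapping the content type, protocol version, alert level and alert description codes to their names. The sample log text is copied from the question; the function names and the subset of alert codes included are my own choices.

```python
"""Decode the TLS record that a WebSphere/JSSE '[Raw read]' trace prints as a hex dump.
Added example; not code from the original post. Input is the question's own log excerpt."""
import re

# Constructed sample: the two '[Raw read]' dumps from the question (5-byte header, then 2-byte body).
SAMPLE_LOG = """
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut     O [Raw read]: length = 5
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut     O 0000: 15 03 03 00 02                                     .....
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut     O [Raw read]: length = 2
[11/28/16 20:57:15:836 CST] 000000e9 SystemOut     O 0000: 02 28                                              ..
"""

# RFC 5246: record content types (6.2.1), alert levels and descriptions (7.2).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # subset most often seen while debugging mutual TLS
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
}

# Matches the 'NNNN: xx xx xx' hex column of a JSSE dump line, stopping before the ASCII column.
HEX_DUMP_LINE = re.compile(r"\b[0-9A-Fa-f]{4}: ((?:[0-9A-Fa-f]{2} )+)")


def extract_raw_bytes(log_text):
    """Concatenate the hex columns of every dump line, in order, into one byte string."""
    out = bytearray()
    for line in log_text.splitlines():
        m = HEX_DUMP_LINE.search(line)
        if m:
            out.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    return bytes(out)


def decode_record(raw):
    """Parse one TLS record header; if it carries a 2-byte alert, name its level and description."""
    if len(raw) < 5:
        raise ValueError("need at least a 5-byte record header")
    ctype, major, minor = raw[0], raw[1], raw[2]
    length = int.from_bytes(raw[3:5], "big")
    body = raw[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record: header says %d bytes, got %d" % (length, len(body)))
    rec = {
        "content_type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
        "version": VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor)),
        "length": length,
    }
    if ctype == 21 and length == 2:
        rec["alert_level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
        rec["alert_description"] = ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])
    return rec


def decode_log(log_text):
    """Convenience wrapper: dump lines in, decoded record out."""
    return decode_record(extract_raw_bytes(log_text))


if __name__ == "__main__":
    print(decode_log(SAMPLE_LOG))
```

For the question's dump this yields a TLSv1.2 alert record of level `fatal` with description `handshake_failure` (0x28 = 40). Because the alert is received (`RECV`), it is the remote side aborting the handshake; distinguishing `handshake_failure` (generic, e.g. no acceptable client certificate was presented) from `bad_certificate` or `unknown_ca` (a certificate was presented but rejected) tells you which side of the mutual-TLS setup to look at first.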

Recommended answer

You can use the 'Dynamic outbound endpoint' functionality to associate a certificate with connections to the target server. To set up the Dynamic outbound endpoint, see: Associating a Secure Sockets Layer configuration dynamically with an outbound protocol and remote secure endpoint.

The connection information is of the form *,hostname,port. Once you select your existing SSL configuration (CellDefaultSSLSettings), click on the 'Get certificate aliases' button. Then select your client-side certificate from the drop-down.

This should allow you to perform mutual authentication correctly. Note that your client-side certificate must also be present in the trust store of your target server.
