Mutual SSL between ESB and unsecured back-end services, "Null cert chain"
Problem description
I am getting the following error:
ERROR {org.apache.synapse.transport.passthru.SourceHandler} - I/O error: null cert chain {org.apache.synapse.transport.passthru.SourceHandler}
while trying to enable mutual SSL between my (custom) proxy service and 2 unsecured back-end services.
Here's what I've done so far:
- Enabled
<parameter name="SSLVerifyClient">require</parameter>
- Extracted the public certs of the 2 back-end servers in [carbon_home]/repository/resources/security/wso2carbon.jks using Java keytool:
keytool -export -keystore C:\I_T\WS02\wso2as-5.2.1\repository\resources\security\client-truststore.jks -file C:\wssecurity\wso2\wso2ASpublic.cert
- Imported these certs into the ESB trust store:
keytool -import -file C:\wssecurity\wso2\wso2DSSpublic.cert -keystore C:\I_T\WS02\wso2esb-4.8.1\repository\resources\security\client-truststore.jks -storepass wso2carbon -alias wso2carbonDSS
- Done the same with the ESB cert into the servers' client-truststores.
I suspect steps 2-4 were unnecessary because the trust stores already contained these certs.
Perhaps this is causing the problems?
I solved this, if anyone wants to know how to achieve it:
SOAP_CLIENT
|
|
|
|----------- Single SSL (a)
|
|
________________ENTERPRISE_SERVICE_BUS_________________
|| ||
|| ||
|| ||
(b) Mutual SSL--------------|| ||--------------Mutual SSL (c)
|| ||
|| ||
|| ||
APPLICATION_SERVER DATA_SERVICE_SERVER
======================================================================
Key stores :
Soap(client) : soapui_ks.jks - Key store - Password : soapui
ESB : wso2esb_ks.jks - Key store - Password : wso2esb
--------------- wso2esb_ks - Key entry alias - Password : wso2esb
wso2esb_ts.jks - Trust store - Password : wso2esb
--------------- wso2esb_ts - Key entry alias - Password : wso2esb
--------------- as - Imported trusted certificate from wso2as_ks.jks
--------------- dss - Imported trusted certificate from wso2dss_ks.jks
--------------- soapclient - Imported trusted certificate from soapui_ks.jks
AS : wso2as_ks.jks - Key store - Password : wso2as
--------------- wso2as_ks - Key entry alias - Password : wso2as
wso2as_ts.jks - Trust store - Password : wso2as
--------------- wso2as_ts - Key entry alias - Password : wso2as
--------------- esb - Imported trusted certificate from wso2esb_ks.jks
DSS : wso2dss_ks.jks - Key store - Password : wso2dss
--------------- wso2dss_ks - Key entry alias - Password : wso2dss
wso2dss_ts.jks - Trust store - Password : wso2dss
--------------- wso2dss_ts - Key entry alias - Password : wso2dss
--------------- esb - Imported trusted certificate from wso2esb_ks.jks
=================================================================================================================================================================
Configuration :
(a) Change the following in the servers (server_home) to point to the new keystores/truststores.
In the ESB: changed the following configuration files to point to the new keystores and their passwords (as above):
[server_home]/repository/conf/carbon.xml
[server_home]/repository/conf/axis2/axis2.xml - also set <parameter name="SSLVerifyClient">require</parameter>
[server_home]/repository/conf/security/cipher-text.properties
[server_home]/repository/conf/security/secret-conf.properties
[server_home]/repository/conf/sec.policy
Restart server.
In SoapUI, double-click on the root project folder, navigate to the WS-Security Configurations tab, then add soapui_ts.jks as a TRUST store using soapui as the password. Then, when you open a request in that project, in the Request Properties panel set the previously configured soapui_ts.jks as the value of the SSL Keystore property.
Should all be good.