Documentum Rest 服务 - 信任来自 Java 客户端的 SSL 证书 [英] Documentum Rest Service - Trusting SSL certificate from Java Client
问题描述
我的需要是接受来自独立 Java 应用程序(将捆绑为 JAR)在 REST Web 服务 URL (https://:/dctm-rest) 上启用的 SSL 证书.
My Need is to accept the SSL certificate enabled on REST Webservice URL ( https:/:/dctm-rest) from standalone Java application(which will be bundled as JAR).
据我所知,最好的方法是使用 Keytool 创建 KeyStore/TrustStore,从浏览器/openssl 下载证书并将其添加到 TrustStore.这样,我们正在创建一个依赖项,并且必须有人在每次续订时不断更新证书.
To my knowledge best way is to create KeyStore/TrustStore using Keytool, download the certificate from browser/openssl and add it to TrustStore.With this we are creating a dependency and someone has to keep on updating the certificate for every renewal.
有人可以指导我通过删除手动依赖来实现这个吗?
Can someone guide me to get this implemented by removing the manual dependency?
推荐答案
您必须将 https://dctm-rest
处的服务器证书包含在您的 JRE(信任库)的白名单中
You have to include the server certificate at https://dctm-rest
into the whitelist of your JRE (the truststore)
1) 在 JRE trustore 中包含服务器证书(jre/lib/security/cacerts
)(不推荐)
要下载服务器证书,用浏览器打开站点,右键单击绿色锁,选择查看证书"并下载
To download the server certificate, open site with browser, right-click on green lock, select 'view certificate' and download
探索 cacerts 和导入可信证书的最简单方法是使用 GUI 工具,例如 portecle (http://portecle.sourceforge.net/).你也可以使用keytool
The simplest way to explore cacerts and import trusted certificate is to use a GUI tool like portecle (http://portecle.sourceforge.net/). You can also use keytool
keytool -import -trustcacerts -keystore /opt/java/jre/lib/security/cacerts -alias mycert -noprompt -storepass changeit -file /tmp/examplecert.crt
请参阅 如何将自签名证书正确导入默认情况下可供所有 Java 应用程序使用的 Java 密钥库?
2) 使用您自己的信任库并包含服务器证书(推荐)
2) Use your own truststore and include the server certificate (recommended)
System.setProperty ("javax.net.ssl.trustStore", path_to_your_trustore_jks_file);
System.setProperty ("javax.net.ssl.trustStorePassword", "password");
您还可以创建 SSLSocketFactory 并在连接之前添加到您的连接或使用静态方法应用于所有连接
You can also create an SSLSocketFactory and add to your connection before connecting or apply to all connections using the static method
HttpsURLConnection.setDefaultSSLSocketFactory(sslFactory);
这是一个创建套接字工厂的例子
This is an example to create the socket factory
//Load JKS keystore that includes the server certificate or the root
KeyStore keyStore = ...
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmf.getTrustManagers(), null);
sslFactory = ctx.getSocketFactory();
3) 根本不使用信任库(完全不推荐)
请参阅为单个连接禁用 SSLHandshakeException(我不会复制解决方案)
See Disable SSLHandshakeException for a single connection (I will not copy the solution)
这篇关于Documentum Rest 服务 - 信任来自 Java 客户端的 SSL 证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!