为什么java使用JAVA_HOME / lib / security / cacerts的默认位置keystore / truststore虽然我提供了-Djavax.net.ssl.trustStore属性 [英] Why java uses default location keystore/truststore of JAVA_HOME/lib/security/cacerts though I have supplied -Djavax.net.ssl.trustStore properties

问题描述

在我的java应用程序中，我运行提供的 -Djavax.net.ssl.trustStore 系统属性，如下所示。

  -Djavax.net.ssl.trustStore = / myapp / app.jks -Djavax.net.ssl.trustStorePassword = XXXXX  - Djavax.net.ssl.trustStoreType = jks -Djavax.net.debug = ssl 
  

这是我的完整命令行：

  $ JAVA_HOME / bin / java -XX：+ HeapDumpOnOutOfMemoryError -XX：HeapDumpPath = / tmp -Xms512m -Xmx1024m  - XX：MaxPermSize = 192m -Djavax.net.ssl.trustStore = / myapp / app.jks -Djavax.net.ssl.keyStore = / myapp / app.jks -Djavax.net.ssl.trustStorePassword = XXXXX -Djavax.net。 ssl.keyStorePassword = XXXXX -Dweblogic.security.SSL.ignoreHostnameVerification = true -Djavax.net.debug = ssl -Djavax.net.ssl.trustStoreType = jks -cp / Oracle / Middleware / Oracle_Home / wlserver / server / lib / wlfullclient。 jar：/ myapp / stand alone / lib / asm-5.0.3.jar：/myapp/standalone/lib/castor-1.3.2-core.jar：/ myapp / standa lone / lib / myAPP_final.jar 
  

但是java没有使用来自自定义路径的自定义keyStore的证书。默认情况下会转到 $ JAVA_HOME / lib / security / cacerts ，我会遇到以下异常：

  java.net.ConnectException：t3s：//myapphost.com：7500：Destination 10.243.155.222，7900 unreachable;嵌套异常是：
 javax.net.ssl.SSLHandshakeException：一般SSLEngine问题;没有可用的路由器到目的地
  

当我在 $ JAVA_HOME / lib / security / cacerts 它不会给任何异常。

href =http://stackoverflow.com/questions/663890/how-to-set-up-java-to-use-user-specific-certificates-for-eclipse>帖子，并尝试配置相同的并在 $ JAVA_HOME / jre / lib / security / java.security 中添加以下条目：

  javax.net.ssl.trustStore = / myapp / app.jks 
 javax.net.ssl.trustStorePassword = XXXXX 
 javax.net.ssl.trustStoreType = jks 
  

仍然面临同样的问题。

问题这里是，为什么java总是去java默认keyStore位置： $ JAVA_HOME / lib / security / cacerts 虽然我已经提供和配置自己的自定义keyStore使用： -Djavax.net.ssl.trustStore = / myapp / app.jks -Djavax.net.ssl.trustStorePassword = XXXXX -Djavax.net.ssl.trustStoreType = jks -Djavax.net.debug = ssl

如果我导入相同的证书在默认java keyStore loation它是正常工作对我来说。

在哪里，我需要改变什么来配置不同的密钥库，以避免上面的异常。

解决方案

查看此帖子后我配置并提供以下系统属性 -D 选项它解决了我的问题。希望它会帮助别人，所以我发布它。

  -Dweblogic.security.CustomTrustKeyStoreFileName = / myapp / app.jks 
 -Dweblogic.security.TrustKeyStore = CustomTrust 
 -Dweblogic.security.CustomTrustKeyStorePassPhrase = XXXXXPWD 
 -Dweblogic.security.CustomTrustKeyStoreType = jks 
  

我已经理解了以下我注意的事情： -Dweblogic.security.TrustKeyStore 参数。 p>

注意1： - ** Dweblogic.security.TrustKeyStore ** 将有以下选项和内部解释

  1：`-Dweblogic.security.TrustKeyStore = JavaStandardTrust`（**当受信任的CA JDK的cacerts，指定这个**）
 2：`-Dweblogic.security.TrustKeyStore = DemoTrust`（**我们应该使用当DemoTrust.jks中的受信任的CA和在JDK的cacerts，指定此**） 
 3：`-Dweblogic.security.TrustKeyStore = CustomTrust`（**我们应该使用来自另一个密钥库的可信CA时，指定此**）。 
  

注2 ：

$ b b

任何时候，如果你低于异常，这意味着你的java应用程序没有在指定的信任库中找到证书。

  sun.security.validator.ValidatorException：PKIX路径构建失败：sun.security.provider.certpath.SunCertPathBuilderException：无法找到有效的证书路径请求目标
在sun.security.validator.PKIXValidator.doBuild（PKIXValidator .java：385）
 at sun.security.validator.PKIXValidator.engineValidate（PKIXValidator.java:292）
 at sun.security.validator.Validator.validate（Validator.java:260）
 

PKIX路径构建失败：sun.security.provider.certpath.SunCertPathBuilderException：无法找到请求目标的有效认证路径

注3 ：
重要的事情尝试配置 -Djavax。 net.debug = ssl 以查看日志的更多详细信息视图。通常没有该参数，我们将无法看到更多详细信息日志。

In my java application I am running with supplied -Djavax.net.ssl.trustStore System properties as below.

-Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.trustStoreType=jks -Djavax.net.debug=ssl

This is my Complete command line :

$JAVA_HOME/bin/java -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp -Xms512m -Xmx1024m -XX:MaxPermSize=192m -Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.keyStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.keyStorePassword=XXXXX -Dweblogic.security.SSL.ignoreHostnameVerification=true -Djavax.net.debug=ssl -Djavax.net.ssl.trustStoreType=jks -cp /Oracle/Middleware/Oracle_Home/wlserver/server/lib/wlfullclient.jar:/myapp/stand‌​alone/lib/asm-5.0.3.jar:/myapp/standalone/lib/castor-1.3.2-core.jar:/myapp/standa‌​lone/lib/myAPP_final.jar

But java is not using that certificate from custom keyStore from the custom path. It is by default going to $JAVA_HOME/lib/security/cacerts with that I am getting below exception :

java.net.ConnectException: t3s://myapphost.com:7500: Destination 10.243.155.222, 7900 unreachable; nested exception is:
        javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination

When i am importing and adding same certificate in the $JAVA_HOME/lib/security/cacerts it not giving any Exception.

I have refer and this post and try to configured same things in $JAVA_HOME/jre/lib/security/java.security and added following entry:

javax.net.ssl.trustStore=/myapp/app.jks
javax.net.ssl.trustStorePassword=XXXXX
javax.net.ssl.trustStoreType=jks

Still i am facing same problem.

My Question and problem here is, why java always goes java default keyStore location: $JAVA_HOME/lib/security/cacerts though i have supplied and configured my own custom keyStore using : -Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.trustStoreType=jks -Djavax.net.debug=ssl

And if i am importing same certificate in default java keyStore loation it is working fine for me.

where and what all i need to change to configure different keystore to avoid to above exception.

解决方案

After seeing this Post I have configured and supplied following system properties -D option it resolved the problem for me. Hope it will help to others so i am posting it.

-Dweblogic.security.CustomTrustKeyStoreFileName=/myapp/app.jks 
 -Dweblogic.security.TrustKeyStore=CustomTrust 
 -Dweblogic.security.CustomTrustKeyStorePassPhrase=XXXXXPWD
 -Dweblogic.security.CustomTrustKeyStoreType=jks 

I have understood following things which i have kept in Note: of -Dweblogic.security.TrustKeyStore parameter.

Note 1: -**Dweblogic.security.TrustKeyStore** will have following options and internal interpretation

1: `-Dweblogic.security.TrustKeyStore=JavaStandardTrust` (**We should use when the trusted CAs in the JDK's cacerts, specify this**) 
2: `-Dweblogic.security.TrustKeyStore=DemoTrust`   (**We should use when the trusted CAs in DemoTrust.jks and in the JDK's cacerts, specify this**) 
3: `-Dweblogic.security.TrustKeyStore=CustomTrust`  (**We should use when the trusted CAs from another keystore, specify this**).

Note 2:

Any time if you got below Exception, it means your java application is not finding certificate in the specified trust-store.

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:unable to find valid certification path to requested target,It is telling the same.

Note 3: Important things try to cogfigured -Djavax.net.debug=ssl for seeing more detail view of logs. Normally without that parameter we wont be able to see more details log.

这篇关于为什么java使用JAVA_HOME / lib / security / cacerts的默认位置keystore / truststore虽然我提供了-Djavax.net.ssl.trustStore属性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！