为什么java使用JAVA_HOME / lib / security / cacerts的默认位置keystore / truststore虽然我提供了-Djavax.net.ssl.trustStore属性 [英] Why java uses default location keystore/truststore of JAVA_HOME/lib/security/cacerts though I have supplied -Djavax.net.ssl.trustStore properties
问题描述
在我的java应用程序中,我运行提供的 -Djavax.net.ssl.trustStore 系统属性,如下所示。
-Djavax.net.ssl.trustStore = / myapp / app.jks -Djavax.net.ssl.trustStorePassword = XXXXX - Djavax.net.ssl.trustStoreType = jks -Djavax.net.debug = ssl
这是我的完整命令行:
$ JAVA_HOME / bin / java -XX:+ HeapDumpOnOutOfMemoryError -XX:HeapDumpPath = / tmp -Xms512m -Xmx1024m - XX:MaxPermSize = 192m -Djavax.net.ssl.trustStore = / myapp / app.jks -Djavax.net.ssl.keyStore = / myapp / app.jks -Djavax.net.ssl.trustStorePassword = XXXXX -Djavax.net。 ssl.keyStorePassword = XXXXX -Dweblogic.security.SSL.ignoreHostnameVerification = true -Djavax.net.debug = ssl -Djavax.net.ssl.trustStoreType = jks -cp / Oracle / Middleware / Oracle_Home / wlserver / server / lib / wlfullclient。 jar:/ myapp / stand alone / lib / asm-5.0.3.jar:/myapp/standalone/lib/castor-1.3.2-core.jar:/ myapp / standa lone / lib / myAPP_final.jar
但是java没有使用来自自定义路径的自定义keyStore的证书。默认情况下会转到 $ JAVA_HOME / lib / security / cacerts
,我会遇到以下异常:
java.net.ConnectException:t3s://myapphost.com:7500:Destination 10.243.155.222,7900 unreachable;嵌套异常是:
javax.net.ssl.SSLHandshakeException:一般SSLEngine问题;没有可用的路由器到目的地
当我在 $ JAVA_HOME / lib / security / cacerts
它不会给任何异常。
href =http://stackoverflow.com/questions/663890/how-to-set-up-java-to-use-user-specific-certificates-for-eclipse>帖子,并尝试配置相同的并在 $ JAVA_HOME / jre / lib / security / java.security
中添加以下条目:
javax.net.ssl.trustStore = / myapp / app.jks
javax.net.ssl.trustStorePassword = XXXXX
javax.net.ssl.trustStoreType = jks
仍然面临同样的问题。
问题这里是,为什么java总是去java默认keyStore位置: $ JAVA_HOME / lib / security / cacerts
虽然我已经提供和配置自己的自定义keyStore使用: -Djavax.net.ssl.trustStore = / myapp / app.jks -Djavax.net.ssl.trustStorePassword = XXXXX -Djavax.net.ssl.trustStoreType = jks -Djavax.net.debug = ssl
如果我导入相同的证书在默认java keyStore loation它是正常工作对我来说。
在哪里,我需要改变什么来配置不同的密钥库,以避免上面的异常。
查看此帖子后我配置并提供以下系统属性 -D 选项它解决了我的问题。希望它会帮助别人,所以我发布它。
-Dweblogic.security.CustomTrustKeyStoreFileName = / myapp / app.jks
-Dweblogic.security.TrustKeyStore = CustomTrust
-Dweblogic.security.CustomTrustKeyStorePassPhrase = XXXXXPWD
-Dweblogic.security.CustomTrustKeyStoreType = jks
我已经理解了以下我注意的事情: -Dweblogic.security.TrustKeyStore
参数。 p>
注意1: - ** Dweblogic.security.TrustKeyStore **
将有以下选项和内部解释
1:`-Dweblogic.security.TrustKeyStore = JavaStandardTrust`(**当受信任的CA JDK的cacerts,指定这个**)
2:`-Dweblogic.security.TrustKeyStore = DemoTrust`(**我们应该使用当DemoTrust.jks中的受信任的CA和在JDK的cacerts,指定此**)
3:`-Dweblogic.security.TrustKeyStore = CustomTrust`(**我们应该使用来自另一个密钥库的可信CA时,指定此**)。
注2 :
$ b b
任何时候,如果你低于异常,这意味着你的java应用程序没有在指定的信任库中找到证书。
sun.security.validator.ValidatorException:PKIX路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:无法找到有效的证书路径请求目标
在sun.security.validator.PKIXValidator.doBuild(PKIXValidator .java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
PKIX路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:无法找到请求目标的有效认证路径
注3 :重要的事情尝试配置
-Djavax。 net.debug = ssl
以查看日志的更多详细信息视图。通常没有该参数,我们将无法看到更多详细信息日志。 In my java application I am running with supplied -Djavax.net.ssl.trustStore System properties as below.
-Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.trustStoreType=jks -Djavax.net.debug=ssl
This is my Complete command line :
$JAVA_HOME/bin/java -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp -Xms512m -Xmx1024m -XX:MaxPermSize=192m -Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.keyStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.keyStorePassword=XXXXX -Dweblogic.security.SSL.ignoreHostnameVerification=true -Djavax.net.debug=ssl -Djavax.net.ssl.trustStoreType=jks -cp /Oracle/Middleware/Oracle_Home/wlserver/server/lib/wlfullclient.jar:/myapp/standalone/lib/asm-5.0.3.jar:/myapp/standalone/lib/castor-1.3.2-core.jar:/myapp/standalone/lib/myAPP_final.jar
But java is not using that certificate from custom keyStore from the custom path. It is by default going to $JAVA_HOME/lib/security/cacerts
with that I am getting below exception :
java.net.ConnectException: t3s://myapphost.com:7500: Destination 10.243.155.222, 7900 unreachable; nested exception is:
javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination
When i am importing and adding same certificate in the $JAVA_HOME/lib/security/cacerts
it not giving any Exception.
I have refer and this post and try to configured same things in $JAVA_HOME/jre/lib/security/java.security
and added following entry:
javax.net.ssl.trustStore=/myapp/app.jks
javax.net.ssl.trustStorePassword=XXXXX
javax.net.ssl.trustStoreType=jks
Still i am facing same problem.
My Question and problem here is, why java always goes java default keyStore location: $JAVA_HOME/lib/security/cacerts
though i have supplied and configured my own custom keyStore using : -Djavax.net.ssl.trustStore=/myapp/app.jks -Djavax.net.ssl.trustStorePassword=XXXXX -Djavax.net.ssl.trustStoreType=jks -Djavax.net.debug=ssl
And if i am importing same certificate in default java keyStore loation it is working fine for me.
where and what all i need to change to configure different keystore to avoid to above exception.
After seeing this Post I have configured and supplied following system properties -D option it resolved the problem for me. Hope it will help to others so i am posting it.
-Dweblogic.security.CustomTrustKeyStoreFileName=/myapp/app.jks
-Dweblogic.security.TrustKeyStore=CustomTrust
-Dweblogic.security.CustomTrustKeyStorePassPhrase=XXXXXPWD
-Dweblogic.security.CustomTrustKeyStoreType=jks
I have understood following things which i have kept in Note: of -Dweblogic.security.TrustKeyStore
parameter.
Note 1: -**Dweblogic.security.TrustKeyStore**
will have following options and internal interpretation
1: `-Dweblogic.security.TrustKeyStore=JavaStandardTrust` (**We should use when the trusted CAs in the JDK's cacerts, specify this**)
2: `-Dweblogic.security.TrustKeyStore=DemoTrust` (**We should use when the trusted CAs in DemoTrust.jks and in the JDK's cacerts, specify this**)
3: `-Dweblogic.security.TrustKeyStore=CustomTrust` (**We should use when the trusted CAs from another keystore, specify this**).
Note 2:
Any time if you got below Exception, it means your java application is not finding certificate in the specified trust-store.
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:unable to find valid certification path to requested target,It is telling the same.
Note 3:
Important things try to cogfigured -Djavax.net.debug=ssl
for seeing more detail view of logs. Normally without that parameter we wont be able to see more details log.
这篇关于为什么java使用JAVA_HOME / lib / security / cacerts的默认位置keystore / truststore虽然我提供了-Djavax.net.ssl.trustStore属性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!