需要帮助在tomcat中调试SSL握手 [英] need help Debugging SSL handshake in tomcat
问题描述
我有一个非常奇怪的问题,并寻找一些提示。我有一个客户端发送的证书,我需要安装,所以我可以访问HTTPS webservice。 certifcate已经安装,在Windows和Linux操作系统。使用keytool命令
keytool -import -alias ca -file somecert.cer -keystore cacerts -storepass changeit
我在Windows中部署我的应用程序tomcat我可以与HTTPS Web服务器通信。但是Linux tomcat给了我错误:
造成:sun.security.provider.certpath.SunCertPathBuilderException:
无法找到请求目标的有效认证路径
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
在java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
这意味着它找不到certifcate。 certifcate是在java安全cacerts。我已经使用 keytool -list
命令,它就在那里。
我不知道为什么它在窗口中工作,不是linux。我已经尝试设置我的servlet中的参数
System.setProperty(javax.net.debug,all) ;
System.setProperty(javax.net.ssl.trustStore,/usr/java/jdk1.5.0_14/jre/lib/security/cacerts);
System.setProperty(javax.net.ssl.trustStorePassword,changeit);
它仍然无法工作。
我的问题是:
1.任何人都知道为什么这不工作,我累了一切?
2.如何为tomcat.Ss设置SSL调试 System.setProperty(javax.net.debug,all)
工作原理?由于某种原因,我在Catalina.out中没有看到任何SSL调试信息。我需要更改任何其他。我应该看到什么样的调试信息。
任何帮助是非常appericated我的想法。
$ b $为了解决这个问题,您可以从google下载SSLPoke.java
p>编译:
javac SSLPoke .java
编译代码后调用SSLPoke
java -Djavax.net.debug =所有SSLPoke [您的https主机] 443
在输出中你会看到java正在寻找cacerts的地方。
一旦你知道确切的位置使用keytool导入你的文件到cacerts
keytool -import -alias [您的https主机] -keystore [返回的位置] / cacerts -file [your.crt]
这就是所有的,重新启动tomcat,它必须工作正常。
有时候,如果你在同一台Linux机器上有很多java版本,甚至将[your.crt]添加到由debug返回的cacerts不起作用,如果这是case添加[your.crt]到Linux机器上的所有cacerts你可以找到他们:
找到cacert $ b $一旦Linux机器返回cacerts的所有位置,例如:
$ b $ <$ p $ b $
b
/ home / xuser / NetBeansProjects / porjectx / conf / cacerts
/opt/otherlocation/j2sdkee1.3.1/lib/security/cacerts.jks
/ opt / icedtea-bin-6.1.12.7 / jre / lib / security / cacerts
/opt/icedtea-bin-6.1.13.5/jre/lib/security/cacerts
/ opt / icedtea- 7.2.4.1/jre/lib/security/cacerts
/opt/oracle-jdk-bin-1.7.0.76/jre/lib/security/cacerts
/opt/sun-j2ee-1.3.1/ lib / security / cacerts.jks
使用keytool将[your.crt]
如果您没有文件your.crt,您可以使用命令获取
openssl s_client -connect [your https host]:443< / dev / null
并从----- BEGIN CERTIFICATE -----复制到 - ---- END CERTIFICATE -----
我希望这可以帮助您
I have a very weird issue and looking for some tips. I have a certificate sent by client that I need to install so I can access HTTPS webservice. The certifcate has been installed, in both windows and Linux OS. using keytool command
keytool -import -alias ca -file somecert.cer -keystore cacerts –storepass changeit
when i deploy my application in windows tomcat I can communicate with HTTPS web server. However Linux tomcat gives me and error:
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
This means it couldn't find the certifcate. The certifcate is at java security cacerts. I have used keytool -list
command and it is there.
I have no idea why it works in windows and not linux. I have tried setting the paramaters in the My servlet
System.setProperty("javax.net.debug", "all");
System.setProperty("javax.net.ssl.trustStore", "/usr/java/jdk1.5.0_14/jre/lib/security/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
It still doesn't work.
My questions are:
1.Anyone has any idea why this isn't working, I have tired everything?
2.How do you enbale SSL debuging for tomcat.Ss setting System.setProperty("javax.net.debug", "all")
works ? For some reason I don't see any SSL debug Info in Catalina.out. Do I need to change anything else.What kind of debug info should i see.
Any help is greatly appericated I am out of ideas.
To solve this problem you could try the following
Download SSLPoke.java from google
Compile it:
javac SSLPoke.java
Once you compile code call SSLPoke as
java -Djavax.net.debug=all SSLPoke [your https host] 443
In the output you will see where java is looking for cacerts.
Once you know the exact location use keytool to import your file to cacerts
keytool -import -alias [your https host] -keystore [the location returned]/cacerts -file [your.crt]
And that is all, restart tomcat and it must be working right.
Some times when you have lot of java versions on the same Linux machine even adding [your.crt] to the cacerts returned by debug does not work, if this is the case add [your.crt] to all cacerts on the Linux machine you can find them all with:
locate cacert
once the Linux machine return all the locations of cacerts for example:
/home/xuser/NetBeansProjects/porjectx/conf/cacerts
/opt/otherlocation/j2sdkee1.3.1/lib/security/cacerts.jks
/opt/icedtea-bin-6.1.12.7/jre/lib/security/cacerts
/opt/icedtea-bin-6.1.13.5/jre/lib/security/cacerts
/opt/icedtea-bin-7.2.4.1/jre/lib/security/cacerts
/opt/oracle-jdk-bin-1.7.0.76/jre/lib/security/cacerts
/opt/sun-j2ee-1.3.1/lib/security/cacerts.jks
add [your.crt] to all of them with keytool and restart tomcat.
If you dont have the file your.crt you can get it with command
openssl s_client -connect [your https host]:443 < /dev/null
and copy from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----
I hope this help you
这篇关于需要帮助在tomcat中调试SSL握手的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!