有没有一种方法可以在不直接访问Java中的Websphere密钥库的情况下进行Mutual SSL? [英] Is there a way that I can do Mutual SSL without direct acces to the Websphere keystore in Java?
问题描述
我正在尝试在2个Websphere 8.5.5服务器之间建立相互SSL.我只称它们为ServerA和ServerB.
I'm trying to establish Mutual SSL between 2 Websphere 8.5.5 servers. I'll just call them ServerA and ServerB.
ServerA:客户端,将ServerB的SSL证书添加到DefaultTrustKeyStore中.
ServerA: Client side, added ServerB's SSL certificate into DefaultTrustKeyStore.
ServerB:服务器端,将ServerA的SSL证书添加到DefaultTrustKeyStore中.我还安装了一个WAR,该WAR提供了一个Servlet,它可以接收HTTP POST消息,对其进行记录并向客户端响应确定".客户端身份验证模式设置为必需".
ServerB: Server side, added ServerA's SSL certificate into DefaultTrustKeyStore. I also installed a WAR which provide a servlet that could receive HTTP POST message, log it, and response "OK" to client. Client Auth mode set to "Required".
现在我遇到了一个问题:相互SSL客户端的传统方式必须直接读取密钥库以检索私钥,因此我们可以使用它来设置SSLContext来进行客户端身份验证.但是它可能具有直接访问密钥库的安全漏洞.因此,我需要找到一种方法让我让ServerA的websphere为我做这件事(或可以命令Websphere做到这一点的Java代码).
Now I got a problem: traditional way of Mutual SSL client side MUST read the keystore directly to retrieve private key, so we can use it to set our SSLContext to do client authentication. But it might have security flaw for accessing keystore directly. So I need to find a way if I can let my ServerA's websphere to do this for me(or Java code that could command Websphere to do this).
请问有人可以教我如何直接访问密钥库吗?
Can anyone teach me how to do this without accessing keystore directly, please?
更新:
嗨dbreaux.
我尝试了建立环回连接的方法,但似乎不起作用.
I tried your way to do a loop-back connection, but it seem like not working.
这是SSL调试日志的最后一部分:
Here's the SSL debug log last section:
[2017/9/3 21:06:25:284 CST] 00000099 SystemOut O JsseJCE: Using KeyGenerator IbmTlsPrf from provider TBD via init
[2017/9/3 21:06:25:284 CST] 00000099 SystemOut O HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.8
[2017/9/3 21:06:25:284 CST] 00000099 SystemOut O WebContainer : 3, WRITE: TLSv1 Change Cipher Spec, length = 1
[2017/9/3 21:06:25:285 CST] 00000099 SystemOut O JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
[2017/9/3 21:06:25:285 CST] 00000099 SystemOut O CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.8
[2017/9/3 21:06:25:285 CST] 00000099 SystemOut O JsseJCE: Using MAC HmacSHA1 from provider TBD via init
[2017/9/3 21:06:25:285 CST] 00000099 SystemOut O MAC: Using MessageDigest HmacSHA1 from provider IBMJCE version 1.8
[2017/9/3 21:06:25:285 CST] 00000099 SystemOut O *** Finished
[2017/9/3 21:06:25:285 CST] 00000099 SystemOut O verify_data: { 226, 248, 159, 68, 107, 196, 76, 219, 134, 227, 129, 58 }
[2017/9/3 21:06:25:285 CST] 00000099 SystemOut O ***
[2017/9/3 21:06:25:285 CST] 00000099 SystemOut O WebContainer : 3, WRITE: TLSv1 Handshake, length = 48
[2017/9/3 21:06:25:285 CST] 00000099 SystemOut O WebContainer : 3, waiting for close_notify or alert: state 1
[2017/9/3 21:06:25:285 CST] 00000099 SystemOut O WebContainer : 3, Exception while waiting for close java.net.SocketException: Software caused connection abort: recv failed
[2017/9/3 21:06:25:285 CST] 00000099 SystemOut O %% Invalidated: [Session-27, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA]
[2017/9/3 21:06:25:285 CST] 00000099 SystemOut O WebContainer : 3, SEND TLSv1 ALERT: fatal, description = handshake_failure
[2017/9/3 21:06:25:285 CST] 00000099 SystemOut O WebContainer : 3, WRITE: TLSv1 Alert, length = 32
[2017/9/3 21:06:25:285 CST] 00000099 SystemOut O WebContainer : 3, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
[2017/9/3 21:06:25:285 CST] 00000099 SystemOut O WebContainer : 3, called closeSocket()
[2017/9/3 21:06:25:285 CST] 00000099 SystemOut O WebContainer : 3, handling exception: javax.net.ssl.SSLHandshakeException: java.net.SocketException: Software caused connection abort: recv failed
我正在使用WAS生成的DefaultKeyStores.由于动态出站端点"页面始终显示CWPKI0681E错误,因此我采用了第一种方法.
I'm using the DefaultKeyStores that WAS generated. Since the Dynamic Outbound Endpoint page keep giving me CWPKI0681E error, so I applied your first way.
这对您有用吗?还是因为我使用的是WAS生成的默认CA?
Does this work on yours? or it's because I'm using the default CA that WAS generated?
11/06更新:
我发现一些线索可能有助于解决此问题.我尝试使用OpenSSL建立与服务器的客户端连接,并且有一些有趣的东西.
I found some clues might help to solve this. I tried to uses OpenSSL to establish client side connection to server, and there are some interesting stuff.
首先,我使用客户端WAS连接到服务器端WAS,最后遇到此异常,服务器刚刚断开了连接.这是服务器端日志:
First, I use my client-side WAS to connect to the Server-side WAS, I end up with this exception and Server just dropped my connection. Here's server side log:
[2017/11/3 18:07:19:349 CST] 00000070 SystemOut O WebContainer : 0, WRITE: TLSv1 Handshake, length = 2765
[2017/11/3 18:07:19:355 CST] 00000070 SystemOut O WebContainer : 0, READ: TLSv1 Handshake, length = 77
[2017/11/3 18:07:19:355 CST] 00000070 SystemOut O *** Certificate chain
[2017/11/3 18:07:19:355 CST] 00000070 SystemOut O ***
[2017/11/3 18:07:19:357 CST] 00000070 SystemOut O WebContainer : 0, fatal error: 40: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
[2017/11/3 18:07:19:357 CST] 00000070 SystemOut O %% Invalidated: [Session-1, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA]
[2017/11/3 18:07:19:357 CST] 00000070 SystemOut O WebContainer : 0, SEND TLSv1 ALERT: fatal, description = handshake_failure
[2017/11/3 18:07:19:358 CST] 00000070 SystemOut O WebContainer : 0, WRITE: TLSv1 Alert, length = 2
[2017/11/3 18:07:19:358 CST] 00000070 SystemOut O WebContainer : 0, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
现在,我尝试使用以下命令将服务器与OpenSSL连接,ClientCA.key是我的私钥:
Now I try to connect Server with OpenSSL with following command, ClientCA.key is my private key:
openssl s_client -tls1 -connect 192.168.1.20:9443 -key ClientCA.key -state
CONNECTED(00000168)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
depth=1 C = US, O = IBM, OU = TestNode01, OU = TestNode01Cell, OU = Root Certificate, CN = Test
verify error:num=19:self signed certificate in certificate chain
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL_connect:error in SSLv3/TLS write finished
write:errno=0
...
我掉线了,在日志末尾也看到了相同的异常.但是,如果我用证书发出命令:
I got dropped and see same exception at the end of log too. But if I give command with my certificate:
openssl s_client -tls1 -connect 192.168.1.20:9443 -cert ClientCA.crt -key ClientCA.pfx -state
CONNECTED(00000150)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
depth=1 C = US, O = IBM, OU = SAGE-AD2Node01, OU = SAGE-AD2Node01Cell, OU = Root Certificate, CN = SAGE-AD2
verify error:num=19:self signed certificate in certificate chain
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write certificate verify
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS read change cipher spec
SSL_connect:SSLv3/TLS read finished
...
我已连接到服务器!和服务器日志看起来也不同:
I connected to Server! and server log look different too:
[2017/11/6 16:19:55:246 CST] 00000073 SystemOut O WebContainer : 0, WRITE: TLSv1 Handshake, length = 2765
[2017/11/6 16:19:55:309 CST] 00000073 SystemOut O WebContainer : 0, READ: TLSv1 Handshake, length = 853
[2017/11/6 16:19:55:309 CST] 00000073 SystemOut O *** Certificate chain
[2017/11/6 16:19:55:309 CST] 00000073 SystemOut O chain [0] = [
[
Version: V1
...
所以我怀疑我必须错过客户端WAS上的某些设置,因此它没有将我的证书发送到P12文件内部的服务器.您能否描述有关其实现方式的更多细节? @Alaine @dbreaux
So I suspect I must missed some setup on my Client-Side WAS, so it didn't send my certificate to Server which is inside of my P12 file. Can you describe more details about how you achieved it? @Alaine @dbreaux
推荐答案
在WebSphere配置中,您似乎需要从密钥库中指定客户端证书,以在建立出站连接时出示该证书. (老实说,我不知道您是否可以编辑Keystore来设置其默认值.我看不到从管理控制台执行此操作的方法,但是您可以从外部进行操作.或者它已经设置好了,但是这还不够.)
In the WebSphere configuration, it appears you need to specify a client certificate from the Keystore to present when making the outbound connection. (I honestly don't know if you can edit the Keystore to set its default. I don't see a way to do that from the admin console, but you might be able to from outside that. Or maybe it's already set, but this isn't sufficient.)
但是,可以在SSL配置中明确设置此方法.我相信所有这些级别都应该起作用,但是要坦白我还没有亲自尝试过.
But a way you can set this explicitly is in the SSL Configurations. I believe all of these levels should work, but confess I haven't tried them personally.
您可以在小区/节点默认SSL设置"中进行设置:
You can set it in the Cell/Node Default SSL Settings:
或者对于像单元,节点或服务器这样的作用域:
Or for a scope, like Cell, Node, or Server:
或者您可以根据要连接的目的地进行设置:
Or you can set it based on the destination you're connecting to:
这篇关于有没有一种方法可以在不直接访问Java中的Websphere密钥库的情况下进行Mutual SSL?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
