`p12` file works in Firefox RestClient but does not work in WebSphere


Problem description

I have a Java web application that runs in WebSphere and needs to call a third-party service (IBM) to get some response.

At first IBM gave me a p12 file, which contains a client certificate, and I tested it in Firefox RestClient; the call succeeds and I get response code 200 in the RestClient. Otherwise, I get 403 Forbidden. So this is proof that the p12 provided by the third party is correct. Please correct me if my statement is wrong.

Thus, I happily imported this p12 file into my CellDefaultKeyStore to test the connection from my application. Unfortunately, after I imported this p12 file, the nodes' status became "unknown", and I can't even "synchronize" them. And when I check the server log, I keep seeing

com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: The certificate issued by xxx is not trusted; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error

After that I removed it from CellDefaultKeyStore and tried importing it into NodeDefaultKeyStore; the node issue was gone, the node could sync back and my app could call the third party successfully. I thought my job was done for today; however, this solution is not stable: it only works sometimes, not every time. The node status will still become "unknown" after a moment, or, if I run ./stopManager.sh and ./startManager.sh, the node issue will immediately come back.

I have tried running ./stopNode.sh and ./startNode.sh; there are no errors in the logs of these 2 shell scripts. But the WAS Console UI still shows the status as unknown, and I can't even stop or start my server through the WAS Console.

At first I thought it might be a display issue, but the issue is solved if I delete the p12 file from my NodeDefaultKeyStore.

I tried googling around but still can't find any clue. I am not sure whether it is my configuration or the p12 file that has the problem.

Which log should I refer to in order to see why the node status becomes unknown, or what else can I do to continue to debug/troubleshoot this?

Recommended answer

You received the certificate for an external service and you want code in WebSphere to connect to that service, right? The default cell store is not the place to put external connection's certificates.

Put it in the Trusted keystore. This will tell WebSphere to trust that external connection's certificate, enabling your code to connect to it.

You can do it via the console, or using iKeyman directly on the file.

That being said, do not mess with the default certificate in the default keystore. @dbreaux is right on that in the comments.
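
For diagnosing the "certificate issued by xxx is not trusted" chain error quoted in the question, the following is an added example, not part of the original post or answer. It uses OpenSSL on throwaway PEM files rather than WebSphere's own keystores; the function names, certificate names and password are constructed for illustration. It checks whether a p12 carries a private key, who issued its certificate, and whether that issuer is present in a given trust set.

```bash
# Added example. All certificates, names and the password are constructed.
# make_fixture DIR: create a partner CA, an unrelated CA, and client.p12
# (client key + certificate issued by the partner CA, password "changeit").
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Constructed Partner CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Constructed Unrelated CA" \
    -keyout "$1/other.key" -out "$1/other.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-client" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 2 -out "$1/client.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.pem" \
    -name client -passout pass:changeit -out "$1/client.p12"
}

# p12_has_private_key FILE PASS: true if the bundle carries a private key,
# i.e. it is a client identity and not only a certificate.
p12_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY'
}

# p12_issuer FILE PASS: print the issuer of the certificate in the bundle.
p12_issuer() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
    openssl x509 -noout -issuer
}

# chain_builds TRUST_PEM FILE PASS: true only if the bundle's certificate
# chains to a CA present in TRUST_PEM.
chain_builds() {
  openssl pkcs12 -in "$2" -passin "pass:$3" -clcerts -nokeys 2>/dev/null |
    openssl verify -CAfile "$1" 2>/dev/null | grep -q 'OK$'
}

d=$(mktemp -d) && make_fixture "$d"
p12_has_private_key "$d/client.p12" changeit && echo "p12 holds a private key"
p12_issuer "$d/client.p12" changeit
chain_builds "$d/other.pem" "$d/client.p12" changeit ||
  echo "issuer missing from trust set: chain does not build"
chain_builds "$d/ca.pem" "$d/client.p12" changeit &&
  echo "issuer present in trust set: chain builds"
rm -rf "$d"
```
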
