WSO2 MDM configuration: certificate problems


Problem description

As soon as I import the first key with keytool into the wso2carbon.jks file (and I restart the service) my service already fails to launch properly and logs the following error:

TID: [0] [EMM] [2014-03-06 23:46:42,106] ERROR {org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiverDS} -  Can not create and start Agent Server {org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiverDS}
org.wso2.carbon.databridge.core.exception.DataBridgeException: Cannot start agent server on port 7711
    at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.startSecureEventTransmission(ThriftDataReceiver.java:129)
    at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.start(ThriftDataReceiver.java:101)
    at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiverDS.activate(ThriftDataReceiverDS.java:96)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.eclipse.equinox.internal.ds.model.ServiceComponent.activate(ServiceComponent.java:260)
    at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.activate(ServiceComponentProp.java:146)
    at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.build(ServiceComponentProp.java:347)
    at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponent(InstanceProcess.java:620)
    at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponents(InstanceProcess.java:197)
    at org.eclipse.equinox.internal.ds.Resolver.getEligible(Resolver.java:343)
    at org.eclipse.equinox.internal.ds.SCRManager.serviceChanged(SCRManager.java:222)
    at org.eclipse.osgi.internal.serviceregistry.FilteredServiceListener.serviceChanged(FilteredServiceListener.java:107)
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl.dispatchEvent(BundleContextImpl.java:861)
    at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
    at org.eclipse.osgi.framework.eventmgr.ListenerQueue.dispatchEventSynchronous(ListenerQueue.java:148)
    at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEventPrivileged(ServiceRegistry.java:819)
    at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEvent(ServiceRegistry.java:771)
    at org.eclipse.osgi.internal.serviceregistry.ServiceRegistrationImpl.register(ServiceRegistrationImpl.java:130)
    at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.registerService(ServiceRegistry.java:214)
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl.registerService(BundleContextImpl.java:433)
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl.registerService(BundleContextImpl.java:451)
    at org.wso2.carbon.core.init.CarbonServerManager.initializeCarbon(CarbonServerManager.java:517)
    at org.wso2.carbon.core.init.CarbonServerManager.start(CarbonServerManager.java:219)
    at org.wso2.carbon.core.internal.CarbonCoreServiceComponent.activate(CarbonCoreServiceComponent.java:77)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.eclipse.equinox.internal.ds.model.ServiceComponent.activate(ServiceComponent.java:260)
    at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.activate(ServiceComponentProp.java:146)
    at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.build(ServiceComponentProp.java:347)
    at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponent(InstanceProcess.java:620)
    at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponents(InstanceProcess.java:197)
    at org.eclipse.equinox.internal.ds.Resolver.getEligible(Resolver.java:343)
    at org.eclipse.equinox.internal.ds.SCRManager.serviceChanged(SCRManager.java:222)
    at org.eclipse.osgi.internal.serviceregistry.FilteredServiceListener.serviceChanged(FilteredServiceListener.java:107)
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl.dispatchEvent(BundleContextImpl.java:861)
    at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
    at org.eclipse.osgi.framework.eventmgr.ListenerQueue.dispatchEventSynchronous(ListenerQueue.java:148)
    at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEventPrivileged(ServiceRegistry.java:819)
    at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEvent(ServiceRegistry.java:771)
    at org.eclipse.osgi.internal.serviceregistry.ServiceRegistrationImpl.register(ServiceRegistrationImpl.java:130)
    at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.registerService(ServiceRegistry.java:214)
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl.registerService(BundleContextImpl.java:433)
    at org.eclipse.equinox.http.servlet.internal.Activator.registerHttpService(Activator.java:81)
    at org.eclipse.equinox.http.servlet.internal.Activator.addProxyServlet(Activator.java:60)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.init(ProxyServlet.java:40)
    at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.init(DelegationServlet.java:38)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1267)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1186)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1081)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5027)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5314)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1559)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1549)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
    at java.util.concurrent.FutureTask.run(FutureTask.java:166)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:724)
Caused by: org.wso2.carbon.databridge.commons.exception.TransportException: Thrift transport exception occurred 
    at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.startSecureEventTransmission(ThriftDataReceiver.java:150)
    at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.startSecureEventTransmission(ThriftDataReceiver.java:127)
    ... 63 more
Caused by: org.apache.thrift.transport.TTransportException: Error creating the transport
    at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:201)
    at org.apache.thrift.transport.TSSLTransportFactory.getServerSocket(TSSLTransportFactory.java:102)
    at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.startSecureEventTransmission(ThriftDataReceiver.java:146)
    ... 64 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
    at java.security.KeyStore.getKey(KeyStore.java:792)
    at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:131)
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:68)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:259)
    at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:187)
    ... 66 more

I've tried to do all sorts of things with the certificates for weeks now, but I failed to set up a completely running service. Can anyone please help me through the certificate handling step by step, because following the manual apparently has no success for some reason. Remark: I don't have an iOS certificate and I generated all my certificates with OpenSSL by following the WSO2 manual. I executed this command to generate this specific (KEYSTORE) p12 file for import in wso2carbon.jks. Do I first need to manually delete all jks files in that folder, or should I import into the existing files for one? What else might I be doing wrong? Thanks for the support.

Recommended answer

Based on your older questions, I assume you are trying to configure the Android management part. Most of the certificate-related stuff in the document is associated with iOS. If you want to try out the Android configuration, you can skip most of the parts in that. Simply skip the CA/RA generations.

When configuring Android, the only place you need a keystore is to configure the Android agent app. You can find the step-by-step configuration at Android client configurations. In this link it has pointed to the iOS CA generation, since this step is already followed if you configure both iOS and Android. Otherwise you just have to execute these commands.

openssl genrsa -out <CA PRIVATE KEY> 4096
For example: openssl genrsa -out ca_private.key 4096

openssl req -new -key <CA PRIVATE KEY> -out <CA CSR>
For example: openssl req -new -key ca_private.key -out ca.csr

openssl x509 -req -days <DAYS> -in <CA CSR> -signkey <CA PRIVATE KEY> -out <CA CRT> -extensions v3_ca
For example: openssl x509 -req -days 365 -in ca.csr -signkey ca_private.key -out ca.crt -extensions v3_ca

openssl rsa -in <CA PRIVATE KEY> -text > <CA PRIVATE PEM>
For example:  openssl rsa -in ca_private.key -text > ca_private.pem

openssl x509 -in <CA CRT> -out <CA CERT PEM>
For example: openssl x509 -in ca.crt -out ca_cert.pem

At the end of the following commands you should have a ca_cert.pem with you.

Now you need to export this CA file into pkcs12. The command is as follows.

 openssl pkcs12 -export -out ca.p12 -inkey ca_private.pem -in ca_cert.pem -name "cacert" 

Now you get the ca.p12 file.

Just execute the following command to create a keystore file.

 keytool -importkeystore -srckeystore ca.p12 -srcstoretype PKCS12 -destkeystore wso2mobilemdm.jks 

As mentioned in my other thread wso2-mdm-android-agent-issue, you can either rename this to bks file format or you can use portecle to convert this to bks, since Android expects you to make the keystore file in bouncycastle format. Then embed this bks as mentioned in the doc and recompile the Android agent code.

In order to start, it's better you clear everything and get a fresh WSO2 EMM zip file. Extract it and start from scratch. From your log, what I feel is your existing wso2carbon.jks is corrupted. When generating, do not import your generated CA to it, and use a new keystore file as I mentioned in the last step.

Hope this helps.
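The trace in the question ends in `KeyStore.getKey` throwing `UnrecoverableKeyException`, meaning a key entry could not be decrypted with the password supplied. The script below is an added example, not part of the original answer: it runs the answer's CA, PKCS12 and JKS steps non-interactively and checks that the private key is recoverable with the intended password. The subject name, passwords and function names are constructed, and the CSR and self-sign steps are condensed (no `-extensions v3_ca`, certificate written straight to PEM).

```shell
#!/usr/bin/env bash
# Added example. Demo values (subject, passwords) are constructed; passwords are
# passed on argv only for brevity, use file: or env: sources on shared hosts.
set -u
make_ca_p12() {  # <dir> <password> [bits]; key size defaults to the answer's 4096
  local d=$1 pass=$2 bits=${3:-4096}
  openssl genrsa -out "$d/ca_private.key" "$bits" 2>/dev/null &&
  openssl req -new -key "$d/ca_private.key" -subj "/CN=demo-ca.example" \
      -out "$d/ca.csr" &&
  openssl x509 -req -days 365 -in "$d/ca.csr" -signkey "$d/ca_private.key" \
      -out "$d/ca_cert.pem" 2>/dev/null &&
  openssl pkcs12 -export -out "$d/ca.p12" -inkey "$d/ca_private.key" \
      -in "$d/ca_cert.pem" -name "cacert" -passout "pass:$pass"
}

# Succeeds only if the PKCS12 private key decrypts with the given password.
p12_key_recoverable() {  # <p12> <password>
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes >/dev/null 2>&1
}

# Import with store and key passwords set explicitly to the same value.
import_to_jks() {  # <dir> <password>
  keytool -importkeystore -noprompt \
      -srckeystore "$1/ca.p12" -srcstoretype PKCS12 -srcstorepass "$2" \
      -destkeystore "$1/wso2mobilemdm.jks" -deststoretype JKS \
      -deststorepass "$2" -destkeypass "$2" >/dev/null 2>&1
}

# -certreq must read the private key, so it fails on an unrecoverable key.
jks_key_recoverable() {  # <jks> <storepass> <keypass>
  keytool -certreq -alias cacert -keystore "$1" -storepass "$2" \
      -keypass "$3" </dev/null >/dev/null 2>&1
}

demo() {  # [bits]
  local d pw="demo-pass-123"
  d=$(mktemp -d) || return 1
  make_ca_p12 "$d" "$pw" "${1:-4096}" || { rm -rf "$d"; return 1; }
  p12_key_recoverable "$d/ca.p12" "$pw" && echo "p12: key recoverable"
  p12_key_recoverable "$d/ca.p12" "wrong-$pw" || echo "p12: wrong password rejected"
  if command -v keytool >/dev/null 2>&1 && import_to_jks "$d" "$pw"; then
    jks_key_recoverable "$d/wso2mobilemdm.jks" "$pw" "$pw" && echo "jks: key recoverable"
    jks_key_recoverable "$d/wso2mobilemdm.jks" "$pw" "wrong-$pw" ||
      echo "jks: Cannot recover key with a mismatched key password"
  fi
  rm -rf "$d"
}

demo 2048  # 2048 bits keeps the demo fast
```

Run the `jks_key_recoverable` check against any keystore before pointing the server at it, using the same store and key passwords the server is configured with.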
