How to use the Windows Keystore (MCS) with JDBC?

Problem description

I am trying to create a java application that uses PKI for authentication. I need to be able to retrieve a certificate from the Microsoft Certificate Store (MCS) and pass it along to an Oracle database (11.2).

I am connecting using the jdbc:oracle:thin driver. After spending quite some time on google I have come up empty. I've found different properties to change (depending on the article):

  • set the property javax.net.ssl.keyStoreType = "Windows-MY"
  • set the javax.net.ssl.keyStore = "Windows-MY"
  • javax.net.ssl.keyStore should be set to "None" (if using a custom KeyManager which I do not believe will work since by the time it gets into my custom KeyManager I will already be given the certs from a keystore specified in the connection properties).

Of course all of these people are claiming success, but nothing has worked for me. I have tried every example I have been able to find all with no luck. I was able to successfully authenticate when I was using Oracle wallets so I know my certificates are fine. If anyone has done this before and is willing to post some code that would be great.

I know most people are using the Windows keystore with a website and therefore are creating their own SSLContext, but I cannot imagine I am the only one who has wanted to do this using JDBC (which as far as I know does not allow me to provide it an SSLContext).

This is the code that I believe should work, but does not.

DriverManager.registerDriver(new OracleDriver());
String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=host)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=someName))(SECURITY= (SSL_SERVER_CERT_DN=\"CN=TESTSERVER\")))";

java.util.Properties props = new java.util.Properties();
props.setProperty("javax.net.ssl.keyStoreType", "Windows-MY");
props.setProperty("javax.net.ssl.keyStore", "NONE");
props.setProperty("javax.net.ssl.trustStoreType", "Windows-ROOT");
props.setProperty("javax.net.ssl.trustStore", "NONE");

props.setProperty("oracle.net.ssl_server_dn_match", "true");
props.setProperty("oracle.net.authentication_services", "(TCPS)");
Connection conn = DriverManager.getConnection(url, props);

This code fails with the exception:

java.sql.SQLRecoverableException: IOException: The Network Adapter could not establish the connection

Recommended answer

This article should give you more details. Although it doesn't use the system properties, Windows-MY is clearly a store type and it's not file based. Therefore, javax.net.ssl.keyStoreType should be Windows-MY and javax.net.ssl.keyStore should be set to NONE (upper case may matter), see the JSSE Ref Guide (Customization):

javax.net.ssl.keyStore system property

Note that the value NONE may be specified. This setting is appropriate if the keystore is not file-based (for example, it resides in a hardware token).

You may also need to configure your trust store in a similar way if your server certificate isn't trusted by your default Java trust store.
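
An added diagnostic example (not code from the question or the answer): it loads the Windows-MY and Windows-ROOT stores with null stream and password, as non-file-based stores require, lists which entries have a reachable private key, and attempts a plain TLS handshake with the TCPS listener outside the JDBC driver, so a keystore problem can be told apart from a driver configuration problem. The class name is hypothetical, and host and port default to the placeholders in the question's URL.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example; WindowsStoreTlsCheck is a hypothetical name, not part of any library.
public class WindowsStoreTlsCheck {
    // Windows stores are not file-based, so the input stream and password are both null.
    static KeyStore load(String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "host"; // placeholder from the question's URL
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 2484;
        KeyStore my = load("Windows-MY");     // current user's personal certificates
        KeyStore root = load("Windows-ROOT"); // trusted root authorities
        // A certificate can only serve for TLS client authentication if its private key is reachable.
        int usable = 0;
        for (String alias : Collections.list(my.aliases())) {
            X509Certificate c = (X509Certificate) my.getCertificate(alias);
            if (c == null) continue;
            boolean hasKey = my.isKeyEntry(alias);
            if (hasKey) usable++;
            System.out.printf("%s | key=%b | %s | expires %s%n", alias, hasKey,
                    c.getSubjectX500Principal().getName(), c.getNotAfter());
        }
        if (usable == 0) throw new IllegalStateException("No key entry in Windows-MY");

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(my, null);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(root);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        // Handshake failures here point at certificates or trust, not at the JDBC properties.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("Handshake OK: " + s.getSession().getProtocol()
                    + " " + s.getSession().getCipherSuite() + " peer=" + s.getSession().getPeerPrincipal());
        }
    }
}
```

If the handshake succeeds here but the JDBC connection still fails, the certificates and trust chain are fine and the remaining suspects are the driver's connection properties.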
