How to set up Apache CXF client to use WebSphere truststore? (Receiving "No trusted certificate found" exception.)

Question

First, I'll start with a summary. I'm using an Apache CXF client to communicate over SSL with an Apache CXF service provider that is using a self-signed certificate. I imported the certificate into the WebSphere truststore on the client server, but I still receive a "javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://somesvcprovider.com/appname/svc/myservice: com.ibm.jsse2.util.h: No trusted certificate found" exception.

Now, here are the details:

I have an Apache CXF web service client that I am configuring using Spring, and the client is deployed to a WebSphere 6.1 application server. The CXF client communicates with an Apache CXF service provider on a different WebSphere server. The communication uses SSL.

The service provider is using a self-signed certificate. I've imported the provider's certificate into the WebSphere truststore on the client server through the administrative console. I accomplished this by going to SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Key stores and certificates > NodeDefaultTrustStore > Signer certificates; then I used the "Retrieve from port" tool to import the certificate.

However, I still receive this error when attempting to contact the service provider: "javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://somesvcprovider.com/appname/svc/myservice: com.ibm.jsse2.util.h: No trusted certificate found".

The Spring configuration file is as follows:

<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:sec="http://cxf.apache.org/configuration/security"
  xmlns:http="http://cxf.apache.org/transports/http/configuration"
  xmlns:jaxws="http://cxf.apache.org/jaxws"
  xsi:schemaLocation="
      http://cxf.apache.org/configuration/security
      http://cxf.apache.org/schemas/configuration/security.xsd
      http://cxf.apache.org/transports/http/configuration
      http://cxf.apache.org/schemas/configuration/http-conf.xsd
      http://cxf.apache.org/jaxws
      http://cxf.apache.org/schemas/jaxws.xsd
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans.xsd">
    <http:conduit name="*.http-conduit">
        <!-- deactivate HTTPS url hostname verification (localhost, etc) -->
        <!-- WARNING ! disableCNCheck=true should not be used in production. -->
        <http:tlsClientParameters disableCNCheck="true" />
    </http:conduit>
    <!-- Read properties from property file(s). -->
    <bean id="propertyPlaceholderConfigurer"
            class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="locations">
            <list>
                <!-- The *.spring.properties files are prefixed with a system property
                    that is set on the WebSphere server. -->
                <value>classpath:spring.${my.env}.properties</value>
            </list>
        </property>
    </bean>
    <jaxws:client id="myServiceClient"
        serviceClass="com.client.stub.cxf.IMyService"
        address="${my.svc.url}" />
    <bean id="myReport" class="com.client.MyReportRequestor">
        <property name="client" ref="myServiceClient"/>
    </bean>
</beans>

As shown above, the CXF client is injected via a setter by Spring. The code to contact the service is below:

List<String> formNames = client.retrieveNames(formIdsList);

Also, I don't know if this is related, but no trust managers are returned when I inspect the TLSClientParameters object on the CXF client at runtime. The code to do the inspection is below:

// Get the trust managers for this client.
Client proxy = ClientProxy.getClient(client);
HTTPConduit conduit = (HTTPConduit) proxy.getConduit();
TLSClientParameters tls = conduit.getTlsClientParameters();
TrustManager[] trustManagers = tls.getTrustManagers();  // trustManagers is null

Is there anything else that I need to do to get the Apache CXF client to trust the self-signed certificate?

I prefer to not have to specify the path to a truststore along with a password in the configuration file.

Thanks!

Recommended answer

I don't think you can use the WAS keystores just like that with an external component (Apache CXF). You must probably build and use your own TrustManager. There seem to be several working examples around for that.
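
One way to do what the answer suggests, as an added example (not code from the original post or from the Apache CXF project): it trusts only the provider's certificate, loaded from a classpath resource into an in-memory keystore, so no truststore path or password appears in the configuration. The class name PinnedTrustConfigurer, the alias "svc-provider" and the resource name are hypothetical.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/** Hypothetical helper: trusts only the certificate shipped as a classpath resource. */
public final class PinnedTrustConfigurer {

    /** Builds trust managers from one X.509 certificate (PEM or DER); no password is involved. */
    static TrustManager[] trustManagersFor(InputStream certStream) throws Exception {
        Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(certStream);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                          // empty in-memory store
        ks.setCertificateEntry("svc-provider", cert); // alias is arbitrary (hypothetical name)
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    /** Applies the trust managers to the conduit of a CXF client proxy such as myServiceClient. */
    public static void configure(Object clientProxy, String certResource) throws Exception {
        InputStream in = PinnedTrustConfigurer.class.getResourceAsStream(certResource);
        if (in == null) {
            throw new IllegalArgumentException("Certificate resource not found: " + certResource);
        }
        try {
            Client client = ClientProxy.getClient(clientProxy);
            HTTPConduit conduit = (HTTPConduit) client.getConduit();
            TLSClientParameters tls = conduit.getTlsClientParameters();
            if (tls == null) {
                tls = new TLSClientParameters();      // nothing configured in Spring
            }
            tls.setTrustManagers(trustManagersFor(in));
            conduit.setTlsClientParameters(tls);
        } finally {
            in.close();
        }
    }
}
```

Call `PinnedTrustConfigurer.configure(client, "/svc-provider.cer")` once before the first service invocation. The example reuses the conduit's existing TLSClientParameters, so it does not change the disableCNCheck setting from the Spring file.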
