用于出站连接的SSL配置在websphere-liberty 17.0.0.2中不起作用 [英] SSL config for outbound connections doesn't work in websphere-liberty 17.0.0.2

问题描述

我正在尝试将Websphere-liberty服务器配置为对所有出站连接(实际上是REST调用)使用默认密钥库和信任库，对于入站使用自定义密钥和信任库.但是，当尝试调用外部REST服务时，它将失败并显示SSLHandshakeException.在日志中，我可以看到它使用的是我的自定义信任库，而不是默认的信任库.
下面是我的server.xml

I'm trying to configure websphere-liberty server to use default keystore and trustore for all outbound connections (actually REST calls) and for inbound use a custom key and trust stores. But it fails with SSLHandshakeException when try to make a call to external REST service. In logs I can see that it uses my custom truststore instead of default one.
Below is my server.xml

<?xml version="1.0" encoding="UTF-8"?>
<server description="Default server">
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>transportSecurity-1.0</feature>
        <feature>jaxrs-2.0</feature>
        <feature>json-1.0</feature>
        <feature>javaMail-1.5</feature>
        <!--<feature>ssl-1.0</feature>-->
    </featureManager>

    <sslDefault sslRef="saasSSLConfig" outboundSSLRef="outboundSSLConfig" />

    <ssl id="saasSSLConfig" keyStoreRef="saasKeyStore" trustStoreRef="saasTrustStore" clientAuthentication="true" sslProtocol="TLSv1" />
    <keyStore id="saasKeyStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/sbs_endpoint_keystore.jks" password="pwd" />
    <keyStore id="saasTrustStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/serverTruststore.jks" password="pwd" />

    <ssl id="outboundSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" />

    <basicRegistry id="basic" realm="BasicRealm">
        <!-- <user name="yourUserName" password="" />  -->
    </basicRegistry>

    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />
    <applicationManager autoExpand="true"/>
</server>

顺便说一句，如果将saasSSLConfig更改为使用defaultTrustStore而不是saasTrustStore，那么一切正常.

BTW if change saasSSLConfig to use defaultTrustStore instead of saasTrustStore then everything works fine.

服务器版本:

WebSphere Application Server 17.0.0.2 (1.0.17.cl170220170523-1818) on IBM J9 VM, version pxa6480sr4fp7-20170627_02 (SR4 FP7) (en_US)

错误:

[ERROR] CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN CN=*.api.ibm.com, O=International Business Machines, L=Armonk, ST=New York, C=US was sent from the target host.  The signer might need to be added to local trust store /opt/ibm/wlp/output/defaultServer/resources/security/serverTruststore.jks, located in SSL configuration alias saasSSLConfig.  The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.;
SSLHandshakeException invoking https://dev.api.ibm.com/scx/test/sbs/customer/222222222: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.

推荐答案

自由不会自动加载cacerts.如果需要，可以创建一个keyStore元素来指向它.因此，在上述情况下，您可以创建这样的配置.

Liberty does not load cacerts automatically. You can create a keyStore element to point to it if desired. So in your case above you can create a configuration like this.

<ssl id="outboundSSLConfig" keyStoreRef="cacertKeyStore" />
<keyStore id="cacertKeyStore" location=<fill in path to your jdk cacerts file> password="changeit" />

我假设您不需要此配置的密钥，所以我简化为outboundSSLConfig上的keyStoreRef.它将使用keyStoreRef指向的密钥和信任.

I am assuming you do not need a key for this configuration so I simplified to just a keyStoreRef on outboundSSLConfig. It will use what is pointed to by keyStoreRef for both key and trust.

这篇关于用于出站连接的SSL配置在websphere-liberty 17.0.0.2中不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！