Web Service Client (JAX-WS) in Weblogic (10.3) with 2-way SSL cannot complete the handshake


Problem description

We have been looking for a solution to our problem for one week and, after looking in a lot of similar posts and after reading all the available documentation, we haven't got a solution.

I'm going to explain my current situation and I hope someone can help us solve the problem.

We have developed a Web Service Client in JAX-WS, which communicates with a server-side Web Service on another platform. The communication is 2-way SSL: we have the CA of the server side, to trust it, and our private certificates to identify ourselves to the server side.

Our Web Service Client is deployed in a Weblogic 10.3 and, when it is going to make a call to the server-side Web Service, we dynamically load the truststore and the keystore, which is loaded with just one certificate, because each time we are going to use a different certificate, so we cannot use only a static keystore.

The problem is when we are establishing the connection and negotiating the handshake, because Weblogic ignores the truststore and keystore we loaded before the call and only looks for the trusted certificates and the private keys in Weblogic's own keystores...

If we put our trusted certificate in the truststore of Weblogic and start the communication again, we begin the handshake and we trust the server side (because now Weblogic finds the CA in its keystore), but when our Web Service Client has to send the certificate to be trusted by the server side, the "Certificate Chain" is empty and we get a "BAD_CERTIFICATE".

We have tried with Apache CXF and JAX-WS and the problem is the same, setting the keystores using the System properties and the libraries... So we don't know why our Web Service Client is not capable of sending the certificate. It seems Weblogic is not serving them for some reason, maybe Weblogic configuration, but we don't know.

If someone knows what we can do, please tell us.

Thanks in advance.

Recommended answer

I got many problems with SSL and JAX-WS until I changed a setting in Weblogic: use JSSE. Depending on the version of Weblogic (10.3.x, the x changes everything) this may or may not be possible. It worked for me on 10.3.3 and 10.3.5, which are both Weblogic 11g. This change can be done using the console (in Security, Advanced) or on the command line: -Dweblogic.security.SSL.enableJSSE=true

The reason is that in the previous Oracle implementation of SSL (if not using JSSE) some certificates are not accepted depending on the algorithm and the size of the key. Plus, this implementation uses different settings and will not use JSSE settings like javax.net.ssl.keyStore...

I am now using this JSSE + -Djavax.net.debug=ssl:verbose and everything is clear.
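Added example (not code from the question or the answer, and not Weblogic's own API): one way to build the per-call SSLContext the asker describes, with a pre-flight check that the single key entry actually carries a certificate chain, which is the condition behind the empty "Certificate Chain" and the BAD_CERTIFICATE in the question. It assumes JKS keystores on disk with caller-supplied paths and passwords (placeholders), and, per the answer above, that the pre-JSSE Weblogic SSL stack ignores JSSE settings, so this context only takes effect once JSSE is enabled.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
// Per-call SSLContext from a one-entry client keystore plus a truststore, with a
// pre-flight check for the "Certificate Chain is empty" symptom from the question.
public final class PerCallSslContext {
    // Loads a JKS keystore from disk; path and password are placeholders supplied by the caller.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        return ks;
    }
    // A private-key entry without a chain gives the KeyManager nothing to present, so the
    // server sees an empty client certificate. Fail before the handshake rather than during it.
    static int checkKeyEntries(KeyStore ks) throws Exception {
        int keyEntries = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;          // trusted-cert entries are never sent
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0)
                throw new IllegalStateException("key entry '" + alias + "' has no certificate chain");
            keyEntries++;
        }
        if (keyEntries == 0) throw new IllegalStateException("keystore holds no private-key entry");
        return keyEntries;
    }
    // KeyManagers present the client key; TrustManagers validate the server against the CA.
    static SSLContext build(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        checkKeyEntries(keyStore);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
    // Usage: java PerCallSslContext client.jks <ks-password> truststore.jks <ts-password>
    public static void main(String[] args) throws Exception {
        char[] ksPw = args[1].toCharArray();
        SSLContext ctx = build(load(args[0], ksPw), ksPw, load(args[2], args[3].toCharArray()));
        System.out.println("SSLContext ready (" + ctx.getProtocol() + "), client key entries verified");
    }
}
```

Running it with -Djavax.net.debug=ssl:verbose, as the answer suggests, shows whether the handshake's client Certificate message carries the chain this check confirmed.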
