Why is my RMI/SSL client authentication not working?


Problem description

I did the following things:

+ generated keystore.jks with keytool
+ exported keystore.cer file with keytool
+ imported keystore.cer file into truststore.jks
+ copied keystore.jks and keystore.cer to the client

Then I run the server with

-Djavax.net.ssl.trustStore=truststore.jks -Djavax.net.ssl.trustStorePassword=*

and my client with

-Djavax.net.ssl.keyStore=forclient.jks -Djavax.net.ssl.keyStorePassword=*

The server exposes its interface with the super() call of UnicastRemoteObject

super(PORT,
          new SslRMIClientSocketFactory(),
          new SslRMIServerSocketFactory(null, null, true));

The Registry stuff does not use any SSL. Why is that not working out? It DOES work out if I add the keystore VM arguments in the server run config and the truststore VM arguments in the client. But I really want to know why?

Recommended answer

Please understand the aim of keystore and truststore first. Look at the POST. It says

  • A keystore contains private keys, and the certificates with their corresponding public keys.

  • A truststore contains certificates from other parties that you expect to communicate with, or from Certificate Authorities that you trust to identify other parties.

So the client SHOULD have truststore so that it trusts the server it's interacting with uses server's public key to encrypt the data. Server SHOULD have keystore which stores the private keys which are used to decrypt the data encrypted by corresponding private key by client.

I hope now you got why your application works when you switch keystore and truststore in client-server.
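Added example, not part of the original question or answer: the third argument of SslRMIServerSocketFactory(null, null, true) is needClientAuth, and with it set each JVM must both present a certificate from its keystore and verify the peer's certificate against its truststore. The preflight check below reads the same javax.net.ssl.* properties shown in the question; the class name MutualTlsPreflight and its optional argument (path to the peer's exported certificate) are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.*;

// Added example (hypothetical class name and argument), not code from the post.
public class MutualTlsPreflight {
    // Load the store named by a javax.net.ssl.* property; an empty store if the property is unset.
    static KeyStore load(String pathProp, String passProp) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        String path = System.getProperty(pathProp), pw = System.getProperty(passProp);
        if (path == null) { ks.load(null, null); return ks; }
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw == null ? null : pw.toCharArray());
        }
        return ks;
    }

    // Count key entries (keys=true) or entries that carry a certificate (keys=false).
    static int count(KeyStore ks, boolean keys) throws Exception {
        int n = 0;
        for (String a : Collections.list(ks.aliases()))
            if (keys ? ks.isKeyEntry(a) : ks.getCertificate(a) != null) n++;
        return n;
    }

    // With needClientAuth=true, server AND client each need an identity and a trust anchor.
    static List<String> problems(String peerCer) throws Exception {
        List<String> out = new ArrayList<>();
        KeyStore keys = load("javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword");
        KeyStore trust = load("javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword");
        if (count(keys, true) == 0) out.add("keyStore: no key entry, nothing to present to the peer");
        if (count(trust, false) == 0) out.add("trustStore: unset or empty, JRE default CAs only");
        if (peerCer != null) {
            try (InputStream in = new FileInputStream(peerCer)) {
                Certificate c = CertificateFactory.getInstance("X.509").generateCertificate(in);
                if (trust.getCertificateAlias(c) == null) out.add("trustStore: peer certificate absent");
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        List<String> p = problems(args.length > 0 ? args[0] : null);
        p.forEach(s -> System.out.println("MISSING " + s));
        System.out.println(p.isEmpty() ? "ready for mutual TLS" : "not ready for mutual TLS");
    }
}
```

Run it once with the server's -D options and once with the client's, optionally passing the other side's exported certificate (keystore.cer in the question) as the argument. A JVM started with only a truststore, or only a keystore, reports the missing half.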
