Certificate chaining error in Websphere


Problem description

I am trying to consume a RESTful service from url https://someurl.com. I have added the following properties in my code:

 Security.setProperty("ssl.SocketFactory.provider", "com.ibm.jsse2.SSLSocketFactoryImpl");
 Security.setProperty("ssl.ServerSocketFactory.provider", "com.ibm.jsse2.SSLServerSocketFactoryImpl");
 Security.setProperty("javax.net.ssl.trustStore", "cacerts.jks");
 Security.setProperty("javax.net.ssl.keyStore", "keystore.jks");
 Security.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
 Security.setProperty("javax.net.ssl.trustStoreType", "JKS");

The configuration changes that I have done so far are:

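  1. Set com.ibm.websphere.ssl.retrieveLeafCert to true
  2. Retrieved the certificate using the URL as someurl and port 443, and added it to the trust store.
  3. Restarted the server

But I am getting the following exception: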

java.security.cert.CertPathValidatorException: Certificate chaining error
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed:          java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
  java.security.cert.CertPathValidatorException: The certificate issued by CN=Walmart Root CA, O=Wal-Mart Stores Inc is not trusted; internal cause is:
  java.security.cert.CertPathValidatorException: Certificate chaining error
  at com.ibm.jsse2.o.a(o.java:22)
  at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:423)
  at com.ibm.jsse2.kb.a(kb.java:192)
  at com.ibm.jsse2.kb.a(kb.java:176)
  at com.ibm.jsse2.lb.a(lb.java:53)
  at com.ibm.jsse2.lb.a(lb.java:464)
  at com.ibm.jsse2.kb.s(kb.java:545)
  at com.ibm.jsse2.kb.a(kb.java:530)
  at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:79)
  at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:437)
  at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:142)
  at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:686)
  at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:98)
  at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:13)
  at com.ibm.net.ssl.www2.protocol.https.b.connect(b.java:6)
  at com.dwl.tcrm.tester.RESTClient_2.main(RESTClient_2.java:76)

Recommended answer

I'm assuming you have a web application, which is trying to access that restful service.

First, you should not set your stores via javax.net.ssl.* properties, but use SSL configurations provided in WebSphere. So comment all these setProperty() calls. Second, you have to add your service server certificate to the trust store.

Log in to the web administrative console:

  • Go to Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates
  • Click Retrieve from port button, and specify hostname, 443 port, and Alias.
  • Click Retrieve signer information button.
  • Verify, if correct certificate is imported (parent).
  • Save, and restart.

In some versions, the child certificate was imported (not the root); in that case, you will have to manually download the root certificate and intermediate (e.g. via browser), and import that one to the NodeDefaultTrustStore, but this time using Add button, not Retrieve.
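
The "verify the correct certificate is imported" step can also be checked outside the console. The following is an added example, not part of the original answer: the class name `TrustStoreCheck` and its arguments (trust store path, password, issuer DN copied from the exception) are assumptions. It labels every signer in a trust store file as root, intermediate or leaf and reports whether the issuer named in the PKIX error is present as a CA.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.security.auth.x500.X500Principal;

// Added example (hypothetical helper, not WebSphere code).
public class TrustStoreCheck {
    // A root is self-issued and its signature verifies with its own public key.
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; }
        catch (Exception e) { return false; }
    }

    // getBasicConstraints() returns -1 when the certificate is not a CA.
    static String kind(X509Certificate c) {
        if (isSelfSigned(c)) return "ROOT";
        return c.getBasicConstraints() >= 0 ? "INTERMEDIATE" : "LEAF";
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: the JRE's own cacerts file and its stock password.
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String type = path.endsWith(".p12") ? "PKCS12" : KeyStore.getDefaultType();
        // Optional: issuer DN from the error, e.g. "CN=Walmart Root CA, O=Wal-Mart Stores Inc"
        X500Principal wanted = args.length > 2 ? new X500Principal(args[2]) : null;

        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pass); }

        boolean found = false;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) cert;
            String k = kind(x);
            System.out.printf("%-12s %s%n    subject=%s%n    issuer=%s%n", k, alias,
                    x.getSubjectX500Principal().getName(), x.getIssuerX500Principal().getName());
            // Only a CA entry whose subject equals the untrusted issuer fixes the chain.
            if (wanted != null && !k.equals("LEAF") && wanted.equals(x.getSubjectX500Principal()))
                found = true;
        }
        if (wanted != null) System.out.println(found ? "Issuer is present as a CA signer."
                : "Issuer is NOT in the store: add the root/intermediate certificate.");
    }
}
```

If the only entry for the service shows as `LEAF`, the store holds the child certificate and the chain still cannot be built to a trusted signer.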
