Choosing SSL client certificate in Java

Problem description

Our system communicates with several web services providers. They are all invoked from a single Java client application. All the web services up until now have been over SSL, but none use client certificates. Well, a new partner is changing that.

Making the application use a certificate for the invocation is easy; setting javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword will do it. However, the problem is now how to make it so that it only uses the certificate when invoking that particular web service. I guess more generally speaking, we'd like to be able to choose the client certificate to be used, if any.

One quick solution could be setting the system properties, invoking the methods, and then unsetting them. The only problem with that is that we're dealing with a multi-threaded application, so now we would need to deal with synchronization or locks or what have you.

Each service client is supposed to be completely independent from each other, and they're individually packaged in separate JARs. Thus, one option that has occurred to me (although we haven't properly analyzed it) is to somehow isolate each JAR, maybe load each one under a different VM with different parameters. That's merely an idea that I don't know how to implement (or if it's even possible, for that matter.)

This post suggests that it is possible to select an individual certificate from a key store, but how to attach it to the request seems to be a different issue altogether.

We're using Java 1.5, Axis2, and client classes generated with either wsimport or wsdl2java.

Recommended answer

Java SSL clients will only send a certificate if requested by the server. A server can send an optional hint about what certificates it will accept; this will help a client choose a single certificate if it has multiple.

Normally, a new SSLContext is created with a specific client certificate, and Socket instances are created from a factory obtained from that context. Unfortunately, Axis2 doesn't appear to support the use of an SSLContext or a custom SocketFactory. Its client certificate settings are global.
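
The per-context pattern the answer describes, as an added example that is not part of the original answer: each partner gets its own SSLContext, and a wrapping key manager offers one pinned alias only when the server's issuer hints accept it. The class name `PerPartnerSsl`, the helper names, and the alias `partner-client` are assumptions; how the resulting socket factory is handed to a particular SOAP or HTTP stack is not covered here.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.*;

// Added example (not from the original post): one SSLContext per partner,
// so the client-certificate choice is never a JVM-wide system property.
public class PerPartnerSsl {

    // Key manager that offers only `alias`, and only if the server's hints allow it.
    static X509KeyManager pinned(final X509KeyManager d, final String alias) {
        return new X509KeyManager() {
            public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket s) {
                for (int i = 0; i < keyTypes.length; i++) {
                    String[] ok = d.getClientAliases(keyTypes[i], issuers);
                    if (ok != null && Arrays.asList(ok).contains(alias)) return alias;
                }
                return null; // nothing acceptable: no client certificate is sent
            }
            public String[] getClientAliases(String t, Principal[] i) { return d.getClientAliases(t, i); }
            public String chooseServerAlias(String t, Principal[] i, Socket s) { return null; }
            public String[] getServerAliases(String t, Principal[] i) { return null; }
            public X509Certificate[] getCertificateChain(String a) { return d.getCertificateChain(a); }
            public PrivateKey getPrivateKey(String a) { return d.getPrivateKey(a); }
        };
    }

    // ks == null builds a context that never presents a client certificate.
    static SSLContext contextFor(KeyStore ks, char[] keyPassword, String alias) throws Exception {
        KeyManager[] kms = new KeyManager[0]; // explicit empty array: no client identity
        if (ks != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyPassword);
            kms = new KeyManager[] { pinned((X509KeyManager) kmf.getKeyManagers()[0], alias) };
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, null, null); // null trust managers and RNG: use the JVM defaults
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // constructed: empty in-memory store standing in for the partner's key store
        SSLSocketFactory partnerOnly = contextFor(ks, new char[0], "partner-client").getSocketFactory();
        SSLSocketFactory everyoneElse = contextFor(null, null, null).getSocketFactory();
        System.out.println("independent factories: " + (partnerOnly != everyoneElse));
    }
}
```

Because both factories live in the same JVM without touching `javax.net.ssl.keyStore`, no locking around system properties is needed in a multi-threaded client.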
