WSO2 MDM configuration: certificate problems


Question

As soon as I import the first key into the wso2carbon.jks file with keytool (and restart the service), my service fails to launch properly and logs the following error:

TID: [0] [EMM] [2014-03-06 23:46:42,106] ERROR {org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiverDS} -  Can not create and start Agent Server {org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiverDS}
org.wso2.carbon.databridge.core.exception.DataBridgeException: Cannot start agent server on port 7711
    at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.startSecureEventTransmission(ThriftDataReceiver.java:129)
    at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.start(ThriftDataReceiver.java:101)
    at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiverDS.activate(ThriftDataReceiverDS.java:96)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.eclipse.equinox.internal.ds.model.ServiceComponent.activate(ServiceComponent.java:260)
    at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.activate(ServiceComponentProp.java:146)
    at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.build(ServiceComponentProp.java:347)
    at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponent(InstanceProcess.java:620)
    at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponents(InstanceProcess.java:197)
    at org.eclipse.equinox.internal.ds.Resolver.getEligible(Resolver.java:343)
    at org.eclipse.equinox.internal.ds.SCRManager.serviceChanged(SCRManager.java:222)
    at org.eclipse.osgi.internal.serviceregistry.FilteredServiceListener.serviceChanged(FilteredServiceListener.java:107)
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl.dispatchEvent(BundleContextImpl.java:861)
    at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
    at org.eclipse.osgi.framework.eventmgr.ListenerQueue.dispatchEventSynchronous(ListenerQueue.java:148)
    at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEventPrivileged(ServiceRegistry.java:819)
    at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEvent(ServiceRegistry.java:771)
    at org.eclipse.osgi.internal.serviceregistry.ServiceRegistrationImpl.register(ServiceRegistrationImpl.java:130)
    at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.registerService(ServiceRegistry.java:214)
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl.registerService(BundleContextImpl.java:433)
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl.registerService(BundleContextImpl.java:451)
    at org.wso2.carbon.core.init.CarbonServerManager.initializeCarbon(CarbonServerManager.java:517)
    at org.wso2.carbon.core.init.CarbonServerManager.start(CarbonServerManager.java:219)
    at org.wso2.carbon.core.internal.CarbonCoreServiceComponent.activate(CarbonCoreServiceComponent.java:77)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.eclipse.equinox.internal.ds.model.ServiceComponent.activate(ServiceComponent.java:260)
    at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.activate(ServiceComponentProp.java:146)
    at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.build(ServiceComponentProp.java:347)
    at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponent(InstanceProcess.java:620)
    at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponents(InstanceProcess.java:197)
    at org.eclipse.equinox.internal.ds.Resolver.getEligible(Resolver.java:343)
    at org.eclipse.equinox.internal.ds.SCRManager.serviceChanged(SCRManager.java:222)
    at org.eclipse.osgi.internal.serviceregistry.FilteredServiceListener.serviceChanged(FilteredServiceListener.java:107)
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl.dispatchEvent(BundleContextImpl.java:861)
    at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)
    at org.eclipse.osgi.framework.eventmgr.ListenerQueue.dispatchEventSynchronous(ListenerQueue.java:148)
    at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEventPrivileged(ServiceRegistry.java:819)
    at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.publishServiceEvent(ServiceRegistry.java:771)
    at org.eclipse.osgi.internal.serviceregistry.ServiceRegistrationImpl.register(ServiceRegistrationImpl.java:130)
    at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.registerService(ServiceRegistry.java:214)
    at org.eclipse.osgi.framework.internal.core.BundleContextImpl.registerService(BundleContextImpl.java:433)
    at org.eclipse.equinox.http.servlet.internal.Activator.registerHttpService(Activator.java:81)
    at org.eclipse.equinox.http.servlet.internal.Activator.addProxyServlet(Activator.java:60)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.init(ProxyServlet.java:40)
    at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.init(DelegationServlet.java:38)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1267)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1186)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1081)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5027)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5314)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1559)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1549)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
    at java.util.concurrent.FutureTask.run(FutureTask.java:166)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:724)
Caused by: org.wso2.carbon.databridge.commons.exception.TransportException: Thrift transport exception occurred 
    at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.startSecureEventTransmission(ThriftDataReceiver.java:150)
    at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.startSecureEventTransmission(ThriftDataReceiver.java:127)
    ... 63 more
Caused by: org.apache.thrift.transport.TTransportException: Error creating the transport
    at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:201)
    at org.apache.thrift.transport.TSSLTransportFactory.getServerSocket(TSSLTransportFactory.java:102)
    at org.wso2.carbon.databridge.receiver.thrift.internal.ThriftDataReceiver.startSecureEventTransmission(ThriftDataReceiver.java:146)
    ... 64 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
    at java.security.KeyStore.getKey(KeyStore.java:792)
    at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:131)
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:68)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:259)
    at org.apache.thrift.transport.TSSLTransportFactory.createSSLContext(TSSLTransportFactory.java:187)
    ... 66 more

I've tried all sorts of things with the certificates for weeks now, but I have not managed to set up a completely running service. Can anyone please help me through the certificate handling step by step, because following the manual apparently has no success for some reason? Remark: I don't have an iOS certificate, and I generated all my certificates with OpenSSL by following the WSO2 manual. I executed this command to generate this specific (KEYSTORE) p12 file for import into wso2carbon.jks. Do I first need to manually delete all jks files in that folder, or should I import into the existing file? What else might I be doing wrong? Thanks for the support.

Answer

Based on your older questions, I assume you are trying to configure the Android management part. Most of the certificate-related content in the document is associated with iOS. If you want to try out the Android configuration, you can skip most of those parts. Simply skip the CA/RA generation.

When configuring Android, the only place you need a keystore is to configure the Android agent app. You can find the step-by-step configuration at Android client configurations. That link points to the iOS CA generation, since that step has already been followed if you configure both iOS and Android. Otherwise you just have to execute these commands.

openssl genrsa -out <CA PRIVATE KEY> 4096
For example: openssl genrsa -out ca_private.key 4096

openssl req -new -key <CA PRIVATE KEY> -out <CA CSR>
For example: openssl req -new -key ca_private.key -out ca.csr

openssl x509 -req -days <DAYS> -in <CA CSR> -signkey <CA PRIVATE KEY> -out <CA CRT> -extensions v3_ca
For example: openssl x509 -req -days 365 -in ca.csr -signkey ca_private.key -out ca.crt -extensions v3_ca

openssl rsa -in <CA PRIVATE KEY> -text > <CA PRIVATE PEM>
For example: openssl rsa -in ca_private.key -text > ca_private.pem

openssl x509 -in <CA CRT> -out <CA CERT PEM>
For example: openssl x509 -in ca.crt -out ca_cert.pem

At the end of these commands you should have a ca_cert.pem.

Now you need to export this CA file into PKCS12. The command is as follows.

openssl pkcs12 -export -out ca.p12 -inkey ca_private.pem -in ca_cert.pem -name "cacert"

Now you have the ca.p12 file.

Just execute the following command to create a keystore file.

keytool -importkeystore -srckeystore ca.p12 -srcstoretype PKCS12 -destkeystore wso2mobilemdm.jks

As mentioned in my other thread, wso2-mdm-android-agent-issue, you can either rename this to the bks file format or use Portecle to convert it to bks, since Android expects you to make the keystore file in BouncyCastle format. Then embed this bks as mentioned in the doc and recompile the Android agent code.

To start, it is better to clear everything and get a fresh WSO2 EMM zip file. Extract it and start from scratch. From your log, what I feel is that your existing wso2carbon.jks is corrupted. When generating, do not import your generated CA into it; use a new keystore file as I mentioned in the last step.

Hope this helps.
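The answer's CA, PKCS12 and JKS steps as one POSIX shell script, followed by the check that the asker's stack trace actually calls for. This is an added example, not code from the answer or from the WSO2 documentation. A JKS protects each private-key entry with its own password, and Carbon opens the key with the key password from its configuration (the KeyStore section of carbon.xml, wso2carbon for both store and key by default); an entry protected by any other password surfaces at start-up exactly as the UnrecoverableKeyException: Cannot recover key in the trace above. keytool -importkeystore gives the imported entry the PKCS12 file's password, so the script exports the PKCS12 with the store password and then proves that the entry unlocks with it. Assumed rather than taken from the page: the password value, the subject DN, the explicit v3_ca extension file, and the file names used for the checks.

```shell
#!/bin/sh
# Added example: the answer's CA -> PKCS12 -> JKS steps as functions, plus a
# check that the private key in the resulting JKS unlocks with the keystore
# password. Carbon passes one configured password to the JKS store and to the
# key entry (KeyStore/Password and KeyPassword in carbon.xml, "wso2carbon" by
# default); an entry protected by any other password fails inside
# KeyManagerFactory.init with "UnrecoverableKeyException: Cannot recover key".
# Assumptions not on the page: the password value, the subject DN, the v3_ca
# extension file and the output file names used by the checks.
set -eu

STOREPASS="${STOREPASS:-wso2carbon}"   # must equal carbon.xml's store and key password
ALIAS="${ALIAS:-cacert}"               # alias used in the answer's pkcs12 export
CA_SUBJECT="${CA_SUBJECT:-/C=XX/O=Example MDM/CN=Example MDM CA}"   # made up

# 1. CA private key and self-signed CA certificate. The v3_ca section is given
#    via -extfile so it is applied regardless of what, if anything, the
#    installed openssl.cnf defines for v3_ca.
make_ca() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/ca_ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/ca_private.key" 4096 2>/dev/null
  openssl req -new -key "$dir/ca_private.key" -subj "$CA_SUBJECT" -out "$dir/ca.csr"
  openssl x509 -req -days 365 -in "$dir/ca.csr" -signkey "$dir/ca_private.key" \
    -extfile "$dir/ca_ext.cnf" -extensions v3_ca -out "$dir/ca.crt" 2>/dev/null
  # Fail early if the extensions did not land: a CA certificate without
  # CA:TRUE is rejected by any proper chain validation later on.
  openssl x509 -in "$dir/ca.crt" -noout -text | grep -q 'CA:TRUE'
}

# 2. PKCS12 bundle of key + certificate. $2 becomes the key entry's password
#    in the JKS, which is why it must be the Carbon store password. (If an old
#    JDK's keytool rejects the file, OpenSSL 3's -legacy option writes the
#    older PKCS12 encoding.)
export_p12() {
  dir="$1"; p12pass="$2"
  openssl pkcs12 -export -in "$dir/ca.crt" -inkey "$dir/ca_private.key" \
    -name "$ALIAS" -passout "pass:$p12pass" -out "$dir/ca.p12"
}

# 3. Import into a fresh JKS ($3). -deststoretype JKS is explicit because
#    keytool on Java 9+ would otherwise create a PKCS12 file named .jks.
import_jks() {
  dir="$1"; p12pass="$2"; jks="$3"
  rm -f "$jks"
  keytool -importkeystore -noprompt \
    -srckeystore "$dir/ca.p12" -srcstoretype PKCS12 -srcstorepass "$p12pass" \
    -destkeystore "$jks" -deststoretype JKS -deststorepass "$STOREPASS" </dev/null
}

# 4. The check Carbon effectively performs at start-up, done with keytool:
#    recover the private-key entry with the given key password. A single-entry
#    export to a scratch PKCS12 has to read the key with -srckeypass; a wrong
#    password makes keytool exit non-zero with "Cannot recover key".
jks_key_recoverable() {
  jks="$1"; entry="$2"; storepass="$3"; keypass="$4"
  probe="$jks.probe.$$.p12"
  if keytool -importkeystore -noprompt \
       -srckeystore "$jks" -srcstoretype JKS -srcstorepass "$storepass" \
       -srcalias "$entry" -srckeypass "$keypass" \
       -destkeystore "$probe" -deststoretype PKCS12 \
       -deststorepass "$storepass" -destkeypass "$storepass" \
       </dev/null >/dev/null 2>&1; then
    rm -f "$probe"; return 0
  fi
  rm -f "$probe"; return 1
}

main() {
  dir="$1"
  make_ca "$dir"
  export_p12 "$dir" "$STOREPASS"
  import_jks "$dir" "$STOREPASS" "$dir/wso2mobilemdm.jks"
  if jks_key_recoverable "$dir/wso2mobilemdm.jks" "$ALIAS" "$STOREPASS" "$STOREPASS"; then
    echo "OK: entry '$ALIAS' in $dir/wso2mobilemdm.jks unlocks with the store password"
  else
    echo "FAIL: key password differs from store password; Carbon would log 'Cannot recover key'" >&2
    return 1
  fi
}

# Usage: sh mdm_keystore.sh /path/to/workdir   (no argument: only define functions)
if [ "$#" -gt 0 ]; then main "$1"; fi
```

The same jks_key_recoverable check can be pointed at an existing wso2carbon.jks (alias wso2carbon by default, store and key password as configured in carbon.xml) to tell a password mismatch from a genuinely damaged file before replacing the keystore. Where the keystore is only meant to let the Android agent trust the server, the CA private key does not need to leave the server at all: importing ca.crt alone with keytool -importcert into a trust store is enough for that purpose.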
