Arquillian Embedded Glassfish Certificate Expired


Problem description

On Aug 14th, the gtecybertrust5ca certificate used by Glassfish expired, causing my Arquillian tests to print errors.

This problem is similar to this one: "Certificate has expired" in log by starting Glassfish 3.1.2, except I am using the Embedded version of Glassfish via Maven, Arquillian and SureFire to run unit and integration tests.

I have tried instructing Maven to use a local keystore, the one that comes with the JRE, in an effort to keep the expired cert from being used. I verified the expired certificate is not contained within this keystore:

C:\Java\jdk1.7.0_25\jre\lib\security>keytool -list -keystore cacerts

I instruct SureFire via Maven to start the JVM with arguments to use the cacerts trusted keystore:

      <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-surefire-plugin</artifactId>
          <version>2.16</version>
          <configuration>
              <argLine>
                -Djavax.net.ssl.trustStore=C:\Java\jdk1.7.0_25\jre\lib\security\cacerts
                -Djavax.net.ssl.trustStorePassword=changeit
              </argLine>
              ....
          </configuration>
      </plugin>

      <!-- Configure the Embedded GlassFish Maven plugin -->
      <plugin>
          <groupId>org.glassfish.embedded</groupId>
          <artifactId>maven-embedded-glassfish-plugin</artifactId>
          <version>4.0</version>
          <configuration>
              <app>${project.build.directory}/${project.build.finalName}.war</app>
              <port>7070</port>
              <containerType>web</containerType>
          </configuration>
      </plugin>

I also added JVM arguments where Maven is started within Maven's mvn.bat file:

@REM Use specified java cert trust
set MAVEN_OPTS=%MAVEN_OPTS% -Djavax.net.ssl.trustStore=%JAVA_HOME%\jre\lib\security\cacerts -Djavax.net.ssl.trustStorePassword=changeit

%MAVEN_JAVA_EXE% %MAVEN_OPTS% ...

Here's the Surefire invocation of the JVM used to run the unit tests:

Forking command line: cmd.exe /X /C "C:\Java\jdk1.7.0_25\jre\bin\java 
-Djavax.net.ssl.trustStore=C:\Java\jdk1.7.0_25\jre\lib\security\cacerts 
-Djavax.net.ssl.trustStorePassword=changeit ..."
Running com.networkfleet.ssp.activation.SelectedActivationTableBeanTest

The command line args do seem to match the expected system properties Glassfish expects per its com.sun.enterprise.security.ssl.impl.SecuritySupportImpl and com.sun.enterprise.server.pluggable.SecuritySupport classes:

@Contract
public abstract class SecuritySupport {

    public static final String KEYSTORE_PASS_PROP = "javax.net.ssl.keyStorePassword";
    public static final String TRUSTSTORE_PASS_PROP = "javax.net.ssl.trustStorePassword";
    public static final String KEYSTORE_TYPE_PROP = "javax.net.ssl.keyStoreType";
    public static final String TRUSTSTORE_TYPE_PROP = "javax.net.ssl.trustStoreType";
    public static final String keyStoreProp = "javax.net.ssl.keyStore";
    public static final String trustStoreProp = "javax.net.ssl.trustStore";

    // ... remainder of the class not shown
}

However, they do not appear to be picked up by Glassfish, because the expired cert is still being found in whatever trusted keystore it defaults to.

I would really appreciate some help. Thanks.

Recommended answer

I finally got to the bottom of the issue by tracing the Glassfish code that loads the certs. The embedded version, at least, ignores any passed-in parameters and looks to its classpath to find the trusted key store to load. It then writes it to a temp location and instructs the server to load and use it.

To get rid of the error messages, grab the cacerts.jks from its temp location (after running Maven and seeing the expired exception). I found it at: C:\Users\{myUserName}\AppData\Local\Temp\gfembed872323756359721458tmp\config\cacerts.jks

Copy this file to your project under resources/config/cacerts.jks (it will need to be loaded into your test classpath).

From the command prompt in the directory where you copied the keystore, use your JDK keytool to remove the expired key as follows:

keytool -delete -keystore cacerts.jks -alias gtecybertrust5ca

The Embedded Glassfish should now pick up your updated keystore instead of its default hardcoded version.
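
To see every entry that is outside its validity period, in either the JRE cacerts checked in the question or the copied cacerts.jks from the answer, the keystore can be scanned programmatically. This is an added example, not code from the original post or from Glassfish; the class name ExpiredTrustEntries, the argument order, and the use of changeit as the password for the copied cacerts.jks are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;

/** Lists trust-store entries that are not valid at a given time (hypothetical helper). */
public class ExpiredTrustEntries {

    static List<String> findInvalid(KeyStore store, Date at) throws Exception {
        List<String> report = new ArrayList<String>();
        for (String alias : Collections.list(store.aliases())) {
            Certificate cert = store.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue; // no X.509 certificate under this alias, nothing to check
            }
            X509Certificate x509 = (X509Certificate) cert;
            try {
                x509.checkValidity(at);
            } catch (CertificateExpiredException e) {
                report.add(alias + " expired " + x509.getNotAfter());
            } catch (CertificateNotYetValidException e) {
                report.add(alias + " not valid before " + x509.getNotBefore());
            }
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: java ExpiredTrustEntries [keystore path] [password]
        // With no arguments, the running JRE's own cacerts is checked.
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        List<String> invalid = findInvalid(store, new Date());
        for (String line : invalid) System.out.println(line);
        System.exit(invalid.isEmpty() ? 0 : 1); // non-zero exit lets a build step fail
    }
}
```

Run it against resources/config/cacerts.jks after the keytool -delete step; an empty report and exit code 0 mean no remaining entry is outside its validity period.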
