需要帮助在tomcat中调试SSL握手(need help Debugging SSL handshake in tomcat)

946 IT屋

I have a very weird issue and looking for some tips. I have a certificate sent by client that I need to install so I can access HTTPS webservice. The certifcate has been installed, in both windows and Linux OS. using keytool command

keytool -import -alias ca -file somecert.cer -keystore cacerts –storepass changeit

when i deploy my application in windows tomcat I can communicate with HTTPS web server. However Linux tomcat gives me and error:

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)

This means it couldn't find the certifcate. The certifcate is at java security cacerts. I have used keytool -list command and it is there.

I have no idea why it works in windows and not linux. I have tried setting the paramaters in the My servlet

System.setProperty("javax.net.debug", "all"); 
System.setProperty("javax.net.ssl.trustStore", "/usr/java/jdk1.5.0_14/jre/lib/security/cacerts"); 
System.setProperty("javax.net.ssl.trustStorePassword", "changeit"); 

It still doesn't work.

My questions are:

1.Anyone has any idea why this isn't working, I have tired everything?

2.How do you enbale SSL debuging for tomcat.Ss setting System.setProperty("javax.net.debug", "all") works ? For some reason I don't see any SSL debug Info in Catalina.out. Do I need to change anything else.What kind of debug info should i see.

Any help is greatly appericated I am out of ideas.

解决方案

To solve this problem you could try the following

Download SSLPoke.java from google

SSLPoke.java

Compile it:

javac SSLPoke.java 

Once you compile code call SSLPoke as

java -Djavax.net.debug=all SSLPoke [your https host] 443

In the output you will see where java is looking for cacerts.

Once you know the exact location use keytool to import your file to cacerts

keytool -import -alias [your https host] -keystore [the location returned]/cacerts -file [your.crt]

And that is all, restart tomcat and it must be working right.

Some times when you have lot of java versions on the same Linux machine even adding [your.crt] to the cacerts returned by debug does not work, if this is the case add [your.crt] to all cacerts on the Linux machine you can find them all with:

locate cacert

once the Linux machine return all the locations of cacerts for example:

/home/xuser/NetBeansProjects/porjectx/conf/cacerts
/opt/otherlocation/j2sdkee1.3.1/lib/security/cacerts.jks
/opt/icedtea-bin-6.1.12.7/jre/lib/security/cacerts
/opt/icedtea-bin-6.1.13.5/jre/lib/security/cacerts
/opt/icedtea-bin-7.2.4.1/jre/lib/security/cacerts
/opt/oracle-jdk-bin-1.7.0.76/jre/lib/security/cacerts
/opt/sun-j2ee-1.3.1/lib/security/cacerts.jks

add [your.crt] to all of them with keytool and restart tomcat.

If you dont have the file your.crt you can get it with command

openssl s_client -connect [your https host]:443 < /dev/null

and copy from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----

I hope this help you

我有一个非常奇怪的问题,并寻找一些提示。我有一个客户端发送的证书,我需要安装,所以我可以访问HTTPS webservice。 certifcate已经安装,在Windows和Linux操作系统。使用keytool命令



  keytool -import -alias ca -file somecert.cer -keystore cacerts -storepass changeit 
< code>


我在Windows中部署我的应用程序tomcat我可以与HTTPS Web服务器通信。但是Linux tomcat给了我错误:




造成:sun.security.provider.certpath.SunCertPathBuilderException:
无法找到请求目标的有效认证路径
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
在java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)




这意味着它找不到certifcate。 certifcate是在java安全cacerts。我已经使用 keytool -list 命令,它就在那里。



我不知道为什么它在窗口中工作,不是linux。我已经尝试设置我的servlet中的参数



  System.setProperty("javax.net.debug","all") ; 
System.setProperty("javax.net.ssl.trustStore","/usr/java/jdk1.5.0_14/jre/lib/security/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword","changeit");


它仍然无法工作。



我的问题是:



1.任何人都知道为什么这不工作,我累了一切?



2.如何为tomcat.Ss设置SSL调试 System.setProperty("javax.net.debug","all")工作原理?由于某种原因,我在Catalina.out中没有看到任何SSL调试信息。我需要更改任何其他。我应该看到什么样的调试信息。



任何帮助是非常appericated我的想法。

$ b $



为了解决这个问题,您可以从google下载SSLPoke.java

p>

SSLPoke .java



编译:



  javac SSLPoke .java 


编译代码后调用SSLPoke



  java -Djavax.net.debug =所有SSLPoke [您的https主机] 443 


在输出中你会看到java正在寻找cacerts的地方。



一旦你知道确切的位置使用keytool导入你的文件到cacerts < / p>

  keytool -import -alias [您的https主机] -keystore [返回的位置] / cacerts -file [your.crt] 


这就是所有的,重新启动tomcat,它必须工作正常。



有时候,如果你在同一台Linux机器上有很多java版本,甚至将[your.crt]添加到由debug返回的cacerts不起作用,如果这是case添加[your.crt]到Linux机器上的所有cacerts你可以找到他们:



 找到cacert $ b $一旦Linux机器返回cacerts的所有位置,例如:


$ b $ <$ p $ b $
b
  / home / xuser / NetBeansProjects / porjectx / conf / cacerts 
/opt/otherlocation/j2sdkee1.3.1/lib/security/cacerts.jks
/ opt / icedtea-bin-6.1.12.7 / jre / lib / security / cacerts
/opt/icedtea-bin-6.1.13.5/jre/lib/security/cacerts
/ opt / icedtea- 7.2.4.1/jre/lib/security/cacerts
/opt/oracle-jdk-bin-1.7.0.76/jre/lib/security/cacerts
/opt/sun-j2ee-1.3.1/ lib / security / cacerts.jks


使用keytool将[your.crt]




如果您没有文件your.crt,您可以使用命令获取




openssl s_client -connect [your https host]:443< / dev / null




并从----- BEGIN CERTIFICATE -----复制到 - ---- END CERTIFICATE -----




我希望这可以帮助您


本文地址:IT屋 » 需要帮助在tomcat中调试SSL握手