Choosing SSL client certificate in Java


Question

Our system communicates with several web services providers. They are all invoked from a single Java client application. All the web services up until now have been over SSL, but none use client certificates. Well, a new partner is changing that.

Making the application use a certificate for the invocation is easy; setting javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword will do it. However, the problem is now how to make it so that it only uses the certificate when invoking that particular web service. I guess more generally speaking, we'd like to be able to choose the client certificate to be used, if any.

One quick solution could be setting the system properties, invoking the methods, and then unsetting them. The only problem with that is that we're dealing with a multi-threaded application, so now we would need to deal with synchronization or locks or what have you.

Each service client is supposed to be completely independent from each other, and they're individually packaged in separate JARs. Thus, one option that has occurred to me (although we haven't properly analyzed it) is to somehow isolate each JAR, maybe load each one under a different VM with different parameters. That's merely an idea that I don't know how to implement (or if it's even possible, for that matter.)

This post suggests that it is possible to select an individual certificate from a key store, but how to attach it to the request seems to be a different issue altogether.

We are using Java 1.5, Axis2, and client classes generated with either wsimport or wsdl2java.

Recommended answer

Java SSL clients will only send a certificate if requested by the server. A server can send an optional hint about what certificates it will accept; this will help a client choose a single certificate if it has multiple.

Normally, a new SSLContext is created with a specific client certificate, and Socket instances are created from a factory obtained from that context. Unfortunately, Axis2 doesn't appear to support the use of an SSLContext or a custom SocketFactory. Its client certificate settings are global.
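
The per-context approach the answer describes, as an added example that is not part of the original answer: each partner gets its own SSLContext whose key manager can offer only one key entry, so no JVM-wide javax.net.ssl.keyStore property is involved. The class name PartnerSsl, the PKCS#12 key store format, the command-line arguments and Java 7 or later are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.X509KeyManager;

public class PartnerSsl {  // hypothetical class name
    /** Key manager that can offer exactly one key entry, whatever else the key store holds. */
    static final class SingleKeyManager implements X509KeyManager {
        private final String alias;
        private final PrivateKey key;
        private final X509Certificate[] chain;
        SingleKeyManager(String alias, PrivateKey key, X509Certificate[] chain) {
            this.alias = alias; this.key = key; this.chain = chain;
        }
        // Called only when the server requests a certificate; the server's issuer hint
        // is ignored because this context is dedicated to a single partner.
        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket s) { return alias; }
        public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
        public X509Certificate[] getCertificateChain(String a) { return alias.equals(a) ? chain.clone() : null; }
        public PrivateKey getPrivateKey(String a) { return alias.equals(a) ? key : null; }
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) { return null; }
        public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
    }

    /** Socket factory whose client certificate is scoped to this context, not to the JVM. */
    static SSLSocketFactory factoryFor(String path, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        if (!ks.isKeyEntry(alias)) throw new IllegalArgumentException("no private key under alias: " + alias);
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);
        Certificate[] certs = ks.getCertificateChain(alias);
        X509Certificate[] chain = Arrays.copyOf(certs, certs.length, X509Certificate[].class);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null trust managers and null SecureRandom select the JVM defaults for server validation
        ctx.init(new KeyManager[] { new SingleKeyManager(alias, key, chain) }, null, null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical arguments: PKCS#12 path, password, alias of the partner's key entry
        System.out.println(factoryFor(args[0], args[1].toCharArray(), args[2]));
    }
}
```

The returned factory is useful only with an HTTP client that accepts one per connection, for example HttpsURLConnection.setSSLSocketFactory; contexts built this way for different partners do not share key material, so no locking around system properties is needed.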
