Oracle BPEL (Java 8U92) calling a REST service over HTTPS gives an SSL handshake exception

Time: 2016-07-06 19:47:23

Tags: ssl ssl-certificate http2 sslhandshakeexception

I have set up a basic WebLogic domain with Oracle SOA 12c for developing composites that can call Apple's APN service. Apple APN requires an HTTP/2 connection encrypted with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS 1.2.

Configured a JKS truststore and loaded it with the root certificate, the intermediate certificate and the server certificate.

geotrustrootca, Jun 21, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12
serverc_ss_cert, Jun 21, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): 73:C4:A9:4E:E8:1B:14:58:7B:64:47:02:73:01:15:3E:88:E8:E8:66
appledevpush, Jun 21, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): CC:18:A5:75:04:74:3A:3B:72:D7:A5:07:F2:CD:E4:83:51:11:34:CB
appleintermediate, Jun 21, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): 8E:83:21:CA:08:B0:8E:37:26:FE:1D:82:99:68:84:EE:B5:F0:D6:55

Changed setDomainEnv.sh by adding the Java property -Djavax.net.ssl.trustStore=/u01/data/keystores/truststore.jks

Testing a simple BPEL composite that makes a REST call to Apple's APN service fails with an SSLHandshakeException:

[ACTIVE] ExecuteThread: '58' for queue: 'weblogic.kernel.Default (self-tuning)', SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
[ACTIVE] ExecuteThread: '58' for queue: 'weblogic.kernel.Default (self-tuning)', WRITE: TLSv1.2 Alert, length = 2
[ACTIVE] ExecuteThread: '58' for queue: 'weblogic.kernel.Default (self-tuning)', called closeSocket()
[ACTIVE] ExecuteThread: '58' for queue: 'weblogic.kernel.Default (self-tuning)', handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

When debugging the SSL negotiation, I see:

%% No cached client session
*** ClientHello, TLSv1.2

....

*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1922117017 bytes = { 236, 133, 59, 43, 182, 3, 165, 71, 241, 54, 240, 145, 222, 41, 200, 242, 63, 237, 253, 77, 188, 235, 187, 177, 245, 173, 53, 232 }
Session ID:  {119, 250, 96, 4, 116, 33, 211, 17, 47, 213, 227, 158, 164, 107, 14, 73, 157, 194, 0, 104, 54, 237, 0, 58, 229, 225, 158, 2, 29, 159, 79, 171}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

...

%% Initialized:  [Session-7, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[ACTIVE] ExecuteThread: '58' for queue: 'weblogic.kernel.Default (self-tuning)', READ: TLSv1.2 Handshake, length = 2576
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: C=US, ST=California, O=Apple Inc., OU=management:idms.group.533599, CN=api.development.push.apple.com
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

...

chain [1] = [
[
  Version: V3
  Subject: C=US, O=Apple Inc., OU=Certification Authority, CN=Apple IST CA 2 - G1
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

...

***
%% Invalidated:  [Session-7, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
[ACTIVE] ExecuteThread: '58' for queue: 'weblogic.kernel.Default (self-tuning)', SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
[ACTIVE] ExecuteThread: '58' for queue: 'weblogic.kernel.Default (self-tuning)', WRITE: TLSv1.2 Alert, length = 2
[ACTIVE] ExecuteThread: '58' for queue: 'weblogic.kernel.Default (self-tuning)', called closeSocket()
[ACTIVE] ExecuteThread: '58' for queue: 'weblogic.kernel.Default (self-tuning)', handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

My conclusion is that the server certificate CN=api.development.push.apple.com is accepted, but the certificate of the intermediate CA CN=Apple IST CA 2 - G1 is rejected.

The issuer of CN=Apple IST CA 2 - G1 is CN=GeoTrust Global CA, O=GeoTrust Inc., C=US, serial number 023a74. This certificate is also loaded in the truststore:

Alias name: geotrustrootca
Creation date: Jun 21, 2016
Entry type: trustedCertEntry

Owner: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Serial number: 23456
Valid from: Tue May 21 06:00:00 CEST 2002 until: Sat May 21 06:00:00 CEST 2022
Certificate fingerprints:
     MD5:  F7:75:AB:29:FB:51:4E:B7:77:5E:FF:05:3C:99:8E:F5
     SHA1: DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12
     SHA256: FF:85:6A:2D:25:1D:CD:88:D3:66:56:F4:50:12:67:98:CF:AB:AA:DE:40:79:9C:72:2D:E4:D2:B5:DB:36:A7:3A
     Signature algorithm name: SHA1withRSA
     Version: 3

Any ideas (if my conclusion is correct) why the intermediate certificate is rejected, or how to debug this further? When I open the URI of the APN service in a browser and inspect the certificates, I get the same ones as in the truststore.

== Update 1 ==

Tried connecting with curl. First exported the certificates from the truststore to /u01/data/keystores

$ keytool -keystore truststore.jks -exportcert -alias geotrustrootca | openssl x509 -inform der -text > geotrustrootca.pem
$ keytool -keystore truststore.jks -exportcert -alias appledevpush | openssl x509 -inform der -text > appledevpush.pem
$ keytool -keystore truststore.jks -exportcert -alias appleintermediate | openssl x509 -inform der -text > appleintermediate.pem

Then tried to connect with curl

$ curl --capath /u01/data/keystores --verbose  https://api.development.push.apple.com/3/device/
* About to connect() to api.development.push.apple.com port 443 (#0)
*   Trying 17.172.238.203... connected
* Connected to api.development.push.apple.com (17.172.238.203) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* failed to load '/u01/data/keystores/identitykeystore.jks' from CURLOPT_CAPATH
* failed to load '/u01/data/keystores/appledevpush.cer' from CURLOPT_CAPATH
* failed to load '/u01/data/keystores/geotrustrootca.cer' from CURLOPT_CAPATH
* failed to load '/u01/data/keystores/truststore.jks' from CURLOPT_CAPATH
* failed to load '/u01/data/keystores/yum-oracle-8v1ncO' from CURLOPT_CAPATH
* failed to load '/u01/data/keystores/vm0010.localdomain-rootCA.der' from CURLOPT_CAPATH
* failed to load '/u01/data/keystores/appleintermediate.cer' from CURLOPT_CAPATH
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: /u01/data/keystores
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*   subject: C=US,ST=California,O=Apple Inc.,OU=management:idms.group.533599,CN=api.development.push.apple.com
*   start date: Jun 19 01:49:43 2015 GMT
*   expire date: Jul 18 01:49:43 2017 GMT
*   common name: api.development.push.apple.com
*   issuer: C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1
> GET /3/device/ HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: api.development.push.apple.com
> Accept: */*
> 
* Connection #0 to host api.development.push.apple.com left intact
* Closing connection #0
@@�HTTP/2 client preface string missing or corrupt. Hex dump for received bytes: 474554202f332f6465766963652f20485454502f312e310d

So the certificates are correct.

== Update 2 ==

Recreated the truststore once more. Obtained the pem files by opening the URL https://api.development.push.apple.com/3/device/ in Netscape and saving the certificates in pem format.

Imported the certificates into the new truststore.jks

for file in $(ls -1 *.der); do keytool -importcert -keystore truststore.jks -file $file -storepass welcome1 -noprompt -alias $file; done

No joy...

== Update 3 ==

Now, when restarting the managed server, the default self-signed certificates are also loaded, as seen in server.out:

<Jul 11, 2016 10:15:50 PM CEST> <Warning> <oracle.soa.healthcheck> <BEA-000000> <On startup, health check id 881 failed for category 'Startup'. Ran 6 checks. Number of failures=1, errors=1, warnings=0.>
adding as trusted cert:
  Subject: CN=CertGenCA, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
  Issuer:  CN=CertGenCA, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
  Algorithm: RSA; Serial number: 0x40044886c441ef3b643a8066409afca0
  Valid from Sat Dec 01 04:07:51 CET 2012 until Thu Dec 02 04:07:51 CET 2032

adding as trusted cert:
  Subject: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
  Issuer:  CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
  Algorithm: RSA; Serial number: 0x234b5559d1fa0f3ff5c82bdfed032a87
  Valid from Thu Oct 24 17:54:45 CEST 2002 until Tue Oct 25 17:54:45 CEST 2022

javax.net.ssl.trustStore is set to the custom truststore. In WebLogic, the Identity and Trust store locations have also been set to the custom JKS stores.

Even after removing DemoTrust.jks from $WLS_HOME/lib, the certificates are still added as trusted certs. I am currently at a loss.

== Update 4 ==

$DOMAIN_HOME/security contains DemoIdentity.jks. After deleting this file and restarting the managed server, the Demo trusted certificates are no longer loaded.

== Update 5 ==

Validated the truststore against the target URL with the SAS SSL/TLS diagnostics tool. Confirmed that the truststore is set up correctly.

SAS SSL/TLS diagnostics tool

As pointed out by user2351802, the OPSS keystore must be used instead of the JKS keystore defined in the Java property javax.net.ssl.trustStore.

In SOA Suite 10g/11g, the standard way to secure the transport when calling an external web service from a composite with one-way SSL was to create a JKS truststore and specify its location in the javax.net.ssl.trustStore Java property. Even the SOA Suite 12.2.1.1 Admin Guide still documents using a JKS truststore for making one-way SSL connections from SOA composites. The Oracle WebLogic Server 12.2.1.1.0 Admin Guide mentions the (new) OPSS keystore and refers to the document "Securing Applications with Oracle Platform Security Services" for using and configuring the new KSS OPSS keystore. Although it describes the procedure for setting up one-way SSL explicitly for LDAP, it seems to be the new common approach for FMW applications.

Cleaned up the identity and trust stores in WebLogic, added only the server certificate to the identity store (so no trusted certs remain in the JKS truststore) and added the root certificate to the OPSS system/trust stripe, and it works!
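A diagnostic that helps tell the two trust sources apart, added here as an example and not part of the original post: it lists the trust anchors the JVM's default JSSE TrustManager actually sees (i.e. what -Djavax.net.ssl.trustStore provides), and then builds a PKIX path from a PEM chain file to an anchor in a JKS truststore, which reproduces the same "unable to find valid certification path to requested target" failure when the root is missing. The chain file path, truststore path and password are hypothetical command-line arguments; the OPSS KSS stripe used by the SOA REST adapter is not consulted by this code, which is exactly the difference the post ran into.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class TrustStoreCheck {

    // Subject names of every anchor the default TrustManager accepts.
    // init(null) makes JSSE fall back to javax.net.ssl.trustStore, then cacerts.
    static Set<String> acceptedIssuers() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<String> names = new TreeSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    names.add(c.getSubjectX500Principal().getName());
                }
            }
        }
        return names;
    }

    // Builds a PKIX path for the first cert in chainPem (the server cert) using the
    // remaining certs as intermediates and the trustedCertEntry items of the JKS as anchors.
    // Throws CertPathBuilderException with the same message as the post when no anchor matches.
    static String validate(String chainPem, String trustStorePath, char[] storePass) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(chainPem)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) { ks.load(in, storePass); }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(ks, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false); // offline check: path building only, no CRL/OCSP
        PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
        return r.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Anchors seen by the default TrustManager:");
        for (String n : acceptedIssuers()) System.out.println("  " + n);
        if (args.length == 3) { // hypothetical usage: chain.pem truststore.jks password
            System.out.println("Path built to anchor: " + validate(args[0], args[1], args[2].toCharArray()));
        }
    }
}
```

Run it with the same -Djavax.net.ssl.trustStore setting as setDomainEnv.sh: if the GeoTrust root appears in the list and the path builds, plain JSSE is fine and the failing component is reading trust from somewhere else.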

1 answer:

Answer 0 (score: 2)

OK. It sounds strange, but it will work. We have the same SOA 12c setup, but we use the standard Java trust keystore for the SOA managed servers.

I can see you modified setDomainEnv.sh to specify /u01/data/keystores/truststore.jks as your keystore.

In theory, if the root certificate exists in cacerts in my case, or in truststore.jks in yours, it should work. I can confirm that SOAP services work fine with the keystore.

Somehow, calling a REST service via the REST adapter fails with a certificate error, the same as yours.

Here's what made it to work:
Login to EM
Weblogic Domain -> Security -> Keystore
Select System (stripe) -> trust -> Hit the manage button
Here import the root cert of geotrustrootca.

Bounce the SOA server. Test your service. It should work fine.

What I don't understand is this: System (stripe) -> trust was preconfigured as the demo truststore when the domain was configured. I have changed the keystore settings of the managed server to use cacerts. Somehow it looks like this KSS truststore is still referenced somewhere. The question is where?

Please share if you figure this out. In the meantime, the solution above will get you to your goal.