Java web service client certificate configuration for a secure (HTTPS) connection in JDeveloper

时间:2013-01-26 12:08:06

标签: web-services oracle https certificate jdeveloper

I am using Oracle JDeveloper to develop a Java web service integration for shipping. I have imported the WSDL files and they were set up perfectly. But I cannot run it, because JDeveloper throws an exception since it does not recognize the certificate. I downloaded the required certificate and installed it in the keystore with the keytool command, but nothing changed. Then I generated a new keystore and installed my certificate in it, but Oracle uses the DemoIdentity.jks and DemoTrust.jks keystores. I can't make Oracle use my new keystore as the default.

Here is the log and the error I get:

<26.Oca.2013 14:02:08 EET> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias DemoIdentity from the jks keystore file C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoIdentity.jks.> 
<26.Oca.2013 14:02:09 EET> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoTrust.jks.> 
<26.Oca.2013 14:02:09 EET> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\Oracle\MIDDLE~1\JDK160~1\jre\lib\security\cacerts.> 
<26.Oca.2013 14:02:09 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:09 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=thawte Primary Root CA - G3,OU=(c) 2008 thawte\, Inc. - For authorized use only,OU=Certification Services Division,O=thawte\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:09 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:09 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:09 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=VeriSign Universal Root Certification Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=thawte Primary Root CA - G3,OU=(c) 2008 thawte\, Inc. - For authorized use only,OU=Certification Services Division,O=thawte\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=VeriSign Universal Root Certification Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Warning> <Security> <BEA-090504> <Certificate chain received from localhost - 127.0.0.1 --> wwwcie.ups.com failed hostname verification check. Certificate contained MST-PC(My computer name) but check expected wwwcie.ups.com> 

Please let me know your ideas on how to solve this problem. Any recommendation would be appreciated. Thanks.

P.S.: I am using Oracle JDeveloper 11g Release 1, jdk160_24, WebLogic Server 10.3, Win7 64-bit.

2 answers:

Answer 0: (score: 1)

First, is the SSL one-way or two-way?

One-way means that only the serving server (the server with the WS you are trying to access) has to identify itself to you. For the serving server to identify itself to you, you have to download the certificate it offers from its page (there are plenty of tutorials on how to do this). Warning: you must get the whole certificate chain! Add those certificates to your Trust keystore.

Two-way means you also have to identify yourself to them. For that you should get a certificate from the service provider and add it to your client Identity keystore.

At this point you should have 2 separate keystores. One, the Trust keystore, is the store where all the certificates of the secure servers are kept (you trust them, hence the name). The second is the Identity keystore, the store that keeps your identity under a specific alias. Other servers will use this to determine whether they trust you.

Now for the WLS configuration:

First, if you are going to use SSL, don't use the Demo Identity and Demo Trust settings. Change them to Custom Identity and Custom Trust. Set the keystores to the ones you created. If the server only uses one-way SSL, you can set the Identity store to the demo identity, but it still has to be done under the Custom Identity and Custom Trust settings (just copy the path, password, etc. from the defaults). Set the identity under Server -> SSL and you are done.

Other:

You might want to turn off hostname verification (Server -> SSL -> Advanced). It sometimes causes a lot of problems.

If it still doesn't work, add the following flags to the Java options:

-Dweblogic.security.SSL.verbose=true

-Dweblogic.security.SSL.enable.renegotiation=true

-Dsun.security.ssl.allowUnsafeRenegotiation=true
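The two-keystore setup the answer describes (a Trust keystore holding the service's full CA chain, and for two-way SSL an Identity keystore holding your own certificate and key), expressed as a standalone JSSE client. This is an added example, not code from the question or the answer; the keystore paths, passwords and the `UpsService` port class in the comments are assumptions. The trust store is built beforehand with the JDK's keytool, one `keytool -importcert -trustcacerts -alias <name> -file <cert.cer> -keystore custom-trust.jks` per certificate in the chain (root and every intermediate). Hostname verification is intentionally left at the JSSE default, because the BEA-090504 warning in the question's log says the certificate received from 127.0.0.1 names MST-PC rather than wwwcie.ups.com, so whatever answered the connection was not presenting the UPS endpoint's certificate, and a permissive verifier would only hide that.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext from a custom Trust keystore (one-way SSL) plus an
 * optional custom Identity keystore (two-way SSL) and installs it as the
 * default for HttpsURLConnection. Hostname verification stays at the JSSE
 * default. Written for JDK 6 (no try-with-resources, no diamond operator).
 */
public final class WsClientTls {

    private WsClientTls() {}

    /** Loads a JKS keystore from disk. */
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /**
     * trustStorePath:    JKS holding the service's complete CA chain (root and every intermediate).
     * identityStorePath: JKS holding your client certificate and private key, or null for one-way SSL.
     */
    static SSLContext buildContext(String trustStorePath, char[] trustPass,
                                   String identityStorePath, char[] identityPass) throws Exception {
        // Trust managers decide which peer certificates we accept.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, trustPass));

        // Key managers supply the certificate we present (two-way SSL only).
        KeyManager[] kms = null;
        if (identityStorePath != null) {
            KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadJks(identityStorePath, identityPass), identityPass);
            kms = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Paths and passwords below are assumptions for this example.
        char[] trustPass = "changeit".toCharArray();
        SSLContext oneWay = buildContext("C:\\certs\\custom-trust.jks", trustPass, null, null);
        // For two-way SSL, pass the Identity keystore as well:
        // SSLContext twoWay = buildContext("C:\\certs\\custom-trust.jks", trustPass,
        //                                  "C:\\certs\\client-identity.jks", "secret".toCharArray());

        // Install the factory before creating the JAX-WS Service/port: the JAX-WS RI
        // HTTP transport opens its HTTPS connections through HttpsURLConnection.
        HttpsURLConnection.setDefaultSSLSocketFactory(oneWay.getSocketFactory());

        // Deliberately no HttpsURLConnection.setDefaultHostnameVerifier(...) here.
        // The BEA-090504 warning in the question means the peer's certificate names
        // MST-PC, not wwwcie.ups.com; accepting it would not make the call reach UPS.

        // UpsService service = new UpsService();   // hypothetical generated JAX-WS client
        // UpsPort port = service.getUpsPort();
        System.out.println("Default HTTPS socket factory installed; create the web service port now.");
    }
}
```

This configures JSSE, which is what a standalone client uses. When the same call runs inside WebLogic 10.3, the server installs its own https protocol handler unless it is started with `-DUseSunHttpHandler=true`, and outbound trust then comes from the Custom Trust keystore configured in the console exactly as the answer describes; the JSSE factory above has no effect on that path.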

Answer 1: (score: 1)

The latest updates of the Sun JDK (Java Developer Kit) (versions 1.6.0_13 and 1.5.0_18) are incompatible with the SSL (Secure Sockets Layer) implementation in the following versions of Oracle WebLogic Server:

  • 11gR1 (10.3.1)
  • 10gR3 (10.3.0)
  • 10.0 and all maintenance releases of 10.0
  • 9.0, 9.1, 9.2 and all maintenance releases of 9.2 prior to 9.2 MP4

The problem also occurs with Oracle JRockit versions R27.6.4 (1.6.0_13 and 1.5.0_18) and later.

Workarounds

1) Use an earlier version of the JDK - JDK 1.6.0_12; earlier versions also work.

 or

2) Replace the truststore file \jdk\jre\lib\security\cacerts with the one from a previous JDK.
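The BEA-090898 notices in the question's log all name OID 1.2.840.113549.1.1.11, which is sha256WithRSAEncryption: the newer JDK's cacerts contains root certificates signed with SHA-256 that this WebLogic SSL stack cannot parse, which is the incompatibility this answer refers to. Before swapping the whole cacerts file for an older one (workaround 2), it helps to see exactly which entries are affected. The scanner below is an added example, not part of the answer; it uses only standard JDK APIs, defaults to the cacerts path shown in the question's log and the stock cacerts password `changeit` (both assumptions), lists the SHA-2 RSA-signed trusted entries, and can write a copy of the store with those entries removed.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Scans a JKS trust store (e.g. the JDK's cacerts) for trusted-certificate
 * entries whose signature algorithm is a SHA-2 RSA OID, the ones WebLogic
 * reports as "Unsupported OID in the AlgorithmIdentifier object", and
 * optionally writes a copy of the store without them. JDK 6 compatible.
 */
public final class Sha2TrustStoreScanner {

    // PKCS#1 v1.5 signature algorithm OIDs (RFC 4055); .11 is the one in the log.
    static final String SHA256_WITH_RSA = "1.2.840.113549.1.1.11";
    static final String SHA384_WITH_RSA = "1.2.840.113549.1.1.12";
    static final String SHA512_WITH_RSA = "1.2.840.113549.1.1.13";

    private Sha2TrustStoreScanner() {}

    static boolean isSha2Rsa(X509Certificate cert) {
        String oid = cert.getSigAlgOID();
        return SHA256_WITH_RSA.equals(oid)
            || SHA384_WITH_RSA.equals(oid)
            || SHA512_WITH_RSA.equals(oid);
    }

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Aliases of trusted-certificate entries signed with a SHA-2 RSA algorithm. */
    static List<String> findSha2Aliases(KeyStore ks) throws Exception {
        List<String> hits = new ArrayList<String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isCertificateEntry(alias)) {
                continue;
            }
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate && isSha2Rsa((X509Certificate) c)) {
                hits.add(alias);
            }
        }
        return hits;
    }

    /** Writes a copy of ks to outPath with the given aliases removed. */
    static void writeWithout(KeyStore ks, List<String> aliases, String outPath, char[] password)
            throws Exception {
        for (String alias : aliases) {
            ks.deleteEntry(alias);
        }
        OutputStream out = new FileOutputStream(outPath);
        try {
            ks.store(out, password);
        } finally {
            out.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Defaults are assumptions: the cacerts path from the question's log and the
        // stock cacerts password "changeit". Usage: [cacertsPath] [filteredOutputPath]
        String inPath = args.length > 0 ? args[0]
            : "C:\\Oracle\\MIDDLE~1\\JDK160~1\\jre\\lib\\security\\cacerts";
        char[] password = "changeit".toCharArray();

        KeyStore ks = load(inPath, password);
        List<String> sha2 = findSha2Aliases(ks);
        System.out.println(sha2.size() + " SHA-2-signed trusted entries in " + inPath);
        for (String alias : sha2) {
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.println("  " + alias + "  " + c.getSigAlgName()
                + "  " + c.getSubjectX500Principal());
        }
        if (args.length > 1) {
            writeWithout(ks, sha2, args[1], password);
            System.out.println("Wrote filtered copy to " + args[1]);
        }
    }
}
```

The subjects this prints for the question's JDK should match the CN values in the BEA-090898 lines (Entrust G2, thawte Primary Root CA - G3, the T-TeleSec roots, GlobalSign R3, and so on). Note what the filtered copy does and does not buy you: WebLogic already ignores those entries, so removing them only silences the notices; a server whose chain ends at one of those SHA-256-signed roots still cannot be validated by this SSL stack, which is why the answer's workarounds revert to an older JDK or an older cacerts rather than editing the new one.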