我目前正在创建一个用于在java中构建我们的webapp的Docker文件,我遇到了一个问题,即必须使用自定义.cert键来使用logstash-logback-forwarder登录SSL,而webapp本身需要进行SSL连接(连接到SOAP SSL)。问题是,我能够登录SSL,并且webapp可以安全地使用SOAP API(它一直能够做到这一点),但我不能同时做到这两点。
首先,这是我的docker构建文件的相关部分
ADD logstash-forwarder.crt /root/logstash-forwarder.crt
RUN (cd /root && /usr/java/latest/bin/keytool -import -file logstash-forwarder.crt -alias logstash -storepass SOMEPASS -noprompt -keystore logstash.keystore)
这会添加crt文件,然后使用keytool导入keyStore。我正在使用logstash-logback-forwarder,它使用标准SSLSocketFactory(即https://github.com/logstash/logstash-logback-encoder/blob/master/src/main/java/net/logstash/logback/appender/SSLLogstashTcpSocketAppender.java)
然后我使用此命令运行我的java站点(通过jetty-webrunner)
CMD java -Dlogback.configurationFile=/root/logback.xml \
-Djavax.net.ssl.keyStorePassword=SOMEPASS \
-Djavax.net.ssl.keyStoreType=pkcs12 \
-Djavax.net.ssl.trustStoreType=jks \
-Djavax.net.ssl.trustStore=logstash.keystore \
-Djavax.net.ssl.trustStorePassword=SOMEPASS \
-server -ea -XX:+UseConcMarkSweepGC \
-XX:+CMSClassUnloadingEnabled \
-Xmx2048M -jar jetty-runner-9.2.3.v20140905.jar \
--port 8080 \
--lib "/root/lib" \
--config jetty.xml \
jetty-web.xml
现在使用以下命令,安全日志记录在SSL上工作正常,问题是,webapp不再能够安全地连接到它需要使用的SOAP API,我收到以下错误(提供了java stacktrace)
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1917)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:301)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:295)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1471)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:936)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:871)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
at org.apache.axis.client.Call.invoke(Call.java:2767)
at org.apache.axis.client.Call.invoke(Call.java:2443)
at org.apache.axis.client.Call.invoke(Call.java:2366)
at org.apache.axis.client.Call.invoke(Call.java:1812)
现在很明显,如果我完全删除SSL(显然日志记录将停止工作),通过执行此操作
CMD java -Dlogback.configurationFile=/root/logback.xml \
-server -ea -XX:+UseConcMarkSweepGC \
-XX:+CMSClassUnloadingEnabled \
-Xmx2048M -jar jetty-runner-9.2.3.v20140905.jar \
--port 8080 \
--lib "/root/lib" \
--config jetty.xml \
jetty-web.xml
SOAP apis via轴工作正常,但SSL日志记录没有。我知道你可以使用keytool组合密钥库,但是我没有理解它(它比传递带有单个标志的.crt文件复杂得多,非大多数非java应用程序倾向于)。你将如何导入.keystore以使其正常工作(等效的docker命令是什么?)
服务器正在运行JDK 8