JBoss的{SSL}证书导入和配置

时间:2016-03-16 01:47:28

标签: ssl jboss sslhandshakeexception ibm-datapower pega

我是JBoss配置的新手,我被要求将证书导入JBoss App服务器。基于我在论坛上阅读的内容,我认为我做了必要的事情,但我们仍然看到"没有任何TrustManagers允许信任该客户端所提供的远程服务器提供的SSL证书尝试连接"错误信息。我们在JBoss服务器上托管了Pega应用程序,Pega应用程序进行单向出站调用以使用IBM Datapower的服务。我们在Red Hat Enterprise Linux 7.1上使用红帽JBoss中间件(EWS + EAP),并在域模式下设置了JBoss。

JBoss企业应用程序平台版本6.4安装在/ opt / jboss文件夹下,由jboss系统用户配置,仅在域模式下运行。环境预先配置了一个域控制器和一个或多个主机控制器。所有主机控制器都可以由域控制器管理。环境也适合专门用于完整的HA配置文件。

enter image description here 我们有一个针对Datapower的SGWSGateway-sscert.pem证书,我被要求导入JBoss。我采取的步骤是。如果我能对我的设置不正确或需要更改的内容得到任何帮助,我将非常感激。

1)使用别名-sgwsgateway将其导入/ host-controller / configuration / keystores中的jbossTrust.jks。 enter image description here

2)domain.xml配置为:

               <subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
                    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
                    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
                          <ssl/>
                    </connector>
                    <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
                    <virtual-server name="default-host" enable-welcome-root="true">
                        <alias name="localhost"/>
                    </virtual-server>
                </subsystem>

      <interfaces>
            <interface name="management"/>
            <interface name="public"/>
            <interface name="unsecure"/>
        </interfaces>


        <socket-binding-groups>
            <socket-binding-group name="full-ha-sockets" default-interface="public">
                <socket-binding name="ajp" port="8009"/>
                <socket-binding name="http" port="8080"/>
                <socket-binding name="https" port="8443"/>
                <socket-binding name="jacorb" interface="unsecure" port="3528"/>
                <socket-binding name="jacorb-ssl" interface="unsecure" port="3529"/>
                <socket-binding name="jgroups-mping" port="0" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700"/>
                <socket-binding name="jgroups-tcp" port="7600"/>
                <socket-binding name="jgroups-tcp-fd" port="57600"/>
                <socket-binding name="jgroups-udp" port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/>
                <socket-binding name="jgroups-udp-fd" port="54200"/>
                <socket-binding name="messaging" port="5445"/>
                <socket-binding name="messaging-group" port="0" multicast-address="${jboss.messaging.group.address:231.7.7.7}" multicast-port="${jboss.messaging.group.port:9876}"/>
                <socket-binding name="messaging-throughput" port="5455"/>
                <socket-binding name="modcluster" port="0" multicast-address="224.0.1.105" multicast-port="23364"/>
                <socket-binding name="remoting" port="4447"/>
                <socket-binding name="txn-recovery-environment" port="4712"/>
                <socket-binding name="txn-status-manager" port="4713"/>
                <outbound-socket-binding name="mail-smtp">
                    <remote-destination host="localhost" port="25"/>
                </outbound-socket-binding>
            </socket-binding-group>
        </socket-binding-groups>

        <server-groups>
            <server-group name="jboss-server-group" profile="full-ha">
                <jvm name="pega_default">
                    <heap size="4096m" max-size="8192m"/>
                    <permgen size="768m" max-size="1536m"/>
                    <jvm-options>
                        <option value="-Xms8192m"/>
                        <option value="-Xmx8192m"/>
                        <option value="-XX:NewSize=1536m"/>
                        <option value="-XX:MaxNewSize=1536m"/>
                        <option value="-XX:PermSize=768m"/>
                        <option value="-XX:MaxPermSize=1536m"/>
                        <option value="-Djboss.as.management.blocking.timeout=60000"/>
                        <option value="-Djava.net.preferIPv4Stack=true"/>
                        <option value="-XX:TargetSurvivorRatio=90"/>
                        <option value="-XX:+UseParNewGC"/>
                        <option value="-XX:+UseConcMarkSweepGC"/>
                        <option value="-XX:+UseCMSInitiatingOccupancyOnly"/>
                        <option value="-XX:CMSInitiatingOccupancyFraction=80"/>
                        <option value="-XX:+CMSClassUnloadingEnabled"/>
                        <option value="-XX:ReservedCodeCacheSize=768m"/>
                        <option value="-XX:+UseCodeCacheFlushing"/>
                        <option value="-XX:+DisableExplicitGC"/>
                        <option value="-XX:+PrintGCDetails"/>
                        <option value="-verbose:gc"/>
                        <option value="-Xloggc:/opt/jboss/host-controller/log/gc.%t.%p.log"/>
                        <option value="-XX:+UseGCLogFileRotation"/>
                        <option value="-XX:NumberOfGCLogFiles=10"/>
                        <option value="-XX:GCLogFileSize=1M"/>
                        <option value="-Djava.awt.headless=true"/>
                        <option value="-Djboss.modules.policy-permissions=true"/>
                    </jvm-options>
                </jvm>
                <socket-binding-group ref="full-ha-sockets"/>
                <deployments>
                    <deployment name="example.war" runtime-name="example.war"/>
                    <deployment name="prhelp.war" runtime-name="prhelp.war"/>
                    <deployment name="prsysmgmt_jboss.war" runtime-name="prsysmgmt_jboss.war"/>
                    <deployment name="prpc_j2ee14_jboss61JBM.ear" runtime-name="prpc_j2ee14_jboss61JBM.ear"/>
                </deployments>
            </server-group>
        </server-groups>

3)host-master.xml配置为:

    <security-realms>
        <security-realm name="ManagementRealm">
            <server-identities>
                <ssl protocol="TLSv1">
                    <keystore path="keystores/jbossIdentity.jks" relative-to="jboss.domain.config.dir" keystore-password="${VAULT::serverInfo::dc_ident_keystore_password::1}" alias="jboss_domain"/>
                </ssl>
            </server-identities>
            <authentication>
                <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
            </authentication>
            <authorization map-groups-to-roles="false">
                <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
            </authorization>
        </security-realm>

4)host-slave.xml配置为:

            <security-realms>
                <security-realm name="ManagementRealm">
                    <server-identities>
                        <ssl protocol="TLSv1">
                            <keystore path="keystores/jbossIdentity.jks" relative-to="jboss.domain.config.dir" keystore-password="${VAULT::serverInfo::hc_identity_keystore_password::1}" alias="jboss_host"/>
                        </ssl>
                        <secret value="U2NvdGlhYmFua0Ax"/>
                    </server-identities>
                    <authentication>
                        <truststore path="keystores/jbossTrust.jks" relative-to="jboss.domain.config.dir" keystore-password="${VAULT::serverInfo::hc_trust_keystore_password::1}"/>
                        <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                    </authentication>
                    <authorization map-groups-to-roles="false">
                        <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
                    </authorization>
                </security-realm>

        <interfaces>
            <interface name="management">
                <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
            </interface>
            <interface name="public">
                <inet-address value="${jboss.bind.address:127.0.0.1}"/>
            </interface>
            <interface name="unsecure">
                <inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/>
            </interface>
        </interfaces>


        <servers>
            <server name="jboss-server-one" group="jboss-server-group" auto-start="true">
                <jvm name="pega_default"/>
                <socket-bindings port-offset="100"/>
            </server>
      </servers>

此致 阿里。

1 个答案:

答案 0 :(得分:0)

我们通过在Java级别添加证书来解决此问题。在上面的问题场景中,我们将证书导入JBoss密钥库。由于我们设置了不同的JVM,该应用程序未找到证书。因此,我们将证书导入jre文件夹中的Java cacerts密钥库。