密钥库被篡改,或密码与ActiveMQ不正确

时间:2016-06-13 09:43:28

标签: java activemq keystore truststore

我使用3个ActiveMQ实例;他们每个人都有自己的keystoretruststore。我已为每个人设置sslContext。 但是,当我尝试启动该服务时,我得到以下异常:

Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
jvm 1    |  at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
jvm 1    |  at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
jvm 1    |  at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
jvm 1    |  at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
jvm 1    |  at java.security.KeyStore.load(KeyStore.java:1445)
jvm 1    |  at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:55)
jvm 1    |  at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:871)
jvm 1    |  at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:273)
jvm 1    |  at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
jvm 1    |  at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
jvm 1    |  at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
jvm 1    |  at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
jvm 1    |  at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
jvm 1    |  at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
jvm 1    |  at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
jvm 1    |  at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:256)
jvm 1    |  at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
jvm 1    |  at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:236)
jvm 1    |  at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
jvm 1    |  at org.eclipse.jetty.server.Server.doStart(Server.java:366)
jvm 1    |  at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
jvm 1    |  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
jvm 1    |  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
jvm 1    |  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
jvm 1    |  at java.lang.reflect.Method.invoke(Method.java:498)
jvm 1    |  at org.springframework.util.MethodInvoker.invoke(MethodInvoker.java:269)
jvm 1    |  at org.springframework.beans.factory.config.MethodInvokingBean.invokeWithTargetException(MethodInvokingBean.java:119)
jvm 1    |  at org.springframework.beans.factory.config.MethodInvokingFactoryBean.afterPropertiesSet(MethodInvokingFactoryBean.java:106)
jvm 1    |  at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1631)
jvm 1    |  at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1568)
jvm 1    |  ... 33 more
jvm 1    | Caused by: java.security.UnrecoverableKeyException: Password verification failed
jvm 1    |  at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
jvm 1    |  ... 62 more
wrapper  | <-- Wrapper Stopped

我很高兴我的密钥库和信任库使用提供的密码,因为我使用keytool命令仔细检查它们:

    <sslContext keyStore="/opt/activemq/conf/mom1vasi.jks" keyStorePassword="somepassword" trustStore="/opt/activemq/conf/mom1vasi.jts" trustStorePassword="somepassword" />

使用keytool检查密码是否正确:

keytool -v -list -keystore /opt/activemq/conf/mom1vasi.jts

修改 这就是我生成密钥库的方式:

generate_keystore(){
  local kpass="$(openssl rand -hex 32)"
  openssl pkcs12 -export -in "server/${HOST}.crt" -inkey "server/${HOST}.key" -name "${HOST}.company.com" -certfile "CA/cacert.pem" -out "server/${HOST}.jks.pkcs12" -passin pass:"${kpass}" -passout pass:"${kpass}"
  keytool -importkeystore -srckeystore "server/${HOST}.jks.pkcs12" -srcstoretype pkcs12 -destkeystore "server/${HOST}.jks" -deststoretype JKS -srcstorepass "${kpass}" -deststorepass "${kpass}"
  echo "${kpass}" > "server/${HOST}.jks.pass"
  rm -f "server/${HOST}.jks.pkcs12"
}

这就是我生成信任库的方式:

generate_truststore(){
  local tpass="$(openssl rand -hex 32)"
  local server="${1}"

  keytool -alias "${server}.company.com" -import -file server/${server}.crt -keystore server/${server}.jts -storepass "${tpass}" -noprompt
  echo "${tpass}" > server/${server}.jts.pass
}

0 个答案:

没有答案