I'm using 3 ActiveMQ instances; each of them has its own keystore and truststore. I've set up an sslContext for each one.

But when I try to start the service, I get the following exception:
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
jvm 1 | at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
jvm 1 | at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
jvm 1 | at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
jvm 1 | at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
jvm 1 | at java.security.KeyStore.load(KeyStore.java:1445)
jvm 1 | at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:55)
jvm 1 | at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:871)
jvm 1 | at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:273)
jvm 1 | at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
jvm 1 | at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
jvm 1 | at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
jvm 1 | at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
jvm 1 | at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
jvm 1 | at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
jvm 1 | at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
jvm 1 | at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:256)
jvm 1 | at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
jvm 1 | at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:236)
jvm 1 | at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
jvm 1 | at org.eclipse.jetty.server.Server.doStart(Server.java:366)
jvm 1 | at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
jvm 1 | at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
jvm 1 | at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
jvm 1 | at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
jvm 1 | at java.lang.reflect.Method.invoke(Method.java:498)
jvm 1 | at org.springframework.util.MethodInvoker.invoke(MethodInvoker.java:269)
jvm 1 | at org.springframework.beans.factory.config.MethodInvokingBean.invokeWithTargetException(MethodInvokingBean.java:119)
jvm 1 | at org.springframework.beans.factory.config.MethodInvokingFactoryBean.afterPropertiesSet(MethodInvokingFactoryBean.java:106)
jvm 1 | at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1631)
jvm 1 | at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1568)
jvm 1 | ... 33 more
jvm 1 | Caused by: java.security.UnrecoverableKeyException: Password verification failed
jvm 1 | at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
jvm 1 | ... 62 more
wrapper | <-- Wrapper Stopped
I'm confident my keystore and truststore use the supplied password, because I double-checked them with the keytool command:

<sslContext keyStore="/opt/activemq/conf/mom1vasi.jks" keyStorePassword="somepassword" trustStore="/opt/activemq/conf/mom1vasi.jts" trustStorePassword="somepassword" />

Checking with keytool that the password is correct:

keytool -v -list -keystore /opt/activemq/conf/mom1vasi.jts

EDIT: This is how I generate the keystore:
generate_keystore(){
    local kpass="$(openssl rand -hex 32)"
    # Bundle the server certificate, its private key and the CA certificate into
    # a PKCS#12 file protected with the freshly generated password
    openssl pkcs12 -export -in "server/${HOST}.crt" -inkey "server/${HOST}.key" \
        -name "${HOST}.company.com" -certfile "CA/cacert.pem" \
        -out "server/${HOST}.jks.pkcs12" -passin pass:"${kpass}" -passout pass:"${kpass}"
    # Convert the PKCS#12 file into a JKS keystore sealed with the same password
    keytool -importkeystore -srckeystore "server/${HOST}.jks.pkcs12" -srcstoretype pkcs12 \
        -destkeystore "server/${HOST}.jks" -deststoretype JKS \
        -srcstorepass "${kpass}" -deststorepass "${kpass}"
    # Keep the store password next to the store and drop the intermediate file
    echo "${kpass}" > "server/${HOST}.jks.pass"
    rm -f "server/${HOST}.jks.pkcs12"
}
And this is how I generate the truststore:
generate_truststore(){
    local tpass="$(openssl rand -hex 32)"
    local server="${1}"
    # Import the peer's server certificate as a trusted entry into a new JKS truststore
    keytool -alias "${server}.company.com" -import -file "server/${server}.crt" \
        -keystore "server/${server}.jts" -storepass "${tpass}" -noprompt
    echo "${tpass}" > "server/${server}.jts.pass"
}
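Added example, not code from the question: a Python reimplementation of the integrity check that `sun.security.provider.JavaKeyStore.engineLoad` performs when it loads a JKS file, which is the check whose failure surfaces as the two exceptions in the trace above (`Password verification failed` wrapped in `Keystore was tampered with, or password was incorrect`). It lets a `.jks`/`.jts` file be tested against the password a config or `.pass` file supplies without starting the broker; the store bytes used for demonstration are constructed in-code (an empty JKS v2 store), and `check_store_files` assumes the `store.pass` layout written by the `generate_*` functions above.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # constant the JDK mixes into the integrity digest

def _prekeyed_sha1(password: str):
    # JavaKeyStore hashes the password as UTF-16BE bytes, then the salt string,
    # then every byte of the store that precedes the trailing 20-byte digest.
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))
    md.update(JKS_SALT)
    return md

def jks_password_ok(store: bytes, password: str) -> bool:
    """True if `password` seals the JKS blob `store` (same test as engineLoad)."""
    if len(store) < 12 + 20:
        raise ValueError("too short to be a JKS store")
    magic, version = struct.unpack(">II", store[:8])
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS store (bad magic or version)")
    body, stored_digest = store[:-20], store[-20:]
    md = _prekeyed_sha1(password)
    md.update(body)
    # A mismatch here is what Java reports as "Password verification failed" /
    # "Keystore was tampered with, or password was incorrect".
    return hmac.compare_digest(md.digest(), stored_digest)

def check_store_files(store_path: str, pass_path: str) -> bool:
    """Check a .jks/.jts file against the password saved beside it (assumed layout)."""
    with open(store_path, "rb") as f:
        store = f.read()
    with open(pass_path, "r", encoding="utf-8") as f:
        # echo appends a newline that is not part of the password; strip it.
        password = f.read().rstrip("\r\n")
    return jks_password_ok(store, password)

def build_empty_jks(password: str) -> bytes:
    """Constructed sample: a JKS v2 store with zero entries, sealed with `password`."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)  # magic, version, entry count
    md = _prekeyed_sha1(password)
    md.update(body)
    return body + md.digest()
```

Running `jks_password_ok` over each configured store path with the password from the matching config entry (or `.pass` file) shows which of the three instances' stores does not match before the broker is started.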