Unable to connect to Mongo with ca.crt and client.pem using a separate trustStore and keyStore [Java Spring Boot App] [TLS]

Time: 2018-08-16 23:31:49

Tags: mongodb spring-boot ssl keystore truststore

We are having a hard time setting up a custom keystore and truststore from key.pem and ca.crt in a Spring Boot app [2.0.3] [Java SDK 8] to connect to a deployed mongos instance; the connection times out.

Connecting from the shell works fine:

mongo --ssl --host 00.000.00.00:27019 --sslPEMKeyFile client.pem --sslCAFile ca.crt --authenticationDatabase admin --username user --password pass1 --authenticationMechanism SCRAM-SHA-1

We are trying to achieve the same thing through Java system properties, but for some reason they are not being set/read correctly and the connection times out. Here is my program.

import com.mongodb.MongoClient;
import com.mongodb.MongoClientURI;
import com.mongodb.client.MongoCollection;
import com.mongodb.client.MongoDatabase;
import org.bson.Document;

public class MongoTlsTest {
    public static void main(String[] args) throws Exception {
        // Point the default JSSE context at the custom stores via system properties.
        System.setProperty("javax.net.ssl.trustStore", "/var/tmp/truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "pass1");

        System.setProperty("javax.net.ssl.keyStore", "/var/tmp/keystore.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "pass1");

        MongoClientURI connectionString = new MongoClientURI("mongodb://user:pass1@00.000.00.00:27019?ssl=true");

        MongoClient mongoClient = new MongoClient(connectionString);

        System.out.println(mongoClient);

        MongoDatabase mongoDatabase = mongoClient.getDatabase("appdb-staging");
        System.out.println(mongoDatabase);

        MongoCollection<Document> mongoCollection = mongoDatabase.getCollection("person");

        System.out.println(mongoCollection.count());
    }
}

The program throws an exception and times out after 30 seconds.

Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 00.000.00.00 found
    at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:182)
    at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:98)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:481)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:456)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:238)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:133)
    at java.base/sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1825)
    ... 21 common frames omitted

The "00.000.00.00" IP is the IP of our deployed server, but we know that both the mongos instance and the client certificate have the given SAN address, so we suspect our program is trying to validate against the default Java certificates instead of the ones we supplied.

We generate the keyStore and trustStore as follows:

keytool -importcert -trustcacerts -file /var/tmp/ca.crt -keystore /var/tmp/truststore.jks -storepass pass1
keytool -importcert -trustcacerts -file /var/tmp/client2.pem -keystore /var/tmp/keystore.jks -storepass pass1

We have been stuck on this for a while and have tried several ways of generating the keys and specifying the keyStore and trustStore, but all of them seem to fail.

Thanks!
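As an added example (not code from the question), the same connection built with an explicit SSLContext handed to the driver, so the trust and key material in use does not depend on JVM-wide system properties being read. It assumes a driver of 3.8 or later (MongoClientSettings API), that the client key and certificate were packed into a PKCS12 file first (keytool -importcert only imports certificates, so a JKS built from a PEM that way holds no private key), and placeholder host and paths.

```java
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCredential;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

public final class MongoTlsClient {
    // Trust store: JKS holding only ca.crt (keytool -importcert is fine for this).
    static final String TRUST_STORE = "/var/tmp/truststore.jks";
    // Key store: PKCS12 made from client.pem, e.g. with
    //   openssl pkcs12 -export -in client.pem -out /var/tmp/client.p12
    // (a JKS filled with keytool -importcert carries no private key, so it cannot authenticate the client).
    static final String KEY_STORE = "/var/tmp/client.p12";

    static SSLContext buildSslContext(char[] trustPass, char[] keyPass) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUST_STORE)) { trust.load(in, trustPass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        KeyStore keys = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(KEY_STORE)) { keys.load(in, keyPass); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPass);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "pass1".toCharArray(); // placeholder; load from a secret store in practice
        SSLContext ctx = buildSslContext(pass, pass);
        MongoCredential cred = MongoCredential.createScramSha1Credential("user", "admin", pass);
        MongoClientSettings settings = MongoClientSettings.builder()
            // Placeholder host. Hostname verification stays enabled: the host in the
            // URI (DNS name or IP) must appear as a SAN in the server certificate.
            .applyConnectionString(new ConnectionString("mongodb://mongos.example.internal:27019"))
            .credential(cred)
            .applyToSslSettings(b -> b.enabled(true).context(ctx))
            .build();
        try (MongoClient client = MongoClients.create(settings)) {
            System.out.println(client.getDatabase("appdb-staging").getCollection("person").countDocuments());
        }
    }
}
```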

0 answers:

No answers