我在设置双向SSL身份验证时遇到问题。 我需要从wso2企业集成商访问HTTPS端点。 服务提供商给了我一个pfx密钥库,其中包含我必须提供给服务器的证书和私钥。
我在Windows计算机上安装了此pfx密钥库,并尝试从Chrome访问端点(端点在根上下文中具有GET服务,该服务返回问候消息)。访问此终结点时,chrome告诉我选择要提供给服务器的证书...我选择了一个好证书,并返回了问候消息...很好,该证书有效。
我也尝试了curl,提供了密钥,cacert和cert(使用openssl从pfx文件中提取)。一切正常。
问题是当我尝试从wso2 ei服务访问此终结点时。 按照以下步骤,使用keytool将pfx文件导入到默认密钥库(wso2carbon.jks):
在jks中导入pfx
keytool -importkeystore -srckeystore .pfx -srcstoretype pkcs12 -destkeystore wso2carbon.jks -deststoretype JKS -srcstorepass -deststorepass wso2carbon
导出jks公钥
keytool -export -alias“” -keystore wso2carbon.jks-文件publickey.pem -storepass wso2carbon
在默认的client-trustore.jks中导入公钥
keytool -import -alias“”-文件publickey.pem -keystore client-truststore.jks -storepass wso2carbon
在wso2carbon密钥库中更新别名的密码(必须与jks pwd相同)
keytool -keypasswd -alias“”-新的wso2carbon -keystore wso2carbon.jks -keypass -storepass wso2carbon
已将根和中间服务器证书添加到受托人
keytool-导入-v -trustcacerts-别名root-文件root.cer -keystore客户端-truststore.jks -storepass wso2carbon keytool -import -v -trustcacerts -alias intermed -file intermed.cer -keystore client-truststore.jks -storepass wso2carbon
重新启动WSO2 EI,然后尝试访问端点(握手失败!!!)
我在错误跟踪下方激活了-Djavax.net.debug = ssl:handshake。 好像WSO2 EI找不到服务器要求的证书
...
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, Unknown (hash:0x4, signature:0x2), SHA256withECDSA, SHA224withRSA, Unknown (hash:0x3, signature:0x2), SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<CN=Autorite Bureau RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Racine RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Bureau Machine RTE, DC=bureau, DC=si, DC=interne>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
PassThroughMessageProcessor-2, WRITE: TLSv1.2 Handshake, length = 320
SESSION KEYGEN:
PreMaster Secret:
... no IV derived for this protocol
PassThroughMessageProcessor-2, WRITE: TLSv1.2 Change Cipher Spec, length = 64
*** Finished
verify_data: { 111, 185, 151, 74, 99, 156, 152, 185, 240, 222, 162, 116 }
***
PassThroughMessageProcessor-2, WRITE: TLSv1.2 Handshake, length = 80
PassThroughMessageProcessor-2, READ: TLSv1.2 Alert, length = 64
PassThroughMessageProcessor-2, RECV TLSv1.2 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA256]
%% Invalidated: [Session-2, TLS_RSA_WITH_AES_256_CBC_SHA256]
PassThroughMessageProcessor-2, called closeSocket()
PassThroughMessageProcessor-2, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
PassThroughMessageProcessor-2, called close()
PassThroughMessageProcessor-2, called closeInternal(true)
我尝试使用SOAP UI,引用了先前创建的密钥库,并且GET调用返回问候消息(握手成功)。
我还尝试了使用该密钥库的片段Java类,并且ssl握手过程正常。
System.setProperty("javax.net.ssl.keyStore", keystorePath);
System.setProperty("javax.net.ssl.keyStorePassword", CERT_PASSWORD);
System.setProperty("javax.net.ssl.keyStoreType", "JKS");
URL myUrl;
try {
myUrl = new URL(endpoint);
HttpsURLConnection conn = (HttpsURLConnection) myUrl.openConnection();
InputStream is = conn.getInputStream();
InputStreamReader isr = new InputStreamReader(is);
BufferedReader br = new BufferedReader(isr);
String inputLine;
while ((inputLine = br.readLine()) != null) {
System.out.println(inputLine);
}
Cert Authorities:
<CN=Autorite Bureau RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Racine RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Bureau Machine RTE, DC=bureau, DC=si, DC=interne>
*** ServerHelloDone
matching alias: alias-cert
感谢您的帮助。 谢谢。
亲切的问候, 鲁迪