Reloading the truststore in WebSphere Liberty

Posted: 2018-11-02 09:38:53

Tags: java ssl websphere-liberty

We have an OSGi application running on the WebSphere Liberty profile that is expected to make HTTPS calls to various endpoints.

Some of these endpoints have shared their SSL certificates so that they can be imported into the server truststore. Previously, a certificate would be added to the truststore and the application restarted to pick up the change.

This is the configuration used for the truststore (the ${} entries are placeholders read from a properties file):

<keyStore id="defaultKeyStore" location="${keystore.location}"
    password="${keystore.password}" type="${keystore.type}" />
<keyStore id="trustStore" location="${truststore.location}"
    password="${truststore.password}"
    type="${truststore.type}" />

<ssl clientAuthentication="false"
    clientAuthenticationSupported="true" 
    id="defaultSSLConfig"
    keyStoreRef="defaultKeyStore"
    sslProtocol="SSL_TLSv2"
    trustStoreRef="trustStore" />

<sslDefault sslRef="defaultSSLConfig" />

This was recently modified to use keystore polling for the truststore by making the following change:

<keyStore id="trustStore" location="${truststore.location}"
    password="${truststore.password}"
    type="${truststore.type}" pollingRate="5s" updateTrigger="polled"/>

The attributes used are described here:

https://www.ibm.com/support/knowledgecenter/en/SSAW57_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/rwlp_ssl.html

  The server can reload the keystore file if the updateTrigger attribute is set to polled or mbean. If polling is enabled, the server monitors the keystore file for changes based on the rate set in the pollingRate attribute.

Now, if I import a certificate into the truststore of the running server, I get the following message in the console:

  [AUDIT] CWPKI0811I: The keystore file resources\security\trust.jks has been modified. The keystore file will be reloaded so the updated keystore file can be used.

But HTTPS calls to the endpoint still fail with a certificate exception until the server is restarted (after a restart with no other changes the endpoint call succeeds, so the certificate itself is correct and the endpoint is valid):

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: unable to find valid certification path to requested target
    at com.ibm.jsse2.k.a(k.java:15)
    at com.ibm.jsse2.av.a(av.java:531)
    at com.ibm.jsse2.D.a(D.java:68)
    at com.ibm.jsse2.D.a(D.java:628)
    at com.ibm.jsse2.E.a(E.java:803)
    at com.ibm.jsse2.E.a(E.java:447)
    at com.ibm.jsse2.D.r(D.java:139)
    at com.ibm.jsse2.D.a(D.java:485)
    at com.ibm.jsse2.av.a(av.java:717)
    at com.ibm.jsse2.av.i(av.java:869)
    at com.ibm.jsse2.av.a(av.java:19)
    at com.ibm.jsse2.av.startHandshake(av.java:672)
    at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:46)
    at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:35)

Is the configuration I used above wrong, or how should the Liberty profile be configured so that certificates are reloaded correctly?

Some other things I have tried:

  • Getting the default SSLContext via SSLContext.getDefault() and re-initializing it with the truststore - this works because Liberty itself replaces the original, unchanged truststore with its own. However, I would like to avoid this approach if possible and use the standard Liberty mechanism instead.

Edit: interestingly, if I use an absolute path for the truststore in server.xml, everything starts working. A relative path does not work.

Relative path:

[11/5/18 13:17:07:870 IST] 00000084 id=         com.ibm.ws.ssl.internal.KeystoreConfigurationFactory         > performFileBasedAction Entry
                                                                                                               [resources\security\trust.jks]
[11/5/18 13:17:07:871 IST] 00000084 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 3 Clearing standard javax.net.ssl.SSLContext cache.
[11/5/18 13:17:07:871 IST] 00000084 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 clearJavaKeyStore
[11/5/18 13:17:07:871 IST] 00000084 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 clearJavaKeyStore
[11/5/18 13:17:07:871 IST] 00000084 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 clearJavaKeyStore
[11/5/18 13:17:07:871 IST] 00000084 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 clearJavaKeyStore
[11/5/18 13:17:07:871 IST] 00000084 id=         com.ibm.ws.ssl.config.SSLConfigManager                       > resetDefaultSSLContext Entry
[11/5/18 13:17:07:871 IST] 00000084 id=         com.ibm.ws.ssl.config.SSLConfigManager                       > getDefaultSSLConfig Entry
[11/5/18 13:17:07:871 IST] 00000084 id=         com.ibm.ws.ssl.config.SSLConfigManager                       3 getGlobalProperty -> com.ibm.ssl.defaultAlias=defaultSSLConfig
[11/5/18 13:17:07:871 IST] 00000084 id=         com.ibm.ws.ssl.config.SSLConfigManager                       3 defaultAlias: defaultSSLConfig
[11/5/18 13:17:07:871 IST] 00000084 id=         com.ibm.ws.ssl.config.SSLConfigManager                       < defaultAlias not null, getDefaultSSLConfig for: defaultSSLConfig Exit
[11/5/18 13:17:07:871 IST] 00000084 id=         com.ibm.ws.ssl.config.SSLConfigManager                       > keyStoreModified Entry
[11/5/18 13:17:07:871 IST] 00000084 id=         com.ibm.ws.ssl.config.SSLConfigManager                       < keyStoreModified false Exit
[11/5/18 13:17:07:871 IST] 00000084 id=         com.ibm.ws.ssl.config.SSLConfigManager                       3 Modified keystore file are not part of the default SSL configuration.
[11/5/18 13:17:07:871 IST] 00000084 id=         com.ibm.ws.ssl.config.SSLConfigManager                       < resetDefaultSSLContext Exit
[11/5/18 13:17:07:872 IST] 00000084 id=         com.ibm.ws.ssl.internal.KeystoreConfigurationFactory         A CWPKI0811I: The keystore file resources\security\trust.jks has been modified.  The keystore file will be reloaded so the updated keystore file can be used.
[11/5/18 13:17:07:872 IST] 00000084 id=         com.ibm.ws.ssl.internal.KeystoreConfigurationFactory         < performFileBasedAction Exit

With an absolute path:

[11/5/18 13:11:32:720 IST] 00000086 id=         com.ibm.ws.ssl.internal.KeystoreConfigurationFactory         > performFileBasedAction Entry
                                                                                                               [D:\programs\WebSphere\wlp-webProfile7-18.0.0.1\wlp\usr\servers\defaultServer\resources\security\trust.jks]
[11/5/18 13:11:32:723 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 3 Clearing standard javax.net.ssl.SSLContext cache.
[11/5/18 13:11:32:723 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 clearJavaKeyStore
[11/5/18 13:11:32:723 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 clearJavaKeyStore
[11/5/18 13:11:32:723 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 clearJavaKeyStore
[11/5/18 13:11:32:723 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 clearJavaKeyStore
[11/5/18 13:11:32:724 IST] 00000086 id=         com.ibm.ws.ssl.config.SSLConfigManager                       > resetDefaultSSLContext Entry
[11/5/18 13:11:32:724 IST] 00000086 id=         com.ibm.ws.ssl.config.SSLConfigManager                       > getDefaultSSLConfig Entry
[11/5/18 13:11:32:724 IST] 00000086 id=         com.ibm.ws.ssl.config.SSLConfigManager                       3 getGlobalProperty -> com.ibm.ssl.defaultAlias=defaultSSLConfig
[11/5/18 13:11:32:724 IST] 00000086 id=         com.ibm.ws.ssl.config.SSLConfigManager                       3 defaultAlias: defaultSSLConfig
[11/5/18 13:11:32:724 IST] 00000086 id=         com.ibm.ws.ssl.config.SSLConfigManager                       < defaultAlias not null, getDefaultSSLConfig for: defaultSSLConfig Exit
[11/5/18 13:11:32:724 IST] 00000086 id=         com.ibm.ws.ssl.config.SSLConfigManager                       > keyStoreModified Entry
[11/5/18 13:11:32:726 IST] 00000086 id=         com.ibm.ws.ssl.config.SSLConfigManager                       < keyStoreModified true Exit
[11/5/18 13:11:32:726 IST] 00000086 id=         com.ibm.ws.ssl.JSSEProviderFactory                           > getInstance: null Entry
[11/5/18 13:11:32:726 IST] 00000086 id=         com.ibm.ws.ssl.JSSEProviderFactory                           < getInstance: com.ibm.ws.ssl.provider.IBMJSSEProvider@50d8b2eb Exit
[11/5/18 13:11:32:727 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 > setServerDefaultSSLContext Entry
[11/5/18 13:11:32:727 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 > getSSLContext Entry
                                                                                                               null
[11/5/18 13:11:32:727 IST] 00000086 id=         com.ibm.ws.ssl.config.ThreadContext                          3 setOutboundConnectionInfoInternal :null
[11/5/18 13:11:32:727 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 3 outboundConnectionInfo: null
[11/5/18 13:11:32:727 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 > getSSLContextInstance Entry
[11/5/18 13:11:32:728 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 < getSSLContextInstance Exit
[11/5/18 13:11:32:728 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 > getKeyTrustManagers Entry
                                                                                                               null
                                                                                                               SSLConfig.toString() {
com.ibm.ssl.clientAuthenticationSupported=false
com.ibm.ssl.contextProvider=IBMJSSE2
config.displayId=keyStore[defaultKeyStore]
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.keyStoreReadOnly=false
com.ibm.ssl.alias=defaultSSLConfig
com.ibm.ssl.keyStoreCreateCMSStash=false
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.trustStoreName=jvmTrustStore
com.ibm.ssl.trustStorePassword=********
service.pid=com.ibm.ws.ssl.keystore_21
com.ibm.ssl.trustManager=PKIX
com.ibm.ssl.validationEnabled=false
com.ibm.ssl.trustStoreInitializeAtStartup=false
com.ibm.ssl.keyManager=IbmX509
com.ibm.ssl.keyStoreFileBased=true
com.ibm.ssl.keyStoreType=jks
com.ibm.ssl.trustStoreFileBased=true
com.ibm.ssl.trustStoreCreateCMSStash=false
com.ibm.ssl.trustStore=D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
config.overrides=true
com.ibm.ssl.daysBeforeExpireWarning=60
sslRef=defaultSSLConfig
id=defaultKeyStore
config.id=com.ibm.ws.ssl.keystore[defaultKeyStore]
com.ibm.ssl.clientAuthentication=false
com.ibm.ssl.keyStore=resources/security/key.jks
com.ibm.ssl.trustStoreReadOnly=false
config.source=file
alias=defaultSSLConfig
com.ibm.ssl.tokenEnabled=false
com.ibm.ssl.keyStoreName=defaultKeyStore
com.ibm.ssl.keyStorePassword=********
com.ibm.ssl.keyStoreInitializeAtStartup=false
service.factoryPid=com.ibm.ws.ssl.keystore
com.ibm.ssl.trustStoreType=jks
}
[11/5/18 13:11:32:728 IST] 00000086 id=         com.ibm.ws.ssl.config.KeyStoreManager                        3 Returning a keyStore for name: jvmTrustStore
[11/5/18 13:11:32:728 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             > do_getKeyStore Entry
                                                                                                               false
                                                                                                               false
[11/5/18 13:11:32:728 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 Initializing KeyStore: jvmTrustStore
[11/5/18 13:11:32:729 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 Password was not decoded.
[11/5/18 13:11:32:729 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 File path for store: D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:729 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 Loading keyStore (filebased)
[11/5/18 13:11:32:729 IST] 00000086 id=         com.ibm.ws.ssl.JSSEProviderFactory                           > getInstance: null Entry
[11/5/18 13:11:32:729 IST] 00000086 id=         com.ibm.ws.ssl.JSSEProviderFactory                           < getInstance: com.ibm.ws.ssl.provider.IBMJSSEProvider@50d8b2eb Exit
[11/5/18 13:11:32:729 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 3 KeyStore.getInstance(jks, null)
[11/5/18 13:11:32:731 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 alias: p13
[11/5/18 13:11:32:731 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 alias: p12
[11/5/18 13:11:32:731 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 do_getKeyStore (initialized)
[11/5/18 13:11:32:731 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             < do_getKeyStore Exit
                                                                                                               java.security.KeyStore@7be5d76a
[11/5/18 13:11:32:731 IST] 00000086 id=         com.ibm.ws.ssl.config.KeyStoreManager                        3 Returning a keyStore for name: defaultKeyStore
[11/5/18 13:11:32:732 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             > do_getKeyStore Entry
                                                                                                               false
                                                                                                               false
[11/5/18 13:11:32:732 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 Initializing KeyStore: defaultKeyStore
[11/5/18 13:11:32:732 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 Password was not decoded.
[11/5/18 13:11:32:732 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 File path for store: resources/security/key.jks
[11/5/18 13:11:32:732 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 Loading keyStore (filebased)
[11/5/18 13:11:32:732 IST] 00000086 id=         com.ibm.ws.ssl.JSSEProviderFactory                           > getInstance: null Entry
[11/5/18 13:11:32:732 IST] 00000086 id=         com.ibm.ws.ssl.JSSEProviderFactory                           < getInstance: com.ibm.ws.ssl.provider.IBMJSSEProvider@50d8b2eb Exit
[11/5/18 13:11:32:733 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 3 KeyStore.getInstance(jks, null)
[11/5/18 13:11:32:735 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 alias: default
[11/5/18 13:11:32:735 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 do_getKeyStore (initialized)
[11/5/18 13:11:32:735 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             < do_getKeyStore Exit
                                                                                                               java.security.KeyStore@941dcba8
[11/5/18 13:11:32:735 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 getLocation -> D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:735 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 3 Using trust store: D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:736 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 3 getTrustManagerFactory.getInstance(PKIX, IBMJSSE2)javax.net.ssl.TrustManagerFactory@c99b19d6
[11/5/18 13:11:32:736 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 3 certStoreHost: null
[11/5/18 13:11:32:736 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 3 certStorePort: 389
[11/5/18 13:11:32:736 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 3 trustManagerAlgorithm: PKIX
[11/5/18 13:11:32:736 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 getLocation -> resources/security/key.jks
[11/5/18 13:11:32:736 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 3 Using software keystore: resources/security/key.jks
[11/5/18 13:11:32:736 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 3 getKeyManagerFactory.getInstance(IbmX509, IBMJSSE2) javax.net.ssl.KeyManagerFactory@df035ba8
[11/5/18 13:11:32:737 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 Password was not decoded.
[11/5/18 13:11:32:737 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 3 Entering synchronized block around key manager factory init.
[11/5/18 13:11:32:739 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 3 Exiting synchronized block around key manager factory init.
[11/5/18 13:11:32:740 IST] 00000086 id=         com.ibm.ws.ssl.core.WSX509KeyManager                         > WSX509KeyManager Entry
[11/5/18 13:11:32:740 IST] 00000086 id=         com.ibm.ws.ssl.core.CertMappingKeyManager                    > <init> Entry
[11/5/18 13:11:32:740 IST] 00000086 id=         com.ibm.ws.ssl.core.CertMappingKeyManager                    > parseSSLCertFile Entry
[11/5/18 13:11:32:740 IST] 00000086 id=         com.ibm.ws.ssl.core.CertMappingKeyManager                    < parseSSLCertFile Exit
[11/5/18 13:11:32:740 IST] 00000086 id=         com.ibm.ws.ssl.core.CertMappingKeyManager                    < <init> Exit
[11/5/18 13:11:32:740 IST] 00000086 id=         com.ibm.ws.ssl.config.KeyStoreManager                        3 Returning a keyStore for name: defaultKeyStore
[11/5/18 13:11:32:740 IST] 00000086 id=         com.ibm.ws.ssl.core.WSX509KeyManager                         < WSX509KeyManager Exit
[11/5/18 13:11:32:741 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 3 Initializing WSX509KeyManager.
                                                                                                               null
                                                                                                               null
                                                                                                               null
[11/5/18 13:11:32:741 IST] 00000086 id=         com.ibm.ws.ssl.config.WSKeyStore                             3 getLocation -> D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:741 IST] 00000086 id=         com.ibm.ws.ssl.core.WSX509TrustManager                       > WSX509TrustManager Entry
                                                                                                               null
                                                                                                               D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:742 IST] 00000086 id=         com.ibm.ws.ssl.core.WSX509TrustManager                       < WSX509TrustManager Exit
[11/5/18 13:11:32:742 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 < getKeyTrustManagers Exit
[11/5/18 13:11:32:743 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 3 SSLContext cache size: 1
[11/5/18 13:11:32:743 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 < getSSLContext -> (new) Exit
[11/5/18 13:11:32:743 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 3 Default SSLContext set to defaultSSLConfig
[11/5/18 13:11:32:743 IST] 00000086 id=         com.ibm.ws.ssl.provider.AbstractJSSEProvider                 < setServerDefaultSSLContext Exit
[11/5/18 13:11:32:743 IST] 00000086 id=         com.ibm.ws.ssl.config.SSLConfigManager                       < resetDefaultSSLContext Exit
[11/5/18 13:11:32:743 IST] 00000086 id=         com.ibm.ws.ssl.internal.KeystoreConfigurationFactory         A CWPKI0811I: The keystore file D:\programs\WebSphere\wlp-webProfile7-18.0.0.1\wlp\usr\servers\defaultServer\resources\security\trust.jks has been modified.  The keystore file will be reloaded so the updated keystore file can be used.
[11/5/18 13:11:32:744 IST] 00000086 id=         com.ibm.ws.ssl.internal.KeystoreConfigurationFactory         < performFileBasedAction Exit

1 answer:

Answer 0 (score: 0)

This issue was resolved with a workaround that always supplies the absolute path to the truststore. This looks like a bug, since I could not find any documentation indicating that the attribute only supports absolute paths.
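The following server.xml fragment is an added example and is not part of the original question or answer. It puts the relative location from the question (which logs CWPKI0811I but, per the trace above, ends in keyStoreModified false and "Modified keystore file are not part of the default SSL configuration", so the default SSLContext is never rebuilt) beside an absolute form that the trace shows reaching keyStoreModified true and setServerDefaultSSLContext. Instead of hard-coding a drive letter as in the D:\...\defaultServer path, the absolute location is built from Liberty's predefined ${server.config.dir} variable, which resolves to the server directory (wlp/usr/servers/<serverName>), so server.xml stays portable. The file names, the 5s polling rate and the TLSv1.2 pin are assumptions; the password and type placeholders are kept as in the question.

```xml
<!-- Added example, not the original post's configuration. Assumes the stores live
     under the server directory as resources/security/trust.jks and key.jks. -->

<!-- Relative location as in the question: the audit message CWPKI0811I is logged,
     but the reload is not applied to the default SSL configuration
     (trace: keyStoreModified false). Shown commented out for comparison. -->
<!--
<keyStore id="trustStore" location="resources/security/trust.jks"
    password="${truststore.password}" type="${truststore.type}"
    pollingRate="5s" updateTrigger="polled" />
-->

<!-- Absolute location built from the predefined Liberty variable
     ${server.config.dir} (wlp/usr/servers/<serverName>). This is the form that
     the absolute-path trace in the question shows being reloaded
     (keyStoreModified true, followed by setServerDefaultSSLContext),
     without tying server.xml to one machine's D:\ path. -->
<keyStore id="trustStore"
    location="${server.config.dir}/resources/security/trust.jks"
    password="${truststore.password}" type="${truststore.type}"
    pollingRate="5s" updateTrigger="polled" />

<keyStore id="defaultKeyStore"
    location="${server.config.dir}/resources/security/key.jks"
    password="${keystore.password}" type="${keystore.type}" />

<!-- sslProtocol pinned to TLSv1.2 instead of the SSL_TLSv2 umbrella value used
     in the question; SSL_TLSv2 also admits the older protocol versions. -->
<ssl id="defaultSSLConfig"
    keyStoreRef="defaultKeyStore"
    trustStoreRef="trustStore"
    clientAuthentication="false"
    clientAuthenticationSupported="true"
    sslProtocol="TLSv1.2" />

<sslDefault sslRef="defaultSSLConfig" />
```

If the location has to stay in the properties file, the value read into ${truststore.location} should be the absolute path rather than resources/security/trust.jks. Either way, CWPKI0811I on its own is not evidence that the reload took effect: after importing a certificate, confirm in the SSL trace that keyStoreModified is true for the modified file and then make the HTTPS call; only a successful handshake without a restart proves the new trust anchor is in use.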