Websphere trust.p12 and cacert store

Time: 2019-02-13 15:57:11

Tags: ssl websphere spring-integration truststore

We are using Spring Integration to connect to an external system over https/SSL. We added the certificate with "retrieve from port", using the external host and port 443. The certificate is present.

But the application keeps failing with

>     ERROR 2886 --- [ebContainer : 1] c.i.w.w.servlet.ServletWrapper           : SRVE0014E: Uncaught service() exception root cause
> dispatcherServlet:
> org.springframework.web.util.NestedServletException: Request
> processing failed; nested exception is
> org.springframework.ws.client.WebServiceIOException: I/O error:
> com.ibm.jsse2.util.h: PKIX path building failed:
> java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl
> could not build a valid CertPath.; internal cause is:
>             java.security.cert.CertPathValidatorException: The certificate issued by CN=ODC somest Root CA - G1, O=ODC sonst, C=TR is
> not trusted; internal cause is:
>             java.security.cert.CertPathValidatorException: Certificate chaining error; nested exception is
> javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path
> building failed: java.security.cert.CertPathBuilderException:
> PKIXCertPathBuilderImpl could not build a valid CertPath.; internal
> cause is:
>             java.security.cert.CertPathValidatorException: The certificate issued by CN=ODC somest Root CA - G1, O=ODC sonst, C=PR is
> not trusted; internal cause is:
>             java.security.cert.CertPathValidatorException: Certificate chaining error

If I run keytool and import the certificate into cacerts, the application works. But that solution is not accepted by the maintenance team, because it does not show up in the Websphere console. Is there anything I can change in the Spring Integration request? Can anyone help me understand the problem and a way to fix it?

Update

/srv/opt/IBM/WebSphere/AppServer/java/bin/keytool -list -v -keystore /srv/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/K1Node01Cell/nodes/K1Node01/trust.p12 -storepass WebAS -storetype PKCS12

shows the certificate entry... not sure how to confirm whether it is complete.

Question:

Should "retrieve from port" have updated the cacerts file? cacerts lives under the Websphere JRE's security directory, while trust.p12 lives under profile/../nodes.

Update 2

I enabled tracing, see the log below. Is Spring trying to look in cacerts... or is that normal, since it is part of the JRE that WebSphere uses?

> [18-2-19 13:44:59:154 ] 00000063 SystemOut     O 2019-02-18
> 13:44:59.153  INFO 30426 --- [ver.startup : 0]
> pertySourcedRequestMappingHandlerMapping : Mapped URL path
> [/v2/api-docs] onto method [public
> org.springframework.http.ResponseEntity<springfox.documentation.spring.web.json.Json>
> springfox.documentation.swagger2.web.Swagger2Controller.getDocumentation(java.lang.String,javax.servlet.http.HttpServletRequest)]
> [18-2-19 13:44:59:826 ] 00000063 SystemOut     O keyStore is:
> /srv/opt/IBM/WebSphere/AppServer/java/8.0/jre/lib/security/cacerts
> [18-2-19 13:44:59:826 ] 00000063 SystemOut     O keyStore type is: jks
> [18-2-19 13:44:59:827 ] 00000063 SystemOut     O keyStore provider is:
> [18-2-19 13:44:59:827 ] 00000063 SystemOut     O init keystore
> [18-2-19 13:44:59:906 ] 00000063 SystemOut     O SSLContextImpl: 
> Using X509ExtendedKeyManager com.ibm.jsse2.ay [18-2-19 13:44:59:908 ]
> 00000063 SystemOut     O trustStore is:
> /srv/opt/IBM/WebSphere/AppServer/java/8.0/jre/lib/security/cacerts

2 Answers:

Answer 0 (score: 1)

I followed the IBM link and used useSystemProperties(). This uses the certificates inside WebSphere; otherwise it looks for certificates in the server's Java.

https://developer.ibm.com/answers/questions/394270/im-using-an-apache-httpclient-to-make-an-outbound/

HttpClient theClient = HttpClientBuilder.create().useSystemProperties().addInterceptorFirst(new RemoveSoapHeadersInterceptor()).build();
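A fuller version of that wiring, as an added example that is not code from this answer, from the question or from the linked IBM article. It shows the two ways of keeping the Spring WS HttpClient transport away from <jre>/lib/security/cacerts: the useSystemProperties() route from the answer, where HttpClient builds its SSLContext from the javax.net.ssl.* properties so that the container's SSL configuration applies, and an explicit route that loads the profile's trust.p12 itself. It also adds a pre-flight lookup for the issuer DN named in the stack trace, which answers the "not sure how to confirm whether it is complete" question from the update. Assumptions: Apache HttpClient 4.5 and spring-ws-core on the classpath; the store path, the password WebAS and the DN fragment CN=ODC are taken from the question; the class and method names are mine.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

import javax.net.ssl.SSLContext;

import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.ssl.SSLContexts;
import org.springframework.ws.client.core.WebServiceTemplate;
import org.springframework.ws.transport.http.HttpComponentsMessageSender;

/**
 * Added example (not from the question or the answers): give the Spring WS /
 * Spring Integration HttpClient transport the WebSphere trust store instead of
 * the JRE's cacerts. Assumes HttpClient 4.5 and spring-ws-core on the classpath.
 */
public class WebSphereTrustStoreClient {

    /** Node-level trust store (NodeDefaultTrustStore) path from the question. */
    static final String TRUST_P12 =
        "/srv/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/K1Node01Cell/nodes/K1Node01/trust.p12";

    /** Store password as used in the question's keytool command. */
    static final char[] TRUST_P12_PASSWORD = "WebAS".toCharArray();

    /**
     * Variant 1 (the answer above): HttpClient derives its SSLContext from the
     * javax.net.ssl.* system properties, so the certificate imported through
     * the WebSphere console is honoured. RemoveSoapHeadersInterceptor is needed
     * whenever a custom HttpClient is passed to HttpComponentsMessageSender;
     * otherwise HttpClient adds Content-Length/Transfer-Encoding headers that
     * clash with the ones Spring WS already sets.
     */
    static HttpComponentsMessageSender systemPropertiesSender() {
        HttpClient client = HttpClientBuilder.create()
            .useSystemProperties()
            .addInterceptorFirst(new HttpComponentsMessageSender.RemoveSoapHeadersInterceptor())
            .build();
        return new HttpComponentsMessageSender(client);
    }

    /** Loads a PKCS12 store such as WebSphere's trust.p12. */
    static KeyStore loadPkcs12(File store, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(store)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Variant 2: trust exactly the certificates in the given store, independent
     * of system properties. HttpClient's default hostname verifier is kept.
     */
    static HttpComponentsMessageSender explicitTrustStoreSender(KeyStore trustStore)
            throws GeneralSecurityException {
        SSLContext ctx = SSLContexts.custom()
            .loadTrustMaterial(trustStore, null) // null TrustStrategy: normal PKIX validation
            .build();
        HttpClient client = HttpClientBuilder.create()
            .setSSLSocketFactory(new SSLConnectionSocketFactory(ctx))
            .addInterceptorFirst(new HttpComponentsMessageSender.RemoveSoapHeadersInterceptor())
            .build();
        return new HttpComponentsMessageSender(client);
    }

    /**
     * Pre-flight check for "The certificate issued by CN=... is not trusted":
     * returns the alias of a certificate whose subject contains the DN fragment,
     * or null if the store does not hold that issuer. PKIX path building needs
     * the issuer (or a CA above it) in the store; a server leaf alone is not enough.
     */
    static String findTrustedIssuer(KeyStore trustStore, String subjectFragment)
            throws GeneralSecurityException {
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate cert = trustStore.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                // getName() yields RFC 2253 form, e.g. "CN=...,O=...,C=TR"
                String subject = ((X509Certificate) cert).getSubjectX500Principal().getName();
                if (subject.contains(subjectFragment)) {
                    return alias;
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadPkcs12(new File(TRUST_P12), TRUST_P12_PASSWORD);
        String alias = findTrustedIssuer(ks, "CN=ODC"); // issuer named in the stack trace
        System.out.println(alias == null
            ? "issuer not in trust.p12: expect PKIX path building failed"
            : "issuer trusted under alias " + alias);

        WebServiceTemplate template = new WebServiceTemplate();
        template.setMessageSender(systemPropertiesSender()); // or explicitTrustStoreSender(ks)
        // template.marshalSendAndReceive("https://external-host:443/service", request);
    }
}
```

For Spring Integration, the same HttpComponentsMessageSender is passed to the WS outbound gateway's message sender instead of to a WebServiceTemplate. If findTrustedIssuer returns null for a store that the console shows as containing the certificate, the store being read is not the one the console edited (NodeDefaultTrustStore vs CellDefaultTrustStore vs the JRE cacerts), which is the situation the trace in "Update 2" points at.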

Answer 1 (score: 0)

To answer only your last question: no, "retrieve from port" should not update cacerts. It updates files like the trust.p12 file you mentioned.

However, your path indicates that you actually have an ND environment with a cell and nodes, and you imported into the NodeDefaultTrustStore. We always import into the CellDefaultTrustStore instead. Could you try that?