我有一个供应商提供的示例命令行Java应用程序。它取决于SSL身份验证。我有供应商的证书,可以在我的java 7 cacerts文件(Windows,c:\program files\java\jdk1.7.0_07\jre\lib\security\cacerts)中看到它们。如果我打开java 8 cacerts文件,则它们不存在(c:\program files\java\jre1.8.0_66\lib\security\cacerts)
如果我将路径设置为首先使用Java 8,则该程序可以运行。如果我更改路径以使Java 7首先出现,则程序将失败并显示证书错误:
C:\project\tryCerts\Demo2>path=c:\program files\java\jdk1.7.0_07\bin;c:\program files\java\jre1.8.0_66\bin
C:\project\tryCerts\Demo2>java -jar vendorCmd.jar user1 password2 environment3
Dec 22, 2015 11:11:35 AM [com.sun.xml.ws.policy.jaxws.PolicyConfigParser] parse
INFO: WSP5018: Loaded WSIT configuration from file: jar:file:/C:/project/tryCerts/Demo2/vendorCmd/dist/vendorCmd.jar!/META-INF/wsit-client.xml.
Unable to log in: com.sun.xml.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.Va
lidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to re
quested target
C:\project\tryCerts\Demo2>path=c:\program files\java\jre1.8.0_66\bin;c:\program files\java\jdk1.7.0_07\bin
C:\project\tryCerts\Demo2>java -jar vendorCmd.jar acc03\acc03_ws_user accwbS3rv!ceS acc03_p_production
Dec 22, 2015 11:21:34 AM [com.sun.xml.ws.policy.jaxws.PolicyConfigParser] parse
INFO: WSP5018: Loaded WSIT configuration from file: jar:file:/C:/project/tryCerts/Demo2/vendorCmd/dist/vendorCmd.jar!/META-INF/wsit-client.xml.
logged in
Dec 22, 2015 11:21:35 AM [com.sun.xml.ws.policy.jaxws.PolicyConfigParser] parse
INFO: WSP5018: Loaded WSIT configuration from file: jar:file:/C:/project/tryCerts/Demo2/vendorCmd/dist/vendorCmd.jar!/META-INF/wsit-client.xml.
Signed Info:org.jcp.xml.dsig.internal.dom.DOMSignedInfo@3f071328
AccountNumber: 279105/ Firstname: null/ LastName: null
AccountNumber: 1005118/ Firstname: null/ LastName: COMPANY1
AccountNumber: 2102765/ Firstname: null/ LastName: COMPANY2
AccountNumber: 2101373/ Firstname: null/ LastName: COMPANY3
AccountNumber: 2119664/ Firstname: null/ LastName: COMPANY4
AccountNumber: 2119668/ Firstname: null/ LastName: ET CETERA
C:\project\tryCerts\Demo2>dir/s cacerts
Volume in drive C is OS
Volume Serial Number is 9896-211D
File Not Found
C:\project\tryCerts\Demo2>
这与我的预期恰恰相反-具有供应商证书链的java 7文件夹中的cacerts文件,而没有供应商证书链的java 8。但是,在Java 7上运行该程序失败并显示证书错误,而在8上运行成功。
谁能告诉我我应该寻找什么来解释这一点?
最佳答案
要确定正在使用的信任存储区,而不必求助于strace(linux)和process explorer(windows)之类的工具,可以将调试标志-Djavax.net.debug=ssl传递给Java命令行,该命令行转储所有与ssl相关的调试信息(我提到过)原始注释中的all,但这会给输出增加更多的噪音):
java -Djavax.net.debug=ssl -jar vendorCmd.jar user1 password2 environment3
在调试输出的前10行中,将出现以下行:
trustStore is: <path to>cacerts
这表明正在使用的信任库。
知道
=ssl选项,它还将转储所有被添加到JVM认为受信任的证书列表中的受信任证书。这可以用来验证您认为在信任库中的证书确实在信任库中-在这种情况下,您应该能够在列表中看到供应商的证书。JSSE引用指南中详细介绍了the debug options for javax.net.debug的完整列表。