本文介绍了使用cloudant的自由应用程序的SSL握手失败的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我被困在这上面的时间比我想承认的要长得多。我想使用WebSphere Liberty连接到cloudant / couchdb。



我是Java应用程序开发,Liberty,Cloudant和Bluemix的新手。



我认为我需要在本地信任存储中为cloudant添加SSL证书,但唯一的方法是使用Websphere Application Server集成解决方案控制台,我无法运行使用Liberty?



如果有人能指导我正确的方向,我会很感激!

  [错误] CWPKI0022E:SSL HANDSHAKE FAILURE:具有SubjectDN的签名者CN = * .cloudant.com,OU = Engineering,O =Cloudant,Inc。,L = Boston,ST = Massachusetts,C =美国是从目标主机发送的。签名者可能需要添加到本地信任库C:/Users/user/Liberty/usr/servers/simplespring2/resources/security/key.jks,位于SSL配置别名defaultSSLConfig中。来自SSL握手异常的扩展错误消息是:PKIX路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:无法找到请求目标的有效证书路径
[错误]无法读取cookie响应头
java.security.cert.CertificateException:PKIX路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:无法找到请求目标的有效证书路径
[错误] CWPKI0022E:SSL握手失败:签名者SubjectDN CN = * .cloudant.com,OU = Engineering,O =Cloudant,Inc。,L = Boston,ST = Massachusetts,C = US是从目标主机发送的。签名者可能需要添加到本地信任库C:/Users/user/Liberty/usr/servers/simplespring2/resources/security/key.jks,位于SSL配置别名defaultSSLConfig中。来自SSL握手异常的扩展错误消息是:PKIX路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:无法找到请求目标的有效证书路径
[错误]无法从请求获取响应代码
java.security.cert.CertificateException:PKIX路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:无法找到请求目标的有效证书路径
[错误] SRVE0777E:应用程序类抛出的异常db.CloudantClientMgr.getDB:128'
java.lang.RuntimeException:DB未找到db.CloudantClientMgr.getDB的
(CloudantClientMgr.java:128)
at servlets.LocationServlet.setLocation(LocationServlet .java:180)
at servlets.LocationServlet.doPost(LocationServlet.java:170)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax。 servlet.http.HttpServlet.service(HttpServlet.java:790)com.ibm.ws.webcontain的
er.servlet.ServletWrapper.service(ServletWrapper.java:1287)
at [internal classes]
引起:com.cloudant.client.org.lightcouch.CouchDbException:检索服务器响应时出错
在com.cloudant.client.org.lightcouch.CouchDbClient.execute(CouchDbClient.java:535)
at com.cloudant.client.org.lightcouch.CouchDbClient.executeToInputStream(CouchDbClient.java:550)
在com.cloudant.client.org.lightcouch.CouchDbClient.put(CouchDbClient.java:361)
at com.cloudant.client.org.lightcouch.CouchDbClient.put(CouchDbClient.java:351)
在com.cloudant.client.org.lightcouch.CouchDatabaseBase.create(CouchDatabaseBase.java:437)
at com.cloudant.client.org.lightcouch.CouchDatabaseBase。< init>(CouchDatabaseBase.java:61)
at com.cloudant.client.org.lightcouch.CouchDatabase。< init>(CouchDatabase.java:26)
at com.cloudant.client.org.lightcouch.CouchDbClient.database(CouchDbClient.java: 165)com.cloudant.client.ap上的
i.CloudantClient.database(CloudantClient.java:216)
at db.CloudantClientMgr.getDB(CloudantClientMgr.java:126)
... 6 more
由(重复)引起... :javax.net.ssl.SSLHandshakeException:java.security.cert.CertificateException:PKIX路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:无法在sun.reflect中找到请求目标
的有效证书路径。 NativeConstructorAccessorImpl.newInstance0(本机方法)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect。 Constructor.newInstance(未知来源)
at sun.net.www.protocol.http.HttpURLConnection $ 10.run(未知来源)
at sun.net.www.protocol.http.HttpURLConnection $ 10.run(未知来源)
at java.security.AccessController.doPrivileged(Native Method)
at sun.net.www.protocol.http.HttpURLConnection。 getChainedException(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
at com.cloudant.client.org。 lightcouch.CouchDbClient.execute(CouchDbClient.java:483)
... 15更多
引起:java.security.cert.CertificateException:PKIX路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException :无法在com.ibm.ws.ssl.core.WSX509TrustManager.checkServerTrusted(WSX509TrustManager.java:290)找到请求目标
的有效证书路径
at [internal classes]
at sun .security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(未知来源)
... 32更多


解决方案

您需要将远程服务器证书添加到WAS trustStore



获取远程证书(例如:使用Linux / Mac):
echo| openssl s_client -connect YOUR_REMOTE_SERVER:443 -showcerts 2> / dev / null | openssl x509 -out certfile.txt



将证书导入trustStore文件:
keytool -import -alias ca -file certfile.txt -keystore trust.jks -storepass changeit



在WAS中使用此JKS信任库 server.xml ,将其复制到您的WAS( {WLP} / usr / servers / {YOUR_SERVER} / resources / security )并将其添加到您的 server.xml 例如:

 < ssl id =defaultSSLSettings sslProtocol =TLSv1.2keyStoreRef =defaultKeyStore
trustStoreRef =defaultTrustStore/>
< keyStore id =defaultKeyStorelocation =$ {server.config.dir} /resources/security/key.jks
password =changeit/>
< keyStore id =defaultTrustStore
location =$ {server.config.dir} /resources/security/trust.jks\"password =changeit/>


I've been stuck on this far longer than I want to admit. I want to connect to cloudant/couchdb using WebSphere Liberty.

I'm fairly new to Java app development, Liberty, Cloudant and Bluemix.

I believe I need to add a SSL certificate for cloudant in a local trust store but the only way to do it seems to be by using the Websphere Application Server Integrated Solutions Console, which I can't run using Liberty?

If anyone can guide me in the right direction I would appreciate it alot!

    [ERROR   ] CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN CN=*.cloudant.com, OU=Engineering, O="Cloudant, Inc.", L=Boston, ST=Massachusetts, C=US was sent from the target host.  The signer might need to be added to local trust store C:/Users/user/Liberty/usr/servers/simplespring2/resources/security/key.jks, located in SSL configuration alias defaultSSLConfig.  The extended error message from the SSL handshake exception is: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[ERROR   ] Failed to read cookie response header
java.security.cert.CertificateException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[ERROR   ] CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN CN=*.cloudant.com, OU=Engineering, O="Cloudant, Inc.", L=Boston, ST=Massachusetts, C=US was sent from the target host.  The signer might need to be added to local trust store C:/Users/user/Liberty/usr/servers/simplespring2/resources/security/key.jks, located in SSL configuration alias defaultSSLConfig.  The extended error message from the SSL handshake exception is: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[ERROR   ] Failed to get response code from request
java.security.cert.CertificateException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[ERROR   ] SRVE0777E: Exception thrown by application class 'db.CloudantClientMgr.getDB:128'
java.lang.RuntimeException: DB Not found
    at db.CloudantClientMgr.getDB(CloudantClientMgr.java:128)
    at servlets.LocationServlet.setLocation(LocationServlet.java:180)
    at servlets.LocationServlet.doPost(LocationServlet.java:170)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1287)
    at [internal classes]
Caused by: com.cloudant.client.org.lightcouch.CouchDbException: Error retrieving server response
    at com.cloudant.client.org.lightcouch.CouchDbClient.execute(CouchDbClient.java:535)
    at com.cloudant.client.org.lightcouch.CouchDbClient.executeToInputStream(CouchDbClient.java:550)
    at com.cloudant.client.org.lightcouch.CouchDbClient.put(CouchDbClient.java:361)
    at com.cloudant.client.org.lightcouch.CouchDbClient.put(CouchDbClient.java:351)
    at com.cloudant.client.org.lightcouch.CouchDatabaseBase.create(CouchDatabaseBase.java:437)
    at com.cloudant.client.org.lightcouch.CouchDatabaseBase.<init>(CouchDatabaseBase.java:61)
    at com.cloudant.client.org.lightcouch.CouchDatabase.<init>(CouchDatabase.java:26)
    at com.cloudant.client.org.lightcouch.CouchDbClient.database(CouchDbClient.java:165)
    at com.cloudant.client.api.CloudantClient.database(CloudantClient.java:216)
    at db.CloudantClientMgr.getDB(CloudantClientMgr.java:126)
    ... 6 more
Caused by (repeated) ... : javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection$10.run(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection$10.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.net.www.protocol.http.HttpURLConnection.getChainedException(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at java.net.HttpURLConnection.getResponseCode(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
    at com.cloudant.client.org.lightcouch.CouchDbClient.execute(CouchDbClient.java:483)
    ... 15 more
Caused by: java.security.cert.CertificateException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.ibm.ws.ssl.core.WSX509TrustManager.checkServerTrusted(WSX509TrustManager.java:290)
    at [internal classes]
    at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
    ... 32 more
解决方案

You need to add remote server certificate to WAS trustStore

Get remote certificate (e.g: using Linux/Mac):echo "" | openssl s_client -connect YOUR_REMOTE_SERVER:443 -showcerts 2>/dev/null | openssl x509 -out certfile.txt

Import certificate to trustStore file:keytool -import -alias ca -file certfile.txt -keystore trust.jks -storepass changeit

Use this JKS trust store in your WAS server.xml, copy it into your WAS ({WLP}/usr/servers/{YOUR_SERVER}/resources/security) and add these into your server.xml e.g:

<ssl id="defaultSSLSettings" sslProtocol="TLSv1.2" keyStoreRef="defaultKeyStore"
    trustStoreRef="defaultTrustStore" />
<keyStore id="defaultKeyStore" location="${server.config.dir}/resources/security/key.jks"
    password="changeit" />
<keyStore id="defaultTrustStore"
    location="${server.config.dir}/resources/security/trust.jks" password="changeit" />

这篇关于使用cloudant的自由应用程序的SSL握手失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

09-11 20:36