Question
Good day,
I have a MobileFirst Server that will call my backend application (IP address: 10.8.1.46).
It currently works while I am connected to the http backend application.
I want to change it to connect over https.
The following are the steps I have done:
- Log in to the backend server and run the following command to generate the keystore:
keytool -genkey -alias backend -keyalg RSA -validity 365 -keystore backend.jks -storetype JKS
It prompts me to key in the keystore password, first name and last name, and the other info. For first name and last name, I key in 10.8.1.46.
- I run the following command to export the crt file:
keytool -export -alias backend -keystore backend.keystore -rfc -file backend.crt
I copy this backend.crt to my mfp server. On my mfp server, I also create a keystore with the following command:
keytool -keystore mfp.jks -genkey -alias mfp -keyalg RSA
I run the following command to import the backend cert into the mfp keystore:
keytool -import -alias backend -file backend.crt -storetype JKS -keystore mfp.jks
I run the keytool command to verify whether the cert is inside the keystore, and yes, it is inside:
keytool -list -keystore mfp.jks
Next, I edit the mfp server's server.xml and update the keystore tag as follows:
<keyStore id="defaultKeyStore" location="/opt/IBM/libertyCore/usr/servers/mfp1/resources/security/mfp.jks" password="pass123" type="jks" />
And I added the <connectivity> tag in my adapter.xml:
<displayName>MyAdapter</displayName>
<description>MyAdapter</description>
<connectivity>
<connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
<protocol>https</protocol>
<domain>10.8.1.46</domain>
<port>8443</port>
<sslCertificateAlias>mfp</sslCertificateAlias>
<sslCertificatePassword>pass123</sslCertificatePassword>
</connectionPolicy>
</connectivity>
<JAXRSApplicationClass>c.c.i.mobile.MyAdapterApplication</JAXRSApplicationClass>
<property name="rest.api.base.url" defaultValue="https://10.8.1.46:8443/api/v1" description="REST API Base URL" />
<property name="rest.api.connection.request.timeout" defaultValue="4000" description="REST API Connection Request Timeout (miliseconds)" />
<property name="rest.api.connect.timeout" defaultValue="10000" description="REST API Connect Timeout (miliseconds)" />
<property name="rest.api.socket.timeout" defaultValue="50000" description="REST API Socket Timeout (miliseconds)" />
<securityCheckDefinition name="UserAuthentication" class="c.c.i.mobile.authentication.UserAuthentication">
<property name="maxAttempts" defaultValue="3" description="How many attempts are allowed"/>
</securityCheckDefinition>
- Restart the mfp server.
However, I am still hitting a certificate error when firing a request to the https backend service:
[2/20/20 18:56:37:900 MYT] 0000008c c.c.i.mobile.resources.GeneralResource I >>> initialize
[2/20/20 18:56:37:906 MYT] 0000008c c.c.i.mobile.client.RestClient E client fail to execute REST
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at com.cv.ibs.mobile.client.RestClient.execute(RestClient.java:55)
at com.cv.ibs.mobile.resources.BaseResource.requestForPost(BaseResource.java:47)
at com.cv.ibs.mobile.resources.GeneralResource.initialize(GeneralResource.java:39)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:181)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:97)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:200)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:99)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:268)
at com.ibm.mfp.server.java.adapter.shared.JAXRSSandbox$3.doFilter(JAXRSSandbox.java:579)
at com.ibm.mfp.server.java.adapter.shared.FilterChainImpl.doFilter(FilterChainImpl.java:86)
at com.ibm.mfp.server.java.adapter.shared.JAXRSSandbox.handleRequest(JAXRSSandbox.java:584)
at com.ibm.mfp.server.java.adapter.internal.rest.AdaptersEndpoint.adapterServing(AdaptersEndpoint.java:123)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:137)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:776)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:705)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:966)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:868)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1285)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:776)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:473)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:135)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:74)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:978)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1100)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:81)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:912)
at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:262)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:955)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
... 77 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 83 more
But if I go to the MFP Console and change the url back to http, it still works.
Am I missing any step?
Recommended answer
Not sure why mfp.jks is not loaded by server.xml even after restarting the mfp server.
I found another alternative way to do this, by adding the following values into jvm.options on the mfp server:
-Djavax.net.ssl.trustStore=/opt/IBM/libertyCore/usr/servers/mfp1/resources/security/mfp.jks
-Djavax.net.ssl.trustStorePassword=cyber123
Restart the mfp server and it will work.
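Why the jvm.options change worked when the server.xml change did not is visible in the stack trace: the request fails inside the adapter's own com.cv.ibs.mobile.client.RestClient, which calls Apache HttpClient directly. A client built that way takes its trust anchors from the JVM default trust store (the JDK cacerts file, or whatever javax.net.ssl.trustStore points at), not from Liberty's <keyStore id="defaultKeyStore"> element, and the <connectivity> sslCertificateAlias / sslCertificatePassword settings select a client certificate for mutual TLS rather than adding trust. Pointing javax.net.ssl.trustStore at mfp.jks does make the backend trusted, but at a cost: mfp.jks now replaces cacerts for the whole JVM, so every other outbound TLS connection from that server loses the public CA roots unless they are imported into mfp.jks too, and the trust store password sits in plain text in jvm.options. The example below is added here and is not code from the question, the answer or IBM MobileFirst. It assumes Apache HttpClient 4.4 or later (the version the trace's class names indicate), that the trust store password is supplied in a TRUSTSTORE_PASSWORD environment variable, and the paths and URL from the question. It does two things: an offline pre-flight that runs the exported backend.crt through the same checkServerTrusted() call that failed in the trace, so a bad import is caught before deployment, and an HttpClient scoped to an SSLContext built from mfp.jks, which leaves the JVM-wide defaults untouched.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class BackendTlsClient {

    /** Load a JKS trust store. The password only protects the file's integrity check. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        return ts;
    }

    /** The X509TrustManager a JSSE client would use if it were given this trust store. */
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available for " + tmf.getAlgorithm());
    }

    /**
     * Offline pre-flight: feed the exported backend.crt (PEM, as produced by keytool -export -rfc)
     * to the same checkServerTrusted() that failed in the stack trace. A self-signed cert is
     * accepted only if that exact cert is a trusted entry in the store.
     */
    static boolean isTrusted(X509TrustManager tm, String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(pemPath)) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        try {
            tm.checkServerTrusted(new X509Certificate[] {cert}, "RSA");
            return true;
        } catch (CertificateException e) {
            System.err.println("not trusted: " + e.getMessage());
            return false;
        }
    }

    /** SSLContext that trusts only this trust store; the JVM-wide cacerts are left alone. */
    static SSLContext sslContext(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, new TrustManager[] {tm}, null);
        return ctx;
    }

    /** Apache HttpClient bound to that SSLContext, with hostname verification kept enabled. */
    static CloseableHttpClient httpClient(SSLContext ctx) {
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                ctx, new String[] {"TLSv1.2"}, null, new DefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sf).build();
    }

    public static void main(String[] args) throws Exception {
        // Assumed: same path as the question's server.xml; password from the environment,
        // not from a config file committed next to the adapter.
        String trustStorePath = "/opt/IBM/libertyCore/usr/servers/mfp1/resources/security/mfp.jks";
        String pw = System.getenv("TRUSTSTORE_PASSWORD");
        if (pw == null) {
            throw new IllegalStateException("TRUSTSTORE_PASSWORD is not set");
        }
        X509TrustManager tm = trustManagerFor(loadTrustStore(trustStorePath, pw.toCharArray()));

        if (!isTrusted(tm, "backend.crt")) {
            System.err.println("mfp.jks does not trust backend.crt; re-import it before deploying the adapter");
            return;
        }

        try (CloseableHttpClient client = httpClient(sslContext(tm));
             CloseableHttpResponse resp = client.execute(new HttpGet("https://10.8.1.46:8443/api/v1"))) {
            System.out.println(resp.getStatusLine());
            EntityUtils.consume(resp.getEntity());
        }
    }
}
```

Two further checks are worth doing on the certificate itself. The question's certificate carries the IP address only in the CN ("first and last name"); HttpClient's DefaultHostnameVerifier falls back to the CN only when the certificate has no subjectAltName at all, so regenerate the backend key with the IP in a SAN, for example by adding -ext SAN=ip:10.8.1.46 to the keytool -genkey command, so that hostname verification does not depend on a deprecated fallback. And keep mfp.jks as a trust store only: because it also holds the mfp private key (alias mfp), anyone who can read jvm.options or server.xml gets both the password and the key, so a separate truststore containing nothing but backend.crt is the smaller exposure.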
This concludes the article on still hitting a certificate error after configuring the MobileFirst keystore; we hope the recommended answer helps.