This page covers the error "Cannot store non-PrivateKeys" raised when creating an SSL socket in Java, and how to deal with it.

Problem description


I am working on an older IBM iSeries (IBM-i, i5OS, AS/400, etc), with a Java 5 JVM (Classic, not ITJ J9) on O/S version V5R3M0.

Here is the scenario:

  1. I created a key-store of type JKS using Portecle 1.7 (Note: I did try converting my key-store to JCEKS but that was rejected as an unsupported format, so it appears that JKS is the only option with the iSeries machine (at least the version I am on)).
  2. I then created a key-pair and CSR and sent the CSR to Thawte to be signed.
  3. I imported the signed certificate from Thawte successfully using the PKCS#7 format to import the entire certificate chain, which included my certificate, the Thawte intermediary and the Thawte server root.

All of this worked as expected.


However, when I ran up the JVM, configured properly to point to the store and supply its password (which I have done in the past with self-signed certificates created in Portecle for testing), and try to start my web server on 443, I get the following security exception:

java.security.KeyStoreException: Cannot store non-PrivateKeys


Can anyone tell me where I went wrong, or what I should check next?

Recommended answer


Instead of using an ephemeral keystore, you could handle everything within a single SSLContext.


You would need to initialise your SSLContext using a custom X509KeyManager instead of using the one given by the default KeyManagerFactory. In this X509KeyManager, chooseServerAlias(String keyType, Principal[] issuers, Socket socket) should return a different alias depending on the local address obtained from the socket.


This way, you wouldn't have to worry about copying the private key from one keystore to another, and this would even work for keystore types from which you can't extract (and thus copy) but only use the private key, e.g. PKCS#11.
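The custom key manager the answer describes, written out as an added example (this is not the answerer's code): it wraps the JVM's default X509KeyManager and picks the server alias from the socket's local address, falling back to the default choice whenever the chosen alias has no private key behind it. The address-to-alias map, the alias names and the fallback alias are assumptions; the keystore and password are whatever the server already loads.

```java
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

/** Delegates to the default key manager but selects the server alias by local address (Java 5 API only). */
public final class AddressBoundKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final Map<InetAddress, String> aliasByAddress; // assumed mapping, e.g. 192.0.2.10 -> "siteA"
    private final String fallbackAlias;                    // assumed alias used when no address matches

    public AddressBoundKeyManager(X509KeyManager delegate, Map<InetAddress, String> aliasByAddress, String fallbackAlias) {
        this.delegate = delegate;
        this.aliasByAddress = aliasByAddress;
        this.fallbackAlias = fallbackAlias;
    }

    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        String alias = (socket == null) ? null : aliasByAddress.get(socket.getLocalAddress());
        if (alias == null) alias = fallbackAlias;
        // Only return an alias the keystore can serve a private key for; otherwise let the default manager decide.
        return delegate.getPrivateKey(alias) != null ? alias : delegate.chooseServerAlias(keyType, issuers, socket);
    }

    // Everything else is passed straight through to the default key manager.
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return delegate.chooseClientAlias(keyType, issuers, socket); }
    public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    /** Builds an SSLContext whose only key manager is this wrapper; the keystore is never copied. */
    public static SSLContext build(KeyStore keyStore, char[] password,
                                   Map<InetAddress, String> aliasByAddress, String fallbackAlias) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        X509KeyManager defaultKm = (X509KeyManager) kmf.getKeyManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new AddressBoundKeyManager(defaultKm, aliasByAddress, fallbackAlias) }, null, null);
        return ctx;
    }
}
```

Use ctx.getServerSocketFactory() from the returned context to open the port 443 listener; because the private key stays inside the original keystore, this also works with types such as PKCS#11 where the key cannot be exported.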


07-31 20:39