问题描述
我的应用程序消耗使用传输级身份验证的SOAP服务。我们正试图应用从Tomcat迁移到Glassfish的3.1。不幸的是,Glassfish的似乎沉默以执行由SOAP服务所需的客户端认证。在SSL堆栈跟踪结果消息uknown_ca。
I have application consuming a SOAP service that uses transport-level authentication. We are trying to move the application from Tomcat to Glassfish 3.1. Unfortunately, Glassfish seems reticent to perform the client authentication needed by the SOAP service. The SSL stacktrace results in the message "uknown_ca".
我有我的GlassFish服务器配置为使用包含每个在AUTH链(存储为-trustcacerts)三个委托证书的密钥库以及具有进口SOAP目标服务器的证书了。
I have my Glassfish server configured to use a keystore that contains each of the three entrust certificates in the auth chain (stored as -trustcacerts) as well as having imported the SOAP destination server's certificate too.
我曾尝试从划痕的几个重建我的GlassFish服务器,甚至使出没有运气试图Tomcat服务器的密钥存储文件。
I have tried several from-scratch rebuilds of my Glassfish server and even resorted to trying the tomcat server's keystore file with no luck.
有谁知道是怎么回事,要不我怎么弄的Glassfish提供关于我所涉及的握手和密钥存储(超出-Djava.net.ssl.debug标志)更多有用的信息。
Does anyone know what is going on, or else how do I get Glassfish to provide me more useful information regarding the handshake and keystores involved (beyond the -Djava.net.ssl.debug flag).
推荐答案
我的一位同事想出了解决方案。指向安德鲁。
A co-worker of mine came up with the solution. Points to Andrew.
目的地竟然是向我们的 unknown_ca
消息,因为它不理解的关键是Glassfish的身份验证过程中发送CA
The destination turned out to be sending us the unknown_ca
message, as it did not understand the CA of the key that Glassfish was sending during the authentication process.
删除JVM参数 -Dcom.sun.enterprise.security.httpsOutboundKeyAlias =为s1as
解决问题。人们还可以改变参数来指定,而不是让JVM确定要使用的关键preferred关键的别名。
Removing the JVM argument -Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as
resolves the issue. One may also change the argument to specify the alias of the preferred key instead of letting the JVM determine the key to use.
这篇关于我在Glassfish 3.1应用程序将不会执行客户机认证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!