Reload truststore in WebSphere Liberty
We have an OSGI application running on the WebSphere Liberty profile that is expected to make HTTPS calls to various endpoints.
Some of these endpoints share SSL certificates that are imported into the server truststore. Previously the certificate was added to the truststore and the application was then restarted to pick up the change.
This is the configuration used for the truststore (the ${} values are placeholders read from a properties file):
<keyStore id="defaultKeyStore" location="${keystore.location}"
password="${keystore.password}" type="${keystore.type}" />
<keyStore id="trustStore" location="${truststore.location}"
password="${truststore.password}"
type="${truststore.type}" />
<ssl clientAuthentication="false"
clientAuthenticationSupported="true"
id="defaultSSLConfig"
keyStoreRef="defaultKeyStore"
sslProtocol="SSL_TLSv2"
trustStoreRef="trustStore" />
<sslDefault sslRef="defaultSSLConfig" />
Recently this was changed to use keystore polling for the truststore, with the following change:
<keyStore id="trustStore" location="${truststore.location}"
password="${truststore.password}"
type="${truststore.type}" pollingRate="5s" updateTrigger="polled"/>
The attributes used are described here:
Keystore files can be reloaded by the server if the updateTrigger attribute is set to polled or mbean. If polled is enabled, then the server monitors the keystore file for changes based on the rate set in the pollingRate attribute.
Now, if I import a certificate into the truststore of the running server, I get the following message in the console:
[AUDIT ] CWPKI0811I: The keystore file resources\security\trust.jks has been modified. The keystore file will be reloaded so the updated keystore file can be used.
But HTTPS calls to the endpoint still fail with a certificate exception until the server is restarted (after the restart, with no other changes, the endpoint call succeeds, so the certificate itself is correct and the endpoint is valid):
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: unable to find valid certification path to requested target
at com.ibm.jsse2.k.a(k.java:15)
at com.ibm.jsse2.av.a(av.java:531)
at com.ibm.jsse2.D.a(D.java:68)
at com.ibm.jsse2.D.a(D.java:628)
at com.ibm.jsse2.E.a(E.java:803)
at com.ibm.jsse2.E.a(E.java:447)
at com.ibm.jsse2.D.r(D.java:139)
at com.ibm.jsse2.D.a(D.java:485)
at com.ibm.jsse2.av.a(av.java:717)
at com.ibm.jsse2.av.i(av.java:869)
at com.ibm.jsse2.av.a(av.java:19)
at com.ibm.jsse2.av.startHandshake(av.java:672)
at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:46)
at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:35)
Is the configuration I used above incorrect, or how should I configure the Liberty profile so that it reloads certificates correctly?
Some additional things I tried:
- Using SSLContext.getDefault() to get the default SSLContext and re-initializing it with the truststore: this works, because Liberty itself replaces the original, immutable truststore with its own. However, if possible, I would like to avoid this approach and use the standard Liberty way.
Edit: interestingly, if I use an absolute path to the truststore in server.xml, things start working. A relative path does not work.
With a relative path:
[11/5/18 13:17:07:870 IST] 00000084 id= com.ibm.ws.ssl.internal.KeystoreConfigurationFactory > performFileBasedAction Entry
[resources\security\trust.jks]
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Clearing standard javax.net.ssl.SSLContext cache.
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager > resetDefaultSSLContext Entry
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager > getDefaultSSLConfig Entry
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager 3 getGlobalProperty -> com.ibm.ssl.defaultAlias=defaultSSLConfig
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager 3 defaultAlias: defaultSSLConfig
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager < defaultAlias not null, getDefaultSSLConfig for: defaultSSLConfig Exit
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager > keyStoreModified Entry
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager < keyStoreModified false Exit
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager 3 Modified keystore file are not part of the default SSL configuration.
[11/5/18 13:17:07:871 IST] 00000084 id= com.ibm.ws.ssl.config.SSLConfigManager < resetDefaultSSLContext Exit
[11/5/18 13:17:07:872 IST] 00000084 id= com.ibm.ws.ssl.internal.KeystoreConfigurationFactory A CWPKI0811I: The keystore file resources\security\trust.jks has been modified. The keystore file will be reloaded so the updated keystore file can be used.
[11/5/18 13:17:07:872 IST] 00000084 id= com.ibm.ws.ssl.internal.KeystoreConfigurationFactory < performFileBasedAction Exit
With an absolute path:
[11/5/18 13:11:32:720 IST] 00000086 id= com.ibm.ws.ssl.internal.KeystoreConfigurationFactory > performFileBasedAction Entry
[D:\programs\WebSphere\wlp-webProfile7-18.0.0.1\wlp\usr\servers\defaultServer\resources\security\trust.jks]
[11/5/18 13:11:32:723 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Clearing standard javax.net.ssl.SSLContext cache.
[11/5/18 13:11:32:723 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:11:32:723 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:11:32:723 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:11:32:723 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 clearJavaKeyStore
[11/5/18 13:11:32:724 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager > resetDefaultSSLContext Entry
[11/5/18 13:11:32:724 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager > getDefaultSSLConfig Entry
[11/5/18 13:11:32:724 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager 3 getGlobalProperty -> com.ibm.ssl.defaultAlias=defaultSSLConfig
[11/5/18 13:11:32:724 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager 3 defaultAlias: defaultSSLConfig
[11/5/18 13:11:32:724 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager < defaultAlias not null, getDefaultSSLConfig for: defaultSSLConfig Exit
[11/5/18 13:11:32:724 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager > keyStoreModified Entry
[11/5/18 13:11:32:726 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager < keyStoreModified true Exit
[11/5/18 13:11:32:726 IST] 00000086 id= com.ibm.ws.ssl.JSSEProviderFactory > getInstance: null Entry
[11/5/18 13:11:32:726 IST] 00000086 id= com.ibm.ws.ssl.JSSEProviderFactory < getInstance: com.ibm.ws.ssl.provider.IBMJSSEProvider@50d8b2eb Exit
[11/5/18 13:11:32:727 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider > setServerDefaultSSLContext Entry
[11/5/18 13:11:32:727 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider > getSSLContext Entry
null
[11/5/18 13:11:32:727 IST] 00000086 id= com.ibm.ws.ssl.config.ThreadContext 3 setOutboundConnectionInfoInternal :null
[11/5/18 13:11:32:727 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 outboundConnectionInfo: null
[11/5/18 13:11:32:727 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider > getSSLContextInstance Entry
[11/5/18 13:11:32:728 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider < getSSLContextInstance Exit
[11/5/18 13:11:32:728 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider > getKeyTrustManagers Entry
null
SSLConfig.toString() {
com.ibm.ssl.clientAuthenticationSupported=false
com.ibm.ssl.contextProvider=IBMJSSE2
config.displayId=keyStore[defaultKeyStore]
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.keyStoreReadOnly=false
com.ibm.ssl.alias=defaultSSLConfig
com.ibm.ssl.keyStoreCreateCMSStash=false
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.trustStoreName=jvmTrustStore
com.ibm.ssl.trustStorePassword=********
service.pid=com.ibm.ws.ssl.keystore_21
com.ibm.ssl.trustManager=PKIX
com.ibm.ssl.validationEnabled=false
com.ibm.ssl.trustStoreInitializeAtStartup=false
com.ibm.ssl.keyManager=IbmX509
com.ibm.ssl.keyStoreFileBased=true
com.ibm.ssl.keyStoreType=jks
com.ibm.ssl.trustStoreFileBased=true
com.ibm.ssl.trustStoreCreateCMSStash=false
com.ibm.ssl.trustStore=D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
config.overrides=true
com.ibm.ssl.daysBeforeExpireWarning=60
sslRef=defaultSSLConfig
id=defaultKeyStore
config.id=com.ibm.ws.ssl.keystore[defaultKeyStore]
com.ibm.ssl.clientAuthentication=false
com.ibm.ssl.keyStore=resources/security/key.jks
com.ibm.ssl.trustStoreReadOnly=false
config.source=file
alias=defaultSSLConfig
com.ibm.ssl.tokenEnabled=false
com.ibm.ssl.keyStoreName=defaultKeyStore
com.ibm.ssl.keyStorePassword=********
com.ibm.ssl.keyStoreInitializeAtStartup=false
service.factoryPid=com.ibm.ws.ssl.keystore
com.ibm.ssl.trustStoreType=jks
}
[11/5/18 13:11:32:728 IST] 00000086 id= com.ibm.ws.ssl.config.KeyStoreManager 3 Returning a keyStore for name: jvmTrustStore
[11/5/18 13:11:32:728 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore > do_getKeyStore Entry
false
false
[11/5/18 13:11:32:728 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Initializing KeyStore: jvmTrustStore
[11/5/18 13:11:32:729 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Password was not decoded.
[11/5/18 13:11:32:729 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 File path for store: D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:729 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Loading keyStore (filebased)
[11/5/18 13:11:32:729 IST] 00000086 id= com.ibm.ws.ssl.JSSEProviderFactory > getInstance: null Entry
[11/5/18 13:11:32:729 IST] 00000086 id= com.ibm.ws.ssl.JSSEProviderFactory < getInstance: com.ibm.ws.ssl.provider.IBMJSSEProvider@50d8b2eb Exit
[11/5/18 13:11:32:729 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 KeyStore.getInstance(jks, null)
[11/5/18 13:11:32:731 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 alias: p13
[11/5/18 13:11:32:731 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 alias: p12
[11/5/18 13:11:32:731 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 do_getKeyStore (initialized)
[11/5/18 13:11:32:731 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore < do_getKeyStore Exit
java.security.KeyStore@7be5d76a
[11/5/18 13:11:32:731 IST] 00000086 id= com.ibm.ws.ssl.config.KeyStoreManager 3 Returning a keyStore for name: defaultKeyStore
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore > do_getKeyStore Entry
false
false
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Initializing KeyStore: defaultKeyStore
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Password was not decoded.
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 File path for store: resources/security/key.jks
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Loading keyStore (filebased)
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.JSSEProviderFactory > getInstance: null Entry
[11/5/18 13:11:32:732 IST] 00000086 id= com.ibm.ws.ssl.JSSEProviderFactory < getInstance: com.ibm.ws.ssl.provider.IBMJSSEProvider@50d8b2eb Exit
[11/5/18 13:11:32:733 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 KeyStore.getInstance(jks, null)
[11/5/18 13:11:32:735 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 alias: default
[11/5/18 13:11:32:735 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 do_getKeyStore (initialized)
[11/5/18 13:11:32:735 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore < do_getKeyStore Exit
java.security.KeyStore@941dcba8
[11/5/18 13:11:32:735 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 getLocation -> D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:735 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Using trust store: D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 getTrustManagerFactory.getInstance(PKIX, IBMJSSE2)javax.net.ssl.TrustManagerFactory@c99b19d6
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 certStoreHost: null
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 certStorePort: 389
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 trustManagerAlgorithm: PKIX
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 getLocation -> resources/security/key.jks
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Using software keystore: resources/security/key.jks
[11/5/18 13:11:32:736 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 getKeyManagerFactory.getInstance(IbmX509, IBMJSSE2) javax.net.ssl.KeyManagerFactory@df035ba8
[11/5/18 13:11:32:737 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 Password was not decoded.
[11/5/18 13:11:32:737 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Entering synchronized block around key manager factory init.
[11/5/18 13:11:32:739 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Exiting synchronized block around key manager factory init.
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.core.WSX509KeyManager > WSX509KeyManager Entry
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.core.CertMappingKeyManager > <init> Entry
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.core.CertMappingKeyManager > parseSSLCertFile Entry
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.core.CertMappingKeyManager < parseSSLCertFile Exit
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.core.CertMappingKeyManager < <init> Exit
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.config.KeyStoreManager 3 Returning a keyStore for name: defaultKeyStore
[11/5/18 13:11:32:740 IST] 00000086 id= com.ibm.ws.ssl.core.WSX509KeyManager < WSX509KeyManager Exit
[11/5/18 13:11:32:741 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Initializing WSX509KeyManager.
null
null
null
[11/5/18 13:11:32:741 IST] 00000086 id= com.ibm.ws.ssl.config.WSKeyStore 3 getLocation -> D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:741 IST] 00000086 id= com.ibm.ws.ssl.core.WSX509TrustManager > WSX509TrustManager Entry
null
D:/programs/WebSphere/wlp-webProfile7-18.0.0.1/wlp/usr/servers/defaultServer/resources/security/trust.jks
[11/5/18 13:11:32:742 IST] 00000086 id= com.ibm.ws.ssl.core.WSX509TrustManager < WSX509TrustManager Exit
[11/5/18 13:11:32:742 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider < getKeyTrustManagers Exit
[11/5/18 13:11:32:743 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 SSLContext cache size: 1
[11/5/18 13:11:32:743 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider < getSSLContext -> (new) Exit
[11/5/18 13:11:32:743 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 Default SSLContext set to defaultSSLConfig
[11/5/18 13:11:32:743 IST] 00000086 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider < setServerDefaultSSLContext Exit
[11/5/18 13:11:32:743 IST] 00000086 id= com.ibm.ws.ssl.config.SSLConfigManager < resetDefaultSSLContext Exit
[11/5/18 13:11:32:743 IST] 00000086 id= com.ibm.ws.ssl.internal.KeystoreConfigurationFactory A CWPKI0811I: The keystore file D:\programs\WebSphere\wlp-webProfile7-18.0.0.1\wlp\usr\servers\defaultServer\resources\security\trust.jks has been modified. The keystore file will be reloaded so the updated keystore file can be used.
[11/5/18 13:11:32:744 IST] 00000086 id= com.ibm.ws.ssl.internal.KeystoreConfigurationFactory < performFileBasedAction Exit
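The workaround mentioned under "additional things I tried" (building a trust manager directly from the truststore file instead of relying on the server's reload) is shown below as an added example; it is not code from the original post and not Liberty's own implementation. The path, password and store type are constructed assumptions, and reloading on a change of the file's modification time is this example's own policy. It is plain JSSE, so it runs on any JVM.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * X509TrustManager that re-reads a JKS/PKCS12 truststore whenever the file's
 * modification time changes, so certificates imported at runtime are honoured
 * without restarting the JVM. Trust decisions are delegated to a PKIX trust
 * manager built from the most recently loaded file.
 */
public final class ReloadingTrustManager implements X509TrustManager {
    private final Path storePath;
    private final char[] password;
    private final String storeType;
    private volatile X509TrustManager delegate;
    private volatile long loadedMtime = -1L;

    public ReloadingTrustManager(Path storePath, char[] password, String storeType)
            throws GeneralSecurityException, IOException {
        // Resolve once, against the JVM working directory, so later reloads read the same file.
        this.storePath = storePath.toAbsolutePath();
        this.password = password.clone();
        this.storeType = storeType;
        reload();
    }

    /** Loads the truststore from disk (if it changed) and rebuilds the PKIX trust manager. */
    private synchronized void reload() throws GeneralSecurityException, IOException {
        long mtime = Files.getLastModifiedTime(storePath).toMillis();
        if (mtime == loadedMtime) {
            return;
        }
        KeyStore ks = KeyStore.getInstance(storeType);
        try (FileInputStream in = new FileInputStream(storePath.toFile())) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                delegate = (X509TrustManager) tm;
                loadedMtime = mtime;
                return;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager built from " + storePath);
    }

    /** Cheap mtime check before every use; a failed reload keeps the last good trust anchors. */
    private X509TrustManager current() {
        try {
            reload();
        } catch (GeneralSecurityException | IOException e) {
            System.err.println("truststore reload failed, keeping previous anchors: " + e);
        }
        return delegate;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        current().checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        current().checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return current().getAcceptedIssuers();
    }

    /** Builds a TLS SSLContext whose trust decisions follow the truststore file. */
    public static SSLContext newContext(Path storePath, char[] password, String storeType)
            throws GeneralSecurityException, IOException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ReloadingTrustManager(storePath, password, storeType) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed assumptions: adjust path, password and type to the real store.
        Path store = Paths.get(args.length > 0 ? args[0] : "resources/security/trust.jks");
        ReloadingTrustManager tm = new ReloadingTrustManager(store, "changeit".toCharArray(), "JKS");
        System.out.println("Trust anchors loaded from " + store.toAbsolutePath() + ": " + tm.getAcceptedIssuers().length);
    }
}
```

Use `newContext(...)` to obtain the SSLContext for the application's outbound HTTPS client instead of `SSLContext.getDefault()`; the number printed by `main` is the quick check that the file the JVM actually opened contains the imported anchors. Note that the path is resolved once against the JVM's working directory, which is the same relative-versus-absolute concern the edit above raises for Liberty's own `location` attribute, so pass an absolute path (for instance one built from Liberty's predefined `${server.config.dir}` variable) rather than a bare relative one.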
This was solved with the workaround of always providing an absolute path to the truststore. It looks like a bug, since I could not find any documentation stating that this attribute only supports absolute paths.