Websphere Application Server to Oracle Database using TLS 1.2

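I am trying to implement TLS 1.2 from Websphere Application Server v9.0.5.6 to an Oracle 19c database. WAS and Oracle are both running on different virtual machines on Centos 7. Using the Websphere-provided IBM Java 8 and the Oracle-provided ojdbc8.jar (from the Oracle 19c client). The non-SSL connection works fine in the WAS console.

I have done the following to implement TLS 1.2.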

  1. Used this link and completed the Oracle Database side SSL configuration. For testing I even made the client side configuration on the WAS VM and tested using sqlplus (with the oracle user and Oracle 19c client), and I was able to connect and get TCPS as provided in this query.
  2. Then I added the Oracle DB self-signed certificate to 'WAS_HOME/AppServer/profiles/AppSrv01/etc/trust.p12'. I used iKeyman to add the DB certificate to WAS. Then I added a custom property "connectionProperties" in the data source with the value javax.net.ssl.trustStore=WAS_HOME/AppServer/profiles/AppSrv01/etc/trust.p12; javax.net.ssl.trustStoreType=PKCS12; oracle.net.ssl_version=1.2; javax.net.ssl.trustStorePassword=***
  3. Instead of point 2, I also tried JKS. Added the Oracle DB self-signed certificate to 'WAS_HOME/AppServer/java/8.0/jre/lib/security/cacerts'. I used iKeyman to add the DB certificate to WAS. Then I added a custom property "connectionProperties" in the data source with the value javax.net.ssl.keyStore= WAS_HOME/AppServer/java/8.0/jre/lib/security/cacerts; javax.net.ssl.keyStoreType=JKS; oracle.net.ssl_version=1.2; javax.net.ssl.keyStorePassword=***

I enabled debug logging, and in both cases I got the error 'java.security.SignatureException: Signature length not correct: got 128 but was expecting 256'

Can anyone advise on the error, or on how to successfully implement TLS 1.2 from WAS to the Oracle DB?

Sysout log

[29/03/21 10:37:15:975 BST] 0000008c FileRepositor A   ADMR0010I: Document cells/appserver01Node01Cell/security.xml is modified.
    [29/03/21 10:37:15:978 BST] 0000008c FileRepositor A   ADMR0010I: Document cells/appserver01Node01Cell/nodes/appserver01Node01/trust.p12 is modified.
    [29/03/21 10:37:26:165 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.164 BST|Thread.java:1164|adding as trusted certificates (
      "certificate" : {
        "version"            : "v3",
        "serial number"      : "30 F6 93 B4",
        "signature algorithm": "SHA256withRSA",
        "issuer"             : "CN=dbserver01.miracle.com",
        "not before"         : "2021-03-28 04:43:25.000 BST",
        "not  after"         : "2031-02-04 03:43:25.000 GMT",
        "subject"            : "CN=dbserver01.miracle.com",
        "subject public key" : "RSA",
        "extensions"         : [
          {
            ObjectId: 2.5.29.14 Criticality=false
            SubjectKeyIdentifier [
            KeyIdentifier [
            0000: 57 d7 09 3f d2 5e db c3  43 93 6f af 82 4a fc 7d  W.......C.o..J..
            0010: 16 74 be 60                                        .t..
            ]
            ]
          }
        ]},
      "certificate" : {
        "version"            : "v3",
        "serial number"      : "38 5D 50 BF 82",
        "signature algorithm": "SHA256withRSA",
        "issuer"             : "CN=appserver01.miracle.com, OU=Root Certificate, OU=appserver01Node01Cell, OU=appserver01Node01, O=IBM, C=US",
        "not before"         : "2021-03-25 21:09:10.000 GMT",
        "not  after"         : "2036-03-21 21:09:10.000 GMT",
        "subject"            : "CN=appserver01.miracle.com, OU=Root Certificate, OU=appserver01Node01Cell, OU=appserver01Node01, O=IBM, C=US",
        "subject public key" : "RSA",
        "extensions"         : [
          {
            ObjectId: 2.5.29.14 Criticality=false
            SubjectKeyIdentifier [
            KeyIdentifier [
            0000: 4c 3e 62 ab 29 d9 6c 08                           L.b...l.
            ]
            ]
          },
          {
            ObjectId: 2.5.29.19 Criticality=true
            BasicConstraints:[
            CA:true
            PathLen:2147483647
            ]
          },
          {
            ObjectId: 2.5.29.17 Criticality=false
            SubjectAlternativeName [
            [RFC822Name: ProfileUUID:AppSrv01-BASE-5d9b3381-f22f-4812-a07b-c1e59b63d0a5]]
          }
        ]}
    )
    [29/03/21 10:37:26:171 BST] 0000008c SystemOut     O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.166 BST|Thread.java:1164|keyStore is: /home/sunny/IBM/WebSphere/AppServer/java/8.0/jre/lib/security/cacerts
    [29/03/21 10:37:26:172 BST] 0000008c SystemOut     O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.171 BST|Thread.java:1164|keyStore type is: jks
    [29/03/21 10:37:26:178 BST] 0000008c SystemOut     O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.173 BST|Thread.java:1164|keyStore provider is: 
    …..
    [29/03/21 10:37:26:218 BST] 0000008c SystemOut     O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.217 BST|Thread.java:1164|Ignore unsupported cipher suite: TLS_AES_256_GCM_SHA384
    [29/03/21 10:37:26:220 BST] 0000008c SystemOut     O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.218 BST|Thread.java:1164|Ignore unsupported cipher suite: TLS_CHACHA20_POLY1305_SHA256
    ……
    [29/03/21 10:37:26:261 BST] 0000008c SystemOut     O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.256 BST|Thread.java:1164|Ignore unsupported cipher suite: TLS_CHACHA20_POLY1305_SHA256
    [29/03/21 10:37:26:264 BST] 0000008c SystemOut     O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.262 BST|Thread.java:1164|Ignore unsupported cipher suite: TLS_AES_128_GCM_SHA256
    [29/03/21 10:37:26:287 BST] 0000008c SystemOut     O javax.net.ssl|WARNING|8C|WebContainer : 1|2021-03-29 10:37:26.284 BST|Thread.java:1164|Unable to indicate server name
    …
    [29/03/21 10:37:26:303 BST] 0000008c SystemOut     O javax.net.ssl|INFO|8C|WebContainer : 1|2021-03-29 10:37:26.300 BST|Thread.java:1164|No available application protocols
    [29/03/21 10:37:26:304 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.303 BST|Thread.java:1164|Ignore, context unavailable extension: application_layer_protocol_negotiation
    [29/03/21 10:37:26:306 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.304 BST|Thread.java:1164|Ignore, context unavailable extension: status_request_v2
    [29/03/21 10:37:26:307 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.306 BST|Thread.java:1164|Ignore, context unavailable extension: renegotiation_info
    [29/03/21 10:37:26:310 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.309 BST|Thread.java:1164|Produced ClientHello handshake message (
    "ClientHello": {
      "client version"      : "TLSv1.2",
      "random"              : "88 57 8E A5 C0 F4 72 B7 2C F9 EA 52 C1 8B D8 D4 3E 09 5D 3A BB 50 9C 5D 78 54 DD 19 AA 81 A9 63",
      "session id"          : "",
      "cipher suites"       : "[SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), SSL_RSA_WITH_AES_256_GCM_SHA384(0x009D), SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), SSL_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), SSL_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), SSL_RSA_WITH_AES_128_GCM_SHA256(0x009C), SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), 
………..
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), SSL_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), SSL_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA(0xC008),  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA(0x0016), SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA(0x0013), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
      "compression methods" : "00",
      "extensions"          : [
        "supported_groups (10)": {
          "versions": [secp256r1, secp384r1, secp521r1]
        },
        "ec_point_formats (11)": {
          "formats": [uncompressed]
        },
        "signature_algorithms (13)": {
          "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
        },
        "signature_algorithms_cert (50)": {
          "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
        },
        "extended_master_secret (23)": {
          <empty>
        },
        "supported_versions (43)": {
          "versions": [TLSv1.2]
        }
      ]
    }
    )
    [29/03/21 10:37:26:312 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.311 BST|Thread.java:1164|WRITE: TLS12 handshake, length = 262
    [29/03/21 10:37:26:314 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.313 BST|Thread.java:1164|Raw write (
      0000: 16 03 03 01 06 01 00 01  02 03 03 88 57 8e a5 c0  ............W...
      0010: f4 72 b7 2c f9 ea 52 c1  8b d8 d4 3e 09 5d 3a bb  .r....R.........
      .
      00e0: 08 04 08 05 08 06 08 09  08 0a 08 0b 04 01 05 01  ................
      00f0: 06 01 04 02 03 03 03 01  03 02 02 03 02 01 02 02  ................
      0100: 00 17 00 00 00 2b 00 03  02 03 03                 ...........
    )
    [29/03/21 10:37:26:321 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.320 BST|Thread.java:1164|Raw read (
      0000: 16 03 03 00 51 02 00 00  4d 03 03 60 61 9f d6 32  ....Q...M...a..2
      0010: 63 9b cf 09 dc a2 95 64  8d c0 cb 0f e5 ed 1b 1b  c......d........
      0040: b5 10 28 2a 9d e0 ed 5e  a8 f9 a5 13 c0 30 00 00  .............0..
      .
      02d0: 2b f9 e5 e8 c0 60 be 3b  11 68 2a 0d 1f 60 18 b3  .........h......
      02e0: e6 d5 0b 7e 12 03 9e 72  2f 88 f3 54 26 18 18 ca  .......r...T....
      02f0: e5 ae 0a 2f db b9 0f 18  ae c5 2f 8d 16 03 03 00  ................
      0300: 04 0e 00 00 00                                     .....
    )
    [29/03/21 10:37:26:323 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.322 BST|Thread.java:1164|READ: TLSv1.2 handshake, length = 81
    [29/03/21 10:37:26:328 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.327 BST|Thread.java:1164|Consuming ServerHello handshake message (
    "ServerHello": {
      "server version"      : "TLSv1.2",
      "random"              : "60 61 9F D6 32 63 9B CF 09 DC A2 95 64 8D C0 CB 0F E5 ED 1B 1B E3 C9 2B 7F 06 6D 03 58 6D DF 4F",
      "session id"          : "3A EC 80 A8 76 B9 C2 33 CD 59 71 86 01 77 6F 4B 64 3A 0A A6 B5 10 28 2A 9D E0 ED 5E A8 F9 A5 13",
      "cipher suite"        : "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
      "compression methods" : "00",
      "extensions"          : [
        "renegotiation_info (65,281)": {
          "renegotiated connection": [<no renegotiated connection>]
        }
      ]
    }
    )
    [29/03/21 10:37:26:335 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.334 BST|Thread.java:1164|Ignore unavailable extension: supported_versions
    [29/03/21 10:37:26:336 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.335 BST|Thread.java:1164|Negotiated protocol version: TLSv1.2
    …
    [29/03/21 10:37:26:367 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.365 BST|Thread.java:1164|Ignore unavailable extension: status_request_v2
    [29/03/21 10:37:26:369 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.367 BST|Thread.java:1164|Consumed extension: renegotiation_info
    [29/03/21 10:37:26:370 BST] 0000008c SystemOut     O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.369 BST|Thread.java:1164|Session initialized:  Session(1617010646369|SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
    [29/03/21 10:37:26:372 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.371 BST|Thread.java:1164|Ignore unavailable extension: server_name
     …
    [29/03/21 10:37:26:380 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.380 BST|Thread.java:1164|Ignore unavailable extension: status_request_v2
    [29/03/21 10:37:26:381 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.380 BST|Thread.java:1164|Ignore unavailable extension: extended_master_secret
    [29/03/21 10:37:26:387 BST] 0000008c SystemOut     O javax.net.ssl|WARNING|8C|WebContainer : 1|2021-03-29 10:37:26.382 BST|Thread.java:1164|Ignore impact of unsupported extension: renegotiation_info
    [29/03/21 10:37:26:390 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.388 BST|Thread.java:1164|Raw read (
      0000: 16 03 03 01 cf 0b 00 01  cb 00 01 c8 00 01 c5 30  ...............0
      0010: 82 01 c1 30 82 01 2a 02  11 00 a2 75 59 bc 83 45  ...0.......uY..E
      .
      0260: e8 c6 b2 6c ac 7d 76 15  a0 94 72 cd 50 e8 37 75  ...l..v...r.P.7u
      02a0: 0f 18 ae c5 2f 8d 16 03  03 00 04 0e 00 00 00     ...............
    )
    [29/03/21 10:37:26:392 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.390 BST|Thread.java:1164|READ: TLSv1.2 handshake, length = 463
    [29/03/21 10:37:26:394 BST] 0000008c SystemOut     O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.393 BST|Thread.java:1164|Consuming server Certificate handshake message (
    "Certificates": [
      "certificate" : {
        "version"            : "v1",
        "serial number"      : "00 A2 75 59 BC 83 45 CD 7D 9E B0 D9 8B E3 FD 9B 92",
        "signature algorithm": "SHA256withRSA",
        "issuer"             : "CN=dbserver01.miracle.com",
        "not before"         : "2021-03-21 02:10:55.000 GMT",
        "not  after"         : "2031-03-19 02:10:55.000 GMT",
        "subject"            : "CN=dbserver01.miracle.com",
        "subject public key" : "RSA"}
    ]
    )
    [29/03/21 10:37:26:404 BST] 0000008c SystemOut     O javax.net.ssl|SEVERE|8C|WebContainer : 1|2021-03-29 10:37:26.403 BST|Thread.java:1164|Fatal (BAD_CERTIFICATE): PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed (
    "throwable" : {
      com.ibm.jsse2.util.j: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
        at com.ibm.jsse2.util.h.a(h.java:174)
        at com.ibm.jsse2.util.h.b(h.java:185)
        at com.ibm.jsse2.util.g.a(g.java:10)
        at com.ibm.jsse2.bq.a(bq.java:32)
        at com.ibm.jsse2.bq.a(bq.java:70)
        at com.ibm.jsse2.bq.checkServerTrusted(bq.java:10)
        at com.ibm.jsse2.y$c.a(y$c.java:99)
        at com.ibm.jsse2.y$c.a(y$c.java:10)
        at com.ibm.jsse2.y$c.consume(y$c.java:6)
        at com.ibm.jsse2.p.consume(p.java:43)
        at com.ibm.jsse2.Z.a(Z.java:73)
        at com.ibm.jsse2.bf$a$b.a(bf$a$b.java:2)
        at com.ibm.jsse2.bf$a$b.run(bf$a$b.java:3)
        at java.security.AccessController.doPrivileged(AccessController.java:774)
        at com.ibm.jsse2.bf$a.run(bf$a.java:26)
        at oracle.net.nt.SSLSocketChannel.runTasks(SSLSocketChannel.java:602)
        at oracle.net.nt.SSLSocketChannel.doSSLHandshake(SSLSocketChannel.java:434)
        at oracle.net.nt.SSLSocketChannel.write(SSLSocketChannel.java:128)
        at oracle.net.ns.NIOPacket.writeToSocketChannel(NIOPacket.java:350)
        at oracle.net.ns.NIOConnectPacket.writeToSocketChannel(NIOConnectPacket.java:247)
        at oracle.net.ns.NSProtocolNIO.negotiateConnection(NSProtocolNIO.java:117)
        at oracle.net.ns.NSProtocol.connect(NSProtocol.java:340)
        at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1596)
        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:588)
        at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:793)
        at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:57)
        at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:747)
        at oracle.jdbc.pool.OracleDataSource.getPhysicalConnection(OracleDataSource.java:406)
        at oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:291)
        at oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:206)
        at oracle.jdbc.pool.OracleConnectionPoolDataSource.getPhysicalConnection(OracleConnectionPoolDataSource.java:148)
        at oracle.jdbc.pool.OracleConnectionPoolDataSource.getPooledConnection(OracleConnectionPoolDataSource.java:91)
        at com.ibm.ws.rsadapter.DSConfigHelper.run(DSConfigHelper.java:1273)
        at com.ibm.ws.security.auth.ContextManagerImpl.runAs(ContextManagerImpl.java:5446)
        at com.ibm.ws.security.auth.ContextManagerImpl.runAsSystem(ContextManagerImpl.java:5662)
        at com.ibm.ws.security.core.SecurityContext.runAsSystem(SecurityContext.java:255)
        at com.ibm.ws.rsadapter.spi.ServerFunction.run(ServerFunction.java:571)
        at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
        at com.ibm.ws.rsadapter.DSConfigHelper.getPooledConnection(DSConfigHelper.java:1288)
        at com.ibm.ws.rsadapter.DSConfigHelper.getPooledConnection(DSConfigHelper.java:1196)
        at com.ibm.ws.rsadapter.DSConfigurationHelper.getConnectionFromDSOrPooledDS(DSConfigurationHelper.java:2076)
        at com.ibm.ws.rsadapter.DSConfigurationHelper.getConnectionFromDSOrPooledDS(DSConfigurationHelper.java:1952)
        at com.ibm.ws.rsadapter.DSConfigurationHelper.testConnectionForGUI(DSConfigurationHelper.java:2820)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at com.ibm.ws.management.DataSourceConfigHelperMBean.testConnectionToDataSource2(DataSourceConfigHelperMBean.java:556)
        at com.ibm.ws.management.DataSourceConfigHelperMBean.testConnection(DataSourceConfigHelperMBean.java:484)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at sun.reflect.misc.Trampoline.invoke(MethodUtil.java:83)
        at sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at sun.reflect.misc.MethodUtil.invoke(MethodUtil.java:287)
        at javax.management.modelmbean.RequiredModelMBean.run(RequiredModelMBean.java:1263)
        at java.security.AccessController.doPrivileged(AccessController.java:708)
        at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
        at javax.management.modelmbean.RequiredModelMBean.invokeMethod(RequiredModelMBean.java:1257)
        at javax.management.modelmbean.RequiredModelMBean.invoke(RequiredModelMBean.java:1096)
        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:831)
        at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:813)
        at com.ibm.ws.management.AdminServiceImpl.run(AdminServiceImpl.java:1353)
        at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
        at com.ibm.ws.management.AdminServiceImpl.invoke(AdminServiceImpl.java:1246)
        at com.ibm.ws.management.commands.AdminServiceCommands$InvokeCmd.execute(AdminServiceCommands.java:251)
        at com.ibm.ws.console.core.mbean.MBeanHelper.invoke(MBeanHelper.java:246)
        at com.ibm.ws.console.core.mbean.ResourceMBeanHelper.testNode(ResourceMBeanHelper.java:860)
        at com.ibm.ws.console.core.mbean.ResourceMBeanHelper.testConnection(ResourceMBeanHelper.java:292)
        at com.ibm.ws.console.resources.database.jdbc.DataSourceDetailAction.testConnection(DataSourceDetailAction.java:713)
        at com.ibm.ws.console.resources.database.jdbc.DataSourceCollectionAction.execute(DataSourceCollectionAction.java:339)
        at org.apache.struts.action.RequestProcessor.processActionPerform(Unknown Source)
        at org.apache.struts.action.RequestProcessor.process(Unknown Source)
        at org.apache.struts.action.ActionServlet.process(Unknown Source)
        at org.apache.struts.action.ActionServlet.doPost(Unknown Source)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1235)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:779)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:478)
        at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:179)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:143)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:78)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:979)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1119)
        at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.dispatch(WebAppRequestDispatcher.java:1408)
        at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.forward(WebAppRequestDispatcher.java:198)
        at org.apache.struts.action.RequestProcessor.doForward(Unknown Source)
        at org.apache.struts.tiles.TilesRequestProcessor.doForward(Unknown Source)
        at org.apache.struts.action.RequestProcessor.processForwardConfig(Unknown Source)
        at org.apache.struts.tiles.TilesRequestProcessor.processForwardConfig(Unknown Source)
        at org.apache.struts.action.RequestProcessor.process(Unknown Source)
        at org.apache.struts.action.ActionServlet.process(Unknown Source)
        at org.apache.struts.action.ActionServlet.doPost(Unknown Source)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1235)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:779)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:478)
        at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:179)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:143)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:96)
        at com.ibm.ws.console.core.servlet.WSCUrlFilter.setUpCommandAssistance(WSCUrlFilter.java:984)
        at com.ibm.ws.console.core.servlet.WSCUrlFilter.continueStoringTaskState(WSCUrlFilter.java:531)
        at com.ibm.ws.console.core.servlet.WSCUrlFilter.doFilter(WSCUrlFilter.java:352)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:197)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:979)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1119)
        at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:82)
        at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:963)
        at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
        at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:382)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:465)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:532)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:318)
        at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:88)
        at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
        at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
        at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
        at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
        at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
        at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
        at com.ibm.io.async.ResultHandler.run(ResultHandler.java:905)
        at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1909)
      Caused by: java.security.cert.CertPathValidatorException: signature check failed
        at com.ibm.security.cert.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:130)
        at com.ibm.security.cert.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:232)
        at com.ibm.security.cert.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:136)
        at com.ibm.security.cert.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:75)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:304)
        at com.ibm.jsse2.util.h.a(h.java:74)
        ... 127 more
      Caused by: java.security.SignatureException: Signature length not correct: got 128 but was expecting 256
        at com.ibm.crypto.provider.RSASignature.engineVerify(Unknown Source)
        at java.security.Signature$Delegate.engineVerify(Signature.java:1403)
        at java.security.Signature.verify(Signature.java:777)
        at com.ibm.security.x509.X509CertImpl.verify(X509CertImpl.java:739)
        at com.ibm.security.cert.BasicChecker.verifySignature(BasicChecker.java:182)
        at com.ibm.security.cert.BasicChecker.check(BasicChecker.java:163)
        at com.ibm.security.cert.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:120)
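
In the log above, the trust store entry for CN=dbserver01.miracle.com has serial 30 F6 93 B4, while the certificate the server presents has the same subject but a serial beginning 00 A2 75 59, so the two are different self-signed certificates. The Python sketch below is an added example, not part of the original post: it pulls both sets out of a javax.net.ssl debug log and flags that mismatch. The sample log is abbreviated from the one above, and the function and verdict names are made up for this example.

```python
import re

# Abbreviated sample in the javax.net.ssl debug format shown above, constructed
# for this example: prefixes shortened, extensions dropped, appserver DN trimmed.
# Serial numbers and the dbserver01 subject are the ones visible in that log.
SAMPLE_LOG = '''\
SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|Thread.java:1164|adding as trusted certificates (
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "30 F6 93 B4",
    "issuer"             : "CN=dbserver01.miracle.com",
    "subject"            : "CN=dbserver01.miracle.com",
    "subject public key" : "RSA"},
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "38 5D 50 BF 82",
    "issuer"             : "CN=appserver01.miracle.com, OU=Root Certificate, O=IBM, C=US",
    "subject"            : "CN=appserver01.miracle.com, OU=Root Certificate, O=IBM, C=US",
    "subject public key" : "RSA"}
)
SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|Thread.java:1164|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 A2 75 59 BC 83 45 CD 7D 9E B0 D9 8B E3 FD 9B 92",
    "issuer"             : "CN=dbserver01.miracle.com",
    "subject"            : "CN=dbserver01.miracle.com",
    "subject public key" : "RSA"}
]
)
'''

# Log lines that open the two certificate dumps we care about.
BLOCK_START = {
    "adding as trusted certificates (": "trusted",
    "Consuming server Certificate handshake message (": "presented",
}
# Matches "subject" but not "subject public key" (closing quote must follow).
FIELD_RE = re.compile(r'^\s*"(serial number|issuer|subject)"\s*:\s*"([^"]*)"')


def norm_serial(serial):
    """Drop spaces and the DER sign byte so '00 A2 ..' and 'A2 ..' compare equal."""
    return serial.replace(" ", "").upper().lstrip("0") or "0"


def parse_certs(log_text):
    """Return {'trusted': [...], 'presented': [...]} as lists of field dicts."""
    certs = {"trusted": [], "presented": []}
    section, current = None, None
    for line in log_text.splitlines():
        stripped = line.strip()
        if section is None:
            for marker, name in BLOCK_START.items():
                if stripped.endswith(marker):
                    section = name
            continue
        if stripped == ")":                      # end of the dump
            section, current = None, None
            continue
        if stripped.startswith('"certificate"'):  # next certificate in the dump
            current = {}
            certs[section].append(current)
            continue
        match = FIELD_RE.match(line)
        if match and current is not None:
            current[match.group(1)] = match.group(2)
    return certs


def diagnose(log_text):
    """Compare each presented certificate with the trust store contents."""
    certs = parse_certs(log_text)
    trusted_ids = {(c.get("subject"), norm_serial(c.get("serial number", "")))
                   for c in certs["trusted"]}
    trusted_subjects = {c.get("subject") for c in certs["trusted"]}
    findings = []
    for c in certs["presented"]:
        subject, issuer = c.get("subject"), c.get("issuer")
        serial = norm_serial(c.get("serial number", ""))
        if (subject, serial) in trusted_ids:
            verdict = "TRUSTED_EXACT"          # this very certificate is trusted
        elif issuer == subject and subject in trusted_subjects:
            verdict = "STALE_TRUST_ENTRY"      # self-signed, same DN, other cert
        elif issuer in trusted_subjects:
            verdict = "ISSUER_IN_TRUSTSTORE"   # path validation decides the rest
        else:
            verdict = "NOT_IN_TRUSTSTORE"
        findings.append((subject, serial, verdict))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

A `STALE_TRUST_ENTRY` verdict means the validator finds a trust anchor by name and then checks the presented signature against the wrong public key, which is where a "signature check failed" error comes from.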

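Steps

  1. Below is my setup, but the setup should have no impact on implementing TLS 1.2.
    WAS v9.0.5.6 on Centos VM1. Installed with "user1". Using the Websphere-provided IBM Java 8.
    Oracle Client 19c on the same Centos VM1. Oracle client installed with the "oracle" user.
    Oracle Database 19c on Centos VM2. Database installed with the "oracle" user.

  2. Completed the server-side and client-side certificate configuration using this link. Generated and exchanged self-signed certificates on/between server and client as instructed. For testing, keep the passwords free of special characters. I ran into problems when the password contained special characters.

  3. Convert the Oracle PKCS12 to a Java keystore on the Oracle client host (Centos VM1 in my case). I used the following command as the "oracle" user.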

    orapki wallet pkcs12_to_jks -wallet "/home/oracle/wallet" -pwd abcd123 -jksKeyStoreLoc "/home/oracle/jkswallet/ewallet.jks" -jksKeyStorepwd abcd123

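  4. Change the permissions of "home/oracle/jkswallet" and "home/oracle/jkswallet/ewallet.jks" to 755 so that "user1", running on the same server, can access them.

  5. Create a normal "JDBC provider" on WAS using ojdbc8.jar. No other jars are needed. Create a "Data source" using the JDBC provider created earlier. In addition to the data source, also create "JAAS - J2C authentication data" for the username and password.

  6. I used the following URL format in the "Data source".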

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=172.16.77.11)(PORT=2484)))(CONNECT_DATA=(SERVICE_NAME=PROD01PDB)))

  7. Add a property under "Custom properties" in the "Data source".
    Name: connectionProperties
    Value: javax.net.ssl.keyStore=/home/oracle/jkswallet/ewallet.jks; javax.net.ssl.keyStoreType=JKS; javax.net.ssl.keyStorePassword=abcd123; javax.net.ssl.trustStore=/home/oracle/jkswallet/ewallet.jks; javax.net.ssl.trustStoreType=JKS; javax.net.ssl.trustStorePassword=abcd123; oracle.net.ssl_version=1.2; oracle.net.ssl_server_dn_match=false

Finally, the trimmed debug log

[06/04/21 16:14:30:947 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:30.946 BST|Thread.java:1164|found key for : orakey (
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 E5 74 A4 14 70 21 C0 6D 42 78 B1 AF 86 B3 7F 09",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=appserver01",
    "not before"         : "2021-04-06 01:35:51.000 BST",
    "not  after"         : "2031-04-04 01:35:51.000 BST",
    "subject"            : "CN=appserver01",
    "subject public key" : "RSA"}
)
[06/04/21 16:14:30:956 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:30.955 BST|Thread.java:1164|adding as trusted certificates (
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 E5 74 A4 14 70 21 C0 6D 42 78 B1 AF 86 B3 7F 09",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=appserver01",
    "not before"         : "2021-04-06 01:35:51.000 BST",
    "not  after"         : "2031-04-04 01:35:51.000 BST",
    "subject"            : "CN=appserver01",
    "subject public key" : "RSA"},
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 AB 2C F7 0B 59 C2 76 AE CC F0 21 EF DA 8B D7 D1",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=dbserver01.miracle.com",
    "not before"         : "2021-04-06 01:50:52.000 BST",
    "not  after"         : "2031-04-04 01:50:52.000 BST",
    "subject"            : "CN=dbserver01.miracle.com",
    "subject public key" : "RSA"}
)
application_layer_protocol_negotiation
[06/04/21 16:14:32:709 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.708 BST|Thread.java:1164|Ignore, context unavailable extension: status_request_v2
[06/04/21 16:14:32:714 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.712 BST|Thread.java:1164|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "7B 73 62 0A 5B C3 CC 62 19 FC C1 78 03 30 F4 39 7C F8 A3 81 F9 02 4C BB 7A 35 8D F7 55 8A 8A 83",
  "session id"          : "",
  "cipher suites"       : "[SSL_RSA_WITH_AES_256_GCM_SHA384(0x009D)]",
  "compression methods" : "00",
  "extensions"          : [
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2]
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)

[06/04/21 16:14:32:736 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.735 BST|Thread.java:1164|READ: TLSv1.2 handshake, length = 81
[06/04/21 16:14:32:741 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.740 BST|Thread.java:1164|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "60 6C 7A D8 CC A6 0C B4 A4 5E 49 53 44 B4 68 77 7D 18 01 D6 04 10 DD E8 A6 E5 8D 6C EE DC 54 2A",
  "session id"          : "11 E9 ED 05 27 69 4E B8 A4 FA 28 0F 4C 19 AD 2F D6 55 47 ED A1 EB 0E 91 E6 E6 7B 53 D9 E0 0C DA",
  "cipher suite"        : "SSL_RSA_WITH_AES_256_GCM_SHA384(0x009D)",
  "compression methods" : "00",
  "extensions"          : [
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)
[06/04/21 16:14:32:804 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.803 BST|Thread.java:1164|READ: TLSv1.2 handshake, length = 463
[06/04/21 16:14:32:820 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.817 BST|Thread.java:1164|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 AB 2C F7 0B 59 C2 76 AE CC F0 21 EF DA 8B D7 D1",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=dbserver01.miracle.com",
    "not before"         : "2021-04-06 01:50:52.000 BST",
    "not  after"         : "2031-04-04 01:50:52.000 BST",
    "subject"            : "CN=dbserver01.miracle.com",
    "subject public key" : "RSA"}
]
)
[06/04/21 16:14:32:831 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.830 BST|Thread.java:1164|Found trusted certificate (
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 AB 2C F7 0B 59 C2 76 AE CC F0 21 EF DA 8B D7 D1",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=dbserver01.miracle.com",
    "not before"         : "2021-04-06 01:50:52.000 BST",
    "not  after"         : "2031-04-04 01:50:52.000 BST",
    "subject"            : "CN=dbserver01.miracle.com",
    "subject public key" : "RSA"}
)
[06/04/21 16:14:32:916 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.915 BST|Thread.java:1164|JsseJCE:  Using cipher RSA/SSL/PKCS1Padding from provider IBMJCE version 1.8
[06/04/21 16:14:32:922 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.920 BST|Thread.java:1164|RSAClientKeyExchange:  Using cipher for wrap RSA/SSL/PKCS1Paddingfrom provider from init IBMJCE version 1.8
[06/04/21 16:14:32:928 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.926 BST|Thread.java:1164|Produced RSA ClientKeyExchange handshake message (
"RSA ClientKeyExchange": {
  "client_version":  TLSv1.2
  "encrypted": {
    0000: 24 64 33 4f 9f 90 85 77  fe 9d c2 f4 ac 75 78 56  .d3O...w.....uxV
    ......
    0060: 21 21 f9 68 c9 2e 79 60  cc fe d1 78 1d 5a 69 c1  ...h..y....x.Zi.
    0070: 4e 73 47 eb b6 39 3f 07  0a 89 62 fb 29 78 c5 f9  NsG..9....b..x..
  }
}
)
[06/04/21 16:14:33:052 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.050 BST|Thread.java:1164|Produced ChangeCipherSpec message
[06/04/21 16:14:33:054 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.052 BST|Thread.java:1164|Produced client Finished handshake message (
"Finished": {
  "verify data": {
    0000: 56 66 52 df 64 68 37 a0  de 28 28 18 
  }'}
)
[06/04/21 16:14:33:055 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.054 BST|Thread.java:1164|WRITE: TLS12 handshake, length = 134


[06/04/21 16:14:33:291 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.290 BST|Thread.java:1164|found key for : orakey (
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 E5 74 A4 14 70 21 C0 6D 42 78 B1 AF 86 B3 7F 09",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=appserver01",
    "not before"         : "2021-04-06 01:35:51.000 BST",
    "not  after"         : "2031-04-04 01:35:51.000 BST",
    "subject"            : "CN=appserver01",
    "subject public key" : "RSA"}
)
[06/04/21 16:14:33:294 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.293 BST|Thread.java:1164|adding as trusted certificates (
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 E5 74 A4 14 70 21 C0 6D 42 78 B1 AF 86 B3 7F 09",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=appserver01",
    "not before"         : "2021-04-06 01:35:51.000 BST",
    "not  after"         : "2031-04-04 01:35:51.000 BST",
    "subject"            : "CN=appserver01",
    "subject public key" : "RSA"},
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 AB 2C F7 0B 59 C2 76 AE CC F0 21 EF DA 8B D7 D1",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=dbserver01.miracle.com",
    "not before"         : "2021-04-06 01:50:52.000 BST",
    "not  after"         : "2031-04-04 01:50:52.000 BST",
    "subject"            : "CN=dbserver01.miracle.com",
    "subject public key" : "RSA"}
)

[06/04/21 16:14:33:389 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.387 BST|Thread.java:1164|Ignore, context unavailable extension: status_request_v2
[06/04/21 16:14:33:405 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.391 BST|Thread.java:1164|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "59 4F CB D5 24 6A E7 DC D4 75 4C 1D EC F9 84 2F BC D5 EC 24 EB BC 69 4F 35 29 88 0F 42 46 B7 0E",
  "session id"          : "",
  "cipher suites"       : "[SSL_RSA_WITH_AES_256_GCM_SHA384(0x009D)]",
  "compression methods" : "00",
  "extensions"          : [
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2]
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)

[06/04/21 16:14:33:424 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.422 BST|Thread.java:1164|READ: TLSv1.2 handshake, length = 81
[06/04/21 16:14:33:427 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.426 BST|Thread.java:1164|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "60 6C 7A D9 FB 0C 6F 09 5C 10 3A 03 F4 01 E2 4A 58 60 72 D1 9D 7B 3A D7 2F 91 12 32 7C CF 85 0D",
  "session id"          : "2A 9D 32 23 12 52 AC 29 B8 69 D5 50 60 FE 15 4E C8 68 1C 8A AA C1 71 0E 42 55 EF BD CE 88 95 53",
  "cipher suite"        : "SSL_RSA_WITH_AES_256_GCM_SHA384(0x009D)",
  "compression methods" : "00",
  "extensions"          : [
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)
[06/04/21 16:14:33:521 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.519 BST|Thread.java:1164|READ: TLSv1.2 handshake, length = 463
[06/04/21 16:14:33:522 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.521 BST|Thread.java:1164|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 AB 2C F7 0B 59 C2 76 AE CC F0 21 EF DA 8B D7 D1",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=dbserver01.miracle.com",
    "not before"         : "2021-04-06 01:50:52.000 BST",
    "not  after"         : "2031-04-04 01:50:52.000 BST",
    "subject"            : "CN=dbserver01.miracle.com",
    "subject public key" : "RSA"}
]
)
[06/04/21 16:14:33:524 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.523 BST|Thread.java:1164|Found trusted certificate (
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 AB 2C F7 0B 59 C2 76 AE CC F0 21 EF DA 8B D7 D1",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=dbserver01.miracle.com",
    "not before"         : "2021-04-06 01:50:52.000 BST",
    "not  after"         : "2031-04-04 01:50:52.000 BST",
    "subject"            : "CN=dbserver01.miracle.com",
    "subject public key" : "RSA"}
)

[06/04/21 16:14:33:555 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.554 BST|Thread.java:1164|Produced RSA ClientKeyExchange handshake message (
"RSA ClientKeyExchange": {
  "client_version":  TLSv1.2
  "encrypted": {
    0000: 3f b0 62 d5 f6 31 b9 b5  02 37 29 3e 63 e0 38 f8  ..b..1...7..c.8.
    0010: 0e f5 03 a3 d3 ad 00 a1  06 92 c7 ff 65 a4 44 5b  ............e.D.
    …
    0060: 2e 52 49 75 fb 9d b3 00  96 77 53 29 46 f5 60 ae  .RIu.....wS.F...
    0070: b2 84 59 db f1 fc 66 6e  5f 41 51 75 da 52 c5 4a  ..Y...fn.AQu.R.J
  }
}
)
[06/04/21 16:14:33:579 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.575 BST|Thread.java:1164|Produced client Finished handshake message (
"Finished": {
  "verify data": {
    0000: 69 8c 88 f6 6a 03 b6 81  ad d6 58 c1 
  }'}
)
IBMJCE version 1.8
[06/04/21 16:14:33:716 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.714 BST|Thread.java:1164|Consuming server Finished handshake message (
"Finished": {
  "verify data": {
    0000: 84 65 d5 89 28 fc 35 0c  47 a0 e3 42 
  }'}
)
[06/04/21 16:14:34:642 BST] 00000078 DSConfigurati I   DSRA8025I: Successfully connected to DataSource.
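Added example (not part of the original post): a short Python triage of the `javax.net.ssl` debug trace above. For each handshake it reports the negotiated version and cipher suite, whether the JVM found the server certificate in its trust store, and properties a reviewer would want flagged. The function names and the abridged `SAMPLE` are constructed for illustration.

```python
import re

FIELD = re.compile(r'"([^"]+?)"\s*:\s*"([^"]*)"')

# Constructed sample: one handshake abridged from the trace above, same record layout.
SAMPLE = """\
[06/04/21 16:14:33:427 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.426 BST|Thread.java:1164|Consuming ServerHello handshake message (
  "server version"      : "TLSv1.2",
  "cipher suite"        : "SSL_RSA_WITH_AES_256_GCM_SHA384(0x009D)",
)
[06/04/21 16:14:33:522 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.521 BST|Thread.java:1164|Consuming server Certificate handshake message (
    "version"            : "v1",
    "issuer"             : "CN=dbserver01.miracle.com",
    "subject"            : "CN=dbserver01.miracle.com",
)
[06/04/21 16:14:33:524 BST] 00000078 SystemOut     O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.523 BST|Thread.java:1164|Found trusted certificate (
)
"""

def parse_records(log):
    """Split JSSE debug output into (message, fields) pairs, one per timestamped record."""
    records = []
    for line in log.splitlines():
        if line.startswith("["):  # a timestamp opens a new record
            records.append((line.rsplit("|", 1)[-1].rstrip(" ("), {}))
        elif records:
            for key, value in FIELD.findall(line):
                records[-1][1].setdefault(" ".join(key.split()), value)
    return records

def review(log):
    """Return one summary dict per handshake (per ServerHello) with review findings."""
    handshakes = []
    for msg, f in parse_records(log):
        if msg.startswith("Consuming ServerHello"):
            suite = f.get("cipher suite", "")
            hs = {"version": f.get("server version"), "suite": suite, "trusted": False, "findings": []}
            if re.match(r"(SSL|TLS)_RSA_WITH_", suite):
                hs["findings"].append("static RSA key exchange, no forward secrecy")
            handshakes.append(hs)
        elif handshakes and msg.startswith("Consuming server Certificate"):
            if f.get("issuer") and f.get("issuer") == f.get("subject"):
                handshakes[-1]["findings"].append("self-signed server certificate")
            if f.get("version") == "v1":
                handshakes[-1]["findings"].append("X.509 v1 certificate, carries no extensions")
        elif handshakes and msg.startswith("Found trusted certificate"):
            handshakes[-1]["trusted"] = True
    return handshakes
```

Calling `review()` on the full SystemOut.log text instead of `SAMPLE` yields one entry per ServerHello, so repeated connection attempts can be compared side by side.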

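What version of the JDBC driver are you using? If you are using the latest 18.3, you can pass the connection properties in the URL. Check out this blog for 12.2 and lower versions.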