首先,我对使用Java设置密钥库等知识不多。
我试图调用SOAP Web服务,获得了wsdl,生成了代码,等等。在我部署它并尝试触发WS调用之前,一切似乎都还不错。
这是我的设置:
运行代码时,出现以下异常:
Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://tallyservices-qa.olson.com/tallyDemo2WebServices/tallyDemo2/sms: Received fatal alert: certificate_unknown at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27) at java.lang.reflect.Constructor.newInstance(Constructor.java:513) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1336) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1320) at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622) at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) ... 27 more Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174) at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1837) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1019) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1203) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1230) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1214) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1031) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230) at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:170) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1280) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1231) at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:183) at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47) at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1293) ... 30 more
我在这里遵循了建议:如何使用私钥将.pfx文件转换为密钥库?将该证书安装到我的密钥库中:
keytool -importkeystore -srckeystore C:\somefolder\mypfxfile.pxf -srcstoretype pkcs12 -destkeystore C:\somefolder\clientcert.jks -deststoretype JKS
我得到:
Enter destination keystore password: <mypassword> Re-enter new password: <mypassword> Enter source keystore password: <pxf_password> Entry for alias 67eb31f6 successfully imported. Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
到目前为止,一切看起来都很不错,我跳了tomcat,再次点击了Servlet,仍然遇到相同的错误。
我在这里还想念什么?我需要告诉tomcat证书或其他内容吗?
在此先感谢您为我在密钥库和证书区域中的不便提供帮助和歉意。
编辑: 所以我从CarloPellegrini的帮助中找到了,我需要将密钥库添加到tomcat:现在,我的tomcat是使用其他JAVA_OPTS参数启动的:
"-Djavax.net.ssl.trustStore=C:\somefolder\clientcert.jks -Djavax.net.ssl.trustStorePassword=somepassword"
现在我得到了:
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
从这里开始:错误-trustAnchors参数必须为非空并获取了java.security.InvalidAlgorithmParameterException:使用cas时trustAnchors参数必须为非空-似乎找不到我的truststore?
我想到了我之前的命令:
实际上将pxf放到 密钥库中 ,而不是信任 库中 ?
当我检查密钥库列表时:
C:\somefolder>keytool -list -keystore "C:\somefolder\clientcert.jks" Enter keystore password: Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry 67eb31f6, 13-Feb-2013, PrivateKeyEntry, Certificate fingerprint (MD5): ... some fingerprint ...
所以我不确定我在这里想念什么
我找到了解决方案,我应该使用keyStore而不是trustStore,但是更重要的是,我正在使用的库(cxf 2.7.1)似乎存在问题,我必须直接在代码中设置SSL属性:
// BEGIN FIX to avoid certificate error, need to set this up in the code for cxf String storePath = System.getProperty("javax.net.ssl.keyStore"); String storePassword = System.getProperty("javax.net.ssl.keyStorePassword"); String storeType = System.getProperty("javax.net.ssl.keyStoreType"); KeyStore keyStore = KeyStore.getInstance(storeType); keyStore.load(new FileInputStream(storePath), storePassword.toCharArray()); KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); factory.init(keyStore, storePassword.toCharArray()); KeyManager[] keyManagers = factory.getKeyManagers(); Client client = ClientProxy.getClient(port); HTTPConduit conduit = (HTTPConduit) client.getConduit(); conduit.setTlsClientParameters(new TLSClientParameters()); conduit.getTlsClientParameters().setKeyManagers(keyManagers);
