我可以让 HttpClient 使用 Weblogic 的自定义密钥库/信任库设置吗？

发布于 2024-11-09 23:49:16 字数 603 浏览 6 评论 0原文

我的应用程序使用部署在 Weblogic 10.3 上的 Apache HttpClient 3.1 来执行使用 SSL 相互身份验证的 POST。我可以使用以下系统属性来配置密钥库并使其正常工作。 truststore：-

-Djavax.net.ssl.keyStore=C:\Keystore\KEYSTORE.jks
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore=C:\Truststore\TRUSTSTORE.jks
-Djavax.net.ssl.trustStorePassword=changeit

有什么方法可以让 HttpClient 识别并使用 Weblogic 自定义 keystore 和密钥库吗？ 信任库设置（在控制台/config.xml中配置）。除此之外，这将提供保持密码“隐藏”并且在配置文件/控制台等中不以纯文本形式可见的能力。

任何人都可以启发我吗？

原文

My application is using Apache's HttpClient 3.1 deployed on Weblogic 10.3 to perform a POST using SSL mutual authentication. I can get this to work using the following system properties to configure the keystore & truststore:-

-Djavax.net.ssl.keyStore=C:\Keystore\KEYSTORE.jks
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore=C:\Truststore\TRUSTSTORE.jks
-Djavax.net.ssl.trustStorePassword=changeit

Is there any way to get HttpClient to recognize and use the Weblogic custom keystore & truststore settings (as configured in the console / config.xml). Amongst other things this would provide the ability to keep the passwords "hidden" and not visible as plain text in config files / console etc.

Can anyone enlighten me?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

夜巴黎 2024-11-16 23:49:16

我已经能够通过实现自定义 TrustStrategy：

import sun.security.provider.certpath.X509CertPath;
import weblogic.security.pk.CertPathValidatorParameters;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPath;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public class WeblogicSSLTrustStrategy implements TrustStrategy {

  @Override
  public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    validator = CertPathValidator.getInstance("WLSCertPathValidator");
    CertPath certPath = new X509CertPath(Arrays.asList(chain));

    // supply here the weblogic realm name, configured in weblogic console
    // "myrealm" is the default one
    CertPathParameters params = new CertPathValidatorParameters("myrealm", null, null);
    try {
      validator.validate(certPath, params);
    } catch (CertPathValidatorException e) {
      throw new CertificateException(e);
    } catch (InvalidAlgorithmParameterException e) {
      throw new CertificateException(e);
    }

    return true;
  }
}

此代码基于 Weblogic 文档。该策略可以通过 SSLSocketFactory 传递给 HttpClient：

SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(new Scheme("http", 80, PlainSocketFactory.getSocketFactory()));

SSLSocketFactory sslSocketFactory = new SSLSocketFactory(new WeblogicSSLTrustStrategy());
schemeRegistry.register(new Scheme("https", 443, sslSocketFactory));

PoolingClientConnectionManager connectionManager = new PoolingClientConnectionManager(schemeRegistry);

DefaultHttpClient httpClient = new DefaultHttpClient(connectionManager);

唯一未知的参数是 Weblogic 领域名称，可以从 Weblogic JMX API 获取，或者简单地预先配置。这样就不需要实例化信任存储或重新配置 Weblogic 启动参数。

I have been able to get HttpClient to use the custom weblogic trust store certificates for SSL connection by implementing custom TrustStrategy:

import sun.security.provider.certpath.X509CertPath;
import weblogic.security.pk.CertPathValidatorParameters;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPath;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public class WeblogicSSLTrustStrategy implements TrustStrategy {

  @Override
  public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    validator = CertPathValidator.getInstance("WLSCertPathValidator");
    CertPath certPath = new X509CertPath(Arrays.asList(chain));

    // supply here the weblogic realm name, configured in weblogic console
    // "myrealm" is the default one
    CertPathParameters params = new CertPathValidatorParameters("myrealm", null, null);
    try {
      validator.validate(certPath, params);
    } catch (CertPathValidatorException e) {
      throw new CertificateException(e);
    } catch (InvalidAlgorithmParameterException e) {
      throw new CertificateException(e);
    }

    return true;
  }
}

This code is based on Weblogic documentation. The strategy can be passed to HttpClient via SSLSocketFactory:

SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(new Scheme("http", 80, PlainSocketFactory.getSocketFactory()));

SSLSocketFactory sslSocketFactory = new SSLSocketFactory(new WeblogicSSLTrustStrategy());
schemeRegistry.register(new Scheme("https", 443, sslSocketFactory));

PoolingClientConnectionManager connectionManager = new PoolingClientConnectionManager(schemeRegistry);

DefaultHttpClient httpClient = new DefaultHttpClient(connectionManager);

The only unknown parameter is the Weblogic Realm name, which can be taken from Weblogic JMX API, or simply preconfigured. This way it does not require to instantiate the trust store or to reconfigure Weblogic startup parameters.

回复收藏 0 原文

飘过的浮云 2024-11-16 23:49:16

您可以使用 KeyStoreMBean。但请预先警告，由于以下原因，这可能不是一项简单的练习：

这将需要在 JMX 客户端中以明文形式存储密钥库密码（现在您将在应用程序中编写一个密钥库密码）。这是不安全的，安全审核可能会因此失败，具体取决于审核的目的。
由于 JMX 服务配置，MBean 可能无法在运行时访问，或者必须在不同场景中以不同方式访问。假设 WebLogic 11g，这些值可能会通过将 JMXMBean 的 EditMBeanServerEnabled 属性的值设置为 false。

回复收藏 0 原文

~没有更多了~