How to use a self-signed certificate in an Axis2 Java client?
I have generated code using org.codehaus.mojo axistools-maven-plugin plugin version 1.4. I am trying to connect to web service over https. I have installed server certificate into jssecacerts and copied this key store into /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/ folder. So this means I have server certificate in the client keystore. I have also imported server private key and certificate into keystore.ImportKey key store. I guess I will have to use this as trust store. Now, how do I connect all these together in java client?
I am using auto generated stub at client side. I tried using following but does not work.
System.setProperty("javax.net.ssl.trustStore","certs/keystore.ImportKey");
System.setProperty("javax.net.ssl.trustStorePassword", "importkey");
I am getting following exception.
faultString: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
The certificates are valid as I am using same certs over HTTPS client for the same host. Also, I was able to see successful curl request using the same certs. Actually, I am not sure how to write Axis2 soap Java client over https using self signed server certificate. Can anyone point me to step by step example?
On the client side, you do not need the certificate private key to trust the server. Since you wrote in your question that you imported the certificate and key in keystore.ImportKey I think that they have been imported as a PrivateKeyEntry (you can verify with keytool the type of entries in the keystore).
However if you want to use the certificate as a trust anchor you should import the certificate as a TrustedCertificateEntry. It can be achieved with keytool:
Then you can configure the truststore in your application:
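The entry-type check and certificate-only import described in this answer, as an added Java example that is not the answerer's code (their keytool and configuration snippets did not survive on this page). The class name, the output path and the passwords passed on the command line are assumptions; it needs Java 11 or later for single-file launch.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example. All four arguments are assumptions supplied by the caller, e.g.
//   java KeystoreEntryTypes.java certs/keystore.ImportKey importkey certs/truststore.p12 changeit
public class KeystoreEntryTypes {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: <keystore> <password> <truststore-out> <truststore-password>");
            System.exit(2);
        }
        // Auto-detects JKS or PKCS12 from the file contents (Java 9+).
        KeyStore source = KeyStore.getInstance(new File(args[0]), args[1].toCharArray());

        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null); // start from an empty in-memory store

        for (String alias : Collections.list(source.aliases())) {
            String type = source.isKeyEntry(alias) ? "key entry (identity, holds a private key)"
                    : source.isCertificateEntry(alias) ? "trusted certificate entry (trust anchor)"
                    : "other";
            Certificate cert = source.getCertificate(alias);
            String subject = cert instanceof X509Certificate
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName() : "n/a";
            System.out.println(alias + ": " + type + ", subject=" + subject);

            // Copy only the certificate, never the private key, so the new
            // store is safe to use and distribute as a trust store.
            if (cert != null) {
                trust.setCertificateEntry(alias, cert);
            }
        }
        try (FileOutputStream out = new FileOutputStream(args[2])) {
            trust.store(out, args[3].toCharArray());
        }
        System.out.println("wrote " + trust.size() + " trusted certificate entries to " + args[2]);
    }
}
```

Check that the printed subject really is the server's certificate before pointing javax.net.ssl.trustStore at the output file; a key entry whose subject is the client is an identity, not a trust anchor.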
Thanks @Jcs
This is how I solved the problem. When I tried opening the webservice URL in a browser, it asked for client certificate. This means, because I had already imported server certificate in jssecacert in jvm, my client was missing the client certificate. So, instead of setting javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties I set javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword properties and it is working fine. I missed before the fact that the private key and certificate imported into the keystore.ImportKey are basically client identity which I received long back from someone saying those are server certificates. That was misleading me. So, let me summarize the solution if someone is looking for it.
Download server certificate and import into JVM cacerts or jssecacerts on system path. I used this post.
Open webservice URL in a browser and if it asks for client certificate it means server is set to expect certificate from client. In case of self signed certificate you must already have self signed certificate from server. Import these in a keystore and set the system properties for key store and not the trust store before actually making call to web service as shown below. This is because you already have imported server certificate into client trust store (cacerts). Code:
In addition in my case, server is expecting user token and password set into SOAP headers. This is how I set this into SOAP headers:
I hope this explains in detail how to use self signed certificates and WSSE user token and password in axis2 client calling web services over https using usertoken and password.
Cheers! good to go now.
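A handshake check for the setup this answer describes (client identity in javax.net.ssl.keyStore, server certificate already in jssecacerts or cacerts), as an added Java example that is not the poster's code. The class name and the host, port, keystore path and password arguments are assumptions; run it before debugging the Axis stub to see whether the server certificate is trusted and whether a client certificate was actually presented.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example. Arguments are assumptions supplied by the caller, e.g.
//   java MutualTlsCheck.java <host> 443 certs/keystore.ImportKey importkey
public class MutualTlsCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: <host> <port> <client-keystore> <keystore-password>");
            System.exit(2);
        }
        // Client identity (private key plus certificate). Set these before the
        // first TLS connection, because the default SSLContext is built once.
        System.setProperty("javax.net.ssl.keyStore", args[2]);
        System.setProperty("javax.net.ssl.keyStorePassword", args[3]);
        // No trustStore property is set: JSSE falls back to
        // lib/security/jssecacerts if present, otherwise lib/security/cacerts.

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(args[0], Integer.parseInt(args[1]))) {
            // Verify the host name against the certificate, as an HTTPS client would.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            // Throws SSLHandshakeException ("PKIX path building failed") when
            // the server certificate does not chain to a trusted entry.
            socket.startHandshake();

            SSLSession session = socket.getSession();
            X509Certificate server = (X509Certificate) session.getPeerCertificates()[0];
            System.out.println("protocol: " + session.getProtocol());
            System.out.println("server certificate: " + server.getSubjectX500Principal());

            // null means no client certificate was sent during the handshake.
            Certificate[] sent = session.getLocalCertificates();
            System.out.println("client certificate: " + (sent == null ? "none sent"
                    : ((X509Certificate) sent[0]).getSubjectX500Principal().toString()));
        }
    }
}
```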