Exception when using SSL in EJB: Keystore was tampered with, or password was incorrect

Posted on 2024-11-29 17:00:51

I have followed the instructions in the Oracle Tutorial to create new "keystore.jks" and "cacerts.jks" files with a new password (not using the default "changeit"). To be more precise, I used the following 3 commands to generate the files:

1. keytool -genkey -alias s1as -keyalg RSA -keypass newpass -storepass newpass -keystore keystore.jks
2. keytool -export -alias s1as -storepass newpass -file server.cer -keystore keystore.jks
3. keytool -import -v -trustcacerts -alias s1as -file server.cer -keystore cacerts.jks -keypass newpass -storepass newpass

After I copied the new "keystore.jks" and "cacerts.jks" files into the "/domains/domain1/config" folder and started the App server, I ran into the following exception:

IllegalStateException: Keystore was tampered with, or password was incorrect

However, I think the password should be correct because when I was configuring GlassFish to use the new files, I did add this line to the JVM options:

-Djavax.net.ssl.keyStorePassword=newpass

I tried to compare the old "keystore.jks" file with the new one using the command:

keytool -list -v -keystore keystore.jks

I noticed that in the result for the old file, other than the s1as certificate's information, it also contains the following lines:

Extensions:
#1 ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 1B 31 49 23 1C 5B 17 1D    9F 02 86 FD F7 2B 44 F4   .1I#.[.........+D.
0010: 1B E3 7A C6
]
]

The result for the new file doesn't contain anything similar to the above lines. In my app, I intend to use a self-signed certificate. I'd be very grateful if someone could give me some advice on how to tackle this problem.

Best regards,

James Tran

Comments (1)

我也只是我 2024-12-06 17:00:51

Try adding this parameter -Djavax.net.ssl.trustStorePassword=newpass
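
A way to confirm, outside the application server, that each store opens with the password the JVM is given through the two system properties mentioned in this thread. This is an added example, not code from the question or the answer; the class name StoreCheck is hypothetical, it assumes Java 9 or later, and it assumes key entries use the same password as the store (as in the keytool commands above).

```java
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

// Added example (hypothetical class name). Run from the directory holding the stores, or
// pass that directory as the first argument:
//   java -Djavax.net.ssl.keyStorePassword=... -Djavax.net.ssl.trustStorePassword=... StoreCheck.java
public class StoreCheck {
    // Returns null if the store opens and its key entries decrypt, else a reason.
    static String check(File store, char[] password) {
        if (password == null) return "no password supplied";
        try {
            // Java 9+: detects JKS vs PKCS12 and verifies the store password.
            KeyStore ks = KeyStore.getInstance(store, password);
            for (String alias : Collections.list(ks.aliases())) {
                if (ks.isKeyEntry(alias)) {
                    // -keypass can differ from -storepass, so test the key too.
                    ks.getKey(alias, password);
                }
            }
            return null;
        } catch (IOException e) {
            // A wrong store password surfaces as IOException caused by UnrecoverableKeyException.
            return (e.getCause() instanceof UnrecoverableKeyException)
                    ? "store password rejected" : "unreadable: " + e.getMessage();
        } catch (UnrecoverableKeyException e) {
            return "key password rejected";
        } catch (GeneralSecurityException e) {
            return "failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String dir = args.length > 0 ? args[0] : ".";
        String[][] stores = {
            {"keystore.jks", "javax.net.ssl.keyStorePassword"},
            {"cacerts.jks", "javax.net.ssl.trustStorePassword"},
        };
        for (String[] s : stores) {
            String pw = System.getProperty(s[1]);
            String err = check(new File(dir, s[0]), pw == null ? null : pw.toCharArray());
            System.out.println(s[0] + " (" + s[1] + "): " + (err == null ? "OK" : err));
        }
    }
}
```

A store reported as "no password supplied" means the corresponding property was never set on the command line, which is the case the answer above addresses for cacerts.jks.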
