Using WSIT security on a web service with self-signed certificates (Glassfish)
I used this guide to create certificates for Metro: http://www.jroller.com/gmazza/entry/using_openssl_to_create_certificates
So I now have servicestore.jks and clientstore.jks.
When I check the keystores I see that the PrivateKeyEntry in servicestore.jks is myservicekey and the trustedCertEntry is myclientkey. Vice versa in clientstore.jks.
I use these in the client xml and service wsit xml. I followed the official WSIT tutorial to do this in Netbeans. Everything deploys fine.
So when testing a method call from the client I get the following exception:
[#|2011-10-19T08:59:38.465+0200|INFO|glassfish3.1.1|com.sun.metro.policy|_ThreadID=81;_ThreadName=http-thread-pool-8080(1);|WSP5018: Loaded WSIT configuration from file: file:/opt/glassfish3/glassfish/domains/domain1/applications/testwebapp/WEB-INF/classes/META-INF/wsit-client.xml.|#]
[#|2011-10-19T08:59:41.167+0200|SEVERE|glassfish3.1.1|javax.enterprise.resource.xml.webservices.security|_ThreadID=84;_ThreadName=http-thread-pool-8080(4);|WSS1533: Validation of self signed certificate failed.|#]
[#|2011-10-19T08:59:41.171+0200|SEVERE|glassfish3.1.1|com.sun.xml.wss.provider.wsit|_ThreadID=84;_ThreadName=http-thread-pool-8080(4);|WSITPVD0035: Error in Verifying Security in Inbound Message.
com.sun.xml.wss.XWSSecurityException: Validation of self signed certificate failed
at com.sun.xml.wss.impl.misc.WSITProviderSecurityEnvironment.validateCertificate(WSITProviderSecurityEnvironment.java:937)
at com.sun.xml.ws.security.opt.impl.incoming.X509BinarySecurityToken.validate(X509BinarySecurityToken.java:185)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(SecurityRecipient.java:396)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipient.java:275)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:225)
at com.sun.xml.wss.provider.wsit.WSITServerAuthContext.verifyInboundMessage(WSITServerAuthContext.java:586)
.............
When I tried using a bad password in the client xml I got a different exception and when I used a wrong filename I got a file not found exception. So it finds the clientstore at least.
So I thought there might be something wrong with the service keystore (I'm thinking it might be using a default glassfish one and not my own) and found some options in the domain.xml. So I changed these:
-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=myservicekey
-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/servicestore.jks
-Djavax.net.ssl.keyStorePassword=sspas
-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/servicestore.jks
-Djavax.net.ssl.trustStorePassword=sspass
-DSERVER_KEY_ALIAS=myservicekey
-DCLIENT_KEY_ALIAS=myclientkey
but when I restart the server I get this exception and can't get to the login of the admin console:
.............
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1214)
at com.sun.enterprise.security.ssl.impl.SecuritySupportImpl.loadKS(SecuritySupportImpl.java:254)
at com.sun.enterprise.security.ssl.impl.SecuritySupportImpl.loadStores(SecuritySupportImpl.java:208)
... 63 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
... 67 more
Then I read the following in the WSIT tutorial: In order to use WSIT security on Glassfish, you will have to import your trusted stores into GlassFish's keystore and specify those certificates from NetBeans IDE.
So I can't use my own keystores? Did I miss anything when changing the domain.xml? Or did I go wrong before the whole jvm options thing?
Comments (1)
From the exception message "Validation of self signed certificate failed", I would conclude the server does not trust the client certificate which signs/encrypts the soap message.
You should check which truststore is used by glassfish and whether it contains the client certificate. I don't know much about glassfish, but here seems to be some directions. Is the servicestore.jks used as the truststore, and does it really contain the exact same client certificate? One could easily regenerate the clientstore.jks and forget to recreate the truststore.
If the truststore contains the expected certificate and is actually used by glassfish, you should also check which certificate is sent by the client. Look into the header and have a look for the BinarySecurityToken. Depending on your choice of WSIT, it contains the certificate used in the message.
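One way to run the check the answer describes, as an added example that is not part of the question or the answer: it loads both keystores, takes the certificate behind the client's myclientkey entry (the one the client sends as the BinarySecurityToken) and looks for a byte-identical certificate among the entries of the service truststore, printing SHA-256 fingerprints so a regenerated clientstore.jks shows up as a mismatch. Assumptions: both JKS files are in the working directory (the truststore path can be overridden with -Djavax.net.ssl.trustStore, as in the question's domain.xml), the service password is the sspass from the question, and the client password cspass is a placeholder.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;

/** Verifies that the certificate the client presents is present in the service truststore. */
public class TrustStoreCheck {

    // Loads a JKS file. A wrong password fails here with the same IOException
    // ("Keystore was tampered with, or password was incorrect") shown in the question.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // SHA-256 over the DER encoding, the usual way to compare certificates by eye.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Returns the truststore alias whose certificate equals clientCert (Certificate.equals
    // compares the encoded bytes), or null when the client certificate is not trusted.
    static String findTrustedAlias(KeyStore trust, Certificate clientCert) throws Exception {
        for (String alias : Collections.list(trust.aliases())) {
            Certificate c = trust.getCertificate(alias);
            if (c != null && c.equals(clientCert)) return alias;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String trustPath = System.getProperty("javax.net.ssl.trustStore", "servicestore.jks");
        KeyStore client = load("clientstore.jks", "cspass".toCharArray());   // placeholder password
        KeyStore service = load(trustPath, "sspass".toCharArray());          // password from the question
        // getCertificate on a PrivateKeyEntry returns the first certificate of its chain.
        Certificate clientCert = client.getCertificate("myclientkey");
        System.out.println("client cert SHA-256: " + fingerprint(clientCert));
        String alias = findTrustedAlias(service, clientCert);
        if (alias == null) {
            System.out.println("NOT TRUSTED: no entry in " + trustPath + " matches; re-import the client cert");
        } else {
            System.out.println("trusted via alias '" + alias + "' (" + fingerprint(service.getCertificate(alias)) + ")");
        }
    }
}
```

Because the load step uses the same KeyStore API GlassFish calls in SecuritySupportImpl.loadStores, running it with the passwords from domain.xml also separates a password problem from a missing certificate.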