java - JMXConnector 无法连接到 ssl keystore

Question

我正在尝试使用 ssl keystore 连接到另一台机器上的 MBean 服务器，但我看到了这个错误。我在另一台服务器上也有一个 keystore 和信任库。我还注意到两台机器都有不同的 java 版本。我不确定那是问题所在还是我遗漏了什么。

 java.rmi.ConnectIOException: Exception creating connection to: 10.1.7.259; nested exception is:
        java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
        at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:631)
        at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:216)
        at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
        at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:130)
        at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source)
        at javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2432)
        at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:308)
        at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
        at com.stop.monitor.giab.JMXListenerClient.connect(JMXListenerClient.java:153)
        at com.stop.monitor.giab.JMXListenerClient.main(JMXListenerClient.java:72)
Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
        at javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:248)
        at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:262)
        at javax.rmi.ssl.SslRMIClientSocketFactory.createSocket(SslRMIClientSocketFactory.java:121)
        at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:613)
        ... 9 more
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
        at java.security.Provider$Service.newInstance(Provider.java:1617)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
        at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
        at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
        at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:122)
        at javax.rmi.ssl.SslRMIClientSocketFactory.getDefaultClientSocketFactory(SslRMIClientSocketFactory.java:207)
        at javax.rmi.ssl.SslRMIClientSocketFactory.createSocket(SslRMIClientSocketFactory.java:117)
        at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:613)
        at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:216)
        at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
        at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:342)
        at sun.rmi.transport.DGCImpl_Stub.dirty(Unknown Source)
        at sun.rmi.transport.DGCClient$EndpointEntry.makeDirtyCall(DGCClient.java:361)
        at sun.rmi.transport.DGCClient$EndpointEntry.registerRefs(DGCClient.java:303)
        at sun.rmi.transport.DGCClient.registerRefs(DGCClient.java:139)
        at sun.rmi.transport.ConnectionInputStream.registerRefs(ConnectionInputStream.java:94)
        at sun.rmi.transport.StreamRemoteCall.releaseInputStream(StreamRemoteCall.java:157)
        at sun.rmi.transport.StreamRemoteCall.done(StreamRemoteCall.java:313)
        at sun.rmi.server.UnicastRef.done(UnicastRef.java:451)
        at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
        at com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:118)
        at com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:205)
        at javax.naming.InitialContext.lookup(InitialContext.java:417)
        at javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1957)
        at javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1924)
        at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:287)
        ... 3 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at sun.security.ssl.TrustManagerFactoryImpl.getCacertsKeyStore(TrustManagerFactoryImpl.java:226)
        at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultTrustManager(SSLContextImpl.java:767)
        at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:733)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
        at java.security.Provider$Service.newInstance(Provider.java:1595)
        ... 29 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
        ... 39 more

Answer 1

Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
from TrustManagerFactoryImpl
from SSLContextImpl$DefaultSSLContext.getDefaultTrustManager

通过使用 keytool -list 密码确保您的信任库有效(不要按回车键绕过它)。我认为不可能在 JKS 中创建在 Java 版本之间不兼容的 trustedcert 条目(在某些情况下是 privatekey 条目)但为了安全起见一边使用有问题的客户端使用的 JRE 的 keytool -- 当然是同一个文件。

确保系统属性 javax.net.ssl.trustStore 有文件名(如果不是默认的，JRE/lib/security/[jsse]cacerts)和 javax.net.ssl .trustStorePassword 具有正确的密码(始终)。

此外，如果信任库格式不是 JKS(或足够新的 Java 8 JRE 中的 PKCS12，keystore.type.compat 保留为默认值)指定 javax.net.ssl.trustStoreType 。但是知道如何创建不同寻常的商店的人不会问像你这样的问题。