- android - 多次调用 OnPrimaryClipChangedListener
- android - 无法更新 RecyclerView 中的 TextView 字段
- android.database.CursorIndexOutOfBoundsException : Index 0 requested, 光标大小为 0
- android - 使用 AppCompat 时,我们是否需要明确指定其 UI 组件(Spinner、EditText)颜色
最近我们开始将我们的应用程序从 websphere-liberty 16.0.0.2 迁移到版本 17.0.0.2(在这两种情况下都使用 javaee7 配置文件)。在 server.xml 中使用相同的 SSL 配置,由于 SSL 握手失败,应用程序无法通过 https 调用远程休息服务。这是我的 server.xml
<?xml version="1.0" encoding="UTF-8"?>
<server description="Default server">
<featureManager>
<feature>appSecurity-2.0</feature>
<feature>transportSecurity-1.0</feature>
<feature>jaxrs-2.0</feature>
<feature>json-1.0</feature>
<feature>javaMail-1.5</feature>
<feature>ssl-1.0</feature>
</featureManager>
<sslDefault sslRef="defaultSSLSettings" />
<ssl id="defaultSSLSettings" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" clientAuthentication="true" sslProtocol="TLSv1" />
<keyStore id="defaultKeyStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/key.jks" password="**********" />
<keyStore id="defaultTrustStore" location="/opt/ibm/wlp/output/defaultServer/resources/security/trust.jks" password="***********" />
<basicRegistry id="basic" realm="BasicRealm">
<!-- <user name="yourUserName" password="" /> -->
</basicRegistry>
<variable name="defaultHostName" value="default-host.com" />
<!-- To allow access to this server from a remote client host="*" has been added to the following element -->
<httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />
<!-- Automatically expand WAR files and EAR files -->
<applicationManager autoExpand="true"/>
<logging logDirectory="/var/log/wlp" traceSpecification="*=INFO:SSL=all" traceFileName="trace.log" consoleLogLevel="info" copySystemStreams="true"/>
</server>
websphere-liberty v.16 的 server.xml 中的唯一区别是没有启用 transportSecurity-1.0 功能。
应用程序通过 https 调用的 rest 服务提供由“GeoTrust Global CA”签名的 SSL 证书。如果将证书导入信任库“trust.jks”,那么一切正常,但我希望证书在握手期间被自动接受,因为它不是自签名的。
websphere-liberty 17.0.0.2 做了哪些与 SSL 相关的改动?是否需要在 server.xml 中进行额外的安全配置?
服务器版本:
WebSphere Application Server 17.0.0.2 (1.0.17.cl170220170523-1818) on IBM J9 VM, version pxa6480sr4fp10-20170727_01 (SR4 FP10) (en_US)
WebSphere Application Server 16.0.0.2 (1.0.13.cl160220160526-2258) on IBM J9 VM, version pxa6480sr3fp10-20160720_02 (SR3 FP10) (en_US)
错误堆栈跟踪:
server_1 | [INFO ] FFDC1015I: An FFDC Incident has been created: "java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
server_1 | java.security.cert.CertPathValidatorException: The certificate issued by CN=GeoTrust Global CA, O=GeoTrust Inc., C=US is not trusted; internal cause is:
server_1 | java.security.cert.CertPathValidatorException: Certificate chaining error com.ibm.ws.ssl.core.WSX509TrustManager checkServerTrusted" at ffdc_17.08.09_14.50.00.0.log
server_1 | [ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=*.api.ibm.com, O=International Business Machines, L=Armonk, ST=New York, C=US was sent from the target host. The signer might need to be added to local trust store /opt/ibm/wlp/output/defaultServer/resources/security/trust.jks, located in SSL configuration alias defaultSSLSettings. The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
server_1 | java.security.cert.CertPathValidatorException: The certificate issued by CN=GeoTrust Global CA, O=GeoTrust Inc., C=US is not trusted; internal cause is:
server_1 | java.security.cert.CertPathValidatorException: Certificate chaining error
server_1 | [WARNING ] Interceptor for {https://dev.api.ibm.com/scx/test}WebClient has thrown exception, unwinding now
server_1 | Could not send Message.
server_1 | [ERROR ] 2017-08-09 14:50:00 ExceptionMapper:23 - javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://dev.api.ibm.com/scx/test/customer/321321321: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.
server_1 | javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://dev.api.ibm.com/scx/test/customer/321321321: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.
server_1 | at org.apache.cxf.jaxrs.client.AbstractClient.checkClientException(AbstractClient.java:632)
server_1 | at org.apache.cxf.jaxrs.client.AbstractClient.preProcessResult(AbstractClient.java:608)
server_1 | at org.apache.cxf.jaxrs.client.WebClient.doResponse(WebClient.java:1105)
server_1 | at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:1042)
server_1 | at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:895)
server_1 | at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:863)
server_1 | at org.apache.cxf.jaxrs.client.WebClient.invoke(WebClient.java:426)
server_1 | at org.apache.cxf.jaxrs.client.WebClient$SyncInvokerImpl.method(WebClient.java:1554)
server_1 | at org.apache.cxf.jaxrs.client.WebClient$SyncInvokerImpl.method(WebClient.java:1549)
server_1 | at org.apache.cxf.jaxrs.client.WebClient$SyncInvokerImpl.get(WebClient.java:1469)
server_1 | at org.apache.cxf.jaxrs.client.spec.InvocationBuilderImpl.get(InvocationBuilderImpl.java:80)
server_1 | at com.ibm.si.saas.sbs.service.SBSApiService.getCustomer(SBSApiService.java:84)
server_1 | at com.ibm.si.saas.sbs.resource.SbsEndpointApiResource.getConsoles(SbsEndpointApiResource.java:49)
server_1 | at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
server_1 | at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
server_1 | at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
server_1 | at java.lang.reflect.Method.invoke(Method.java:508)
server_1 | at com.ibm.ws.jaxrs20.server.LibertyJaxRsServerFactoryBean.performInvocation(LibertyJaxRsServerFactoryBean.java:632)
server_1 | at com.ibm.ws.jaxrs20.server.LibertyJaxRsInvoker.performInvocation(LibertyJaxRsInvoker.java:118)
server_1 | at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
server_1 | at com.ibm.ws.jaxrs20.server.LibertyJaxRsInvoker.invoke(LibertyJaxRsInvoker.java:252)
server_1 | at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:189)
server_1 | at com.ibm.ws.jaxrs20.server.LibertyJaxRsInvoker.invoke(LibertyJaxRsInvoker.java:423)
server_1 | at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:99)
server_1 | at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:61)
server_1 | at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:99)
server_1 | at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
server_1 | at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:124)
server_1 | at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:274)
server_1 | at com.ibm.ws.jaxrs20.endpoint.AbstractJaxRsWebEndpoint.invoke(AbstractJaxRsWebEndpoint.java:134)
server_1 | at com.ibm.websphere.jaxrs.server.IBMRestServlet.handleRequest(IBMRestServlet.java:149)
server_1 | at com.ibm.websphere.jaxrs.server.IBMRestServlet.doGet(IBMRestServlet.java:115)
server_1 | at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
server_1 | at com.ibm.websphere.jaxrs.server.IBMRestServlet.service(IBMRestServlet.java:99)
server_1 | at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1290)
server_1 | at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:778)
server_1 | at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:475)
server_1 | at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1161)
server_1 | at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:4983)
server_1 | at com.ibm.ws.webcontainer31.osgi.webapp.WebApp31.handleRequest(WebApp31.java:528)
server_1 | at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.handleRequest(DynamicVirtualHost.java:315)
server_1 | at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1025)
server_1 | at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:280)
server_1 | at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:967)
server_1 | at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:359)
server_1 | at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:318)
server_1 | at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:471)
server_1 | at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:405)
server_1 | at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:285)
server_1 | at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:256)
server_1 | at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:174)
server_1 | at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:83)
server_1 | at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:504)
server_1 | at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:574)
server_1 | at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:929)
server_1 | at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1018)
server_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
server_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
server_1 | at java.lang.Thread.run(Thread.java:785)
server_1 | Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://dev.api.ibm.com/scx/test/customer/321321321: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.
server_1 | at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
server_1 | at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:83)
server_1 | at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:57)
server_1 | at java.lang.reflect.Constructor.newInstance(Constructor.java:437)
server_1 | at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1385)
server_1 | at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1369)
server_1 | at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
server_1 | at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:653)
server_1 | at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
server_1 | at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
server_1 | at org.apache.cxf.jaxrs.client.AbstractClient.doRunInterceptorChain(AbstractClient.java:704)
server_1 | at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:1041)
server_1 | ... 55 more
server_1 | Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.
server_1 | at com.ibm.jsse2.k.a(k.java:17)
server_1 | at com.ibm.jsse2.at.a(at.java:851)
server_1 | at com.ibm.jsse2.D.a(D.java:333)
server_1 | at com.ibm.jsse2.D.a(D.java:113)
server_1 | at com.ibm.jsse2.E.a(E.java:79)
server_1 | at com.ibm.jsse2.E.a(E.java:107)
server_1 | at com.ibm.jsse2.D.r(D.java:610)
server_1 | at com.ibm.jsse2.D.a(D.java:372)
server_1 | at com.ibm.jsse2.at.a(at.java:558)
server_1 | at com.ibm.jsse2.at.i(at.java:73)
server_1 | at com.ibm.jsse2.at.a(at.java:357)
server_1 | at com.ibm.jsse2.at.startHandshake(at.java:723)
server_1 | at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:215)
server_1 | at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:34)
server_1 | at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1561)
server_1 | at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1489)
server_1 | at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491)
server_1 | at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:80)
server_1 | at org.apache.cxf.transport.http.URLConnectionHTTP
server_1 | Conduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:370)
server_1 | at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1586)
server_1 | at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1615)
server_1 | at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1559)
server_1 | at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1356)
server_1 | ... 61 more
server_1 | Caused by: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.
server_1 | at com.ibm.ws.ssl.core.WSX509TrustManager.checkServerTrusted(WSX509TrustManager.java:322)
server_1 | at com.ibm.jsse2.az.checkServerTrusted(az.java:78)
server_1 | at com.ibm.jsse2.E.a(E.java:5)
server_1 | ... 79 more
这是尝试使用 openssl 连接时的输出:
openssl s_client -CAfile /opt/ibm/java/jre/lib/security/cacerts -connect dev.api.ibm.com:443
Certificate chain
0 s:/C=US/ST=New York/L=Armonk/O=International Business Machines/CN=*.api.ibm.com
i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2859 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 9509AB7194AB9DE0ABE219ECAE442C5D2C93145946FC2285CB9C4F5CCC81514F
Session-ID-ctx:
Master-Key: 335D047C41E5FE75096E53C9CBACC7C1CC8F6254872599EFE93C7AD5935638181AAF9240656BD44A858723C38108BB31
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1502310152
Timeout : 300 (sec)
Verify return code: 0 (ok)
最佳答案
您描述事物的方式听起来像是在运行 Liberty 16.0.0.2 时在您的场景中使用了 JSSE SSL 上下文。如果 cacerts 文件被用于信任,那么它一定是。老实说,如果您不在代码中提供 ssl 引用,我认为 jaxrs 应该回退到 Liberty SSLContext。我对此可能是错的,将不得不进行调查。
因此,在 17.0.0.2 并使用 transportSecurity-1.0 功能,您现在使用的是 Liberty SSLContext。这是 transportSecurity-1.0 的正确行为,如果 server.xml 文件中没有 ssl 配置,jaxrs 只会回退到 JSSE 默认的 SSLContext。 transportSecurity-1.0 功能支持新的出站 SSL 功能,出站默认值,https://www.ibm.com/support/knowledgecenter/en/was_beta_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_config_ssl_outbound.html。和出站 SSL 过滤器功能,https://www.ibm.com/support/knowledgecenter/en/was_beta_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/rwlp_config_ssl_outbound_filter.html .
因此,如果您使用 transportSecurity-1.0 功能,您将需要将签名者添加到您的 Liberty 信任库中,Liberty 不会自动接受签名者。
如果使用 ssl-1.0 功能,我将不得不调查行为应该是什么。
关于java - 从 websphere-liberty 16 迁移到版本 17 后出现 SSLHandshakeException,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/45594314/
是否有任何文档提供有关 Liberty Core、Liberty Base、Liberty Network Deployment 版本之间差异的信息? 我想使用 Liberty 并将我的应用程序部署到
从开发人员的角度来看,Installation Manager安装的WebSphere Application Server(1.5GB)与WebSphere Application Server V
我有一个基本问题,用谷歌搜索但找不到答案 例如我在WAS liberty上创建了一个应用服务器 example : bin/server create simpleServer 如何从 WAS li
我们如何在 IBM liberty 中定义和更改自定义属性值,当从 WAS 迁移到 liberty 时,在 WAS 中的属性下方(Web 容器设置 > Web 容器 > 自定义properties >
我想将 Open Liberty 运行时的语言更改为 en_US从 Eclipse IDE 中,但我不知道如何。 也尝试使用 JVM 参数的首选项来设置它,但它没有用。 -Duser.language
只有当服务器收到它的第一个请求时,Liberty Profile 才会加载我们部署到它的 EAR 和 WAR。我们如何告诉它在服务器启动时立即加载应用程序? 我们使用的是最新的 8.5.5 WLP。
我正在将一个打包的自由服务器部署到包含我的应用程序的 Bluemix 中。 我想更新我的应用程序,但在此之前,我想知道备份当前已启动和运行的应用程序的最佳方法是什么?如果我的更新不好,我想恢复我的应用
关闭。这个问题需要更多focused .它目前不接受答案。 想改善这个问题吗?更新问题,使其仅关注一个问题 editing this post . 4年前关闭。 Improve this questi
我正在寻找扩展包含在 Bluemix 中的 WebSphere Liberty buildpack 以及来 self 们的应用程序架构的一些第三方库,因此 EAR 文件的大小将减少很多,并且 cf p
即使相同的 WAR 在远程服务器上工作,我似乎也无法在本地工作。当我在本地访问我的应用程序时,出现“找不到上下文根”错误。 Liberty 配置文件版本为 8.5.5.5。 以下是相关文件: 服务器.
我知道 Liberty 是免费的,但想确认 IBM WAS Liberty Network Deployment 配置文件 也是免费的吗?我们也可以构建集群。 This文章说: Liberty pro
我尝试在 Liberty Profile 中运行现有的 WebSphere 应用程序,但遇到了问题。该应用程序在服务器中配置了一个资源环境条目,我需要将其转换为 Liberty Profile 资源。
这个问题在这里已经有了答案: Webpshere Liberty support for Java 9 (1 个回答) 关闭 5 年前。 在装有 Oracle Java 9.0.1 的 macOS
我尝试将 PostgreSQL 与我的 MicroProfile 应用程序一起使用,但无法加载驱动程序。我的 server.xml 包含以下内容: 我尝试通过 m
IBM WebSphere Liberty Profile提供 "wmqJmsClient-2.0"互动功能 IBM MQ Open Liberty 是否有等价物? [更新] 如果不是(看起来),如何
是否可以使用官方镜像在运行到Docker容器的独立Web Sphere Liberty Server上启用“部署”选项?当我登录到adminCenter时,我只能看到以下选项: 最佳答案 仅当使用集合
我使用了 open-liberty 19.0.0.6 。但是此应用程序服务器无法在 docker 容器上使用 ssl 端口 (https) 。 收到这个 nullPointerException :
有人能给我提供一些有关使用 Liberty 嵌入式 JMS 消息传递提供程序在 WLS liberty 配置文件版本 16.0.0.2 上设置 DLQ 的引用吗?我有一个配置了 spring jms
最近遇到了使用 Jailbreak detection 保护 iOS 应用程序的问题在 OS 12.1 上,带有 Liberty Lite已启用 我在 AppDelegate 和初始 ViewCont
能够在本地Docker容器中部署Liberty Docker镜像,并且可以访问Liberty服务器。 我将自由镜像推送到安装在系统中的Minishift上,但是在创建docker容器时,面临如下错误:
我是一名优秀的程序员,十分优秀!