我有一個web應用,當通過Netbeans調用時,它運行在Tomcat下。我試圖讓它在eclipse下運行。配置Tomcat的SSL連接器,由eclipse調用
應用程序正在運行,但其Web服務調用之一失敗並顯示「握手錯誤」消息。我已經閱讀了關於爲Tomcat配置SSL連接器以供使用的不同事情,但我沒有得到它的工作。
我的疑惑在於用於證書文件和證書密鑰文件的密碼。我此刻的以下接口:
<Connector
SSLCertificateFile="c:\Program Files\Java\jdk1.7.0_07\jre\lib\security\csi_keystore.jks"
SSLCertificateKeyFile="c:\Program Files\Java\jdk1.7.0_07\jre\lib\security\jssecacerts"
SSLCipherSuite="RC4-SHA:HIGH:!ADH:!SSLv2:@STRENGTH"
SSLEnabled="true"
SSLPassword="psw1"
SSLProtocol="all" acceptCount="100" disableUploadTimeout="true"
enableLookups="false" executor="tomcatThreadPool" maxThreads="200"
port="443" scheme="https" secure="true"/>
而且從NetBeans中運行時,傳遞到Tomcat以下參數:
-Dhttps.proxyHost=127.0.0.1 -Dhttps.proxyPort=8888 -DproxySet=true
-Xms1024m -Xmx1024m -server -Djava.awt.headless=true -XX:NewSize=256m
-XX:MaxNewSize=256m -XX:PermSize=512m -XX:MaxPermSize=512m
-XX:+UseConcMarkSweepGC -XX:+UseParNewGC
-Djavax.net.ssl.keyStore="C:\Program Files\Java\jdk1.7.0_07\jre\lib\security\csi_keystore.jks"
-Djavax.net.ssl.keyStorePassword=psw2
-Djavax.net.ssl.trustStore="C:\Program Files\Java\jdk1.7.0_07\jre\lib\security\jssecacerts"
-Djavax.net.ssl.trustStorePassword="psw2"
望着Tomcat文檔,我沒有看到「了SSLCertificateFile 「和」SSLCertificateKeyFile「參數在我得到的例子中;那些準確嗎?密碼是什麼?
該文檔包含參數「keystore」和「keypass」的示例;那些是等同的嗎?還是首選?我還需要密鑰文件和密碼嗎?
=== EDIT ===
好的,我現在明白,JSSE和APR是Tomcat使用SSL通信的不同的實施方式,並且對於每一個的配置是不同的。我確信我們正在使用JSSE; Netbeans的配置是
-Djavax.net.ssl.keyStore="C:\Program Files\Java\jdk1.7.0_07\jre\lib\security\csi_keystore.jks"
-Djavax.net.ssl.keyStorePassword=thePassword
-Djavax.net.ssl.trustStore="C:\Program Files\Java\jdk1.7.0_07\jre\lib\security\jssecacerts"
-Djavax.net.ssl.trustStorePassword="thePassword"
添加到命令行來執行所述服務器(以及其他參數),並且看起來像JSSE參數給我。所以我把下面的連接器插入server.xml中:
<Connector
SSLEnabled="true"
clientAuth="false"
keystoreFile="c:\Program Files\Java\jdk1.7.0_07\jre\lib\security\csi_keystore.jks"
keystorePass="changeit"
maxThreads="200"
port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https"
secure="true"
sslProtocol="TLS"
enableLookups="false"
/>
,但我沒有看到有關「的trustStore」或它的密碼有什麼。這些參數是否應該在server.xml中?或者你看到我做錯了什麼?
我已經打開了詳細的調試(-Djavax.net.debug=all
);在異常點,我得到的是下面幾行:
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C C5 D8 0A 7E A5 D1 18 87 5A D6 EE EB ............Z...
Padded plaintext before ENCRYPTION: len = 36
0000: 14 00 00 0C C5 D8 0A 7E A5 D1 18 87 5A D6 EE EB ............Z...
0010: 7D D4 BE 23 3C DB 78 99 10 43 94 45 10 09 20 8A ...#<.x..C.E.. .
0020: C7 41 74 B0 .At.
main, WRITE: TLSv1 Handshake, length = 36
[Raw write]: length = 41
0000: 16 03 01 00 24 5A 3F 83 45 A2 AA 61 7E F6 11 2D ....$Z?.E..a...-
0010: 43 9D 15 A7 46 D7 FC 6B F5 F2 26 BB 3E 35 D5 ED C...F..k..&.>5..
0020: 0D 3F 81 84 6B BF 12 69 48 .?..k..iH
[Raw read]: length = 5
0000: 15 03 01 00 02 .....
[Raw read]: length = 2
0000: 02 28 .(
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
%% Invalidated: [Session-4, SSL_RSA_WITH_RC4_128_SHA]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
DEBUG:[22:01:36] Could not close WebServiceConnection
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1977)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1093)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1328)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1090)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
at org.springframework.ws.transport.http.HttpUrlConnection.getRequestOutputStream(HttpUrlConnection.java:84)
,當然,更多的...
你使用什麼樣的證書的配置Tomcat的更多信息?自簽名證書還是CA生成的證書? –
這是我們所稱的站點Web服務站點的CA證書。 – arcy
您是否在密鑰庫中安裝了CA根證書和證書? (爲「錨」信任您的證書鏈,你必須輸入密鑰庫中的CA根證書) –