certificate not trusted by Websphere

Front-end  Unresolved  6  1222
谎友^
谎友^ 2021-01-12 02:58

I have a web application that calls a SOAP web service secured via SSL (https://zzzzzzzzzzzz/xxxxx).

The server sends two certificates (Root and Leaf) s

6 answers
  • I tested a million WebSphere configurations.

    The only procedure that works is the one described in this link:

    http://blog.xebia.com/2012/10/01/mutual-ssl-authentication-using-websphere-application-server-and-cxf/

    By defining the CXF interceptor:

    <cxf:bus>
      <cxf:outInterceptors>
        <bean class="---------------------.WebsphereSslOutInterceptor" />
      </cxf:outInterceptors>
    </cxf:bus>
    

    For more details, please see:

    https://github.com/vlussenburg/websphere-cxf-extensions#websphere-cxf-extensions

    Thanks a lot for your help, guys.

    0  Discussion (0)
  • 2021-01-12 03:41

    Thanks for all the responses above. I was able to resolve the issue java.security.cert.CertPathValidatorException: Certificate chaining error with the following configuration.

    1. Found that the following javax properties returned a null value in WebSphere:
      • javax.net.ssl.trustStore
      • javax.net.ssl.trustStorePassword
      • javax.net.ssl.trustStoreType

    For more details, please see this link:

    java - path to trustStore - set property doesn't work?

    2. Configured the properties as below in WebSphere:

      Select Servers > Application Servers > server_name > Process Definition > Java Virtual Machine > Custom Properties > New.

    a) javax.net.ssl.trustStore = jre_install_dir\lib\security\cacerts

    Example: C:\Program Files\WebSphere\AppServer\java\jre\lib\security\cacerts

    b) javax.net.ssl.trustStorePassword = changeit (default)

    c) javax.net.ssl.trustStoreType = jks

    For more details, please see this link:

    http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.isim.doc_6.0%2Finstalling%2Ftsk%2Ftsk_ic_ins_first_security_truststore.htm

    After the configuration, I was able to see in the logs that the certificates were being added to the trust store.

    Thanks, Uday Nilajkar

    0  Discussion (0)
  • 2021-01-12 03:42

    Here are the steps to import a certificate into the JVM for an HTTPS WS call:

    A) Obtain the Certificate to be Imported

    1. Each browser displays certificates in a different way, but they are usually quite similar. On the browser's URL bar there is usually a zone that you can click on to display SSL certificate information. For example, you may see a padlock in the status bar, and clicking on the padlock opens the certificate information. Once the certificate information is open, click on the "Certification Path" information. There will normally be a way to export each of the signing certificates (trusted roots). Export the certifiers in the "Base-64 encoded X.509 (.CER)" format. The exported file in this format will be an ASCII text file that has "BEGIN CERTIFICATE" and "END CERTIFICATE" lines at the top and bottom. Once you have exported the certificates that signed the remote server's SSL certificate, you can then import them into the JVM.

    B) Import the certificate

    1. Start the ikeyman utility. The utility (ikeyman.bat or ikeyman.sh) is in WAS_HOME\bin.
    2. From the Key Database File menu, select Open.
    3. In the key database type, select JKS.
    4. In the File Name field, type cacerts.
    5. In the Location field, type WAS_HOME\java\jre\lib\security.
    6. In the Password Prompt window, type the password for the keystore in the Password and Confirm Password fields. The default password is changeit. Click OK.
    7. Add the certificate you created for the LDAP server into this certificate store.
    8. In the main window, in the Key database content area, select Signer Certificates from the list. Click Add.
    9. In the Certificate file name field, browse to and locate the server certificate file that was created for the LDAP server, which is in binary DER format. Verify that the appropriate directory is displayed in the Location field. Click OK.
    10. In the prompt, type a label for this certificate. For example, type LDAPCA. Click OK.
    0  Discussion (0)
  • 2021-01-12 03:47

    The problem here is that the certificate path builder (a part of the Java CertPath API) cannot build the certificate chain during the SSL handshake. During the handshake the SSL peer host sends its certificate (identity) to the client; for the client to trust that particular certificate, a chain of trust must be built on the client side, and that is what is happening when you get the fault. The problem here is that the chain of trust cannot be created, since you are missing either the signer certificate and/or the root certificate in your truststore (trust anchor).

    Note that the PKIX trust manager performs a "scope of trust" validation, which means that you do not need a complete certificate chain on the client side to fulfil the trust relationship with the SSL peer; you only need the signer/intermediate certificates in your truststore. In fact, if you put the leaf certificate in the truststore, that should also make things work, since that states that you have explicit trust in that particular certificate and a certificate chain validation is not needed.

    0  Discussion (0)
  • 2021-01-12 03:48

    Maybe you should look at the following technote.

    If you are at a certain fix pack level, you can set the value com.ibm.websphere.ssl.retrieveLeafCert to true and get the leaf certificate when using Retrieve from Port.

    0  Discussion (0)
  • 2021-01-12 03:52

    You should add the whole certificate chain to your configuration. Usually a certificate has at least the root certificate of the Authorization Center, or a chain of similar certificates.

    WAS requires a signed certificate by default.

    0  Discussion (0)
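Added example, not from any of the answers above and not WebSphere, IBM or CXF code: the "scope of trust" answer and the "add the whole chain" answer both come down to what the client's truststore contains versus what the server sends in the handshake. The script below builds a made-up Root -> Intermediate -> Leaf chain with openssl (the names Test Root CA, Test Intermediate CA and ws.example.test are invented for the demo) and then verifies the leaf under each of the truststore layouts discussed in the thread. It assumes openssl 1.1.1 or newer. openssl by default insists on reaching a self-signed root; the `-partial_chain` flag makes it accept any truststore entry as a trust anchor, which is how Java's PKIX trust manager behaves, so that flag is used to model the intermediate-only and leaf-only cases.

```shell
#!/bin/sh
# Added example (not from the thread above): build a Root -> Intermediate -> Leaf
# chain locally and show which truststore contents let the leaf validate.
# All names are made up for the demo. Requires openssl 1.1.1+ (exit status of
# `openssl verify` is non-zero on failure from that version on).

# make_chain DIR: write root/inter/leaf keys and PEM certificates into DIR.
make_chain() {
  dir="$1"
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ws.example.test\n' \
    > "$dir/leaf.ext"

  # Root CA: self-signed.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 365 \
    -set_serial 1 -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

  # Intermediate CA: issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -days 365 -set_serial 2 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null

  # Leaf (the SOAP endpoint's identity): issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ws.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
    -days 365 -set_serial 3 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# verify_leaf STORE UNTRUSTED LEAF [extra `openssl verify` flags]
# STORE plays the client truststore. UNTRUSTED ("" for none) plays the extra
# certificates the server sends alongside its leaf in the handshake.
# Prints OK or FAIL and returns openssl's exit status.
verify_leaf() {
  store="$1"; untrusted="$2"; leaf="$3"; shift 3
  if [ -n "$untrusted" ]; then
    set -- "$@" -untrusted "$untrusted"
  fi
  # -no-CAfile/-no-CApath: use only STORE, not the system CA bundle.
  if openssl verify -no-CAfile -no-CApath "$@" -CAfile "$store" "$leaf" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
    return 1
  fi
}

demo() {
  d=$(mktemp -d)
  make_chain "$d"
  printf '%-52s %s\n' "truststore=root, server sends leaf only:" \
    "$(verify_leaf "$d/root.pem" "" "$d/leaf.pem")"                  # FAIL: chaining error
  printf '%-52s %s\n' "truststore=root, server sends leaf+intermediate:" \
    "$(verify_leaf "$d/root.pem" "$d/inter.pem" "$d/leaf.pem")"      # OK
  printf '%-52s %s\n' "truststore=intermediate only, Java-style anchor:" \
    "$(verify_leaf "$d/inter.pem" "" "$d/leaf.pem" -partial_chain)"  # OK
  printf '%-52s %s\n' "truststore=intermediate only, self-signed root required:" \
    "$(verify_leaf "$d/inter.pem" "" "$d/leaf.pem")"                 # FAIL
  printf '%-52s %s\n' "truststore=leaf itself (explicit trust):" \
    "$(verify_leaf "$d/leaf.pem" "" "$d/leaf.pem" -partial_chain)"   # OK
  rm -rf "$d"
}

demo
```

The first line of the output is the situation behind "Certificate chaining error": the truststore holds the root, but the server only presents its leaf, so the path builder has no issuer to work with. To see what a real endpoint sends, run `openssl s_client -connect host:443 -showcerts </dev/null` and count the certificates; if the intermediate is missing there, either the server must send it or the client truststore must hold it. Prefer importing the issuing CA (intermediate or root) over the leaf: trusting the leaf directly works, as the "scope of trust" answer says, but it is a pin that breaks as soon as the server's certificate is renewed. Finally, make sure the import lands in the truststore the client code path actually consults; the answers above show both the JVM-level route (javax.net.ssl.trustStore) and the WebSphere-level route (ikeyman / the server's SSL configuration), and only the one the CXF client uses will fix the call.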