Java: "Certificate chaining error" with Apache CXF WebClient on WAS 8.5
When making a PATCH request with the Apache CXF WebClient (version 3.3.4) on WebSphere 8.5 (IBM JDK 8), we get a "Certificate chaining error" when using "use.async.http.conductor". We use "tlsClientParameters.setUseHttpsURLConnectionDefaultSslSocketFactory(true)" to fix the certificate problem for the other requests ("POST/GET"), which do not use "use.async.http.conductor". We tried setting the TrustManagers and KeyManagers manually, but PATCH still does not work.

    private WebClient getWebClient(String servicePath, List<Object> providers) {
        WebClient client = providers != null ? WebClient.create(servicePath, providers, true)
                : WebClient.create(servicePath);
        client.header(AUTHORIZATION_HEADER, requestInfoBean.getAuthorizationDto().getJwtToken());
        client.header(DEVICE_ID_HEADER, requestInfoBean.getAuthorizationDto().getDeviceId());
        setTLSClientParameters(client);
        return client;
    }

    private void setTLSClientParameters(WebClient client) {
        Conduit conduit = WebClient.getConfig(client).getConduit();
        if (conduit instanceof HTTPConduit) {
            HTTPConduit httpConduit = (HTTPConduit) conduit;
            TLSClientParameters tlsClientParameters = getOrCreateAndSetTLSClientParameters(httpConduit);
            tlsClientParameters.setUseHttpsURLConnectionDefaultSslSocketFactory(true);
            // The next two settings turn off hostname/CN matching against the server certificate.
            tlsClientParameters.setUseHttpsURLConnectionDefaultHostnameVerifier(false);
            tlsClientParameters.setDisableCNCheck(true);
            try {
                TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                // A null KeyStore initialises the factory from the JVM's default trust store.
                tmf.init((KeyStore) null);
                tlsClientParameters.setTrustManagers(tmf.getTrustManagers());
                tlsClientParameters.setKeyManagers(new KeyManager[0]);
                tlsClientParameters.setSslContext(SSLUtils.getSSLContext(tlsClientParameters));
            } catch (GeneralSecurityException e) {
                // The exception is swallowed here; on failure no SSLContext is set.
            }
            httpConduit.setTlsClientParameters(tlsClientParameters);
        }
    }

    private TLSClientParameters getOrCreateAndSetTLSClientParameters(HTTPConduit httpConduit) {
        TLSClientParameters tlsClientParameters = httpConduit.getTlsClientParameters();
        if (tlsClientParameters == null) {
            tlsClientParameters = new TLSClientParameters();
            httpConduit.setTlsClientParameters(tlsClientParameters);
        }
        return tlsClientParameters;
    }

The code throws the following certificate chaining exception:
Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=***, O=***, L=***, ST=***, C=** is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:220)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:749)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:661)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:607)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:607)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:368)
... 25 more
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:316)
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108)
... 31 more
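Please note that the code works fine on a Tomcat 9 server. We have also imported the required certificates (the complete certificate chain) into the WebSphere truststore and the JVM, but the problem persists.

Interesting. Are you able to make different HTTP request types, and do the certificates work for those types?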
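
A diagnostic for the trust-store question raised above, added here as an example and not part of the original post or of CXF/WebSphere: it initialises a TrustManagerFactory the same way the question's code does (`tmf.init((KeyStore) null)`) and reports whether the issuer named in the exception is among the trust anchors that factory accepts. The class name and the placeholder issuer DN are assumptions; run it in the same JVM as the failing client and pass the real issuer DN as the argument.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

// Hypothetical helper class for illustration only.
public class DefaultTrustAnchorCheck {

    /** Counts the CA certificates the default TrustManagerFactory accepts. */
    static int countDefaultAnchors() throws Exception {
        int n = 0;
        for (X509TrustManager tm : defaultTrustManagers()) {
            n += tm.getAcceptedIssuers().length;
        }
        return n;
    }

    /** True if a default trust anchor has a subject equal to issuerDn. */
    static boolean defaultTrustHasIssuer(String issuerDn) throws Exception {
        X500Principal wanted = new X500Principal(issuerDn);
        for (X509TrustManager tm : defaultTrustManagers()) {
            for (X509Certificate ca : tm.getAcceptedIssuers()) {
                // X500Principal.equals compares the canonical DN form.
                if (ca.getSubjectX500Principal().equals(wanted)) return true;
            }
        }
        return false;
    }

    private static java.util.List<X509TrustManager> defaultTrustManagers() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // same initialisation as in the question's code
        java.util.List<X509TrustManager> out = new java.util.ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) out.add((X509TrustManager) tm);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder DN; replace with the issuer from the stack trace.
        String issuerDn = args.length > 0 ? args[0] : "CN=Example Issuing CA, O=Example, C=US";
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
        System.out.println("default trust anchors    = " + countDefaultAnchors());
        System.out.println("issuer present           = " + defaultTrustHasIssuer(issuerDn));
    }
}
```

If the issuer is reported as absent, the trust managers handed to `setTrustManagers` were built from a store that does not contain the imported chain.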