Wso2 APIM网关无法';找不到验证签名的公共证书
在网关验证JWT令牌的过程中,我们遇到了一个阻塞错误 我们正在测试一个集成环境,在两个不同的虚拟机上使用两个docker容器。第一个vm包含APIM 3.0.0,第二个vm包含IS 5.9 as密钥管理器。是与Azure AD联合的 我们通过IS获得了一个格式良好的JWT令牌,其中包含来自Azure的用户数据,但APIM无法找到一个公共证书来验证具有给定别名的签名。两个wso2组件都有自己的client-truststore.jks,并使用重新创建的公共证书进行更新(我们用VM的公共IP替换了localhost) 以下是一些有用的细节: 这是APIM容器日志中的错误:Wso2 APIM网关无法';找不到验证签名的公共证书,wso2,wso2-am,wso2is,Wso2,Wso2 Am,Wso2is,在网关验证JWT令牌的过程中,我们遇到了一个阻塞错误 我们正在测试一个集成环境,在两个不同的虚拟机上使用两个docker容器。第一个vm包含APIM 3.0.0,第二个vm包含IS 5.9 as密钥管理器。是与Azure AD联合的 我们通过IS获得了一个格式良好的JWT令牌,其中包含来自Azure的用户数据,但APIM无法找到一个公共证书来验证具有给定别名的签名。两个wso2组件都有自己的client-truststore.jks,并使用重新创建的公共证书进行更新(我们用VM的公共IP替换了l
[2020-01-30 15:20:00,072] WARN - SourceHandler I/O error: Received fatal alert: certificate_unknown
[2020-01-30 15:20:00,404] ERROR - GatewayUtils Couldn't find a public certificate to verify signature with alias ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256
[2020-01-30 15:20:00,405] ERROR - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Unclassified Authentication Failure
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody42(APIAuthenticationHandler.java:433) ~[org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:413) ~[org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody36(APIAuthenticationHandler.java:349) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:320) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.apache.synapse.rest.API.process(API.java:366) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:325) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:98) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) [axis2_1.6.1.wso2v38.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:367) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:412) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:181) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) [axis2_1.6.1.wso2v38.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_222]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_222]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
{
"keys":[
{
"kty":"RSA",
"e":"AQAB",
"use":"sig",
"kid":"ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA",
"alg":"RS256",
"n":"nwcvFrmKaAV3WLgNaronqMHZB5BK7czaRwaKAyM0PTR1KzSa3DJw3CtLtcyz6zvU72JmgFMRyu65H_ly51bCOI6UrpJrKs9bW50fVgjrlqAkCHYIP81s6YgmmLJ-LVZqhAN8g8FH_3b27zbzZ6crspaDmFjSfou4t_A6UTSvQRFbCzp9i5WmQLRHHDy74v9zJWeXCSVA9CknXV4dqpPGMVjJOQzmcaRmZs_rWpdasQUul-D59pY22FrtIziZDLVTerGDGir_dJJboFCzS_DXRch44NJk3cU4lrCcsAP2RXyNhVjJPgmilEnr1aRnxY-WNm_5QKGh37Ez8dLJVVw6LQ"
},
{
"kty":"RSA",
"e":"AQAB",
"use":"sig",
"kid":"ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256",
"alg":"RS256",
"n":"nwcvFrmKaAV3WLgNaronqMHZB5BK7czaRwaKAyM0PTR1KzSa3DJw3CtLtcyz6zvU72JmgFMRyu65H_ly51bCOI6UrpJrKs9bW50fVgjrlqAkCHYIP81s6YgmmLJ-LVZqhAN8g8FH_3b27zbzZ6crspaDmFjSfou4t_A6UTSvQRFbCzp9i5WmQLRHHDy74v9zJWeXCSVA9CknXV4dqpPGMVjJOQzmcaRmZs_rWpdasQUul-D59pY22FrtIziZDLVTerGDGir_dJJboFCzS_DXRch44NJk3cU4lrCcsAP2RXyNhVjJPgmilEnr1aRnxY-WNm_5QKGh37Ez8dLJVVw6LQ"
}
]
}
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>900900</ams:code>
<ams:message>Unclassified Authentication Failure</ams:message>
<ams:description>Unclassified Authentication Failure</ams:description>
</ams:fault>
这些是由提供的键:
[2020-01-30 15:20:00,072] WARN - SourceHandler I/O error: Received fatal alert: certificate_unknown
[2020-01-30 15:20:00,404] ERROR - GatewayUtils Couldn't find a public certificate to verify signature with alias ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256
[2020-01-30 15:20:00,405] ERROR - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Unclassified Authentication Failure
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody42(APIAuthenticationHandler.java:433) ~[org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:413) ~[org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody36(APIAuthenticationHandler.java:349) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:320) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.apache.synapse.rest.API.process(API.java:366) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:325) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:98) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) [axis2_1.6.1.wso2v38.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:367) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:412) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:181) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) [axis2_1.6.1.wso2v38.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_222]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_222]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
{
"keys":[
{
"kty":"RSA",
"e":"AQAB",
"use":"sig",
"kid":"ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA",
"alg":"RS256",
"n":"nwcvFrmKaAV3WLgNaronqMHZB5BK7czaRwaKAyM0PTR1KzSa3DJw3CtLtcyz6zvU72JmgFMRyu65H_ly51bCOI6UrpJrKs9bW50fVgjrlqAkCHYIP81s6YgmmLJ-LVZqhAN8g8FH_3b27zbzZ6crspaDmFjSfou4t_A6UTSvQRFbCzp9i5WmQLRHHDy74v9zJWeXCSVA9CknXV4dqpPGMVjJOQzmcaRmZs_rWpdasQUul-D59pY22FrtIziZDLVTerGDGir_dJJboFCzS_DXRch44NJk3cU4lrCcsAP2RXyNhVjJPgmilEnr1aRnxY-WNm_5QKGh37Ez8dLJVVw6LQ"
},
{
"kty":"RSA",
"e":"AQAB",
"use":"sig",
"kid":"ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256",
"alg":"RS256",
"n":"nwcvFrmKaAV3WLgNaronqMHZB5BK7czaRwaKAyM0PTR1KzSa3DJw3CtLtcyz6zvU72JmgFMRyu65H_ly51bCOI6UrpJrKs9bW50fVgjrlqAkCHYIP81s6YgmmLJ-LVZqhAN8g8FH_3b27zbzZ6crspaDmFjSfou4t_A6UTSvQRFbCzp9i5WmQLRHHDy74v9zJWeXCSVA9CknXV4dqpPGMVjJOQzmcaRmZs_rWpdasQUul-D59pY22FrtIziZDLVTerGDGir_dJJboFCzS_DXRch44NJk3cU4lrCcsAP2RXyNhVjJPgmilEnr1aRnxY-WNm_5QKGh37Ez8dLJVVw6LQ"
}
]
}
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>900900</ams:code>
<ams:message>Unclassified Authentication Failure</ams:message>
<ams:description>Unclassified Authentication Failure</ams:description>
</ams:fault>
这是邮差电话的结果:
[2020-01-30 15:20:00,072] WARN - SourceHandler I/O error: Received fatal alert: certificate_unknown
[2020-01-30 15:20:00,404] ERROR - GatewayUtils Couldn't find a public certificate to verify signature with alias ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256
[2020-01-30 15:20:00,405] ERROR - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Unclassified Authentication Failure
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody42(APIAuthenticationHandler.java:433) ~[org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:413) ~[org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody36(APIAuthenticationHandler.java:349) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:320) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.apache.synapse.rest.API.process(API.java:366) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:325) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:98) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) [axis2_1.6.1.wso2v38.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:367) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:412) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:181) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) [axis2_1.6.1.wso2v38.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_222]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_222]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
{
"keys":[
{
"kty":"RSA",
"e":"AQAB",
"use":"sig",
"kid":"ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA",
"alg":"RS256",
"n":"nwcvFrmKaAV3WLgNaronqMHZB5BK7czaRwaKAyM0PTR1KzSa3DJw3CtLtcyz6zvU72JmgFMRyu65H_ly51bCOI6UrpJrKs9bW50fVgjrlqAkCHYIP81s6YgmmLJ-LVZqhAN8g8FH_3b27zbzZ6crspaDmFjSfou4t_A6UTSvQRFbCzp9i5WmQLRHHDy74v9zJWeXCSVA9CknXV4dqpPGMVjJOQzmcaRmZs_rWpdasQUul-D59pY22FrtIziZDLVTerGDGir_dJJboFCzS_DXRch44NJk3cU4lrCcsAP2RXyNhVjJPgmilEnr1aRnxY-WNm_5QKGh37Ez8dLJVVw6LQ"
},
{
"kty":"RSA",
"e":"AQAB",
"use":"sig",
"kid":"ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256",
"alg":"RS256",
"n":"nwcvFrmKaAV3WLgNaronqMHZB5BK7czaRwaKAyM0PTR1KzSa3DJw3CtLtcyz6zvU72JmgFMRyu65H_ly51bCOI6UrpJrKs9bW50fVgjrlqAkCHYIP81s6YgmmLJ-LVZqhAN8g8FH_3b27zbzZ6crspaDmFjSfou4t_A6UTSvQRFbCzp9i5WmQLRHHDy74v9zJWeXCSVA9CknXV4dqpPGMVjJOQzmcaRmZs_rWpdasQUul-D59pY22FrtIziZDLVTerGDGir_dJJboFCzS_DXRch44NJk3cU4lrCcsAP2RXyNhVjJPgmilEnr1aRnxY-WNm_5QKGh37Ez8dLJVVw6LQ"
}
]
}
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>900900</ams:code>
<ams:message>Unclassified Authentication Failure</ams:message>
<ams:description>Unclassified Authentication Failure</ams:description>
</ams:fault>
有效载荷
{
"at_hash": "hGnuod6ShKRrlkH_P-k4QA",
"sub": "d6206844-e54b-4ec2-8ace-26b46da24df2",
"ver": "1.0",
"richAccettazionePrivacy": "***************",
"iss": "https://***************:9443/oauth2/token",
"given_name": "***************",
"richAttivazioneCarta": "***************",
"tid": "962b4d1f-a68b-433e-aa78-265ef05d1047",
"aud": [
"dSdZgafomIsRXYQr6XyxIZyjp74a",
"***************"
],
"nbf": 1580399831,
"azp": "dSdZgafomIsRXYQr6XyxIZyjp74a",
"extension_codiceFiscale": "***************",
"scope": "openid",
"auth_time": "1580399827",
"name": "***************",
"exp": 1580403431,
"iat": 1580399831,
"personaId": "***************",
"family_name": "***************",
"jti": "c3b8c9bf-029c-4e51-8969-07f898e5654f",
"email": "***************"
}
如何解决这个问题
用于签名的私钥的公共证书
应将令牌添加到
“网关\证书\别名”别名。有关详细信息,请参见导入
将公共证书保存到客户端信任存储中
参考:我们解决了将Identity Server公共证书添加到Api Manager客户端信任库中的问题,其别名等于令牌头中的Kid。正如您所见,别名ZDGZMWM0MTU3NGI3ODKYTVKN2Q2N2NmyZI5ZWU4ZJCXYTCYYZLKZArs256没有公共证书。你能做的就是
keytool-export-alias wso2carbon-file wso2.crt-keystore wso2carbon.jks
在该目录中运行此代码。密码是wso2carbon。
这将创建wsp2carbon证书副本的副本keytool-import-trustcacerts-keystore client-truststore.jks-别名zdgzmwm0mtu3ngi3odkyytvkn2q2n2nmyzi5zwu4zjcxytcyzlkza_RS256-文件wso2.crt
在API-M_HOME/repository/resources/security/中运行此代码,将wso2carbon公钥添加到信任存储中那么,这个JWT是用它的新密钥库生成的吗?您是否已将该证书添加到网关的信任存储中?对两者都是。我还验证了在信任库(apim和is)中导入的公共证书可以验证JWT.io websiteHi Bee上的JWT签名,感谢您的回复。按照官方指示,我已经在两个信任存储上导入了两个公共证书(apim和is),但问题总是发生。除了检查信托商店,还有其他可能的检查吗?