配置WebSphere 8 SSL (应用程序之间的HTTPS)

Question

我在WAS8中安装了两个web应用程序，它们需要使用HTTPS进行通信(这可能不是在WAS中处理通信的最佳方式，但这些应用程序是按原样提供的，我通常在Tomcat中运行它们，不会造成任何问题)。

在Tomcat中，我只需为服务器设置一个证书，然后从web浏览器中保存客户机证书，并将其添加到执行Tomcat的JVM中。我必须在密钥存储和信任存储中都有认证面信息，因为tomcat服务器同时充当客户端和服务器(因为它是应用程序间的通信)。

我需要在WAS中设置类似的东西。到目前为止，我已经进入管理控制台，并将默认证书从默认密钥存储导入到默认信任存储中。

在重新启动服务器并尝试在应用程序之间进行通信之后，我得到以下异常：

R javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr     R  at com.ibm.jsse2.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:167)
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr     R  at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr     R  at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr     R  at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr     R  at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
[5/22/13 8:05:05:353 EDT] 000000ee SystemErr     R  at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr     R  at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:562)
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr     R  at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr     R  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr     R  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
[5/22/13 8:05:05:354 EDT] 000000ee SystemErr     R  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732)

更新/更多数据：

我为VM添加了一些ssl调试参数，并得到了以下内容：

[5/22/13 8:40:46:002 EDT] 00000094 SystemOut     O %% Invalidated:  [Session-10, SSL_RSA_WITH_RC4_128_MD5]
[5/22/13 8:40:46:002 EDT] 00000094 SystemOut     O pool-3-thread-1, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
[5/22/13 8:40:46:002 EDT] 00000094 SystemOut     O pool-3-thread-1, WRITE: TLSv1 Alert, length = 2
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, READ: TLSv1 Alert, length = 2
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, RECV TLSv1 ALERT:  fatal, certificate_unknown
[5/22/13 8:40:46:003 EDT] 00000094 SystemOut     O pool-3-thread-1, called closeSocket()
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, called closeOutbound()
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, closeOutboundInternal()
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, SEND TLSv1 ALERT:  warning, description = close_notify
[5/22/13 8:40:46:003 EDT] 00000094 SystemOut     O pool-3-thread-1, handling exception: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: The certificate issued by CN=rothbard, OU=Root Certificate, OU=rothbardNode01Cell, OU=rothbardNode01, O=IBM, C=US is not trusted; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, WRITE: TLSv1 Alert, length = 2
[5/22/13 8:40:46:003 EDT] 00000094 SystemOut     O pool-3-thread-1, IOException in getSession():  javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: The certificate issued by CN=rothbard, OU=Root Certificate, OU=rothbardNode01Cell, OU=rothbardNode01, O=IBM, C=US is not trusted; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, called closeInbound()
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, closeInboundInternal()
[5/22/13 8:40:46:003 EDT] 0000005c SystemOut     O WebContainer : 5, closeOutboundInternal()
[5/22/13 8:40:46:004 EDT] 00000094 SystemOut     O pool-3-thread-1, called close()
[5/22/13 8:40:46:004 EDT] 00000094 SystemOut     O pool-3-thread-1, called closeInternal(true)

MORE:我已经复制了这个问题，或者至少是一个类似的问题，除了使用http，这可能是实际问题所在。因此，问题可能是如何使http-客户端正确地使用WAS中的链接证书。

Answer 1

我的特殊问题最终是因为我需要将整个证书链导入JVM受信任的证书，而不仅仅是web应用程序的证书。