ESB与不安全后端服务之间的相互SSL,"Null cert链“。
ESB与不安全后端服务之间的相互SSL,"Null cert链“。
提问于 2015-02-12 12:48:24
我得到了以下错误:
ERROR {org.apache.synapse.transport.passthru.SourceHandler} - I/O error: null cert chain {org.apache.synapse.transport.passthru.SourceHandler}同时尝试在我的(自定义)代理服务和两个不安全的后端服务之间启用相互SSL。
以下是我迄今所做的工作:
- 启用
<parameter name="SSLVerifyClient">require</parameter> - 使用Java工具提取carbon_home/respository/resources/security/wso2carbon.jks中两个后端服务器的公共证书:
密钥工具as-5.2.1\repository\resources\security\client-truststore.jks -export -keystore C:\I_T\WS02\wso2 -file C:\wssecurity \wso2\wso2ASpublic.cert
- 将这些证书导入ESB信任存储: 键盘工具C:\I_T\WS02\wso2esb-4.8.1\repository\resources\security\client-truststore.jks -import -file C:\wssecurity\wso2\wso2DSSpublic.cert -keystore -storepass wso2carbon -alias wso2carbonDSS
- 对服务器客户端信任库中的ESB证书也进行了同样的操作。
我怀疑步骤2-4是不必要的,因为信任存储已经包含了这些证书。
也许这就是造成问题的原因?
回答 1
Stack Overflow用户
回答已采纳
发布于 2015-03-12 15:23:06
如果有人想知道如何实现,我就解决了这个问题:
SOAP_CLIENT
|
|
|
|----------- Single SSL (a)
|
|
________________ENTERPRISE_SERVICE_BUS_________________
|| ||
|| ||
|| ||
(b) Mutual SSL--------------|| ||--------------Mutual SSL (c)
|| ||
|| ||
|| ||
APPLICATION_SERVER DATA_SERVICE_SERVER======================================================================
Key stores :
Soap(client) : soapui_ks.jks - Key store - Password : soapui
ESB : wso2esb_ks.jks - Key store - Password : wso2esb
--------------- wso2esb_ks - Key entry alias - Password : wso2esb
wso2esb_ts.jks - Trust store - Password : wso2esb
--------------- wso2esb_ts - Key entry alias - Password : wso2esb
--------------- as - Imported trusted certificate from wso2as_ks.jks
--------------- dss - Imported trusted certificate from wso2dss_ks.jks
--------------- soapclient - Imported trusted certificate from soapui_ks.jks
AS : wso2as_ks.jks - Key store - Password : wso2as
--------------- wso2as_ks - Key entry alias - Password : wso2as
wso2as_ts.jks - Trust store - Password : wso2as
--------------- wso2as_ts - Key entry alias - Password : wso2as
--------------- esb - Imported trusted certificate from wso2esb_ks.jks
DSS : wso2dss_ks.jks - Key store - Password : wso2dss
--------------- wso2dss_ks - Key entry alias - Password : wso2dss
wso2dss_ts.jks - Trust store - Password : wso2dss
--------------- wso2dss_ts - Key entry alias - Password : wso2dss
--------------- esb - Imported trusted certificate from wso2esb_ks.jks
=================================================================================================================================================================
Configuration :
(a) Change the following in the servers(server_home) to point to the new keystores/trustores.
In esb : Changed configuration files of the following files to point to the new keystores and their passwords (as above) :
[server_home]/repository/conf/carbon.xml
[server_home]/repository/conf/axis2/axis2.xml - also set <parameter name="SSLVerifyClient">require</parameter>
[server_home]/repository/conf/security/cipher-text.properties
[server_home]/repository/conf/security/secret-conf.properties
[server_home]/repository/conf/sec.policy
Restart server.
In soap , double click on the root project folder , navigate to WS-Security Configurations tab , then add the soapui_ts.jks as a TRUST store using soapui as the password. Then when you open a request in that project, in the Request Properties panel , set the previously configured soapui_ts.jks as the value for the SSL Keystore property.
Should all be good.页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/28477898
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号