[Question title]: Java Web Service Client Certificate Configuration for Secure (Https) Connections in Jdeveloper
[Posted]: 2013-01-10 07:12:40
[Question]:

I am developing a web service integration in Java with Oracle JDeveloper for UPS shipping. I have imported the WSDL files and they were mapped perfectly. But I cannot run it, because JDeveloper throws an exception since it does not recognize the server's certificate. I downloaded the required certificates and installed them into the keystore with the keytool command, but nothing changed. Then I generated a new keystore and installed my certificates into it, but Oracle uses the DemoIdentity.jks and DemoTrust.jks keystores. I cannot get Oracle to use my new keystore by default.

Here are the log and the error I get:

<26.Oca.2013 14:02:08 EET> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias DemoIdentity from the jks keystore file C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoIdentity.jks.> 
<26.Oca.2013 14:02:09 EET> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoTrust.jks.> 
<26.Oca.2013 14:02:09 EET> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\Oracle\MIDDLE~1\JDK160~1\jre\lib\security\cacerts.> 
<26.Oca.2013 14:02:09 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:09 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=thawte Primary Root CA - G3,OU=(c) 2008 thawte\, Inc. - For authorized use only,OU=Certification Services Division,O=thawte\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:09 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:09 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:09 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=VeriSign Universal Root Certification Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=thawte Primary Root CA - G3,OU=(c) 2008 thawte\, Inc. - For authorized use only,OU=Certification Services Division,O=thawte\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=VeriSign Universal Root Certification Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 
<26.Oca.2013 14:02:10 EET> <Warning> <Security> <BEA-090504> <Certificate chain received from localhost - 127.0.0.1 --> wwwcie.ups.com failed hostname verification check. Certificate contained MST-PC(My computer name) but check expected wwwcie.ups.com> 

Please give me your ideas on how to solve this. Any recommendation would be appreciated. Thanks.

P.S.: I am using Oracle JDeveloper 11g Release 1, jdk160_24, WebLogic Server 10.3, Win7 64-bit.

[Question discussion]:

    Tags: web-services oracle https certificate jdeveloper


    [Solution 1]:

    First, is the SSL one-way or two-way?

    One-way means only the service server (the server hosting the WS you are trying to reach) has to identify itself to you. For you to identify the service server, you must download the certificate it presents from its page (there are plenty of tutorials on how to do this). Warning: you must get the whole certificate chain! Add those certificates to your Trust keystore.

    Two-way means you also have to identify yourself to them. For that you should get a certificate from the service provider and add it to your client identity keystore.

    At this point you should have 2 separate keystores. One, the trust keystore, is the store holding the certificates of all the secure servers (you trust them, hence the name). The second is the identity keystore, the store holding your identity under a specific alias. Other servers will use this to decide whether they trust you.

    Now for the WLS configuration:

    First, if you are going to use SSL, do not use the Demo Identity and Demo Trust settings. Change it to Custom Identity and Custom Trust. Set the keystores to the ones you created. If the server will only use one-way SSL, then you can set the identity store to the demo identity, but it still has to be done under the Custom Identity and Custom Trust setting (just copy the path, password, etc. from the defaults). Set the Identity under Server -> SSL and you are done.

    Other:

    You may want to turn off hostname verification (Server -> SSL -> Advanced). This sometimes causes a lot of problems.

    If it still does not work, add the following flags to the java options:

    -Dweblogic.security.SSL.verbose=true

    -Dweblogic.security.SSL.enable.renegotiation=true

    -Dsun.security.ssl.allowUnsafeRenegotiation=true

    [Discussion]:

    • It is one-way SSL. There is a certificate chain, yes. I have installed all of them into the keystore I created. But I cannot change the default keystores from DemoIdentity and DemoTrust. I still do not know how to change them to Custom Identity and Custom Trust. I assume I should add the flags at the end of your post to the WebLogic startup script. I hope I can get more help from you. Thanks a lot for your reply.
    • Go to your console window (server:7001/console). Set the session to edit (see the top left of the window) and click through: Servers -> your managed server -> Configuration -> Keystores. In this window you will see "Demo Identity and Demo Trust" with a button next to it called "Change". Click it and a window with the keystore options should appear. Choose the one you want.
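    The trust-store / identity-store split described in Solution 1, as an added example that is not code from the answer, the question, or Oracle. It builds a client SSLContext from a custom trust store (one-way SSL) plus an optional custom identity store (two-way SSL), validates the downloaded PEM chain against that trust store with PKIX, and compares the leaf certificate's names with the expected host, which is the check the BEA-090504 line in the question reports failing. It uses JDK 6 syntax so it runs on the jdk160_24 the question mentions. The file names (trust.jks, identity.jks, chain.pem), passwords, and the host name are assumptions passed on the command line; the helper names are my own.

```java
// Added example, not code from the original post. Builds a client SSLContext from a
// custom trust store (one-way SSL) plus an optional custom identity store (two-way SSL),
// validates a downloaded PEM chain against that trust store with PKIX, and compares the
// leaf certificate's names with the expected host. JDK 6 syntax. File names, passwords
// and the host name are assumptions supplied on the command line.
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;

public class ClientTlsCheck {

    /** Loads a JKS file; used for both the trust store and the identity store. */
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        return ks;
    }

    /** One-way SSL: the peer's chain is checked against our trust store. */
    static TrustManager[] trustManagers(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    /** Two-way SSL: our private key and certificate are presented to the peer; null means no client cert. */
    static KeyManager[] keyManagers(KeyStore identityStore, char[] keyPassword) throws Exception {
        if (identityStore == null) return null;
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identityStore, keyPassword);
        return kmf.getKeyManagers();
    }

    static SSLContext clientContext(KeyStore trustStore, KeyStore identityStore, char[] keyPassword) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers(identityStore, keyPassword), trustManagers(trustStore), null);
        return ctx;
    }

    /** Reads one or more concatenated PEM certificates, leaf first. */
    static List<X509Certificate> readPemChain(String path) throws Exception {
        InputStream in = new FileInputStream(path);
        try {
            List<X509Certificate> chain = new ArrayList<X509Certificate>();
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
            return chain;
        } finally { in.close(); }
    }

    /** PKIX path validation; throws CertPathValidatorException when no anchor in the store signs the chain. */
    static void validateChain(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // offline check, no CRL/OCSP fetch
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    /** Simplified hostname check: exact dNSName SAN match, otherwise the subject CN (no wildcard handling). */
    static boolean matchesHost(X509Certificate leaf, String host) throws Exception {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase((String) san.get(1))) return true;
            }
        }
        for (String rdn : leaf.getSubjectX500Principal().getName(X500Principal.RFC2253).split(",")) {
            if (rdn.startsWith("CN=") && rdn.substring(3).equalsIgnoreCase(host)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: trust.jks storepass chain.pem wwwcie.ups.com [identity.jks keypass]
        KeyStore trust = loadJks(args[0], args[1].toCharArray());
        List<X509Certificate> chain = readPemChain(args[2]);
        boolean twoWay = args.length > 5;
        KeyStore identity = twoWay ? loadJks(args[4], args[5].toCharArray()) : null;
        char[] keyPass = twoWay ? args[5].toCharArray() : null; // assumes key password == store password

        validateChain(chain, trust); // stops here if chain.pem is not anchored in trust.jks
        X509Certificate leaf = chain.get(0);
        System.out.println("leaf subject: " + leaf.getSubjectX500Principal());
        System.out.println("hostname " + args[3] + (matchesHost(leaf, args[3]) ? " matches" : " does NOT match") + " the leaf certificate");

        // Every HttpsURLConnection in this JVM now uses the custom stores instead of the JDK defaults.
        HttpsURLConnection.setDefaultSSLSocketFactory(clientContext(trust, identity, keyPass).getSocketFactory());
    }
}
```

    For one-way SSL run it with the first four arguments only. If validateChain throws, the chain you downloaded is not anchored in the trust store you built, which is the first thing to fix before touching the server configuration. If it prints "does NOT match", you are in the situation of the BEA-090504 line in the question: the certificate being presented carries a different name (there, the machine name MST-PC) than the host you are connecting to, and the useful next step is to find out which component is presenting that certificate rather than to switch hostname verification off, since disabling it lets any holder of a trusted certificate impersonate wwwcie.ups.com. For a plain JSSE client the same stores can be selected without code through the standard -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword system properties; WebLogic's own SSL stack reads its trust configuration from the Keystores page described in the comment above (or, for standalone WebLogic clients, from the weblogic.security.TrustKeyStore=CustomTrust family of system properties).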
    [Solution 2]:

    The latest updates of the Sun JDK (Java Developer Kit) (versions 1.6.0_13 and 1.5.0_18) are incompatible with the SSL (Secure Sockets Layer) implementation in the following Oracle WebLogic Server releases:

    • 11gR1 (10.3.1)
    • 10gR3 (10.3.0)
    • 10.0 and all maintenance releases of 10.0
    • 9.0, 9.1, 9.2 and all maintenance releases of 9.2 prior to 9.2 MP4

    The problem also occurs with Oracle JRockit releases R27.6.4 (1.6.0_13 and 1.5.0_18) and later.

    Workaround

    1) Use an earlier JDK version - JDK 1.6.0_12 and earlier will do.

    or

    2) Replace the trust store file \jdk\jre\lib\security\cacerts with the one from an earlier JDK

    [Discussion]:
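    Before swapping the cacerts file as Solution 2 suggests, it helps to know which of its entries the server's SSL stack is actually dropping. The OID in the BEA-090898 lines, 1.2.840.113549.1.1.11, is sha256WithRSAEncryption, so the roots being ignored are the newer SHA-256-signed CA certificates; if the UPS chain's root is one of them, no keystore change will make that stack trust it. The audit below is an added example, not code from the answer or from Oracle: it loads a JKS trust store, counts the trusted certificates per signature-algorithm OID, and lists the aliases signed with that OID. It uses JDK 6 syntax; the store path and password are assumptions taken from the command line, and the helper names are my own.

```java
// Added example, not code from the answer above. Audits a JKS trust store (for example
// the JDK's cacerts that the second workaround replaces) and reports each trusted CA's
// signature algorithm, flagging entries signed with OID 1.2.840.113549.1.1.11
// (sha256WithRSAEncryption), the OID the BEA-090898 lines in the question reject.
// JDK 6 syntax. The store path and password are assumptions taken from the command line.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

public class TrustStoreAudit {

    /** OID reported as unsupported in the question's log; sha256WithRSAEncryption per PKCS#1. */
    static final String SHA256_WITH_RSA_OID = "1.2.840.113549.1.1.11";

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        return ks;
    }

    /** alias -> certificate for every trusted-certificate entry (private-key entries are skipped). */
    static Map<String, X509Certificate> trustedCerts(KeyStore ks) throws Exception {
        Map<String, X509Certificate> out = new TreeMap<String, X509Certificate>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.isCertificateEntry(alias) ? ks.getCertificate(alias) : null;
            if (c instanceof X509Certificate) out.put(alias, (X509Certificate) c);
        }
        return out;
    }

    /** Number of trusted certificates per signature-algorithm OID. */
    static Map<String, Integer> countBySigAlgOid(Map<String, X509Certificate> certs) {
        Map<String, Integer> counts = new TreeMap<String, Integer>();
        for (X509Certificate c : certs.values()) {
            Integer n = counts.get(c.getSigAlgOID());
            counts.put(c.getSigAlgOID(), n == null ? 1 : n + 1);
        }
        return counts;
    }

    /** Aliases whose certificate carries the given signature-algorithm OID. */
    static List<String> aliasesSignedWith(Map<String, X509Certificate> certs, String oid) {
        List<String> hits = new ArrayList<String>();
        for (Map.Entry<String, X509Certificate> en : certs.entrySet()) {
            if (oid.equals(en.getValue().getSigAlgOID())) hits.add(en.getKey());
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: path to cacerts (or your trust.jks) and its password; a stock cacerts uses "changeit"
        Map<String, X509Certificate> certs = trustedCerts(loadJks(args[0], args[1].toCharArray()));
        for (Map.Entry<String, Integer> en : countBySigAlgOid(certs).entrySet()) {
            System.out.println(en.getValue() + " certificate(s) signed with " + en.getKey());
        }
        for (String alias : aliasesSignedWith(certs, SHA256_WITH_RSA_OID)) {
            X509Certificate c = certs.get(alias);
            System.out.println("signed with the rejected OID: " + alias + " (" + c.getSigAlgName() + ") " + c.getSubjectX500Principal());
        }
    }
}
```

    Run it once against the JDK's jre/lib/security/cacerts and once against the trust store you built for the UPS chain; the subjects it lists should line up with the "Ignoring the trusted CA certificate" messages in the log, and any of them that is the root of the UPS chain tells you the problem is the SSL implementation's algorithm support rather than the keystore selection.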
