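I need some help fixing a certificate exception in my project. I am getting java.security.cert.CertificateException: Certificate data canot be processed. Below are the environment details of the client application:
The third-party web service provider recently upgraded to SHA-256. With the client setup above, I get a handshake exception. We tried using the Bouncy Castle jar to support SHA-256. After that, I see the following exception when making the web service call: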
WebContainer : 0, SEND TLSv1 ALERT: fatal, description = certificate_unknown
WebContainer : 0, WRITE: TLSv1 Alert, length = 2
WebContainer : 0, called closeSocket()
WebContainer : 0, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate data canot be processed
Exception javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate data canot be processed
Finalizer, called close()
Finalizer, called closeInternal(true)
The keystore and truststore I have are the defaults from the JDK version:
keyStore is: /usr/local/opt/was/was60/java/jre/lib/security/cacerts
keyStore type is : jks
init keystore
trustStore is: /usr/local/opt/was/was60/java/jre/lib/security/cacerts
trustStore type is : jks
Here are more logs:
SystemErrR AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate data canot be processed
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate data canot be processed
at com.ibm.jsse2.bx.a(bx.java:114)
at com.ibm.jsse2.by.a(by.java:24)
at com.ibm.jsse2.by.a(by.java:444)
at com.ibm.jsse2.w.a(w.java:281)
at com.ibm.jsse2.w.a(w.java:105)
at com.ibm.jsse2.v.a(v.java:25)
at com.ibm.jsse2.by.a(by.java:272)
at com.ibm.jsse2.by.m(by.java:198)
at com.ibm.jsse2.by.startHandshake(by.java:68)
at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
at org.apache.axis.client.Call.invoke(Call.java:2767)
at org.apache.axis.client.Call.invoke(Call.java:2443)
at org.apache.axis.client.Call.invoke(Call.java:2366)
at org.apache.axis.client.Call.invoke(Call.java:1812)
at com.cingular.csi.CSI.Namespaces.v94.wsdl.CingularWirelessCSI_wsdl.InquireWirelineServiceAppointmentReservationsSoapHttpBindingStub.inquireWireline
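Finally, a few more points to note:
Neither WAS nor the JDK can be upgraded, because the application is stable.
The SocketFactory used is: com.ibm.jsse2.SSLSocketFactoryImpl
Tried javax.net.SSLSocketFactoryImpl. It failed at the SocketContext itself.
Tried adding the third-party server certificate to my truststore (cacerts) using keytool. That did not work either.
Also tried using DummyClientKeyFile.jks and DummyClientTrustFile.jks as the keystore and truststore files respectively, instead of the JDK's cacerts, but to no avail.
I have been stuck on this problem for more than two weeks. Any help is appreciated.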
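Answer 0: (score: 0)
IBM's 1.4.2 JVM does not support certificates signed with the SHA256 cipher. I raised a PMR to confirm this when we hit this problem, and the response was:
"You need to revert to using an old style cipher or upgrade. We support SHA 256 from Java 1.5 onwards. It is not possible to back port the function."
If you find that Java 1.4.2 supports such certificates, check the vendor of the JVM in question - it is probably Oracle, as their 1.4.2 JVM does support SHA256-signed certificates.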
Update
The way to resolve this is:
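
A diagnostic for the cause named in the answer above, added here as an example; it is not part of the original post and is not the resolution the truncated update refers to. It reports the JVM vendor and version, the registered JCA providers (to confirm whether Bouncy Castle is actually installed), and whether each certificate in a PEM file is signed with an algorithm this JVM can verify. The class name SigAlgCheck and the input file name are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;

// Added diagnostic, not code from the original post.
// Usage: java SigAlgCheck server-chain.pem   (file name is a placeholder)
// Written without generics or for-each so it also compiles on a 1.4 JDK.
public class SigAlgCheck {
    // True if any registered JCA provider offers this signature algorithm.
    static boolean supported(String sigAlg) {
        try {
            Signature.getInstance(sigAlg);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JVM: " + System.getProperty("java.vendor")
                + " " + System.getProperty("java.version"));
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("provider " + (i + 1) + ": " + providers[i].getName());
        }
        System.out.println("SHA256withRSA available: " + supported("SHA256withRSA"));
        if (args.length == 0) return;
        InputStream in = new FileInputStream(args[0]);
        try {
            Collection certs = CertificateFactory.getInstance("X.509").generateCertificates(in);
            for (Iterator it = certs.iterator(); it.hasNext();) {
                X509Certificate c = (X509Certificate) it.next();
                String alg = c.getSigAlgName();
                System.out.println(c.getSubjectDN() + " | signed with " + alg
                        + " (OID " + c.getSigAlgOID() + ") | verifiable here: " + supported(alg));
            }
        } finally {
            in.close();
        }
    }
}
```

Run it with the same JVM and classpath as the failing client. A `false` for the server chain's signature algorithm matches the limitation the answer describes; a `true` here does not by itself prove that the JSSE implementation uses that provider during the handshake.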