我们最近做了一些安全修复测试,最初的错误是日志中有异常:
java.rmi.ConnectIOException: I/O exception connecting to BasicObjectEndpoint[30b8d547-6daa-46f6-bcaf-586cc7fd06da,SslEndpoint[xxxxxxxxxxxx:10001]]; nested exception is:
net.jini.io.UnsupportedConstraintException: Client not authenticated
at net.jini.jeri.BasicInvocationHandler.wrapSafeIOException(BasicInvocationHandler.java:893)
at net.jini.jeri.BasicInvocationHandler.invokeRemoteMethodOnce(BasicInvocationHandler.java:711)
at net.jini.jeri.BasicInvocationHandler.invokeRemoteMethod(BasicInvocationHandler.java:659)
at net.jini.jeri.BasicInvocationHandler.invoke(BasicInvocationHandler.java:528)
at com.sun.proxy.$Proxy7.getTicket(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at net.jini.activation.ActivatableInvocationHandler.invokeMethod0(ActivatableInvocationHandler.java:799)
at net.jini.activation.ActivatableInvocationHandler.invokeMethod(ActivatableInvocationHandler.java:714)
at net.jini.activation.ActivatableInvocationHandler.invokeRemoteMethod(ActivatableInvocationHandler.java:626)
at net.jini.activation.ActivatableInvocationHandler.invoke(ActivatableInvocationHandler.java:462)
at com.sun.proxy.$Proxy6.getTicket(Unknown Source)
at xxxxxxxx.security.auth.manager.remote.TicketManagerRemoteProxy.getTicket(TicketManagerRemoteProxy.java:122)
at xxxxxxxx.security.auth.manager.TicketUtils$1.run(TicketUtils.java:140)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at xxxxxxxx.security.auth.manager.TicketUtils.getTicket(TicketUtils.java:137)
at xxxxxxxx.security.auth.login.TicketLoginModule.login(TicketLoginModule.java:322)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at xxxxxxxx.jini.utils.lookup.ClientSessionContext.login(ClientSessionContext.java:240)
at xxxxxxxx.jini.utils.lookup.ClientSessionContext.getSubject(ClientSessionContext.java:337)
at xxxxxxxx.jini.utils.service.RemoteServerBase.getServerSubject(RemoteServerBase.java:469)
at xxxxxxxx.jini.utils.service.RemoteServerBase.init(RemoteServerBase.java:336)
at xxxxxxxx.jini.utils.service.RemoteServerBase.(RemoteServerBase.java:185)
at xxxxxxxx.jini.utils.service.AbstractServerImpl.(AbstractServerImpl.java:146)
at xxxxxxxx.preferences.PreferencesServiceRemoteImpl.(PreferencesServiceRemoteImpl.java:318)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.sun.jini.start.ActivateWrapper.(ActivateWrapper.java:491)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.sun.jini.phoenix.ActivationGroupImpl$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.jini.phoenix.ActivationGroupImpl.newInstance(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
at sun.rmi.transport.Transport$1.run(Transport.java:200)
at sun.rmi.transport.Transport$1.run(Transport.java:197)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:834)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: net.jini.io.UnsupportedConstraintException: Client not authenticated
at net.jini.jeri.ssl.SslConnection.establishCallContext(SslConnection.java:177)
at net.jini.jeri.ssl.SslEndpointImpl.connect(SslEndpointImpl.java:847)
at net.jini.jeri.connection.ConnectionManager.connect(ConnectionManager.java:228)
at net.jini.jeri.connection.ConnectionManager$ReqIterator.next(ConnectionManager.java:629)
at net.jini.jeri.BasicObjectEndpoint$1.next(BasicObjectEndpoint.java:371)
at net.jini.jeri.BasicInvocationHandler.invokeRemoteMethodOnce(BasicInvocationHandler.java:708)
... 65 more
Caused by: java.security.GeneralSecurityException: Credentials not found
at net.jini.jeri.ssl.ClientAuthManager.chooseClientAlias(ClientAuthManager.java:327)
at sun.security.ssl.AbstractKeyManagerWrapper.chooseClientAlias(SSLContextImpl.java:1490)
at sun.security.ssl.X509Authentication$X509PossessionGenerator.createClientPossession(X509Authentication.java:200)
at sun.security.ssl.X509Authentication$X509PossessionGenerator.createPossession(X509Authentication.java:175)
at sun.security.ssl.X509Authentication.createPossession(X509Authentication.java:88)
at sun.security.ssl.CertificateRequest$T12CertificateRequestConsumer.choosePossession(CertificateRequest.java:761)
at sun.security.ssl.CertificateRequest$T12CertificateRequestConsumer.consume(CertificateRequest.java:705)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)
at net.jini.jeri.ssl.SslConnection.establishSuites(SslConnection.java:251)
at net.jini.jeri.ssl.SslConnection.establishNewSocket(SslConnection.java:240)
at net.jini.jeri.ssl.SslConnection.establishCallContext(SslConnection.java:155)
... 70 more
2020-11-20 15:11:27,313 ERROR RMI TCP Connection(1)-10.240.6.20 xxxxxxxx.jini.utils.lookup.ClientSessionContext - Login failed
javax.security.auth.login.LoginException: Login Failure: all modules ignored
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:906)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at xxxxxxxx.jini.utils.lookup.ClientSessionContext.login(ClientSessionContext.java:240)
at xxxxxxxx.jini.utils.lookup.ClientSessionContext.getSubject(ClientSessionContext.java:337)
at xxxxxxxx.jini.utils.service.RemoteServerBase.getServerSubject(RemoteServerBase.java:469)
at xxxxxxxx.jini.utils.service.RemoteServerBase.init(RemoteServerBase.java:336)
at xxxxxxxx.jini.utils.service.RemoteServerBase.(RemoteServerBase.java:185)
at xxxxxxxx.jini.utils.service.AbstractServerImpl.(AbstractServerImpl.java:146)
at xxxxxxxx.preferences.PreferencesServiceRemoteImpl.(PreferencesServiceRemoteImpl.java:318)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.sun.jini.start.ActivateWrapper.(ActivateWrapper.java:491)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.sun.jini.phoenix.ActivationGroupImpl$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.jini.phoenix.ActivationGroupImpl.newInstance(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
at sun.rmi.transport.Transport$1.run(Transport.java:200)
at sun.rmi.transport.Transport$1.run(Transport.java:197)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:834)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
2020-11-20 15:11:27,314 ERROR RMI TCP Connection(1)-10.240.6.20 xxxxxxxx.jini.utils.service.RemoteServerBase - Login exception
javax.security.auth.login.LoginException: Login Failure: all modules ignored
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:906)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at xxxxxxxx.jini.utils.lookup.ClientSessionContext.login(ClientSessionContext.java:240)
at xxxxxxxx.jini.utils.lookup.ClientSessionContext.getSubject(ClientSessionContext.java:337)
at xxxxxxxx.jini.utils.service.RemoteServerBase.getServerSubject(RemoteServerBase.java:469)
at xxxxxxxx.jini.utils.service.RemoteServerBase.init(RemoteServerBase.java:336)
at xxxxxxxx.jini.utils.service.RemoteServerBase.(RemoteServerBase.java:185)
at xxxxxxxx.jini.utils.service.AbstractServerImpl.(AbstractServerImpl.java:146)
at xxxxxxxx.preferences.PreferencesServiceRemoteImpl.(PreferencesServiceRemoteImpl.java:318)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.sun.jini.start.ActivateWrapper.(ActivateWrapper.java:491)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.sun.jini.phoenix.ActivationGroupImpl$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.jini.phoenix.ActivationGroupImpl.newInstance(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
at sun.rmi.transport.Transport$1.run(Transport.java:200)
at sun.rmi.transport.Transport$1.run(Transport.java:197)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:834)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
我们使用了一些非常古老的技术jini,它是基于rmi的。
我们发现问题是我们公司的信任库使用了一种加密算法——sha256withrsa,这与jdk的算法是不兼容的,在添加了一个新的jvm参数:jdk.tls.disabledalgorithms=ecdsa,rsassa pss,dsa之后,这个问题在本地测试中得到了解决。
但是,我们测试了其他一些场景。
1.
CentOS Linux release 7.8.2003 (Core)
openjdk version "1.8.0_272"
OpenJDK Runtime Environment (build 1.8.0_272-b10)
OpenJDK 64-Bit Server VM (build 25.272-b10, mixed mode)
jdk folder name is java-1.8.0-openjdk-1.8.0.272.b10-1.el7_9.x86_64, which is installed by yum.
在这种环境下修复看起来很好。
2.
CentOS Linux release 8.2.2004 (Core)
openjdk version "1.8.0_272"
OpenJDK Runtime Environment (build 1.8.0_272-b10)
OpenJDK 64-Bit Server VM (build 25.272-b10, mixed mode)
jdk folder name is java-1.8.0-openjdk-1.8.0.272.b10-1.el8_2.x86_64, which is installed by yum
部分名称el8\u 2与上面的el7\u 9不同
修复程序不适用于此环境,我们仍然会在上面的日志中看到相同的异常。
就java安全性而言,centos 7和centos 8上的OpenJDK版本1.8.0Đ似乎表现不同,centos 8似乎更受限制。
请就可能的原因提出一些意见和建议。
提前谢谢。
暂无答案!
目前还没有任何答案,快来回答吧!