apache cxf jaxwsproxyfactorybean对外部https的ssl配置调用失败

kmpatx3s  于 2021-07-13  发布在  Java
关注(0)|答案(1)|浏览(556)

我部署了一个spring微服务docker。我使用jaxwsproxyfactorybean来调用外部服务器(soap/wsdl),使用它一切正常http://externalserver:

JaxWsProxyFactoryBean jaxWsProxyFactoryBean = new JaxWsProxyFactoryBean();
jaxWsProxyFactoryBean.setAddress("http://externalServer");
...

当我在setaddress中调用https时,问题就出现了。
我使用keytool在keystore中注册了被调用服务器的密钥/证书,并保存到/root/.keystore(标准)中,从pfx导入它。当我尝试调用https时,出现以下错误:

org.apache.cxf.transport.https.SSLUtils  : Default key managers cannot be initialized: Password must not be null

好吧,我少了一个密码。但是这个恶意密码放在哪里了?在application.yml中?系统内属性[密钥库中使用的密码是标准密码(changeit)]
编辑
下面是日志的快照:

DEBUG 1 --- [  XNIO-1 task-1] org.apache.cxf.transport.https.SSLUtils  : The location of the key store has not been set via a system parameter or through configuration so the default value of /root/.keystore will be used.
DEBUG 1 --- [  XNIO-1 task-1] org.apache.cxf.transport.https.SSLUtils  : The key store password has not been set via a system property or through configuration, reading data from the keystore will fail.
DEBUG 1 --- [  XNIO-1 task-1] org.apache.cxf.transport.https.SSLUtils  : The key password has not been set via a system property or through configuration, reading data from the keystore will fail.
DEBUG 1 --- [  XNIO-1 task-1] org.apache.cxf.transport.https.SSLUtils  : The keystore type has not been set in configuration so the default value of JKS will be used.
WARN 1 --- [  XNIO-1 task-1] org.apache.cxf.transport.https.SSLUtils  : Default key managers cannot be initialized: Password must not be null

使用标准密钥库,但没有密码。

2sbarzqh

2sbarzqh1#

从您的问题的评论部分查看我们的对话,我可以得出结论,您的apachecxf没有配置ssl。您需要做的是读取包含可信证书的密钥库并将其加载到 SSLContext 与trustmanagerfactory和trustmanager。
下面是您可以尝试的配置示例:

import org.apache.cxf.bus.CXFBusFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.transport.http.HTTPConduitConfigurer;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import java.security.KeyStore;

public class App {

    public static void main(String[] args) throws Exception {
        InputStream identityAsInputStream = Files.newInputStream(Paths.get("/path/to/your/identity.jks"));
        KeyStore identity = KeyStore.getInstance(KeyStore.getDefaultType());
        identity.load(identityAsInputStream, "keystore-password".toCharArray());

        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(identity, "key-password".toCharArray());
        KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();

        InputStream trustStoreInputStream = Files.newInputStream(Paths.get("/path/to/your/truststore.jks"));
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(trustStoreInputStream, "truststore-password".toCharArray());

        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(keyManagers, trustManagers, null);

        JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
        factory.setAddress("https://some-secure-server.com/");

        factory.setBus(new CXFBusFactory().createBus());
        factory.getBus().setExtension((name, address, httpConduit) -> {
            TLSClientParameters tls = new TLSClientParameters();
            tls.setSSLSocketFactory(sslContext.getSocketFactory());
            httpConduit.setTlsClientParameters(tls);
        }, HTTPConduitConfigurer.class);

        WebClient webClient = factory.createWebClient();
    }
}

这里还有一个cxf客户机的工作示例,用于基于ssl的单向和双向身份验证:github-示例apachecxf客户机ssl配置

相关问题