2013-09-24
场景
项目对账系统涉及到第三方支付平台交易记录采集,通讯协议为HTTPS单向认证(客户端需要认证支付平台网关是否可信,支付平台网关不在协议层验证客户端是否可任),通讯层主要集成了Apache HttpClient组件。
项目测试过程中在测试环境(Linux)采集过三个月左右交易记录,通讯层这块没有任何问题,项目上线后发现异常日志中抛出大量与此项目相关异常信息,异常信息表述的主要意思为服务器提供的证书不被我们客户端信任。
异常信息
Caused by: sun.security.validator.ValidatorException: PKIX path

building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
        at com.tvj.iphone.pay.unipay.AuthSSLX509TrustManager.checkServerTrusted(AuthSSLX509TrustManager.java:213)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1066)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:129)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:530)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1121)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
        at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:508)
        at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
        at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
        at com.tvj.erp.payment.util.httpClient.HttpProtocolHandler.execute(HttpProtocolHandler.java:121)
        at com.tvj.erp.payment.util.httpClient.HttpProtocolHandler.execute(HttpProtocolHandler.java:65)
        at com.tvj.erp.payment.alipay.AbstractPaymentImpl4Alipay.doRequest(AbstractPaymentImpl4Alipay.java:148)
        at com.tvj.erp.payment.alipay.AbstractPaymentImpl4Alipay.innerCollectsPaymentData(AbstractPaymentImpl4Alipay.java:94)
        at com.tvj.erp.payment.alipay.AbstractPaymentImpl4Alipay.collectsPaymentData(AbstractPaymentImpl4Alipay.java:82)
        at com.tvj.erp.payment.acquis.DefaultPaymentDataAcquisitionStratety.doDataAcquisition(DefaultPaymentDataAcquisitionStratety.java:48)
        at com.tvj.erp.payment.PaymentDataAcquisition.doCollectsData(PaymentDataAcquisition.java:60)
        ... 2 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
        ... 31 more
解决办法
两个文件
1、%JAVA_HOME%\jre\lib\security\cacerts
2、%JAVA_HOME%\jre\lib\security\jssecerts

两种办法:
一、添加信任证书
这块也有两种办法,
1.1、指定运行时系统变量设置trustStore
"-Djavax.net.ssl.trustStore=/path/to/jssecacerts"
"-Djavax.net.ssl.trustStorePassword=truststorepassword"
1.2、使用keytool手动导入证书
二、实现自定义证书信任管理逻辑(这样做有风险)

三、Java安全#为JRE环境导入信任证书
1、使用浏览器访问目标网站,下载证书存储成cer格式
2、使用keytool导入
2.1、确认信任服务器cer文件路径/tmp/Base64.alipay.cer
2.2、确认JAVA_HOME,
2.3、keytool -import -trustcacerts -alias alipay.com -file /tmp/Base64_Alipay.cer -keystore /opt/jrockit-jdk1.6.0_20/jre/lib/security/cacerts -storepass changeit
2.4、执行中需要确认导入(y)
2.5、验证查看证书信息
2.5.1、keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts -alias alipay.com
2.5.2、输入密码changeit
2.5.3、检查输入结果
 

2013-10-07
整理java#keytool工具
这个工具的用途主要是管理java安全相关的认证证书、密钥,对证书或密钥条目的导入、导出、删除、变更。
1、创建证书
keytool -genkeypair -alias "org.ybygjy.ca" -keyalg "RSA" -keystore "d:\ca.keystore"
2、查看证书库
keytool -list -keystore d:\ca.keystore
3、导出到证书文件
keytool -export -alias org.ybygjy.ca -file d:\org.ybygjy.crt -keystore d:\ca.keystore
4、导入证书
keytool -import -keystore d:\ca.keystore -file d:\org.ybygjy.crt
5、查看证书
keytool -printcert -file d:\org.ybygjy.crt
6、删除条目
keytool -delete -keystore d:\ca.keystore -alias org.ybygjy.ca
7、修改条目口令
keytool -keypasswd -alias org.ybygjy.ca -keystore d:\ca.keystore
keytool -keypasswd -alias org.ybygjy.ca -keypass abcdefaaf -new abeedcedc -storepass changeit -keystore d:\ca.keystore

资料
GitHub 加速计划 / li / linux-dash
10.39 K
1.2 K
下载
A beautiful web dashboard for Linux
最近提交(Master分支:2 个月前 )
186a802e added ecosystem file for PM2 4 年前
5def40a3 Add host customization support for the NodeJS version 4 年前
Logo

旨在为数千万中国开发者提供一个无缝且高效的云端环境,以支持学习、使用和贡献开源项目。

更多推荐