这几天帮助同事解决了一个SSL证书过期的问题,在解决过程中,也学习了不少知识,也锻炼了自己的思维能力。
一、产生Weblogic Server的证书命令如下
keytool -genkey -alias weblogic -keyalg RSA -keysize 1024 -dname "CN=10.10.10.12,OU=testing,O=mingtian,L=beijing,S=beijing,C=CN" -keypass 111111 -keystore ./weblogic.jks -storepass 111111
keytool -certreq -alias weblogic -sigalg "MD5withRSA" -file ./certreq.pem -keypass 111111 -keystore ./weblogic.jks -storepass 111111
echo 请使用certreq.pem申请服务器证书
echo 请将服务器证书(server.cer)和根证书(root.cer)复制到本目录中
pause
#将CA添加到Java信任的CA清单中
keytool -import -alias root -trustcacerts -file ./root.cer -keystore ./weblogic.jks -storepass 111111
#导入Server的证书文件
keytool -import -alias server -trustcacerts -file ./server.cer -keypass 111111 -keystore ./weblogic.jks -storepass 111111
keytool -genkey -keystore "cacerts" -storepass 111111 -keyalg RSA
keytool -import -alias root -trustcacerts -file ./root.cer -keystore ./cacerts -storepass 111111
copy weblogic.jks weblogictrust.jks
二、产生Apache证书如下
openssl genrsa -out server.key 1024
openssl req -config openssl.cfg -new -key server.key -out server.csr
用server.csr申请服务器证书,下载BASE64格式服务器证书,命名为server.cer
下载BASE64格式CA证书,命名为ca.cer
del server.csr
三、SSL认证关系
1)User和Apache是双向认证
2)Apache和Weblogic是单向认证
四、问题
现在Apache总是不信任Weblogic,错误的日志如下
================New Request: [GET //usim/NumberUsageStat!default.action HTTP/1.1] =================
Thu Apr 14 08:51:05 2011 <5047130274226520> INFO: SSL is configured
Thu Apr 14 08:51:05 2011 <5047130274226520> INFO: SSL configured successfully
Thu Apr 14 08:51:05 2011 <5047130274226520> Using Uri //usim/NumberUsageStat!default.action
Thu Apr 14 08:51:05 2011 <5047130274226520> After trimming path: '//usim/NumberUsageStat!default.action'
Thu Apr 14 08:51:05 2011 <5047130274226520> The final request string is '//usim/NumberUsageStat!default.action'
Thu Apr 14 08:51:05 2011 <5047130274226520> SEARCHING id=[10.1.252.123:9002] from current ID=[10.1.252.123:9001]
Thu Apr 14 08:51:05 2011 <5047130274226520> SEARCHING id=[10.1.252.123:9002] from current ID=[10.1.252.123:9002]
Thu Apr 14 08:51:05 2011 <5047130274226520> The two ids matched
Thu Apr 14 08:51:05 2011 <5047130274226520> @@@FOUND...id=[10.1.252.123:9002], server_name=[218.206.191.83], server_port=[443]
Thu Apr 14 08:51:05 2011 <5047130274226520> attempt #0 out of a max of 5
Thu Apr 14 08:51:05 2011 <5047130274226520> general list: trying connect to '10.1.252.123'/9002/9002 at line 2696 for '//usim/NumberUsageStat!default.action'
Thu Apr 14 08:51:05 2011 <5047130274226520> New SSL URL: match = 0 oid = 22
Thu Apr 14 08:51:05 2011 <5047130274226520> Connect returns -1, and error no set to 245, msg 'Operation now in progress'
Thu Apr 14 08:51:05 2011 <5047130274226520> EINPROGRESS in connect() - selecting
Thu Apr 14 08:51:05 2011 <5047130274226520> Setting peerID for new SSL connection
Thu Apr 14 08:51:05 2011 <5047130274226520> 0000 0000 0a01 fc7b 0000 0000 0000 232a .......{......#*
Thu Apr 14 08:51:05 2011 <5047130274226520> Local Port of the socket is 54637
Thu Apr 14 08:51:05 2011 <5047130274226520> Remote Host 10.1.252.123 Remote Port 9002
Thu Apr 14 08:51:05 2011 <5047130274226520> general list: created a new connection to '10.1.252.123'/9002 for '//usim/NumberUsageStat!default.action', Local port:54637
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs from clnt:[Accept]=[image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/QVOD, */*]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs from clnt:[Referer]=[http://218.206.191.83/CTRMApplicationWeb/jsp/usim/usim.jsp?url=/usim/NumberUsageStat!default.action&itemid=2071&e=615045379]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs from clnt:[Accept-Language]=[zh-cn]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs from clnt:[Accept-Encoding]=[gzip, deflate]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs from clnt:[User-Agent]=[Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; GreenBrowser)]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs from clnt:[Host]=[218.206.191.83]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs from clnt:[Connection]=[Keep-Alive]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs from clnt:[Cookie]=[JSESSIONID=JKV8NmDP7YqlgdJnK2CkmZGSNyTvldHzMj6Cc112Q3l72tynfzJ7!1628161420]
Thu Apr 14 08:51:05 2011 <5047130274226520> URL::sendHeaders(): meth='GET' file='//usim/NumberUsageStat!default.action' protocol='HTTP/1.1'
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[Accept]=[image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/QVOD, */*]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[Referer]=[http://218.206.191.83/CTRMApplicationWeb/jsp/usim/usim.jsp?url=/usim/NumberUsageStat!default.action&itemid=2071&e=615045379]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[Accept-Language]=[zh-cn]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[Accept-Encoding]=[gzip, deflate]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[User-Agent]=[Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; GreenBrowser)]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[Host]=[218.206.191.83]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[Cookie]=[JSESSIONID=JKV8NmDP7YqlgdJnK2CkmZGSNyTvldHzMj6Cc112Q3l72tynfzJ7!1628161420]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[Connection]=[Keep-Alive]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[WL-Proxy-SSL]=[true]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[WL-Proxy-Client-Cert]=[MIIGEzCCBPugAwIBAgIKE+zNOgAAAAABEDANBgkqhkiG9w0BAQUFADBVMRMwEQYKCZImiZPyLGQBGRYDY29tMRQwEgYKCZImiZPyLGQBGRYEY21jYzEUMBIGCgmSJomT8ixkARkWBHVzaW0xEjAQBgNVBAMTCXVzaW0uY21jYzAeFw0xMDA1MTkwOTAxMDZaFw0xMTA1MTkwOTAxMDZaMGQxEzARBgoJkiaJk/IsZAEZFgNjb20xFDASBgoJkiaJk/IsZAEZFgRjbWNjMRQwEgYKCZImiZPyLGQBGRYEdXNpbTEOMAwGA1UEAxMFVXNlcnMxETAPBgNVBAMTCGNoZW5nZmFuMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkIB/ql2dbOESzjeH5L+Nmnb605aQ2r3FgMyHRn/p9BMvHI6gA3oFMxs02mHjNVHdV9m7YZcdbqkkVIfMfzWjLZs797S3qSPjowmva0+8KkklvJFUEHg3RnXM3RV0MjMzv5K05fofTyEug0zHIFkzYh0zqofPMblg2l3uGxugMuwIDAQABo4IDWDCCA1QwCwYDVR0PBAQDAgWgMCkGA1UdJQQiMCAGCisGAQQBgjcKAwQGCCsGAQUFBwMEBggrBgEFBQcDAjAdBgNVHQ4EFgQUezbV6S0IA5ve8EiwNmllO1viEK0wHwYDVR0jBBgwFoAU2r2X8DH98mgxXAfOEifHaZ2IVI0wggEXBgNVHR8EggEOMIIBCjCCAQagggECoIH/hoG9bGRhcDovLy9DTj11c2ltLmNtY2MsQ049aHAtODA0YzY5Y2QzN2Q5LENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXVzaW0sREM9Y21jYyxEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50hj1odHRwOi8vaHAtODA0YzY5Y2QzN2Q5LnVzaW0uY21jYy5jb20vQ2VydEVucm9sbC91c2ltLmNtY2MuY3JsMIIBKwYIKwYBBQUHAQEEggEdMIIBGTCBrQYIKwYBBQUHMAKGgaBsZGFwOi8vL0NOPXVzaW0uY21jYyxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz11c2ltLERDPWNtY2MsREM9Y29tP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MGcGCCsGAQUFBzAChltodHRwOi8vaHAtODA0YzY5Y2QzN2Q5LnVzaW0uY21jYy5jb20vQ2VydEVucm9sbC9ocC04MDRjNjljZDM3ZDkudXNpbS5jbWNjLmNvbV91c2ltLmNtY2MuY3J0MBcGCSsGAQQBgjcUAgQKHggAVQBzAGUAcjAxBgNVHREEKjAooCYGCisGAQQBgjcUAgOgGAwWY2hlbmdmYW5AdXNpbS5jbWNjLmNvbTBEBgkqhkiG9w0BCQ8ENzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4DAgcwCgYIKoZIhvcNAwcwDQYJKoZIhvcNAQEFBQADggEBAEgykQifcC0Z9uE6ikYNLdjjQuRVjs9NJ/suH81XQ0wTO2/qemOA0YgsTDPitvYzyurr5u3tijssxRTWy4Ij+45Z9xy+RvoS5BWDZasSW10BiXzl3mP0Xz0rIWmjn3pYDuoKc3qZmEKF3MCAVLDr/yPrws8YbeSDjAE4zsKEz4oEAI67F3gNK85Vl7gosRCFwEiUsZanO9oDc02/3DhlLKUXYjhCY5V40Aa5wNXljOEACDgS05sisXM+WvSzOoLBg8XVkFgi4VEuG9wWuQC7548f2v49hPEsksz4k6F+Oxl16gGsPfoPyxq5JgyfawmjknjT7F938eXK6Wj4qOd9s/E=]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[WL-Proxy-Client-IP]=[211.137.58.245]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[Proxy-Client-IP]=[211.137.58.245]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[X-Forwarded-For]=[211.137.58.245]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[X-WebLogic-Force-JVMID]=[unset]
Thu Apr 14 08:51:05 2011 <5047130274226520> INFO: No CA was trusted, validation failed
Thu Apr 14 08:51:05 2011 <5047130274226520> ERROR: SSLWrite failed
Thu Apr 14 08:51:05 2011 <5047130274226520> SEND failed (ret=-1) at 789 of file ../nsapi/URL.cpp
Thu Apr 14 08:51:05 2011 <5047130274226520> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 790 of ../nsapi/URL.cpp
Thu Apr 14 08:51:05 2011 <5047130274226520> Marking 10.1.252.123:9002 as bad
Thu Apr 14 08:51:05 2011 <5047130274226520> got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 790 of ../nsapi/URL.cpp]: at line 3078
Thu Apr 14 08:51:05 2011 <5047130274226520> INFO: Closing SSL context
Thu Apr 14 08:51:05 2011 <5047130274226520> Failing over after WRITE_ERROR_TO_SERVER exception in sendRequest()
五、解决
将Weblogic自己产生的证书的CA导入到Apache既可以解决。
六、总结
遇到问题,还是需要将用到的原理先搞懂,将问题来龙去脉整理清楚,然后由浅入深分步排查。
分享到:
相关推荐
整合Weblogic与Apache可以实现负载均衡、SSL终止和优化性能等功能。以下是详细的整合步骤: 一、JDK安装与配置 1. 下载JDK的Linux版本,如`jdk-1_5_0_14-linux-i586.rpm.bin`,并赋予执行权限。 2. 运行安装命令`....
LINUX下TOMCAT及WEBLOGIC下SSL配置手册 SSL(Secure Sockets Layer)是一种安全协议,用于在Web服务器和浏览器之间进行加密通讯。今天,我们将讨论在LINUX环境下配置TOMCAT和WEBLOGIC服务器的SSL协议。 TOMCAT下的...
2. **SSL终止**:在Apache层面处理加密,减轻WebLogic Server的负担,提高性能。 3. **会话粘滞**:根据客户端会话ID或cookie,确保用户请求始终路由到同一台WebLogic Server,保持会话状态的一致性。 4. **健康检查...
- **启动WebLogic服务器**:通过`/weblogic/Oracle/Middleware/user_projects/domains/base_domain/bin/startWebLogic.sh`脚本启动WebLogic服务器。 - **WebLogic控制台访问**:启动服务器后,可以通过浏览器访问`...
在IIS7管理器中,可以设置站点的SSL设置,并绑定SSL证书,确保数据传输的安全性。 5. **禁用目录浏览**: 为了增加安全性,应禁用目录浏览功能,防止未经授权的用户浏览网站目录结构。 6. **删除不使用的应用程序...
WebLogic 反序列化漏洞 SSRF 任意文件上传 war 后门文件部署 Apache Shiro 反序列化漏洞等。 15. 内网渗透思路? 知识点:内网渗透思路包括代理穿透、权限维持、内网信息收集、口令爆破、凭据窃取、社工横行和纵向...
- **加密连接**:默认使用更安全的SSL/TLS协议进行加密,提高了数据传输的安全性。 - **Caching_sha2_password认证插件**:提供更强的密码安全性,但需要更新连接配置。 - **InnoDB存储引擎的改进**:如更好的行...
但EJB必须被布署在诸如Webspere、WebLogic这样的容器中,EJB客户从不直接访问真正的EJB组件,而是通过其容器访问。EJB容器是EJB组件的代理, EJB组件由容器所创建和管理。客户通过容器来访问真正的EJB组件。 24、...
//得到服务器地址 String user=jtfUser.getText(); //得到用户名 String pass=jtfPass.getPassword().toString(); //得到密码 ftpClient.openServer(serverAddr); //连接到服务器 ftpClient.login(user,pass); //在...
#hibernate.connection.driver_class org.apache.derby.jdbc.EmbeddedDriver #hibernate.connection.username #hibernate.connection.password #hibernate.connection.url jdbc:derby:build/db/derby/hibernate;...
4. 可在常见的J2EE服务器上运行,如Geronimo、JBoss、GlassFish和WebLogic,通过JCA 1.5资源适配器进行自动部署。 5. 提供多种传输协议,如in-VM、TCP、SSL、NIO、UDP、JGroups、JXTA等。 6. 高速的消息持久化,通过...
51.3. Configuring Management-specific SSL 51.4. Customizing the Management Server Address 51.5. Disabling HTTP Endpoints 52. Monitoring and Management over JMX 52.1. Customizing MBean Names 52.2. ...