Problem description
I am trying to implement TLS 1.2 from WebSphere Application Server v9.0.5.6 to an Oracle 19c database. WAS and Oracle are on different VMs, both running CentOS 7. I am using the IBM Java 8 shipped with WebSphere and the ojdbc8.jar shipped by Oracle (from the Oracle 19c client). A non-SSL connection works fine from the WAS console.
To implement TLS 1.2 I did the following.
- Used this link and completed the SSL configuration on the Oracle database side. For testing I even did the client configuration on the WAS VM and tested with sqlplus (as the oracle user, with the Oracle 19c client), and I was able to connect and get TCPS as specified in this query.
- Then I added the Oracle DB self-signed certificate to "WAS_HOME/AppServer/profiles/AppSrv01/etc/trust.p12". I used iKeyman to add the database certificate to WAS. Then I added the custom property 'connectionProperties' to the data source with the value javax.net.ssl.trustStore=WAS_HOME/AppServer/profiles/AppSrv01/etc/trust.p12; javax.net.ssl.trustStoreType=PKCS12; oracle.net.ssl_version=1.2; javax.net.ssl.trustStorePassword=***
- I also tried JKS instead of point 2. Added the Oracle DB self-signed certificate to "WAS_HOME/AppServer/java/8.0/jre/lib/security/cacerts". I used iKeyman to add the database certificate to WAS. Then I added the custom property 'connectionProperties' to the data source with the value javax.net.ssl.keyStore= WAS_HOME/AppServer/java/8.0/jre/lib/security/cacerts; javax.net.ssl.keyStoreType=JKS; oracle.net.ssl_version=1.2; javax.net.ssl.keyStorePassword=***
I enabled debug logging, and in both cases I get the error "java.security.SignatureException: Signature length not correct: got 128 but was expecting 256".
Can anyone advise on the error, or on how to successfully implement TLS 1.2 from WAS to the Oracle DB?
SystemOut log
[29/03/21 10:37:15:975 BST] 0000008c FileRepositor A ADMR0010I: Document cells/appserver01Node01Cell/security.xml is modified.
[29/03/21 10:37:15:978 BST] 0000008c FileRepositor A ADMR0010I: Document cells/appserver01Node01Cell/nodes/appserver01Node01/trust.p12 is modified.
[29/03/21 10:37:26:165 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.164 BST|Thread.java:1164|adding as trusted certificates (
"certificate" : {
"version" : "v3","serial number" : "30 F6 93 B4","signature algorithm": "SHA256withRSA","issuer" : "CN=dbserver01.miracle.com","not before" : "2021-03-28 04:43:25.000 BST","not after" : "2031-02-04 03:43:25.000 GMT","subject" : "CN=dbserver01.miracle.com","subject public key" : "RSA","extensions" : [
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 57 d7 09 3f d2 5e db c3 43 93 6f af 82 4a fc 7d W.......C.o..J..
0010: 16 74 be 60 .t..
]
]
}
]},"certificate" : {
"version" : "v3","serial number" : "38 5D 50 BF 82","issuer" : "CN=appserver01.miracle.com,OU=Root Certificate,OU=appserver01Node01Cell,OU=appserver01Node01,O=IBM,C=US","not before" : "2021-03-25 21:09:10.000 GMT","not after" : "2036-03-21 21:09:10.000 GMT","subject" : "CN=appserver01.miracle.com,"extensions" : [
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4c 3e 62 ab 29 d9 6c 08 L.b...l.
]
]
},{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: ProfileUUID:AppSrv01-BASE-5d9b3381-f22f-4812-a07b-c1e59b63d0a5]]
}
]}
)
[29/03/21 10:37:26:171 BST] 0000008c SystemOut O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.166 BST|Thread.java:1164|keyStore is: /home/sunny/IBM/WebSphere/AppServer/java/8.0/jre/lib/security/cacerts
[29/03/21 10:37:26:172 BST] 0000008c SystemOut O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.171 BST|Thread.java:1164|keyStore type is: jks
[29/03/21 10:37:26:178 BST] 0000008c SystemOut O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.173 BST|Thread.java:1164|keyStore provider is:
…..
[29/03/21 10:37:26:218 BST] 0000008c SystemOut O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.217 BST|Thread.java:1164|Ignore unsupported cipher suite: TLS_AES_256_GCM_SHA384
[29/03/21 10:37:26:220 BST] 0000008c SystemOut O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.218 BST|Thread.java:1164|Ignore unsupported cipher suite: TLS_CHACHA20_POLY1305_SHA256
……
[29/03/21 10:37:26:261 BST] 0000008c SystemOut O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.256 BST|Thread.java:1164|Ignore unsupported cipher suite: TLS_CHACHA20_POLY1305_SHA256
[29/03/21 10:37:26:264 BST] 0000008c SystemOut O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.262 BST|Thread.java:1164|Ignore unsupported cipher suite: TLS_AES_128_GCM_SHA256
[29/03/21 10:37:26:287 BST] 0000008c SystemOut O javax.net.ssl|WARNING|8C|WebContainer : 1|2021-03-29 10:37:26.284 BST|Thread.java:1164|Unable to indicate server name
…
[29/03/21 10:37:26:303 BST] 0000008c SystemOut O javax.net.ssl|INFO|8C|WebContainer : 1|2021-03-29 10:37:26.300 BST|Thread.java:1164|No available application protocols
[29/03/21 10:37:26:304 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.303 BST|Thread.java:1164|Ignore,context unavailable extension: application_layer_protocol_negotiation
[29/03/21 10:37:26:306 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.304 BST|Thread.java:1164|Ignore,context unavailable extension: status_request_v2
[29/03/21 10:37:26:307 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.306 BST|Thread.java:1164|Ignore,context unavailable extension: renegotiation_info
[29/03/21 10:37:26:310 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.309 BST|Thread.java:1164|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2","random" : "88 57 8E A5 C0 F4 72 B7 2C F9 EA 52 C1 8B D8 D4 3E 09 5D 3A BB 50 9C 5D 78 54 DD 19 AA 81 A9 63","session id" : "","cipher suites" : "[SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030),SSL_RSA_WITH_AES_256_GCM_SHA384(0x009D),SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E),SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032),SSL_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),SSL_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3),SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),SSL_RSA_WITH_AES_128_GCM_SHA256(0x009C),SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D),SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031),………..
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E),SSL_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),SSL_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA(0xC008),SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA(0x0016),SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA(0x0013),TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]","compression methods" : "00","extensions" : [
"supported_groups (10)": {
"versions": [secp256r1,secp384r1,secp521r1]
},"ec_point_formats (11)": {
"formats": [uncompressed]
},"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256,ecdsa_secp384r1_sha384,ecdsa_secp521r1_sha512,rsa_pss_rsae_sha256,rsa_pss_rsae_sha384,rsa_pss_rsae_sha512,rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512,rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pkcs1_sha512,dsa_sha256,ecdsa_sha224,rsa_sha224,dsa_sha224,ecdsa_sha1,rsa_pkcs1_sha1,dsa_sha1]
},"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256,"extended_master_secret (23)": {
<empty>
},"supported_versions (43)": {
"versions": [TLSv1.2]
}
]
}
)
[29/03/21 10:37:26:312 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.311 BST|Thread.java:1164|WRITE: TLS12 handshake,length = 262
[29/03/21 10:37:26:314 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.313 BST|Thread.java:1164|Raw write (
0000: 16 03 03 01 06 01 00 01 02 03 03 88 57 8e a5 c0 ............W...
0010: f4 72 b7 2c f9 ea 52 c1 8b d8 d4 3e 09 5d 3a bb .r....R.........
.
00e0: 08 04 08 05 08 06 08 09 08 0a 08 0b 04 01 05 01 ................
00f0: 06 01 04 02 03 03 03 01 03 02 02 03 02 01 02 02 ................
0100: 00 17 00 00 00 2b 00 03 02 03 03 ...........
)
[29/03/21 10:37:26:321 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.320 BST|Thread.java:1164|Raw read (
0000: 16 03 03 00 51 02 00 00 4d 03 03 60 61 9f d6 32 ....Q...M...a..2
0010: 63 9b cf 09 dc a2 95 64 8d c0 cb 0f e5 ed 1b 1b c......d........
0040: b5 10 28 2a 9d e0 ed 5e a8 f9 a5 13 c0 30 00 00 .............0..
.
02d0: 2b f9 e5 e8 c0 60 be 3b 11 68 2a 0d 1f 60 18 b3 .........h......
02e0: e6 d5 0b 7e 12 03 9e 72 2f 88 f3 54 26 18 18 ca .......r...T....
02f0: e5 ae 0a 2f db b9 0f 18 ae c5 2f 8d 16 03 03 00 ................
0300: 04 0e 00 00 00 .....
)
[29/03/21 10:37:26:323 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.322 BST|Thread.java:1164|READ: TLSv1.2 handshake,length = 81
[29/03/21 10:37:26:328 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.327 BST|Thread.java:1164|Consuming ServerHello handshake message (
"ServerHello": {
"server version" : "TLSv1.2","random" : "60 61 9F D6 32 63 9B CF 09 DC A2 95 64 8D C0 CB 0F E5 ED 1B 1B E3 C9 2B 7F 06 6D 03 58 6D DF 4F","session id" : "3A EC 80 A8 76 B9 C2 33 CD 59 71 86 01 77 6F 4B 64 3A 0A A6 B5 10 28 2A 9D E0 ED 5E A8 F9 A5 13","cipher suite" : "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)","extensions" : [
"renegotiation_info (65,281)": {
"renegotiated connection": [<no renegotiated connection>]
}
]
}
)
[29/03/21 10:37:26:335 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.334 BST|Thread.java:1164|Ignore unavailable extension: supported_versions
[29/03/21 10:37:26:336 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.335 BST|Thread.java:1164|Negotiated protocol version: TLSv1.2
…
[29/03/21 10:37:26:367 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.365 BST|Thread.java:1164|Ignore unavailable extension: status_request_v2
[29/03/21 10:37:26:369 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.367 BST|Thread.java:1164|Consumed extension: renegotiation_info
[29/03/21 10:37:26:370 BST] 0000008c SystemOut O javax.net.ssl|ALL|8C|WebContainer : 1|2021-03-29 10:37:26.369 BST|Thread.java:1164|Session initialized: Session(1617010646369|SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
[29/03/21 10:37:26:372 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.371 BST|Thread.java:1164|Ignore unavailable extension: server_name
…
[29/03/21 10:37:26:380 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.380 BST|Thread.java:1164|Ignore unavailable extension: status_request_v2
[29/03/21 10:37:26:381 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.380 BST|Thread.java:1164|Ignore unavailable extension: extended_master_secret
[29/03/21 10:37:26:387 BST] 0000008c SystemOut O javax.net.ssl|WARNING|8C|WebContainer : 1|2021-03-29 10:37:26.382 BST|Thread.java:1164|Ignore impact of unsupported extension: renegotiation_info
[29/03/21 10:37:26:390 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.388 BST|Thread.java:1164|Raw read (
0000: 16 03 03 01 cf 0b 00 01 cb 00 01 c8 00 01 c5 30 ...............0
0010: 82 01 c1 30 82 01 2a 02 11 00 a2 75 59 bc 83 45 ...0.......uY..E
.
0260: e8 c6 b2 6c ac 7d 76 15 a0 94 72 cd 50 e8 37 75 ...l..v...r.P.7u
02a0: 0f 18 ae c5 2f 8d 16 03 03 00 04 0e 00 00 00 ...............
)
[29/03/21 10:37:26:392 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.390 BST|Thread.java:1164|READ: TLSv1.2 handshake,length = 463
[29/03/21 10:37:26:394 BST] 0000008c SystemOut O javax.net.ssl|FINE|8C|WebContainer : 1|2021-03-29 10:37:26.393 BST|Thread.java:1164|Consuming server Certificate handshake message (
"Certificates": [
"certificate" : {
"version" : "v1","serial number" : "00 A2 75 59 BC 83 45 CD 7D 9E B0 D9 8B E3 FD 9B 92","not before" : "2021-03-21 02:10:55.000 GMT","not after" : "2031-03-19 02:10:55.000 GMT","subject public key" : "RSA"}
]
)
[29/03/21 10:37:26:404 BST] 0000008c SystemOut O javax.net.ssl|SEVERE|8C|WebContainer : 1|2021-03-29 10:37:26.403 BST|Thread.java:1164|Fatal (BAD_CERTIFICATE): PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed (
"throwable" : {
com.ibm.jsse2.util.j: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
at com.ibm.jsse2.util.h.a(h.java:174)
at com.ibm.jsse2.util.h.b(h.java:185)
at com.ibm.jsse2.util.g.a(g.java:10)
at com.ibm.jsse2.bq.a(bq.java:32)
at com.ibm.jsse2.bq.a(bq.java:70)
at com.ibm.jsse2.bq.checkServerTrusted(bq.java:10)
at com.ibm.jsse2.y$c.a(y$c.java:99)
at com.ibm.jsse2.y$c.a(y$c.java:10)
at com.ibm.jsse2.y$c.consume(y$c.java:6)
at com.ibm.jsse2.p.consume(p.java:43)
at com.ibm.jsse2.Z.a(Z.java:73)
at com.ibm.jsse2.bf$a$b.a(bf$a$b.java:2)
at com.ibm.jsse2.bf$a$b.run(bf$a$b.java:3)
at java.security.AccessController.doPrivileged(AccessController.java:774)
at com.ibm.jsse2.bf$a.run(bf$a.java:26)
at oracle.net.nt.SSLSocketChannel.runTasks(SSLSocketChannel.java:602)
at oracle.net.nt.SSLSocketChannel.doSSLHandshake(SSLSocketChannel.java:434)
at oracle.net.nt.SSLSocketChannel.write(SSLSocketChannel.java:128)
at oracle.net.ns.NIOPacket.writetoSocketChannel(NIOPacket.java:350)
at oracle.net.ns.NIOConnectPacket.writetoSocketChannel(NIOConnectPacket.java:247)
at oracle.net.ns.NSProtocolNIO.negotiateConnection(NSProtocolNIO.java:117)
at oracle.net.ns.NSProtocol.connect(NSProtocol.java:340)
at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1596)
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:588)
at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:793)
at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:57)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:747)
at oracle.jdbc.pool.OracleDataSource.getPhysicalConnection(OracleDataSource.java:406)
at oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:291)
at oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:206)
at oracle.jdbc.pool.OracleConnectionPoolDataSource.getPhysicalConnection(OracleConnectionPoolDataSource.java:148)
at oracle.jdbc.pool.OracleConnectionPoolDataSource.getPooledConnection(OracleConnectionPoolDataSource.java:91)
at com.ibm.ws.rsadapter.DSConfigHelper$1.run(DSConfigHelper.java:1273)
at com.ibm.ws.security.auth.ContextManagerImpl.runAs(ContextManagerImpl.java:5446)
at com.ibm.ws.security.auth.ContextManagerImpl.runAsSystem(ContextManagerImpl.java:5662)
at com.ibm.ws.security.core.SecurityContext.runAsSystem(SecurityContext.java:255)
at com.ibm.ws.rsadapter.spi.ServerFunction$6.run(ServerFunction.java:571)
at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
at com.ibm.ws.rsadapter.DSConfigHelper.getPooledConnection(DSConfigHelper.java:1288)
at com.ibm.ws.rsadapter.DSConfigHelper.getPooledConnection(DSConfigHelper.java:1196)
at com.ibm.ws.rsadapter.DSConfigurationHelper.getConnectionFromdsOrPooledDS(DSConfigurationHelper.java:2076)
at com.ibm.ws.rsadapter.DSConfigurationHelper.getConnectionFromdsOrPooledDS(DSConfigurationHelper.java:1952)
at com.ibm.ws.rsadapter.DSConfigurationHelper.testConnectionForGUI(DSConfigurationHelper.java:2820)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at com.ibm.ws.management.DataSourceConfigHelperMBean.testConnectionToDataSource2(DataSourceConfigHelperMBean.java:556)
at com.ibm.ws.management.DataSourceConfigHelperMBean.testConnection(DataSourceConfigHelperMBean.java:484)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at sun.reflect.misc.Trampoline.invoke(MethodUtil.java:83)
at sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at sun.reflect.misc.MethodUtil.invoke(MethodUtil.java:287)
at javax.management.modelmbean.RequiredModelMBean$4.run(RequiredModelMBean.java:1263)
at java.security.AccessController.doPrivileged(AccessController.java:708)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
at javax.management.modelmbean.RequiredModelMBean.invokeMethod(RequiredModelMBean.java:1257)
at javax.management.modelmbean.RequiredModelMBean.invoke(RequiredModelMBean.java:1096)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:831)
at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:813)
at com.ibm.ws.management.AdminServiceImpl$1.run(AdminServiceImpl.java:1353)
at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
at com.ibm.ws.management.AdminServiceImpl.invoke(AdminServiceImpl.java:1246)
at com.ibm.ws.management.commands.AdminServiceCommands$InvokeCmd.execute(AdminServiceCommands.java:251)
at com.ibm.ws.console.core.mbean.MBeanHelper.invoke(MBeanHelper.java:246)
at com.ibm.ws.console.core.mbean.ResourceMBeanHelper.testNode(ResourceMBeanHelper.java:860)
at com.ibm.ws.console.core.mbean.ResourceMBeanHelper.testConnection(ResourceMBeanHelper.java:292)
at com.ibm.ws.console.resources.database.jdbc.DataSourceDetailAction.testConnection(DataSourceDetailAction.java:713)
at com.ibm.ws.console.resources.database.jdbc.DataSourceCollectionAction.execute(DataSourceCollectionAction.java:339)
at org.apache.struts.action.RequestProcessor.processActionPerform(Unknown Source)
at org.apache.struts.action.RequestProcessor.process(Unknown Source)
at org.apache.struts.action.ActionServlet.process(Unknown Source)
at org.apache.struts.action.ActionServlet.doPost(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1235)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:779)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:478)
at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:179)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:143)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:78)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:979)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1119)
at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.dispatch(WebAppRequestDispatcher.java:1408)
at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.forward(WebAppRequestDispatcher.java:198)
at org.apache.struts.action.RequestProcessor.doForward(Unknown Source)
at org.apache.struts.tiles.TilesRequestProcessor.doForward(Unknown Source)
at org.apache.struts.action.RequestProcessor.processForwardConfig(Unknown Source)
at org.apache.struts.tiles.TilesRequestProcessor.processForwardConfig(Unknown Source)
at org.apache.struts.action.RequestProcessor.process(Unknown Source)
at org.apache.struts.action.ActionServlet.process(Unknown Source)
at org.apache.struts.action.ActionServlet.doPost(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1235)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:779)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:478)
at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:179)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:143)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:96)
at com.ibm.ws.console.core.servlet.WSCUrlFilter.setUpCommandAssistance(WSCUrlFilter.java:984)
at com.ibm.ws.console.core.servlet.WSCUrlFilter.continueStoringTaskState(WSCUrlFilter.java:531)
at com.ibm.ws.console.core.servlet.WSCUrlFilter.doFilter(WSCUrlFilter.java:352)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:197)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:979)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1119)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:82)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:963)
at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:382)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:465)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:532)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:318)
at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:88)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1909)
Caused by: java.security.cert.CertPathValidatorException: signature check failed
at com.ibm.security.cert.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:130)
at com.ibm.security.cert.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:232)
at com.ibm.security.cert.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:136)
at com.ibm.security.cert.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:75)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:304)
at com.ibm.jsse2.util.h.a(h.java:74)
... 127 more
Caused by: java.security.SignatureException: Signature length not correct: got 128 but was expecting 256
at com.ibm.crypto.provider.RSASignature.engineVerify(Unknown Source)
at java.security.Signature$Delegate.engineVerify(Signature.java:1403)
at java.security.Signature.verify(Signature.java:777)
at com.ibm.security.x509.X509CertImpl.verify(X509CertImpl.java:739)
at com.ibm.security.cert.BasicChecker.verifySignature(BasicChecker.java:182)
at com.ibm.security.cert.BasicChecker.check(BasicChecker.java:163)
at com.ibm.security.cert.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:120)
Solution
Steps
- Below is my setup, but the setup has no bearing on implementing TLS 1.2.
  WAS v9.0.5.6 on CentOS VM1. Installed as "user1". Using the IBM Java 8 shipped with WebSphere.
  Oracle Client 19c on the same CentOS VM1. Oracle client installed as the "oracle" user.
  Oracle Database 19c on CentOS VM2. Database installed as the "oracle" user.
- Completed the server-side and client-side certificate configuration using this link. Generated and exchanged self-signed certificates on/between the server and the client as described there. For testing, keep the passwords free of special characters; I ran into problems with passwords containing special characters.
- On the Oracle client host (my CentOS VM1), convert the Oracle PKCS12 wallet to a Java KeyStore. I used the following command as the "oracle" user.
  orapki wallet pkcs12_to_jks -wallet "/home/oracle/wallet" -pwd abcd123 -jksKeyStoreLoc "/home/oracle/jkswallet/ewallet.jks" -jksKeyStorepwd abcd123
- Changed the permissions of "/home/oracle/jkswallet" and "/home/oracle/jkswallet/ewallet.jks" to 755 so that "user1", which runs WAS on the same server, can read them.
- On WAS, create a normal "JDBC provider" using ojdbc8.jar. No other jars are needed. Create a "Data source" using the JDBC provider just created. Along with the data source, also create "JAAS - J2C authentication data" for the username and password.
- I used the following URL format in the "Data source"
  jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=172.16.77.11)(PORT=2484)))(CONNECT_DATA=(SERVICE_NAME=PROD01PDB)))
- Add a property under "Custom properties" of the "Data source"
  Name: connectionProperties
  Value: javax.net.ssl.keyStore=/home/oracle/jkswallet/ewallet.jks; javax.net.ssl.keyStoreType=JKS; javax.net.ssl.keyStorePassword=abcd123; javax.net.ssl.trustStore=/home/oracle/jkswallet/ewallet.jks; javax.net.ssl.trustStoreType=JKS; javax.net.ssl.trustStorePassword=abcd123; oracle.net.ssl_version=1.2; oracle.net.ssl_server_dn_match=false
Finally, the trimmed debug log
[06/04/21 16:14:30:947 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:30.946 BST|Thread.java:1164|found key for : orakey (
"certificate" : {
"version" : "v1","serial number" : "00 E5 74 A4 14 70 21 C0 6D 42 78 B1 AF 86 B3 7F 09","signature algorithm": "SHA256withRSA","issuer" : "CN=appserver01","not before" : "2021-04-06 01:35:51.000 BST","not after" : "2031-04-04 01:35:51.000 BST","subject" : "CN=appserver01","subject public key" : "RSA"}
)
[06/04/21 16:14:30:956 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:30.955 BST|Thread.java:1164|adding as trusted certificates (
"certificate" : {
"version" : "v1","subject public key" : "RSA"},"certificate" : {
"version" : "v1","serial number" : "00 AB 2C F7 0B 59 C2 76 AE CC F0 21 EF DA 8B D7 D1","issuer" : "CN=dbserver01.miracle.com","not before" : "2021-04-06 01:50:52.000 BST","not after" : "2031-04-04 01:50:52.000 BST","subject" : "CN=dbserver01.miracle.com","subject public key" : "RSA"}
)
application_layer_protocol_negotiation
[06/04/21 16:14:32:709 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.708 BST|Thread.java:1164|Ignore,context unavailable extension: status_request_v2
[06/04/21 16:14:32:714 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.712 BST|Thread.java:1164|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2","random" : "7B 73 62 0A 5B C3 CC 62 19 FC C1 78 03 30 F4 39 7C F8 A3 81 F9 02 4C BB 7A 35 8D F7 55 8A 8A 83","session id" : "","cipher suites" : "[SSL_RSA_WITH_AES_256_GCM_SHA384(0x009D)]","compression methods" : "00","extensions" : [
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256,ecdsa_secp384r1_sha384,ecdsa_secp521r1_sha512,rsa_pss_rsae_sha256,rsa_pss_rsae_sha384,rsa_pss_rsae_sha512,rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512,rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pkcs1_sha512,dsa_sha256,ecdsa_sha224,rsa_sha224,dsa_sha224,ecdsa_sha1,rsa_pkcs1_sha1,dsa_sha1]
},"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256,"extended_master_secret (23)": {
<empty>
},"supported_versions (43)": {
"versions": [TLSv1.2]
},"renegotiation_info (65,281)": {
"renegotiated connection": [<no renegotiated connection>]
}
]
}
)
[06/04/21 16:14:32:736 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.735 BST|Thread.java:1164|READ: TLSv1.2 handshake,length = 81
[06/04/21 16:14:32:741 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.740 BST|Thread.java:1164|Consuming ServerHello handshake message (
"ServerHello": {
"server version" : "TLSv1.2","random" : "60 6C 7A D8 CC A6 0C B4 A4 5E 49 53 44 B4 68 77 7D 18 01 D6 04 10 DD E8 A6 E5 8D 6C EE DC 54 2A","session id" : "11 E9 ED 05 27 69 4E B8 A4 FA 28 0F 4C 19 AD 2F D6 55 47 ED A1 EB 0E 91 E6 E6 7B 53 D9 E0 0C DA","cipher suite" : "SSL_RSA_WITH_AES_256_GCM_SHA384(0x009D)","extensions" : [
"renegotiation_info (65,281)": {
"renegotiated connection": [<no renegotiated connection>]
}
]
}
)
[06/04/21 16:14:32:804 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.803 BST|Thread.java:1164|READ: TLSv1.2 handshake,length = 463
[06/04/21 16:14:32:820 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.817 BST|Thread.java:1164|Consuming server Certificate handshake message (
"Certificates": [
"certificate" : {
"version" : "v1","subject public key" : "RSA"}
]
)
[06/04/21 16:14:32:831 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.830 BST|Thread.java:1164|Found trusted certificate (
"certificate" : {
"version" : "v1","subject public key" : "RSA"}
)
[06/04/21 16:14:32:916 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.915 BST|Thread.java:1164|JsseJCE: Using cipher RSA/SSL/PKCS1Padding from provider IBMJCE version 1.8
[06/04/21 16:14:32:922 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.920 BST|Thread.java:1164|RSAClientKeyExchange: Using cipher for wrap RSA/SSL/PKCS1Paddingfrom provider from init IBMJCE version 1.8
[06/04/21 16:14:32:928 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:32.926 BST|Thread.java:1164|Produced RSA ClientKeyExchange handshake message (
"RSA ClientKeyExchange": {
"client_version": TLSv1.2
"encrypted": {
0000: 24 64 33 4f 9f 90 85 77 fe 9d c2 f4 ac 75 78 56 .d3O...w.....uxV
......
0060: 21 21 f9 68 c9 2e 79 60 cc fe d1 78 1d 5a 69 c1 ...h..y....x.Zi.
0070: 4e 73 47 eb b6 39 3f 07 0a 89 62 fb 29 78 c5 f9 NsG..9....b..x..
}
}
)
[06/04/21 16:14:33:052 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.050 BST|Thread.java:1164|Produced ChangeCipherSpec message
[06/04/21 16:14:33:054 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.052 BST|Thread.java:1164|Produced client Finished handshake message (
"Finished": {
"verify data": {
0000: 56 66 52 df 64 68 37 a0 de 28 28 18
}'}
)
[06/04/21 16:14:33:055 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.054 BST|Thread.java:1164|WRITE: TLS12 handshake,length = 134
[06/04/21 16:14:33:291 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.290 BST|Thread.java:1164|found key for : orakey (
"certificate" : {
"version" : "v1","subject public key" : "RSA"}
)
[06/04/21 16:14:33:294 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.293 BST|Thread.java:1164|adding as trusted certificates (
"certificate" : {
"version" : "v1","subject public key" : "RSA"}
)
[06/04/21 16:14:33:389 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.387 BST|Thread.java:1164|Ignore,context unavailable extension: status_request_v2
[06/04/21 16:14:33:405 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.391 BST|Thread.java:1164|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2","random" : "59 4F CB D5 24 6A E7 DC D4 75 4C 1D EC F9 84 2F BC D5 EC 24 EB BC 69 4F 35 29 88 0F 42 46 B7 0E",281)": {
"renegotiated connection": [<no renegotiated connection>]
}
]
}
)
[06/04/21 16:14:33:424 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.422 BST|Thread.java:1164|READ: TLSv1.2 handshake,length = 81
[06/04/21 16:14:33:427 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.426 BST|Thread.java:1164|Consuming ServerHello handshake message (
"ServerHello": {
"server version" : "TLSv1.2","random" : "60 6C 7A D9 FB 0C 6F 09 5C 10 3A 03 F4 01 E2 4A 58 60 72 D1 9D 7B 3A D7 2F 91 12 32 7C CF 85 0D","session id" : "2A 9D 32 23 12 52 AC 29 B8 69 D5 50 60 FE 15 4E C8 68 1C 8A AA C1 71 0E 42 55 EF BD CE 88 95 53",281)": {
"renegotiated connection": [<no renegotiated connection>]
}
]
}
)
[06/04/21 16:14:33:521 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.519 BST|Thread.java:1164|READ: TLSv1.2 handshake,length = 463
[06/04/21 16:14:33:522 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.521 BST|Thread.java:1164|Consuming server Certificate handshake message (
"Certificates": [
"certificate" : {
"version" : "v1","subject public key" : "RSA"}
]
)
[06/04/21 16:14:33:524 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.523 BST|Thread.java:1164|Found trusted certificate (
"certificate" : {
"version" : "v1","subject public key" : "RSA"}
)
[06/04/21 16:14:33:555 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.554 BST|Thread.java:1164|Produced RSA ClientKeyExchange handshake message (
"RSA ClientKeyExchange": {
"client_version": TLSv1.2
"encrypted": {
0000: 3f b0 62 d5 f6 31 b9 b5 02 37 29 3e 63 e0 38 f8 ..b..1...7..c.8.
0010: 0e f5 03 a3 d3 ad 00 a1 06 92 c7 ff 65 a4 44 5b ............e.D.
…
0060: 2e 52 49 75 fb 9d b3 00 96 77 53 29 46 f5 60 ae .RIu.....wS.F...
0070: b2 84 59 db f1 fc 66 6e 5f 41 51 75 da 52 c5 4a ..Y...fn.AQu.R.J
}
}
)
[06/04/21 16:14:33:579 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.575 BST|Thread.java:1164|Produced client Finished handshake message (
"Finished": {
"verify data": {
0000: 69 8c 88 f6 6a 03 b6 81 ad d6 58 c1
}'}
)
IBMJCE version 1.8
[06/04/21 16:14:33:716 BST] 00000078 SystemOut O javax.net.ssl|FINE|78|WebContainer : 0|2021-04-06 16:14:33.714 BST|Thread.java:1164|Consuming server Finished handshake message (
"Finished": {
"verify data": {
0000: 84 65 d5 89 28 fc 35 0c 47 a0 e3 42
}'}
)
[06/04/21 16:14:34:642 BST] 00000078 DSConfigurati I DSRA8025I: Successfully connected to DataSource.
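A pre-flight check for the failure in the question, added here as an example (it is not the poster's code and not part of WebSphere or the Oracle driver): it connects to the TCPS port, captures the chain the listener sends without ever completing the handshake, and tests each certificate entry of the JKS trust store against that chain, so an anchor that carries the issuer's name but not its key (the situation behind "Signature length not correct: got 128 but was expecting 256") is reported before the data source is touched. Host, port, trust-store path and password are assumed command-line arguments; the class and method names are mine.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Usage: java OracleTcpsTrustCheck <host> <port> <truststore.jks> <password>
public class OracleTcpsTrustCheck {

    // Records the chain the listener presents and then rejects it, so the
    // diagnostic never finishes a handshake against an unverified peer.
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] chain;
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
            throw new CertificateException("client authentication is not handled here");
        }
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
            chain = c.clone();
            throw new CertificateException("chain captured for diagnosis only");
        }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    // RSA modulus size: a 2048-bit key expects a 256-byte signature, a 1024-bit key 128 bytes
    static int rsaBits(X509Certificate cert) {
        return cert.getPublicKey() instanceof RSAPublicKey
            ? ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength() : -1;
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);           // the TCPS listener port, e.g. 2484
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[2])) {
            ts.load(in, args[3].toCharArray());
        }

        CapturingTrustManager tm = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.setEnabledProtocols(new String[] { "TLSv1.2" });
            s.startHandshake();
        } catch (Exception expected) {
            // the capturing manager aborts every handshake; the chain is what we wanted
        }
        if (tm.chain == null || tm.chain.length == 0) {
            System.out.println("listener sent no certificate chain (is TCPS enabled on this port?)");
            return;
        }
        X509Certificate leaf = tm.chain[0];
        System.out.printf("server cert: subject=%s issuer=%s rsa=%d-bit signature=%d bytes sha256=%s%n",
            leaf.getSubjectX500Principal(), leaf.getIssuerX500Principal(),
            rsaBits(leaf), leaf.getSignature().length, sha256Fingerprint(leaf));

        for (String alias : Collections.list(ts.aliases())) {
            if (!ts.isCertificateEntry(alias)) continue;
            X509Certificate anchor = (X509Certificate) ts.getCertificate(alias);
            if (anchor.equals(leaf)) {
                System.out.printf("[%s] is the exact server certificate -> trusted by identity%n", alias);
                continue;
            }
            if (!anchor.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
                System.out.printf("[%s] subject %s is not the server's issuer -> not a candidate anchor%n",
                    alias, anchor.getSubjectX500Principal());
                continue;
            }
            try {
                leaf.verify(anchor.getPublicKey());
                System.out.printf("[%s] signed the server certificate -> chain OK%n", alias);
            } catch (SignatureException e) {
                // Same name, different key: a stale or regenerated self-signed cert in the store
                System.out.printf("[%s] has the issuer's name but NOT its key (%d-bit anchor vs %d-byte signature, sha256=%s): %s%n",
                    alias, rsaBits(anchor), leaf.getSignature().length, sha256Fingerprint(anchor), e.getMessage());
            }
        }
    }
}
```

Run it with the same JKS and password configured in connectionProperties; a "has the issuer's name but NOT its key" line means the store holds an older copy of the database's self-signed certificate and must be refreshed with the one the listener actually presents.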
What version of the JDBC driver are you using? If you are on the latest 18.3, you can pass the connection properties in the URL. For 12.2 and below, check this blog.