我看到很多关于此的话题,但我找不到适合我的环境的解决方案。我在 z/OS UNIX shell 上运行一个 jar,我正在使用 HttpClient 的 Fluent API 发布到 REST 服务。该代码适用于 HTTP,但是,对于 SSL,它给了我一个证书错误。
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=MASTER_CERTAUTH_CERTIFICATE, T=MASTER_CERT_for_RACF, OU=MyOrg, O=MSTR, L=MyLocation, ST=MyState, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.o.a(o.java:8)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:549)
at com.ibm.jsse2.kb.a(kb.java:355)
at com.ibm.jsse2.kb.a(kb.java:130)
at com.ibm.jsse2.lb.a(lb.java:135)
at com.ibm.jsse2.lb.a(lb.java:368)
at com.ibm.jsse2.kb.s(kb.java:442)
at com.ibm.jsse2.kb.a(kb.java:136)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:495)
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:223)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:724)
at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:81)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:261)
at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:118)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:314)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:357)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:218)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:194)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:85)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
at org.apache.http.client.fluent.Request.execute(Request.java:143)
at com.myproject.utils.helpers.HTTP.send(HTTP.java:114)
at com.myproject.utils.helpers.HTTP.send(HTTP.java:49)
at com.myproject.utils.operations.ActionManager.loadMedguides(ActionManager.java:66)
at com.myproject.utils.main.PatientSafetyUtils.main(PatientSafetyUtils.java:33)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:611)
at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:58)
如何在服务器上安装证书(我只有 URL,而服务器没有 openssl)。或者有什么办法可以完全绕过这个错误吗?我不太关心 SSL,因为 REST 网络服务也托管在同一台大型机上。
最佳答案
要获取服务器证书,您可以使用开放式 SSL 来这样做:
openssl s_client -showcerts -connect host.host:9999 </dev/null
服务器证书是第一个返回的证书,会被PEM格式。 CA证书是最终返回的证书,也是PEM格式。
然后您可以将它们的 PEM 导入 JKS 并配置 httpclient 以使用该 JKS。有关 PEM 到 JKS 的更多信息 http://www.agentbob.info/agentbob/79-AB.html
关于java - Apache HttpClient : java. security.cert.CertPathValidatorException,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/20912282/