I am trying to access a Kafka topic locally on Windows from my Eclipse Java code. The Kafka topic is protected by SSL. I also have a keystore and a certificate (.cer) file, which I obtained from another downstream team.
The SSL params being used are below:
prop.put("security.protocol", "SSL");
prop.put("ssl.keystore.location",${unix or Windows path});
prop.put("ssl.keystore.password", password);
When I build the jar, deploy it to a Unix box, and run it via a java -cp command, I am able to access the Kafka topic. I enter the keystore location like this:
/tmp/keystore.jks
The issue here is that I also want to access the same SSL Kafka topic locally on my Windows machine, so I tried entering the keystore location below (I have the keystore available locally under the Windows path below):
C:\\userID\\Desktop\\keystore.jks
But I get the error
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The Kafka debug log shows that it picks up the correct keystore file, but it still fails:
ssl.keystore.location = C:\userID\Desktop\keystore.jks
ssl.keystore.password = [hidden]
ssl.keystore.type = JKS
The issue here is that I even tried adding the .cer file to my local Java via the keytool import command, but I do not have administrator access to change the Program Files Java cacerts file. As a result I get an access denied error.
I even tried it in my main class method, but it does not work. I even tried passing it as a -D argument, but that failed too.
System.setProperty("javax.net.ssl.keyStore","C:\\userID\\Desktop\\keystore.jks");
System.setProperty("javax.net.ssl.keyStorePassword",password);
Is there a way to solve this? Ultimately I want to build a Java executable Windows application that can connect to the SSL Kafka topic, and distribute that executable Java application to my entire team.
Updated debug logs from
-Djavax.net.debug=ssl
javax.net.ssl|FINE|01|main|2022-07-31 11:10:33.097 EDT|SSLCipher.java:438|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|SEVERE|01|main|2022-07-31 11:10:33.945 EDT|TransportContext.java:361|Fatal (CERTIFICATE_UNKNOWN): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
"throwable" : {
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:275)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:140)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:630)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:479)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:990)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:977)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:924)
at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:336)
at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:417)
at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:270)
at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:69)
at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:360)
at org.apache.kafka.common.network.Selector.poll(Selector.java:313)
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:349)
at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:226)
at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:188)
at org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:210)
at org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:196)
at org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.poll(ConsumerCoordinator.java:281)
at org.apache.kafka.clients.consumer.KafkaConsumer.pollOnce(KafkaConsumer.java:1030)
at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:996)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 30 more}
)
javax.net.ssl|WARNING|01|main|2022-07-31 11:10:33.946 EDT|SSLEngineOutputRecord.java:173|outbound has closed, ignore outbound application data
Any help is appreciated! Thanks
Best answer
Apparently, setting the truststore properties via the following commands worked for me on Windows! When I set the same via the Kafka properties, they did not work.
FYI, obtain the truststore and keystore, or generate them, for access to a new server. I obtained the truststore and keystore from the downstream team.
System.setProperty("javax.net.ssl.trustStore", "C:\\Users\\userID\\cacerts.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "xxxxxxx");
For the Kafka SSL properties, I specified the following lines:
props.put("security.protocol", "SSL");
props.put("ssl.keystore.location","C:\\Users\\UserID\\keystore.jks");
props.put("ssl.keystore.password", "xxxxxxxx");
Hope this helps!
Regarding java - Apache SSL Kafka on Windows | PKIX path building failed, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/73183678/
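As an added example that is not from the question or the answer above: the "PKIX path building failed" error means the client's truststore does not contain the CA that signed the broker certificate; the keystore (the client's own identity) has nothing to do with it. The example below configures a Kafka consumer with both keystore and truststore through the client properties (ssl.truststore.* is scoped to that one client, whereas javax.net.ssl.* system properties are JVM-global), and checks that the downstream team's .cer is really a trusted entry in the truststore before connecting. A truststore you create yourself with keytool is a file you own, so it needs no administrator rights, unlike editing the JDK's cacerts. All paths, passwords, the broker host and the topic name are placeholders, and a Kafka client 2.0 or newer is assumed for poll(Duration).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Collections;
import java.util.Properties;

import org.apache.kafka.clients.consumer.ConsumerConfig;
import org.apache.kafka.clients.consumer.ConsumerRecord;
import org.apache.kafka.clients.consumer.ConsumerRecords;
import org.apache.kafka.clients.consumer.KafkaConsumer;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.serialization.StringDeserializer;

public class SslKafkaClientExample {

    // Hypothetical paths and passwords: adjust to where the files live. A truststore
    // you own (not the JDK's cacerts) needs no administrator rights on Windows.
    static final String TRUSTSTORE = "C:\\Users\\userID\\kafka-truststore.jks";
    static final String TRUSTSTORE_PASSWORD = "changeit-truststore";
    static final String KEYSTORE = "C:\\Users\\userID\\keystore.jks";
    static final String KEYSTORE_PASSWORD = "changeit-keystore";
    static final String BROKER_CA_CER = "C:\\Users\\userID\\broker-ca.cer";

    /** True if the CA certificate from the .cer file is a trusted entry in the truststore. */
    static boolean truststoreContains(String truststorePath, char[] password, String cerPath) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststorePath)) {
            ts.load(in, password);
        }
        X509Certificate ca;
        try (InputStream in = new FileInputStream(cerPath)) {
            // CertificateFactory accepts both DER and PEM (Base64) encoded .cer files.
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // getCertificateAlias matches on certificate equality and returns null when absent.
        return ts.getCertificateAlias(ca) != null;
    }

    static Properties consumerProps() {
        Properties props = new Properties();
        props.put(ConsumerConfig.BOOTSTRAP_SERVERS_CONFIG, "broker.example.internal:9093"); // hypothetical host
        props.put(ConsumerConfig.GROUP_ID_CONFIG, "example-group");
        props.put(ConsumerConfig.KEY_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class.getName());
        props.put(ConsumerConfig.VALUE_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class.getName());
        props.put("security.protocol", "SSL");
        // Trust: which CA the client accepts for the broker. Missing this is what
        // "PKIX path building failed" reports.
        props.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, TRUSTSTORE);
        props.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, TRUSTSTORE_PASSWORD);
        // Identity: the client certificate presented to the broker (mutual TLS).
        props.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, KEYSTORE);
        props.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, KEYSTORE_PASSWORD);
        // Keep hostname verification on ("https" is the default); do not set it to "".
        props.put(SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, "https");
        return props;
    }

    public static void main(String[] args) throws Exception {
        if (!truststoreContains(TRUSTSTORE, TRUSTSTORE_PASSWORD.toCharArray(), BROKER_CA_CER)) {
            // Build the per-user truststore first, for example:
            //   keytool -importcert -noprompt -alias kafka-broker-ca -file broker-ca.cer
            //           -keystore kafka-truststore.jks -storepass changeit-truststore
            throw new IllegalStateException(
                "truststore does not contain the broker CA; the handshake would fail with PKIX path building failed");
        }
        try (KafkaConsumer<String, String> consumer = new KafkaConsumer<>(consumerProps())) {
            consumer.subscribe(Collections.singletonList("example-topic"));
            ConsumerRecords<String, String> records = consumer.poll(Duration.ofSeconds(5));
            for (ConsumerRecord<String, String> r : records) {
                System.out.println(r.key() + " -> " + r.value());
            }
        }
    }
}
```

For distributing the application to a team, shipping the truststore (which only holds public CA certificates) next to the jar and pointing ssl.truststore.location at it is the usual approach; the keystore holds a private key and should be issued per person rather than copied around, and passwords belong in a config file or environment variable rather than in source.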