
security - What do I need to get SSL sockets (SslRMIServerSocketFactory/SslRMIClientSocketFactory)?

Question:

Hi, basically I want to get SslRMIServerSocketFactory/SslRMIClientSocketFactory to secure my RMI calls. What is the common way to get these when client authentication is also necessary (keystores, certificates, ...)? What do I need to generate/ship?

edit: I successfully secured the communication now with RMI with server and client authentication and self-signed certificates. This works now on my machine. I submitted the certificates, truststores and keystores to the repository, but it won't work on other machines.

It was suggested that the migration broke the keystore, but I can't figure out why. Does anyone have an idea?

edit: Here is the complete stacktrace

java.rmi.ConnectIOException: Exception creating connection to: localhost; nested exception is:
    java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
    at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:614)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:198)
    at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:184)
    at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:322)
    at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
    at com.uc4.webui.sla.monitoring.SLAMonitoringAccessService.<init>(SLAMonitoringAccessService.java:40)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at org.eclipse.equinox.internal.ds.model.ServiceComponent.createInstance(ServiceComponent.java:457)
    at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.createInstance(ServiceComponentProp.java:264)
    at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.build(ServiceComponentProp.java:325)
    at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponent(InstanceProcess.java:588)
    at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponents(InstanceProcess.java:196)
    at org.eclipse.equinox.internal.ds.Resolver.buildNewlySatisfied(Resolver.java:441)
    at org.eclipse.equinox.internal.ds.Resolver.enableComponents(Resolver.java:213)
    at org.eclipse.equinox.internal.ds.SCRManager.performWork(SCRManager.java:800)
    at org.eclipse.equinox.internal.ds.SCRManager$QueuedJob.dispatch(SCRManager.java:767)
    at org.eclipse.equinox.internal.ds.WorkThread.run(WorkThread.java:89)
    at java.lang.Thread.run(Thread.java:662)
Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
    at javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:179)
    at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:192)
    at javax.rmi.ssl.SslRMIClientSocketFactory.createSocket(SslRMIClientSocketFactory.java:105)
    at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:595)
    ... 22 more
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
    at java.security.Provider$Service.newInstance(Provider.java:1245)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:147)
    at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
    at javax.net.ssl.SSLContext.getDefault(SSLContext.java:68)
    at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:102)
    at javax.rmi.ssl.SslRMIClientSocketFactory.getDefaultClientSocketFactory(SslRMIClientSocketFactory.java:192)
    at javax.rmi.ssl.SslRMIClientSocketFactory.createSocket(SslRMIClientSocketFactory.java:102)
    ... 23 more
Caused by: java.io.IOException: Invalid keystore format
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:633)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
    at java.security.KeyStore.load(KeyStore.java:1185)
    at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.getDefaultKeyManager(DefaultSSLContextImpl.java:150)
    at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.<init>(DefaultSSLContextImpl.java:40)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at java.security.Provider$Service.newInstance(Provider.java:1221)
    ... 30 more

My platform is Windows 7 and

java version "1.6.0_22"
Java(TM) SE Runtime Environment (build 1.6.0_22-b04)
Java HotSpot(TM) 64-Bit Server VM (build 17.1-b03, mixed mode)

Here are the keytool commands which I used for the generation:

keytool -genkeypair -keyalg RSA -validity 3650 -keystore bundlekeystore.jks
keytool -export -keystore bundlekeystore.jks -rfc -file bundlecertificate.cer
keytool -import -file standalonecertificate.cer -keystore truststore.jks

Answer:
  1. You need to export your remote objects using instances of each of those classes, configured appropriately according to your special requirements about enabled protocols and cipher suites if any.
  2. Your server needs a private key and signed certificate in its keystore.
  3. If it's a self-signed certificate, it needs to be exported from there and imported into the client's truststore.
  4. Your client needs a private key and signed certificate in its keystore.
  5. If it's a self-signed certificate, it needs to be exported from there and imported into the server's truststore.
  6. If the certificates are signed by a recognized CA you can omit the parts involving truststores.
  7. If your client has any special requirements about protocols or cipher suites it needs to set the system properties described for SslRMIClientSocketFactory.
  8. If you also want a secure Registry you have to take several additional steps which I will post here if you ask, but they are fairly obvious if you have a look at the LocateRegistry.createRegistry()/getRegistry() overloads that take socket factory parameters.
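A minimal end-to-end arrangement of the steps above, as an added example that is not code from the question or the answer: the server exports its object and the registry through SslRMIServerSocketFactory with client authentication required, the client side uses SslRMIClientSocketFactory, and a fail-fast check loads the keystore files directly so that a broken file reports "Invalid keystore format" before RMI wraps it in the nested exceptions seen in the trace. File names, passwords, the port and the Hello interface are assumptions; in practice the client part runs in a separate JVM with its own keystore and truststore.

```java
import java.io.FileInputStream;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.security.KeyStore;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class SecureRmiExample {
    // Hypothetical remote interface used only for this example.
    public interface Hello extends Remote {
        String hello() throws RemoteException;
    }
    static class HelloImpl implements Hello {
        public String hello() { return "hello over TLS"; }
    }

    // Loads a JKS file the same way DefaultSSLContextImpl does; a file that was
    // corrupted in transit fails here with "Invalid keystore format" immediately.
    static void verifyKeystore(String path, char[] password) throws Exception {
        try (FileInputStream in = new FileInputStream(path)) {
            KeyStore.getInstance("JKS").load(in, password);
        }
    }

    public static void main(String[] args) throws Exception {
        // The default JSSE key and trust managers are built from these properties
        // (answer steps 2-5). File names and passwords are assumptions.
        System.setProperty("javax.net.ssl.keyStore", "bundlekeystore.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
        System.setProperty("javax.net.ssl.trustStore", "truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        verifyKeystore("bundlekeystore.jks", "changeit".toCharArray());
        verifyKeystore("truststore.jks", "changeit".toCharArray());
        // Step 7 (optional): restrict what the client factory negotiates, e.g.
        // System.setProperty("javax.rmi.ssl.client.enabledProtocols", "TLSv1.2");

        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        // needClientAuth = true: the peer must present a certificate the server trusts.
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);
        // Steps 1 and 8: export the object and the registry itself over TLS.
        Hello stub = (Hello) UnicastRemoteObject.exportObject(new HelloImpl(), 0, csf, ssf);
        Registry registry = LocateRegistry.createRegistry(1099, csf, ssf);
        registry.bind("Hello", stub);

        // Client side, shown in the same JVM for brevity: the same client factory
        // performs the registry lookup and the remote call over TLS.
        Registry remote = LocateRegistry.getRegistry("localhost", 1099, csf);
        System.out.println(((Hello) remote.lookup("Hello")).hello());
    }
}
```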