java - Kafka SSL connection problem for an application on IBM WebSphere Application Server
Problem description
I am working on integrating my application with Apache Kafka. While everything works as expected when connecting to the test broker,
I have run into a blocker with 2-way SSL in the preprod environment. My application is deployed in WebSphere Application Server, and the certificates/keys are kept in the WebSphere keyring. The problem is that the Kafka producer configuration cannot interact with the keyring to find the trusted certificates or keys, so the connection fails.
I cannot use a JKS file, because that would defeat the purpose of the keyring and goes against the application design. The whole problem seems to be the interaction between the Kafka client code and the keyring during application startup. Any suggestions on this are appreciated.
org.apache.kafka.common.network.Selector) - [Producer clientId= xxxxxxx] Connection with disconnected due to authentication exception
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.ibm.jsse2.bb.B(bb.java:525)
at com.ibm.jsse2.oc.b(oc.java:394)
at com.ibm.jsse2.oc.c(oc.java:146)
at com.ibm.jsse2.oc.wrap(oc.java:316)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:39)
at org.apache.kafka.common.network.SslTransportLayer.handshakeWrap(SslTransportLayer.java:434)
at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:299)
at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:253)
at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:79)
at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:486)
at org.apache.kafka.common.network.Selector.poll(Selector.java:424)
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:460)
at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:239)
at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:163)
at java.lang.Thread.run(Thread.java:798)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.ibm.jsse2.k.a(k.java:5)
at com.ibm.jsse2.oc.a(oc.java:170)
at com.ibm.jsse2.bb.a(bb.java:560)
at com.ibm.jsse2.bb.a(bb.java:432)
at com.ibm.jsse2.cb.a(cb.java:30)
at com.ibm.jsse2.cb.a(cb.java:394)
at com.ibm.jsse2.bb.t(bb.java:170)
at com.ibm.jsse2.bb$1.a(bb$1.java:4)
at com.ibm.jsse2.bb$1.run(bb$1.java:2)
at java.security.AccessController.doPrivileged(AccessController.java:492)
at com.ibm.jsse2.bb$c_.run(bb$c_.java:11)
at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:388)
at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:468)
at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:326)
... 8 more
Caused by: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by xxxxxxxxxx is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.util.f.a(f.java:70)
at com.ibm.jsse2.util.f.b(f.java:95)
at com.ibm.jsse2.util.e.a(e.java:20)
at com.ibm.jsse2.zc.a(zc.java:35)
at com.ibm.jsse2.zc.a(zc.java:156)
at com.ibm.jsse2.zc.checkServerTrusted(zc.java:125)
at com.ibm.jsse2.cb.a(cb.java:302)
... 17 more
Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by xxxxxxxxxxx is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:410)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:256)
at com.ibm.jsse2.util.f.a(f.java:144)
... 23 more
Caused by: java.security.cert.CertPathValidatorException: The certificate issued by xxxxxxxxxxxxxxx is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:176)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:737)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:649)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:356)
... 25 more
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:316)
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker
Solution
I am not sure whether this is feasible, but you could try this:
- extract the certificates and keys from the keyring before starting the producer;
- save them in a *.jks file somewhere on your machine;
- pass the paths of the newly created Keystore and Truststore to the Kafka producer.
Unfortunately, the Java Kafka client can only interact with *.jks files, so an appropriate conversion has to be done before startup. Another option is to do the same thing in a pre-deployment phase (before starting the application, you prepare the Keystore and Truststore).
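For the last step of the answer, an added pre-flight check that is not part of the question or the answer and is not Kafka's or WebSphere's code: once the keystore and truststore have been written out as JKS files, it runs the same PKIX path validation that the trace shows failing in checkServerTrusted, first against the client chain stored in the keystore and, if a PEM export of the broker's certificate chain is supplied, against that too, so a "certificate issued by X is not trusted" error surfaces before the producer thread does. The file paths, the shared store password and the optional PEM export are assumed command-line arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public final class KafkaSslPreflight {
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password); return ks; }
    }
    // Trust anchors = every certificate entry in the truststore, which is what the JSSE trust manager uses.
    static PKIXParameters anchorsFrom(KeyStore trustStore) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(trustStore.aliases())) {
            if (trustStore.isCertificateEntry(alias))
                anchors.add(new TrustAnchor((X509Certificate) trustStore.getCertificate(alias), null));
        }
        PKIXParameters params = new PKIXParameters(anchors); // throws if the truststore holds no CA entries at all
        params.setRevocationEnabled(false);                  // offline check: no CRL/OCSP lookups
        return params;
    }
    // The same PKIX path validation the handshake runs in checkServerTrusted, without the network round trip.
    static void validate(List<X509Certificate> chain, PKIXParameters params) throws Exception {
        List<X509Certificate> path = new ArrayList<>(chain);
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal()))
            path.remove(path.size() - 1); // the trust anchor itself must not be part of the validated path
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        CertPathValidator.getInstance("PKIX").validate(certPath, params); // CertPathValidatorException = "not trusted"
    }
    public static void main(String[] args) throws Exception {
        // Assumed CLI: <truststore.jks> <keystore.jks> <password> [broker-chain.pem exported by the Kafka team]
        PKIXParameters params = anchorsFrom(loadJks(args[0], args[2].toCharArray()));
        KeyStore keys = loadJks(args[1], args[2].toCharArray());
        for (String alias : Collections.list(keys.aliases())) {
            if (!keys.isKeyEntry(alias)) continue;
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : keys.getCertificateChain(alias)) chain.add((X509Certificate) c);
            validate(chain, params); // the chain the broker will check from this client in 2-way SSL
        }
        if (args.length > 3) { // the check that failed in the trace: is the broker's issuer in our truststore?
            List<X509Certificate> broker = new ArrayList<>();
            try (FileInputStream in = new FileInputStream(args[3])) {
                for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) broker.add((X509Certificate) c);
            }
            validate(broker, params);
        }
        System.out.println("client chain(s)" + (args.length > 3 ? " and broker chain" : "") + " validate against " + args[0]);
    }
}
```

A CertPathValidatorException from the second validate call means the broker's issuing CA is missing from the truststore, which is the "Certificate chaining error" in the trace; the first call covers the chain the broker will verify on its side.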