【Question title】: Error connecting JMX caused by SSLHandshakeException
【Posted】: 2016-09-29 20:11:44
【Question description】:

I am new to JMX. I need to create a custom JMX client that can connect to a remote server and read data from MBeans.

This is the application code I have so far:

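import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

String url = "service:jmx:rmi:///jndi/rmi://host:port/jmxrmi";
JMXServiceURL serviceURL = new JMXServiceURL(url);
Map<String, Object> env = new HashMap<>();
String[] creds = { "role", "password" }; // JMX role name and its password
env.put(JMXConnector.CREDENTIALS, creds);
JMXConnector cc = JMXConnectorFactory.connect(serviceURL, env);
MBeanServerConnection mbsc = cc.getMBeanServerConnection();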

When I start my application, I get the following error (edited to add the full stack trace):

Exception in thread "main" java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:304)
    at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:308)
    at Main.main(Main.java:21)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:130)
    at java.rmi.server.RemoteObjectInvocationHandler.invoke(RemoteObjectInvocationHandler.java:179)
    at javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2430)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
 Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.DataOutputStream.flush(DataOutputStream.java:123)
    ... 9 more
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:229)
 Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    ... 20 more
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    ... 26 more
 Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)

Any help would be greatly appreciated.

【Comments】:

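  • You don't have a trusted certificate. Run your application with the -Djavax.net.debug=all option to debug the exact problem with the certificate. Maybe, if you have a self-signed certificate, you should import it into the truststore. Or, if your CA is not recognized, you should import the CA certificate into the truststore.
  • @MarioAlexandroSantini I have added the full stack trace as you suggested
  • The exception only says that there is a problem with your certificate chain. I'm not sure whether it is the server or the client. It looks like the server doesn't have a trusted certificate. Run your client with the JVM option -Djavax.net.debug=all. This prints a lot of information, such as the certificate from the server, and tells you exactly why it did not find something valid for the target.
  • I have added the debug=all option to the client startup script, but I don't have access to the server. I have not done any certificate installation work on the client side; should I? Do I need to install the server certificate in the keystore of the machine running the client? Do I also need to update my code for this?
  • If the server requires a specific certificate, signed by a common CA, or with the user name as the CN, you should also generate your own keystore. The truststore and keystore files can be created with the SDK tool keytool.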

Tags: java jmx client-certificates java-security


【Solution 1】:

The problem was that the server certificate was missing from the client's keystore.
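
An added example, not code from the original post: one way for the client to trust the server's certificate, by loading it into an in-memory trust store and installing it as the JVM default before the first JMX connection. The class name `JmxTrustedClient`, the argument order, and the `JMX_PASSWORD` environment variable are assumptions made for this sketch.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class JmxTrustedClient { // hypothetical class name

    // Build an SSLContext that trusts only the certificate(s) in a PEM or DER file.
    static SSLContext contextTrusting(String certFile) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null); // start from an empty in-memory store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(certFile)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                trust.setCertificateEntry("jmx-" + i++, c);
            }
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default randomness
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: server or CA certificate file, args[1]: JMX service URL, args[2]: role
        // The RMI SSL client socket factory uses the JVM default SSL socket factory,
        // so the default context must be set before the first connection is made.
        SSLContext.setDefault(contextTrusting(args[0]));
        Map<String, Object> env = new HashMap<>();
        // JMX_PASSWORD is an assumed variable name; keeps the password off the command line
        env.put(JMXConnector.CREDENTIALS, new String[] { args[2], System.getenv("JMX_PASSWORD") });
        try (JMXConnector cc = JMXConnectorFactory.connect(new JMXServiceURL(args[1]), env)) {
            MBeanServerConnection mbsc = cc.getMBeanServerConnection();
            System.out.println("MBean count: " + mbsc.getMBeanCount());
        }
    }
}
```

The certificate file should come from the server's administrator over a trusted channel. Setting the default context this way replaces the JVM's built-in CA trust for every TLS connection the process makes.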
