Mobilefirst 8.0 Java Adapter SSL

【Title】Mobilefirst 8.0 Java Adapter SSL 【Posted】2017-01-13 04:23:41 【Question】:

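I am currently developing my application with Mobilefirst 8.0, but I have run into a problem when the Java HTTP adapter connects to an external resource over HTTPS that uses a self-signed certificate. The public certificate from the external resource has been imported into my server, i.e. /IBM/WebSphere/Liberty/usr/servers/server name/resources/security/key.jks, but I still get a handshake_failure exception. Any ideas/solutions to overcome this?

1) So far, I have tried building exactly the same logic with a JavaScript HTTP adapter, importing my JKS in the Runtime Settings / Keystore tab (Configure Mobilefirst Keystore), which is used in my adapter.xml.

2) Tried System.setProperty to point to my own keystore and tried printing it out at runtime, but the printed result is different from what was set in my Java HTTP adapter.

3) Tried setting the same settings in my Java HTTP adapter as in my JavaScript HTTP adapter; it builds and deploys without errors, but returns a handshake_failure exception. FYI, the Java adapter attributes do not provide this property.

Uploaded server.xml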

<!-- Enable features -->
<featureManager>
    <feature>jsp-2.2</feature>

    <!-- Begin of features added by IBM MobileFirst <installmobilefirstadmin> ant task for context root '/mfpadmin'. -->
    <!-- The following lines will be removed when the application is uninstalled -->
    <feature>jdbc-4.0</feature>
    <feature>appSecurity-2.0</feature>
    <feature>restConnector-1.0</feature>
    <feature>usr:MFPDecoderFeature-1.0</feature>
    <!-- End of features added by IBM MobileFirst <installmobilefirstadmin> ant task for context root '/mfpadmin'. -->


    <!-- Begin of features added by IBM MobileFirst <installmobilefirstruntime> ant task for context root '/mfp'. -->
    <!-- The following lines will be removed when the application is uninstalled -->
    <feature>jdbc-4.0</feature>
    <feature>servlet-3.0</feature>
    <feature>ssl-1.0</feature>
    <feature>usr:MFPDecoderFeature-1.0</feature>
    <feature>webProfile-6.0</feature>
    <!-- End of features added by IBM MobileFirst <installmobilefirstruntime> ant task for context root '/mfp'. -->


    <!-- Begin of features added by IBM MobileFirst installer. -->
    <!-- The following lines will be removed when the application is uninstalled -->
    <feature>jdbc-4.0</feature>
    <feature>servlet-3.0</feature>
    <feature>appSecurity-2.0</feature>
    <feature>usr:MFPDecoderFeature-1.0</feature>
    <!-- End of features added by IBM MobileFirst installer. -->

</featureManager>

<httpAccessLogging id="accessLogging">
    <accessLogging filepath="${server.output.dir}/logs/http_defaultEndpoint_access.log" logFormat='%h %i %u %U %t "%r" %s %b' />
</httpAccessLogging>

<!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
<httpEndpoint id="defaultHttpEndpoint"
              httpPort="9080"
              httpsPort="9443" host="*" accessLoggingRef="accessLogging">

    <!-- Option soReuseAddr added by IBM MobileFirst <installmobilefirstadmin> ant task for context root '/mfpadmin'. -->
    <!-- Option soReuseAddr added by IBM MobileFirst <installmobilefirstruntime> ant task for context root '/mfp'. -->
    <!-- Option soReuseAddr added by IBM MobileFirst installer. -->
    <tcpOptions soReuseAddr="true"/>

</httpEndpoint>

<administrator-role>
    <!--    MobileFirst JMX User.
    [Added by IBM MobileFirst Platform Foundation <installmobilefirstadmin> Ant task for context root '/mfpadmin'] 
    -->
    <user>MfpRESTUser</user>




</administrator-role>

<application id="RestWebService" location="RestWebService.war" name="RestWebService" type="war">
</application>

<basicRegistry>
    <!--    IBM Application Center group.
    [Added by IBM MobileFirst Platform Foundation <installapplicationcenter> Ant task for context root '/applicationcenter'] 
    -->
    <group name="appcentergroup">
        <!--    IBM Application Center group member.
        [Added by IBM MobileFirst Platform Foundation <installapplicationcenter> Ant task for context root '/applicationcenter'] 
        -->
        <member name="admin"/>

    </group>

    <!--    MobileFirst user.
    [Added by IBM MobileFirst Platform Foundation <installmobilefirstadmin> Ant task for context root '/mfpadmin'] 
    -->
    <user name="configUser_mfpadmin" password="C9Vm6xAktLZh"/>

    <!--    MobileFirst user.
    [Added by IBM MobileFirst Platform Foundation <installmobilefirstadmin> Ant task for context root '/mfpadmin'] 
    -->
    <user name="MfpRESTUser" password="HSQFUiS7bxB8"/>

    <!--    MobileFirst user.
    [Added by IBM MobileFirst Platform Foundation <installmobilefirstadmin> Ant task for context root '/mfpadmin'] 
    [Added by IBM MobileFirst Platform Foundation <installapplicationcenter> Ant task for context root '/applicationcenter'] 
    -->
    <user name="admin" password="admin"/>




</basicRegistry>


<!--    IBM MobileFirst requires SSL and declared the "defaultKeyStore" default keystore. 
    [Added by IBM MobileFirst Platform Foundation <installmobilefirstadmin> Ant task for context root '/mfpadmin'] 
This configuration is the minimum one that you need to create an SSL configuration.
With this configuration, the Liberty server creates the keystore and the certificate, 
if it does not exist yet, during the SSL initialization.
The created certificate is a self-signed certificate that is valid for 365 days.
Do not use the certificates that the Liberty server created for production use.
For more information see  http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/topic/com.ibm.websphere.wlp.core.doc/ae/twlp_sec_ssl.html 
-->
<keyStore id="defaultKeyStore" password="mobilefirst"/>
<!--    MobileFirst JNDI property for JMX connection.
    [Added by IBM MobileFirst Platform Foundation <installmobilefirstadmin> Ant task for context root '/mfpadmin'] 
-->
<jndiEntry jndiName="mfp.admin.jmx.host" value='"127.0.0.1"'/>
<!--    MobileFirst JNDI property for JMX connection.
    [Added by IBM MobileFirst Platform Foundation <installmobilefirstadmin> Ant task for context root '/mfpadmin'] 
-->
<jndiEntry jndiName="mfp.admin.jmx.port" value='"9443"'/>
<!--    MobileFirst JNDI property for JMX connection.
    [Added by IBM MobileFirst Platform Foundation <installmobilefirstadmin> Ant task for context root '/mfpadmin'] 
-->
<jndiEntry jndiName="mfp.admin.jmx.user" value='"MfpRESTUser"'/>
<!--    MobileFirst JNDI property for JMX connection.
    [Added by IBM MobileFirst Platform Foundation <installmobilefirstadmin> Ant task for context root '/mfpadmin'] 
-->
<jndiEntry jndiName="mfp.admin.jmx.pwd" value='"HSQFUiS7bxB8"'/>
<!--    MobileFirst JNDI property for JMX connection.
    [Added by IBM MobileFirst Platform Foundation <installmobilefirstadmin> Ant task for context root '/mfpadmin'] 
-->
<jndiEntry jndiName="mfp.topology.platform" value='"Liberty"'/>
<!--    MobileFirst JNDI property for JMX connection.
    [Added by IBM MobileFirst Platform Foundation <installmobilefirstadmin> Ant task for context root '/mfpadmin'] 
-->
<jndiEntry jndiName="mfp.topology.clustermode" value='"Standalone"'/>

<!--    WebContainer statement.
    [Added by IBM MobileFirst Platform Foundation <installmobilefirstadmin> Ant task for context root '/mfpadmin'] 
    [Added by IBM MobileFirst Platform Foundation <installmobilefirstruntime> Ant task for context root '/mfp'] 
-->
<webContainer deferServletLoad="false"/>

<!--    Executor statement.
    [Added by IBM MobileFirst Platform Foundation <installmobilefirstadmin> Ant task for context root '/mfpadmin'] 
-->
<executor id="default" name="LargeThreadPool"
          coreThreads="200" maxThreads="400" keepAlive="60s"
          stealPolicy="STRICT" rejectedWorkPolicy="CALLER_RUNS"/>

<!--    Shared JDBC Driver.
    [Added by IBM MobileFirst Platform Foundation <installmobilefirstadmin> Ant task for context root '/mfpadmin'] 
    [Added by IBM MobileFirst Platform Foundation <installmobilefirstruntime> Ant task for context root '/mfp'] 
-->
<library id="MobileFirst/JDBC/oracle">
    <fileset dir="${shared.resource.dir}/MobileFirstJDBC/oracle" includes="ojdbc7.jar"/>
</library>

<!-- Begin of configuration added by IBM MobileFirst <installmobilefirstadmin> ant task for context root '/mfpadmin'. -->

<!-- Declare the MobileFirst Administration Service application. -->
<application id="mfpadmin" name="mfpadmin" location="mfp-admin-service.war" type="war">
    <application-bnd>
        <security-role name="mfpadmin">
            <user name="admin"/>

        </security-role>

        <security-role name="mfpdeployer">
        </security-role>

        <security-role name="mfpmonitor">
        </security-role>

        <security-role name="mfpoperator">
        </security-role>

    </application-bnd>

    <classloader delegation="parentLast" commonLibraryRef="MobileFirst/JDBC/oracle">
        </classloader>
</application>

<!-- Declare the JNDI properties for the MobileFirst Administration Service. -->
<jndiEntry jndiName="mfpadmin/mfp.config.service.user" value='"configUser_mfpadmin"'/>
<jndiEntry jndiName="mfpadmin/mfp.config.service.password" value='"x"'/>


<!-- Declare the IBM MobileFirst Administration database. -->
<dataSource jndiName="mfpadmin/jdbc/mfpAdminDS" transactional="false">
    <jdbcDriver libraryRef="MobileFirst/JDBC/oracle"/>
    <properties.oracle driverType="thin" URL="jdbc:oracle:thin:@xx.xxx.xx.xx:xxxx:x" user="x" password="xxx"/>
</dataSource>

<!-- Declare the MobileFirst Administration Console application. -->
<application id="mfpconsole" name="mfpconsole" location="mfp-admin-ui.war" type="war">
    <application-bnd>
        <security-role name="mfpadmin">
            <user name="admin"/>

        </security-role>

        <security-role name="mfpdeployer">
        </security-role>

        <security-role name="mfpmonitor">
        </security-role>

        <security-role name="mfpoperator">
        </security-role>

    </application-bnd>

    <classloader delegation="parentLast">
        </classloader>
</application>

<!-- Declare the JNDI properties for the MobileFirst Administration Console. -->
<jndiEntry jndiName="mfpconsole/mfp.admin.endpoint" value='"*://*:*/mfpadmin"'/>


<!-- Declare the MobileFirst Server Artifacts application. -->
<application id="mfp-dev-artifacts" name="mfp-dev-artifacts" location="mfp-dev-artifacts.war" type="war">
    <classloader delegation="parentLast">
        </classloader>
</application>

<!-- Declare the JNDI properties for the MobileFirst Server Artifacts. -->


<!-- Declare the MobileFirst Live Update application. -->
<application id="mfpadminconfig" name="mfpadminconfig" location="mfp-live-update.war" type="war">
    <application-bnd>
        <security-role name="configadmin">
            <user name="configUser_mfpadmin"/>

        </security-role>

    </application-bnd>

    <classloader delegation="parentLast" commonLibraryRef="MobileFirst/JDBC/oracle">
        </classloader>
</application>

<!-- Declare the JNDI properties for the MobileFirst Live Update. -->


<!-- Declare the IBM MobileFirst Configuration database. -->
<dataSource jndiName="mfpadminconfig/jdbc/ConfigDS" transactional="false">
    <jdbcDriver libraryRef="MobileFirst/JDBC/oracle"/>
    <properties.oracle driverType="thin" URL="jdbc:oracle:thin:@10.163.33.54:1525:SMPS01GM" user="SVMPOMTRM07" password="xorMi8wLG5tbGs="/>
</dataSource>

<!-- End of configuration added by IBM MobileFirst <installmobilefirstadmin> ant task for context root '/mfpadmin'. -->


<!-- Begin of configuration added by IBM MobileFirst <installmobilefirstruntime> ant task for context root '/mfp'. -->

<!-- Declare the MobileFirst Runtime application. -->
<application id="mfp" name="mfp" location="mfp-server.war" type="war">
    <classloader delegation="parentLast">
        </classloader>
</application>

<!-- Declare the JNDI properties for the MobileFirst Runtime. -->
<jndiEntry jndiName="mfp/mfp.analytics.url" value='"http://xx.xxx.xx.xx:xxxx/analytics-service/rest"'/>
<jndiEntry jndiName="mfp/mfp.analytics.console.url" value='"http://xx.xxx.xx.xx:xxxx/analytics/console"'/>
<jndiEntry jndiName="mfp/mfp.analytics.username" value='"admin"'/>
<jndiEntry jndiName="mfp/mfp.analytics.password" value='"admin"'/>
<jndiEntry jndiName="mfp/mfp.authorization.server" value='"embedded"'/>


<!-- Declare the IBM MobileFirst Server Runtime database. -->
<dataSource jndiName="mfp/jdbc/mfpDS" transactional="false">
    <jdbcDriver libraryRef="MobileFirst/JDBC/oracle"/>
    <properties.oracle driverType="thin" URL="jdbc:oracle:thin:@xx.xxx.xx.xx:xxxx:x" user="x" password="xxx"/>
</dataSource>

<!-- End of configuration added by IBM MobileFirst <installmobilefirstruntime> ant task for context root '/mfp'. -->


<!-- Begin of configuration added by IBM MobileFirst installer. -->

<!-- Declare the IBM Application Center Console application. -->
<application id="appcenterconsole" name="appcenterconsole" location="appcenterconsole.war" type="war">
    <application-bnd>
        <security-role name="appcenteradmin">
            <group name="appcentergroup"/>
        </security-role>
    </application-bnd>
</application>

<!-- Declare the IBM Application Center Services application. -->
<application id="applicationcenter" name="applicationcenter" location="applicationcenter.war" type="war">
    <application-bnd>
        <security-role name="appcenteradmin">
            <group name="appcentergroup"/>
        </security-role>
    </application-bnd>
    <classloader delegation="parentLast"/>
</application>

<!-- Declare the JNDI properties for the IBM Application Center. -->

<!-- Define the AppCenter services endpoint in order for the AppCenter console to be able to invoke the REST service.
        You need to enable this property if the server is behind a reverse proxy
        or if the context root of the Application Center Services application is different from '/applicationcenter'. -->
<!-- <jndiEntry jndiName="ibm.appcenter.services.endpoint" value='"http://proxyhost:proxyport/applicationcenter"'/> -->
<!-- The directory with binaries of the 'aapt' program, from the android SDK's platform-tools package. -->
<jndiEntry jndiName="android.aapt.dir" value='"/opt/IBM/MobileFirst_Platform_Server/ApplicationCenter/tools/android-sdk"'/>
<!-- The protocol of the application resources URI. This property is optional. It is only needed if the protocol of the external and internal URI are different. -->
<!-- <jndiEntry jndiName="ibm.appcenter.proxy.protocol" value='"http"'/> -->
<!-- The hostname of the application resources URI. -->
<!-- <jndiEntry jndiName="ibm.appcenter.proxy.host" value='"proxyhost"'/> -->
<!-- The port of the application resources URI. This property is optional. -->
<!-- <jndiEntry jndiName="ibm.appcenter.proxy.port" value="proxyport"/> -->

<!-- Declare the jar files for Oracle access through JDBC. -->
<library id="OracleLib">
    <fileset dir="${shared.resource.dir}/oracle" includes="*.jar"/>
</library>

<!-- Declare the IBM Application Center database. -->
<dataSource jndiName="jdbc/AppCenterDS" transactional="false">
    <jdbcDriver libraryRef="OracleLib"/>
    <properties.oracle driverType="thin" URL="jdbc:oracle:thin:@xx.xxx.xx.xx:xxxx:x" user="x" password="xxx"/>
</dataSource>

<!-- End of configuration added by IBM MobileFirst installer. -->

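【Comments】:

Upload your server.xml

@VivinK, yes, server.xml has been uploaded. Could you help with some ideas?

Please confirm: does configuring the keystore in the console (with the public certificate from the backend) work for the JS adapter but not the Java adapter, or is the result the same?

@VivinK, yes, I did it before with the JS adapter; mutual SSL can be configured according to the IBM documentation. But it does not seem to be supported for the Java adapter.

【Answer 1】: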

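You need to import the "client" certificate of the backend's self-signed certificate into the keystore, and then add it using the MFP console. See the detailed steps here: https://mobilefirstplatform.ibmcloud.com/blog/2017/01/17/SSL-connection-from-adapters/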
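
An added example (not from the original post or from IBM's documentation) of scoping the keystore to a single outbound connection in plain JSSE, instead of setting JVM-wide javax.net.ssl.* properties with System.setProperty as in attempt 2. The class name `BackendTls` is hypothetical; the keystore path, password and URL are supplied by the caller, and the key password is assumed to equal the store password.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class; not part of the MobileFirst adapter API.
public class BackendTls {

    // Builds an SSLContext from one JKS file. Its certificate entries decide
    // which backend certificates are accepted; its private-key entries, if any,
    // are offered as the client certificate when the backend asks for mutual SSL.
    static SSLContext contextFrom(String jksPath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(jksPath))) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password); // assumption: key password == store password
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Arguments (all supplied by the caller): <keystore.jks> <password> <https-url>
        SSLContext ctx = contextFrom(args[0], args[1].toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        // Only this connection uses the keystore; hostname verification stays enabled.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        System.out.println("HTTP " + conn.getResponseCode() + " via " + conn.getCipherSuite());
    }
}
```

A keystore that holds only the backend's certificate covers server trust; for mutual SSL it must also contain the client's private-key entry.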
