问题
We are using HttpsUrlConnection in a WebSphere TAI in WebSphere Liberty Profile to connect to a security server. I had a lot of problems with SSL cert errors, until I discovered that it is looking for signer certs in the WLP keystore, not the WLP truststore or JVM truststore. There is nothing in the code setting this, it must be a default. But I am confused, because when we use an HTTP client in other code, it uses the JVM's truststore.
How can I make the HttpsUrlConnection use the WLP or JVM truststore, and not the keystore?
回答1:
You can load your trust store as below and set it to SSLContext which can be set into HttpsUrlConnection. As this is an example I used defaults, you should replace them with appropriate algorithms, protocol and truststore type.
try (FileInputStream truststoreFile = new FileInputStream("path/to/your/truststore.jks")) {
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
char[] trustorePassword = "<truststorePassword".toCharArray();
truststore.load(truststoreFile, trustorePassword);
trustManagerFactory.init(truststore);
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
KeyManager[] keyManagers = {};//if you have key managers;
sslContext.init(keyManagers, trustManagerFactory.getTrustManagers(), new SecureRandom());
URL httpsUrl = new URL("<your https url>");
URLConnection urlConnection = httpsUrl.openConnection();
} catch (NoSuchAlgorithmException | KeyStoreException | CertificateException | IOException e) {
//handle exception
} catch (KeyManagementException e) {
//handle exception
}
来源:https://stackoverflow.com/questions/39578653/httpsurlconnection-using-keystore-instead-of-truststore-with-websphere-liberty-p