AD domain certificate login: no subject alternative names matching IP address XXX found
Adding the certificate to the JDK
Import the service.cer certificate into the JDK: copy the certificate into the JDK bin directory C:\Program Files\Java\jdk1.8.0_181\bin, open cmd in that directory, and run:
keytool -import -alias gdth-test -file gdth-test.cer -keystore "C:/Program Files/Java/jdk1.8.0_181/jre/lib/security/cacerts" -storepass changeit -trustcacerts
Java AD domain login code
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Hashtable;

public class Main {
    public static void main(String[] args) throws NoSuchAlgorithmException, KeyManagementException, IOException {
        loginSSL();
    }

    public static LdapContext loginSSL() throws KeyManagementException, NoSuchAlgorithmException, IOException {
        // Variables *************************************
        String jdkPath = "C:\\Program Files\\Java\\jdk1.8.0_181";
        String defaultDomain = "@XXXX.com";
        String userCode = "admin";
        String passwd = "123456";
        String LDAP_URL = "ldap://192.168.1.1:636";
        // End of variables ******************************
        // Point the JSSE trust store at the cacerts file the certificate was imported into
        String keystore = jdkPath + "/jre/lib/security/cacerts";
        System.setProperty("javax.net.ssl.trustStore", keystore);
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.SECURITY_PROTOCOL, "ssl"); // LDAP over SSL (LDAPS) on port 636
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userCode + defaultDomain);
        env.put(Context.SECURITY_CREDENTIALS, passwd);
        try {
            LdapContext dc = new InitialLdapContext(env, null);
            System.out.println("身份验证成功!");
            return dc;
        } catch (javax.naming.AuthenticationException e) {
            // Wrong user name or password
            System.out.println("身份验证失败!");
            e.printStackTrace();
        } catch (javax.naming.CommunicationException e) {
            // Connection or TLS handshake failure; the SAN error below surfaces here
            System.out.println("AD域连接失败: " + e.getMessage());
            e.printStackTrace();
        } catch (Exception e) {
            // Any other failure
            System.out.println("身份验证未知异常!");
            e.printStackTrace();
        }
        return null;
    }
}
Error output
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.1.1 found
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:168)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
From the message it looks like the certificate does not contain the corresponding IP address, but after repeated tests and adjustments on my side it is not a certificate problem; it is caused by a new JDK feature.
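The JDK error above comes from the endpoint identification step, which compares the host in the LDAP URL with the certificate's subject alternative names. The following added example (not code from the original post) reproduces that check locally so you can see what the certificate actually contains before changing JVM settings; it assumes the certificate file name gdth-test.cer and the LDAP URL from this post, and the hypothetical class name CheckLdapsCertSan.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

// Added example: lists the SAN entries of a certificate and checks whether the
// host used in the LDAP URL is among them (hypothetical helper, not part of the post).
public class CheckLdapsCertSan {
    static final int SAN_DNS = 2; // GeneralName type dNSName
    static final int SAN_IP = 7;  // GeneralName type iPAddress

    // Returns true when the host part of ldapUrl appears in the certificate's SAN list.
    // Simplification: wildcard dNSName entries and IPv6 literals are not handled here.
    public static boolean hostMatchesSan(X509Certificate cert, String ldapUrl) throws Exception {
        String host = URI.create(ldapUrl).getHost();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            System.out.println("certificate has no subjectAltName extension at all");
            return false;
        }
        boolean matched = false;
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            String value = String.valueOf(san.get(1));
            if (type == SAN_DNS) System.out.println("SAN dNSName:   " + value);
            if (type == SAN_IP)  System.out.println("SAN iPAddress: " + value);
            // An IP literal in the URL only matches iPAddress entries; a DNS name only
            // matches dNSName entries (case-insensitive), as the JDK's HostnameChecker does.
            if (type == SAN_IP && value.equals(host)) matched = true;
            if (type == SAN_DNS && value.equalsIgnoreCase(host)) matched = true;
        }
        return matched;
    }

    public static void main(String[] args) throws Exception {
        String certFile = args.length > 0 ? args[0] : "gdth-test.cer";
        String ldapUrl = args.length > 1 ? args[1] : "ldap://192.168.1.1:636";
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certFile)) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        String host = URI.create(ldapUrl).getHost();
        System.out.println(host + (hostMatchesSan(cert, ldapUrl)
                ? " is listed in the SAN; endpoint identification will pass"
                : " is NOT in the SAN; the JDK raises the error shown above"));
    }
}
```

If the host is not listed, connecting with a dNSName that is present (for example the domain controller's FQDN instead of its IP) or reissuing the certificate with the IP in its SAN keeps endpoint identification enabled, whereas the JVM option below turns the check off entirely.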
Solutions
1. Switch the runtime to JDK 7
According to a post on a foreign forum, JDK 8 added updates to its LDAP protocol handling that cause the problem above; switching the runtime JDK to JDK 7 makes the problem go away.
Details
2. Change the JVM configuration
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Set this JVM option to turn off the new LDAP behaviour, i.e. the endpoint identification check that compares the URL host against the certificate's subject alternative names.
IntelliJ IDEA environment
Tomcat environment
Open catalina.bat in the Tomcat bin directory and add the JVM option:
set "JAVA_OPTS=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"