Certificate error in a Kerberized MongoDB Java connection

I am trying to connect to a 3-node MongoDB replica set (with Kerberos and SSL enabled) using the Java driver. My code looks like this:

import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import com.mongodb.client.MongoCollection;
import com.mongodb.client.MongoDatabase;
import org.bson.Document;

public class MongoDBPoC {

    static {
        // Trust store holding the CA that signed the mongod server certificates
        System.setProperty("javax.net.ssl.trustStore", "mongo_test.truststore");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        // Let the GSSAPI mechanism obtain Kerberos credentials via JAAS
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        System.setProperty("java.security.auth.login.config", "jaas.conf");
    }

    public static void main(String[] args) {
        try (MongoClient mongoClient = MongoClients.create(
                "mongodb://username%40REALM.COM@server01.domain.com:27017/?authMechanism=GSSAPI&ssl=true")) {

            MongoDatabase database = mongoClient.getDatabase("MY_DB");
            MongoCollection<Document> collection = database.getCollection("MY_COLL");

            System.out.println(collection.countDocuments());
        }
    }
}

When I try to connect to only one of the nodes (any of them), I can connect successfully. But when I provide all the nodes in the connection string, the connection fails. What I mean is that

mongodb://username%40REALM.COM@server01.domain.com:27017/?authMechanism=GSSAPI&ssl=true

works fine, but

mongodb://username%40REALM.COM@server01.domain.com:27017,server02.domain.com:27017,server03.domain.com:27017/?authMechanism=GSSAPI&ssl=true

fails with the following exception:

Kas 13,2019 10:44:45 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Cluster created with settings {hosts=[server01.domain.com:27017,server03.domain.com:27017],mode=MULTIPLE,requiredClusterType=REPLICA_SET,serverSelectionTimeout='30000 ms',maxWaitQueueSize=500,requiredReplicaSetName='rs1'}
Kas 13,2019 10:44:45 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Adding discovered server server01.domain.com:27017 to client view of cluster
Kas 13,2019 10:44:45 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Adding discovered server server02.domain.com:27017 to client view of cluster
Kas 13,2019 10:44:45 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Adding discovered server server03.domain.com:27017 to client view of cluster
Kas 13,2019 10:44:45 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: No server chosen by com.mongodb.client.internal.MongoClientDelegate$1@3567135c from cluster description ClusterDescription{type=REPLICA_SET,connectionmode=MULTIPLE,serverDescriptions=[ServerDescription{address=server01.domain.com:27017,type=UNKNOWN,state=CONNECTING},ServerDescription{address=server02.domain.com:27017,ServerDescription{address=server03.domain.com:27017,state=CONNECTING}]}. Waiting for 30000 ms before timing out
Kas 13,2019 10:44:46 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Opened connection [connectionId{localValue:2,serverValue:4486}] to server02.domain.com:27017
Kas 13,2019 10:44:46 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Opened connection [connectionId{localValue:1,serverValue:36356}] to server01.domain.com:27017
Kas 13,2019 10:44:46 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Opened connection [connectionId{localValue:3,serverValue:4189}] to server03.domain.com:27017
Kas 13,2019 10:44:46 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Monitor thread successfully connected to server with description ServerDescription{address=server01.domain.com:27017,type=REPLICA_SET_SECONDARY,state=CONNECTED,ok=true,version=ServerVersion{versionList=[4,2,0]},minWireversion=0,maxWireversion=8,maxDocumentSize=16777216,logicalSessionTimeoutMinutes=30,roundTripTimeNanos=25084370,setName='rs1',canonicalAddress=server01:27017,hosts=[server03:27017,server01:27017,server02:27017],passives=[],arbiters=[],primary='server02:27017',tagSet=TagSet{[]},electionId=null,setVersion=5,lastWriteDate=Wed Nov 13 10:44:37 EET 2019,lastUpdateTimeNanos=1840350107661741}
Kas 13,2019 10:44:46 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Monitor thread successfully connected to server with description ServerDescription{address=server03.domain.com:27017,roundTripTimeNanos=24081447,canonicalAddress=server03:27017,2019 10:44:46 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Monitor thread successfully connected to server with description ServerDescription{address=server02.domain.com:27017,type=REPLICA_SET_PRIMARY,roundTripTimeNanos=25093623,canonicalAddress=server02:27017,electionId=7fffffff0000000000000195,2019 10:44:46 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Adding discovered server server03:27017 to client view of cluster
Kas 13,2019 10:44:46 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Adding discovered server server01:27017 to client view of cluster
Kas 13,2019 10:44:46 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Adding discovered server server02:27017 to client view of cluster
Kas 13,2019 10:44:46 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Canonical address server03:27017 does not match server address.  Removing server03.domain.com:27017 from client view of cluster
Kas 13,2019 10:44:46 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Server server01.domain.com:27017 is no longer a member of the replica set.  Removing from client view of cluster.
Kas 13,2019 10:44:46 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Server server02.domain.com:27017 is no longer a member of the replica set.  Removing from client view of cluster.
Kas 13,2019 10:44:46 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Canonical address server02:27017 does not match server address.  Removing server02.domain.com:27017 from client view of cluster
Kas 13,2019 10:44:46 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Exception in monitor thread while connecting to server server01:27017
com.mongodb.MongoSocketWriteException: Exception sending message
    at com.mongodb.internal.connection.InternalStreamConnection.translateWriteException(InternalStreamConnection.java:541)
    at com.mongodb.internal.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:429)
    at com.mongodb.internal.connection.InternalStreamConnection.sendCommandMessage(InternalStreamConnection.java:269)
    at com.mongodb.internal.connection.InternalStreamConnection.sendAndReceive(InternalStreamConnection.java:253)
    at com.mongodb.internal.connection.CommandHelper.sendAndReceive(CommandHelper.java:83)
    at com.mongodb.internal.connection.CommandHelper.executeCommand(CommandHelper.java:33)
    at com.mongodb.internal.connection.InternalStreamConnectionInitializer.initializeConnectionDescription(InternalStreamConnectionInitializer.java:105)
    at com.mongodb.internal.connection.InternalStreamConnectionInitializer.initialize(InternalStreamConnectionInitializer.java:62)
    at com.mongodb.internal.connection.InternalStreamConnection.open(InternalStreamConnection.java:127)
    at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:117)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching server01 found
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
    at com.mongodb.internal.connection.SocketStream.write(SocketStream.java:99)
    at com.mongodb.internal.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:426)
    ... 9 more
Caused by: java.security.cert.CertificateException: No name matching server01 found
    at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
    ... 18 more

Kas 13,2019 10:44:46 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Exception in monitor thread while connecting to server server02:27017
com.mongodb.MongoSocketWriteException: Exception sending message
    at com.mongodb.internal.connection.InternalStreamConnection.translateWriteException(InternalStreamConnection.java:541)
    at com.mongodb.internal.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:429)
    at com.mongodb.internal.connection.InternalStreamConnection.sendCommandMessage(InternalStreamConnection.java:269)
    at com.mongodb.internal.connection.InternalStreamConnection.sendAndReceive(InternalStreamConnection.java:253)
    at com.mongodb.internal.connection.CommandHelper.sendAndReceive(CommandHelper.java:83)
    at com.mongodb.internal.connection.CommandHelper.executeCommand(CommandHelper.java:33)
    at com.mongodb.internal.connection.InternalStreamConnectionInitializer.initializeConnectionDescription(InternalStreamConnectionInitializer.java:105)
    at com.mongodb.internal.connection.InternalStreamConnectionInitializer.initialize(InternalStreamConnectionInitializer.java:62)
    at com.mongodb.internal.connection.InternalStreamConnection.open(InternalStreamConnection.java:127)
    at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:117)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching server02 found
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
    at com.mongodb.internal.connection.SocketStream.write(SocketStream.java:99)
    at com.mongodb.internal.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:426)
    ... 9 more
Caused by: java.security.cert.CertificateException: No name matching server02 found
    at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
    ... 18 more

Kas 13,2019 10:44:46 AM com.mongodb.diagnostics.logging.JULLogger log
INFO: Exception in monitor thread while connecting to server server03:27017
com.mongodb.MongoSocketWriteException: Exception sending message
    at com.mongodb.internal.connection.InternalStreamConnection.translateWriteException(InternalStreamConnection.java:541)
    at com.mongodb.internal.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:429)
    at com.mongodb.internal.connection.InternalStreamConnection.sendCommandMessage(InternalStreamConnection.java:269)
    at com.mongodb.internal.connection.InternalStreamConnection.sendAndReceive(InternalStreamConnection.java:253)
    at com.mongodb.internal.connection.CommandHelper.sendAndReceive(CommandHelper.java:83)
    at com.mongodb.internal.connection.CommandHelper.executeCommand(CommandHelper.java:33)
    at com.mongodb.internal.connection.InternalStreamConnectionInitializer.initializeConnectionDescription(InternalStreamConnectionInitializer.java:105)
    at com.mongodb.internal.connection.InternalStreamConnectionInitializer.initialize(InternalStreamConnectionInitializer.java:62)
    at com.mongodb.internal.connection.InternalStreamConnection.open(InternalStreamConnection.java:127)
    at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:117)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching server03 found
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
    at com.mongodb.internal.connection.SocketStream.write(SocketStream.java:99)
    at com.mongodb.internal.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:426)
    ... 9 more
Caused by: java.security.cert.CertificateException: No name matching server03 found
    at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
    ... 18 more

The driver somehow seems to have found the hostnames server01, server02 and server03, which of course it cannot find in the SSL certificates. It should connect using the names I provided: server01.domain.com, server02.domain.com, server03.domain.com. Where does the driver find these names, and how can I fix this?

Thank you very much.
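The log above shows the driver swapping the seed-list addresses for the canonical names the replica set reports in its `hosts=[...]` field, after which the JDK hostname check fails for those short names. The following added example (not from the question or the MongoDB driver) parses that logged member list and checks each member name against an assumed list of certificate SAN dNSName entries, using simplified RFC 6125 matching, so the mismatch can be detected before a deployment rather than in a 30-second server-selection timeout:

```python
import re

# Constructed sample input: the member list as the driver logged it in the
# ServerDescription above. After the first isMaster/hello response the
# driver addresses members by these canonical names, not by the seed list.
LOGGED_DESCRIPTION = (
    "ServerDescription{address=server01.domain.com:27017,"
    "type=REPLICA_SET_SECONDARY,setName='rs1',"
    "hosts=[server03:27017,server01:27017,server02:27017],"
    "primary='server02:27017'}"
)
# Assumed SAN dNSName entries on the node certificates (not from the page).
CERT_SANS = ["server01.domain.com", "server02.domain.com", "server03.domain.com"]


def parse_member_hosts(description: str) -> list[str]:
    """Return the hostnames (ports stripped) listed in the hosts=[...] field."""
    m = re.search(r"hosts=\[([^\]]*)\]", description)
    if not m:
        return []
    return [entry.rsplit(":", 1)[0] for entry in m.group(1).split(",") if entry]


def dns_name_matches(pattern: str, host: str) -> bool:
    """Simplified RFC 6125 comparison: case-insensitive, a '*' is accepted
    only as the whole leftmost label and matches exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False  # a wildcard must cover at least *.example.com
    return p_labels[0] == "*" and p_labels[1:] == h_labels[1:]


def check_members(description: str, san_names: list[str]) -> dict[str, bool]:
    """Map each replica-set member name to whether some SAN would accept it."""
    return {
        host: any(dns_name_matches(san, host) for san in san_names)
        for host in parse_member_hosts(description)
    }


def main() -> None:
    for host, ok in check_members(LOGGED_DESCRIPTION, CERT_SANS).items():
        print(f"{host}: {'ok' if ok else 'No name matching ' + host + ' found'}")


if __name__ == "__main__":
    main()
```

A member name that fails here will fail the JDK check in the same way regardless of which seed names were given, because the driver only uses the seed list for the initial discovery.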

Original link: https://www.f2er.com/3111906.html
