Trusting server certificates in COMSOL Multiphysics

问题描述

I want to connect to a server in COMSOL Multiphysics using a secure connection, for example connecting to a Model Manager server database or sending requests to a web server using HTTPS from method code, but I get an error message "unable to find valid certification path to requested target".

解决方法

The error message means that the Java runtime of COMSOL Multiphysics does not trust the server certificate. Follow the instructions below, based on the operating system that COMSOL Multiphysics is installed for, to ensure that the server certificate is trusted.

Alternatively, contact the server administrator to request that the server certificate includes a trust chain to a public certificate authority (CA). Then the Java runtime will most likely trust it already.

Trusting server certificates

You will first need to determine the root of the certificate chain of the server, which will typically be a local CA certificate of your organization. If you don't already have it available as a file, seeRetrieving the certificate chain of the serverbelow.

The certificate to trust can be put in any temporary location on the computer that runs the Model Manager server. After the certificate has been imported into the trust store, as described below, the certificate file is no longer used and can be removed from the temporary location.

On Windows (with COMSOL version 6.2 and above)

Starting with version 6.2, COMSOL Multiphysics uses the built-in trust store of the Windows operating system so all you have to do is to install the root certificate into the Windows trust store.

1. Launch the built-incertlm.msctool in Windows and navigate to theTrusted Root Certification Authorities>Certificatesfolder.
2. From theActionmenu, chooseInstalland clickNextto specify the file to import.
3. ClickBrowseor type the path to the certificate to import as a trusted root.
4. ClickNext,NextandFinish, and verify that the certificate appears in the list.

On Linux® and macOS, or Windows (with COMSOL version 6.1 and below)

On Linux and macOS systems (and prior to COMSOL version 6.1 also on Windows systems), COMSOL Multiphysics uses the trust store that comes with the Java runtime in the installation.

1. Find the path to the Javakeytoolthat is included in the COMSOL Multiphysics installation.
   • On Linux systems, the default path is/usr/local/comsol62/multiphysics/java/glnxa64/jre/bin/keytool.
   • On macOS systems, the default path is/Applications/COMSOL62/Multiphysics/java/maci64/jre/bin/keytool
   • On Windows systems, the default path isC:\Program Files\COMSOL\COMSOL62\Multiphysics\java\win64\jre\bin\keytool.exe
   • Replaceglnxa64andmaci64withglnxarm64andmacarm64, respectively, on ARM64 based platforms.
2. Runkeytoolwith arguments-importcert -cacerts -file myrootcert.pem -alias myrootcert, where the-fileargument should point to the root certificate to install and-aliasis the alias of the imported root certificate entry in the trust store.
   • You need to run the command with permissions to write to the installation directory.
   • The alias used must be unique within the keystore and does not have to match the filename. If you want to import multiple root certificates, pick a different alias for each one.
3. Enter the password of the Javacacertsfile which is by defaultchangeit.
4. Review the certificate information and answeryesif asked to install it.
   • If you get the error "Certificate not imported, alias already exists" the alias was already in use. Pick another alias, or use -delete -cacerts -alias myrootcertto delete the existing root certificate before importing the new one.

Note:There might be other COMSOL software installed on the system. Take care to locate the COMSOL Multiphysics installation of the version that you use, and run thekeytoolfrom the Java runtime of that installation. Even in the case of connecting to a Model Manager server, it is still the COMSOL Multiphysics side that must trust the server's certificate, so there's no need to perform this operation for the Model Manager server installation.

Retrieving the certificate chain of the server

The Javakeytoolis included in the COMSOL Multiphysics installation, at the default paths given above underTrusting server certificates.

1. Runkeytoolwith arguments-printcert -rfc -sslserver hostname:port, wherehostname:portis the hostname and the secure port of the server.
   • If you get the error "No certificate from the SSL server", check that the hostname is correct and withouthttps://prefix and that the port is the secure port and not for example the non-secure HTTP port of the server.
2. The output should be blocks start start with-----BEGIN CERTIFICATE-----and end with-----END CERTIFICATE-----. Copy the last such block printed to the clipboard, which should typically correspond to the root of the certificate chain.
3. Paste the block in a text editor and save the file asmyrootcert.pemto any temporary location.

Note:You should ensure that your connection to the server is on a trusted network, as you could otherwise in theory retrieve the certificate chain from a malicious party in a man-in-the-middle attack. To reduce this risk of such an attack you should communicate with the server administrator over a trusted channel, after retrieving the certificate chain, to verify the root certificate fingerprint before trusting it.

按类别浏览

错误消息 (65)
导入 (10)
几何 (14)
物理场 (10)
求解器 (35)
安装 (40)
网格 (14)
通用 (34)
结构力学 (2)
流体动力学 (1)
后处理 (4)
导出 (1)
绘图 (1)
产品信息 (6)
多物理场 (1)
用户模型 (1)
电磁学 (1)