cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Wolfgang Nagele (JIRA)" <j...@apache.org>
Subject [jira] Created: (CXF-2403) Use of client certificates via http conduit configuration broken
Date Tue, 25 Aug 2009 13:39:59 GMT
Use of client certificates via http conduit configuration broken
----------------------------------------------------------------

                 Key: CXF-2403
                 URL: https://issues.apache.org/jira/browse/CXF-2403
             Project: CXF
          Issue Type: Bug
          Components: Configuration
            Reporter: Wolfgang Nagele


To use standard SSL client certificates for authentication the following configuration should
work:
<http:conduit name="*.http-conduit">
  <http:tlsClientParameters>
    <sec:keyManagers keyPassword="password">
      <sec:keyStore type="JKS" password="password" file="keystore" />
    </sec:keyManagers>
    <sec:trustManagers>
      <sec:keyStore type="JKS" password="password" file="truststore" />
    </sec:trustManagers>
  </http:tlsClientParameters>
</http:conduit>

In this configuration we would have the public certificate of the server we want to connect
to in the truststore and the private key and certificate in the keystore.

With the current CXF implementation this results in the following exception:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification
path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
[na:1.6.0_13]
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238) [na:1.6.0_13]
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280) [na:1.6.0_13]
	... 39 common frames omitted

Once we additionally define the following properties it works:
* javax.net.ssl.keyStore=keystore
* javax.net.ssl.keyStorePassword=password
* javax.net.ssl.trustStore=truststore
* javax.net.ssl.trustStorePassword=password


This however results in very ugly setups where we have to define the same data twice. Also
we miss out on CXF's option of defining specific keystores and truststores per webservice.

For further information also see: http://www.quendor.org/archiv/428

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message