cxf-issues mailing list archives

From "Wolfgang Nagele (JIRA)" <j...@apache.org>
Subject [jira] Issue Comment Edited: (CXF-2403) Use of client certificates via http conduit configuration broken
Date Thu, 27 Aug 2009 16:36:59 GMT

    [ https://issues.apache.org/jira/browse/CXF-2403?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12748431#action_12748431 ]

Wolfgang Nagele edited comment on CXF-2403 at 8/27/09 9:36 AM:
---------------------------------------------------------------

Found the problem.

While looking at your implementation and the diff to mine it became clear that I am creating
my client based on a WSDL on the SSL-enabled server. In your example you use a local copy
of the WSDL. With this figured out I tried mine with a local WSDL file and it worked just
fine. Thanks for the help!

CXF-2380 is already dealing with the same issue and explains how to work around this.

      was (Author: wnagele):
    Found the problem.

While looking at your implementation and the diff to mine it became clear that I am creating
my client based on a WSDL on the SSL-enabled server. In your example you use a local copy
of the WSDL. With this figured out I tried mine with a local WSDL file and it worked just
fine. Thanks for the help!

CXF-2380 is already dealing with the same issue and explains how to work around this
(please mark this issue as a duplicate and close it).
  
> Use of client certificates via http conduit configuration broken
> ----------------------------------------------------------------
>
>                 Key: CXF-2403
>                 URL: https://issues.apache.org/jira/browse/CXF-2403
>             Project: CXF
>          Issue Type: Bug
>          Components: Configuration
>            Reporter: Wolfgang Nagele
>         Attachments: client-keystore, client-truststore, client.crt, client.key, client.p12, server-keystore, server-truststore, server.crt, server.key, server.p12, soap_https.zip
>
>
> To use standard SSL client certificates for authentication the following configuration should work:
> <http:conduit name="*.http-conduit">
>   <http:tlsClientParameters>
>     <sec:keyManagers keyPassword="password">
>       <sec:keyStore type="JKS" password="password" file="keystore" />
>     </sec:keyManagers>
>     <sec:trustManagers>
>       <sec:keyStore type="JKS" password="password" file="truststore" />
>     </sec:trustManagers>
>   </http:tlsClientParameters>
> </http:conduit>
> In this configuration we would have the public certificate of the server we want to connect to in the truststore and the private key and certificate in the keystore.
> With the current CXF implementation this results in the following exception:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> 	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174) [na:1.6.0_13]
> 	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238) [na:1.6.0_13]
> 	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280) [na:1.6.0_13]
> 	... 39 common frames omitted
> Once we additionally define the following properties it works:
> * javax.net.ssl.keyStore=keystore
> * javax.net.ssl.keyStorePassword=password
> * javax.net.ssl.trustStore=truststore
> * javax.net.ssl.trustStorePassword=password
> This however results in very ugly setups where we have to define the same data twice. Also we miss out on CXF's option of defining specific keystores and truststores per webservice.
> For further information also see: http://www.quendor.org/archiv/428

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
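
The local-WSDL workaround from the comment above, as an added example that is not part of the original message or of CXF's own code: it downloads the WSDL once over mutual TLS using the same keystore and truststore the conduit names, without setting the JVM-wide javax.net.ssl.* properties. Assumptions: the class name WsdlFetcher and the two command-line arguments are hypothetical, the file names and password are the sample values from the issue, and the remote WSDL retrieval not picking up the conduit's TLS settings is inferred from the comment.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper (not part of CXF): fetch the WSDL once over mutual TLS,
// then build the web service client from the local copy.
public class WsdlFetcher {

    static KeyStore loadJks(String file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    // SSLContext built from the same two stores the http:conduit configuration names.
    static SSLContext contextFor(String keyStore, String trustStore, char[] pw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keyStore, pw), pw);   // client private key and certificate
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStore, pw));     // server certificate to trust
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: https URL of the WSDL (placeholder), args[1]: local output path
        char[] pw = "password".toCharArray();  // sample value from the issue's configuration
        SSLContext ctx = contextFor("keystore", "truststore", pw);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // this connection only, no JVM-wide change
        Path out = Paths.get(args[1]);
        try (InputStream in = conn.getInputStream()) {
            Files.copy(in, out, StandardCopyOption.REPLACE_EXISTING);
        }
        System.out.println("WSDL saved to " + out.toAbsolutePath());
    }
}
```

Hostname verification is left at the HttpsURLConnection default, so the server certificate in the truststore must match the host name in the WSDL URL.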

