cxf-users mailing list archives

From Daniel Kulp <dk...@apache.org>
Subject Re: [JSSESupport] SSL Error getting client Certs
Date Wed, 08 Oct 2008 20:37:08 GMT

The only thing I can think of is to run your client with:
-Djavax.net.debug=all 

and see what it's trying to do with the handshakes and stuff. That MAY help
diagnose things. In theory, what you are doing is correct.


Dan


On Wednesday 08 October 2008 3:08:24 pm Sagi Mann wrote:
> I have an update:
>
> I also tried setting up a "conduit" as described in the CXF
> http://cwiki.apache.org/CXF20DOC/client-http-transport-including-ssl-support.html
> website
>
> and I got the same results:
>
> <beans xmlns="http://www.springframework.org/schema/beans"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   xmlns:sec="http://cxf.apache.org/configuration/security"
>   xmlns:http="http://cxf.apache.org/transports/http/configuration"
>   xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
>   xsi:schemaLocation="
>            http://cxf.apache.org/configuration/security
>            http://cxf.apache.org/schemas/configuration/security.xsd
>            http://cxf.apache.org/transports/http/configuration
>            http://cxf.apache.org/schemas/configuration/http-conf.xsd
>            http://www.springframework.org/schema/beans
>            http://www.springframework.org/schema/beans/spring-beans.xsd">
>
>   <http:conduit name="{https://cxf}HelloImplPort.http-conduit">
>     <http:tlsClientParameters disableCNCheck="true"
>                               secureSocketProtocol="SSL">
>       <sec:trustManagers>
>           <sec:keyStore type="JKS" password="changeit"
>                file="v:/tmp/clienttrust.jks"/>
>       </sec:trustManagers>
>       <sec:keyManagers keyPassword="changeit">
>            <sec:keyStore type="JKS" password="changeit"
>                 file="v:/tmp/clientkey.jks"/>
>       </sec:keyManagers>
>       <sec:cipherSuitesFilter>
>         <sec:include>.*_EXPORT_.*</sec:include>
>         <sec:include>.*_EXPORT1024_.*</sec:include>
>         <sec:include>.*_WITH_DES_.*</sec:include>
>         <sec:include>.*_WITH_NULL_.*</sec:include>
>         <sec:exclude>.*_DH_anon_.*</sec:exclude>
>       </sec:cipherSuitesFilter>
>     </http:tlsClientParameters>
>    </http:conduit>
> </beans>
>
>
> This is a copy of the WibbleClient.xml file from the wsdl_first_https with
> the obvious needed changes to the namespace and port. Note that the
> wsdl_first_https sample in the CXF distribution package works fine. But in
> that project, the webservice is not running inside an app server, but as a
> standalone app. And for those cases, CXF provides the option to configure
> the server key/truststore within the cxf configuration. This is not
> possible AFAIK for JAXWS endpoints which run as a servlet in an app server.
>
> In my webservice, this is the cxf.xml (you can see there is no mention
> of key or trust stores):
>
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:jaxws="http://cxf.apache.org/jaxws"
>        xsi:schemaLocation="http://www.springframework.org/schema/beans
>        http://www.springframework.org/schema/beans/spring-beans.xsd
>        http://cxf.apache.org/jaxws
>        http://cxf.apache.org/schemas/jaxws.xsd">
>
>     <import resource="classpath:META-INF/cxf/cxf.xml" />
>     <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml"/>
>     <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
>     <jaxws:endpoint id="hello"
>                     implementor="cxf.HelloImpl"
>                     address="/hello"/>
> </beans>
>
> Any ideas on how to get client-cert authentication working for a web
> service running in an app server?
> Thanks.



-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
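
An added example, not part of the original thread and not CXF code: alongside the -Djavax.net.debug=all trace suggested above, this checks that the client keystore from the quoted conduit holds a private key entry, and prints the issuer and key type of each certificate so they can be compared with what the server names in its CertificateRequest. The class name ClientKeyStoreCheck is hypothetical; the default path and password are the ones from the quoted configuration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical helper class, added for illustration; not part of CXF.
public class ClientKeyStoreCheck {
    // Prints every entry and returns how many carry a private key.
    static int report(KeyStore ks) throws Exception {
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                // trustedCertEntry: no private key, so it can never be presented.
                System.out.println(alias + ": certificate only, unusable for client auth");
                continue;
            }
            keyEntries++;
            System.out.println(alias + ": private key entry");
            Certificate[] chain = ks.getCertificateChain(alias);
            for (Certificate c : chain == null ? new Certificate[0] : chain) {
                if (!(c instanceof X509Certificate)) continue;
                X509Certificate x = (X509Certificate) c;
                String state = "valid now";
                try { x.checkValidity(); } catch (CertificateException e) { state = "NOT valid now"; }
                // Compare issuer and key type with the server's CertificateRequest.
                System.out.println("  subject=" + x.getSubjectX500Principal().getName()
                        + "\n  issuer=" + x.getIssuerX500Principal().getName()
                        + "\n  keyType=" + x.getPublicKey().getAlgorithm() + ", " + state);
            }
        }
        return keyEntries;
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the path and password from the quoted conduit configuration.
        String file = args.length > 0 ? args[0] : "v:/tmp/clientkey.jks";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, pass);
        }
        if (report(ks) == 0) {
            System.out.println("No private key entry: the client has nothing to send.");
        }
    }
}
```

If the trace shows the client answering the CertificateRequest with an empty certificate chain, the usual causes are visible in this output: no private key entry, an issuer the server does not list, or an expired certificate.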
