Posted to users@cxf.apache.org by jaybytez <ja...@yahoo.com> on 2012/03/09 22:48:20 UTC

2way SSL errors - http conduit

One last question with regards to http:conduit:

I can only get the following to work with 2way SSL
<http:conduit name="*.http-conduit">

The documentation says to use the WSDL port with QName to make it specific
instead of "*":

<http:conduit name="{https://foo.com}FooPort.http-conduit">

That doesn't seem to work for me...

<service name="Foo">
    <port name="FooPort" binding="tns:FooPortBinding">
      <soap:address location="REPLACE_WITH_ACTUAL_URL"/>
    </port>
</service>

Is the FooPort above the port name from the WSDL that is supposed to be used in
http:conduit and just apply the targetNamespace?

--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-2-4-Migration-removal-of-cxf-xml-2way-SSL-errors-tp5551465p5551804.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: 2way SSL errors - http conduit

Posted by jaybytez <ja...@yahoo.com>.
Woohoo, the regular expression worked!!!

I obviously didn't write my URL regex correctly.

Thanks a ton for the help!


Re: 2way SSL errors - http conduit

Posted by Daniel Kulp <dk...@apache.org>.
On Friday, March 09, 2012 08:16:21 PM jaybytez wrote:
> Thanks, I will take a look at the blog entry.
> 
> And unfortunately, yes...the namespace contains a https (it's a government
> web service).  I tried putting the portName in multiple variations and
> none work for me.
> 
> So we have been using the *.http-conduit, but the funny thing that
> happened when we went into production a while ago is that we have two
> service callouts in a war and one requires the 2 way SSL while the other
> doesn't.  So the *.http-conduit was wildcarding and applying to all
> callouts, so the service that didn't require it was failing because it
> was expecting this certificate exchange (and the whole time we thought it
> was a VIP problem).  Anyways, that is why I am trying to constrain the
> http-conduit to a specific service.
> 
> I will read the blog entry and then give a few more tries.  I tried the
> URL regular expression except the problem is that part of the urls are
> different for prod and test, like:
> 
> https://prod.gov/service
> https://test.gov/service
> 
> And I would need to regular expression a part in the URL (not sure if that
> is possible).

Yes.  That is possible.   name="https://.*\.gov/service"  could do it.  
However, you can also even use separate conduit settings.   One for 
"test.gov" and another for "prod.gov".   That can allow for separate 
settings for production and testing.



-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
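
Added example (not part of the original thread, and not the posters' or the CXF project's own configuration): the separate-conduit option from the reply above written out as a Spring configuration, with the over-broad wildcard noted for contrast. Keystore paths and passwords are placeholders, the hostnames are the ones quoted in the thread, and the trailing ".*" on each name is an assumption about how the real endpoint URLs continue.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- Too broad: name="*.http-conduit" applies the client-certificate settings
       to every callout in the WAR, including the service that does not use
       2-way SSL (the production failure described in the thread). -->

  <!-- Scoped to the test host only. The dot is escaped so it matches a literal
       "." when the name is evaluated as a regular expression. -->
  <http:conduit name="https://test\.gov/service.*">
    <http:tlsClientParameters>
      <sec:keyManagers keyPassword="PLACEHOLDER_KEY_PASSWORD">
        <sec:keyStore type="JKS" file="/placeholder/test-client.jks" password="PLACEHOLDER_STORE_PASSWORD"/>
      </sec:keyManagers>
      <sec:trustManagers>
        <sec:keyStore type="JKS" file="/placeholder/test-truststore.jks" password="PLACEHOLDER_STORE_PASSWORD"/>
      </sec:trustManagers>
    </http:tlsClientParameters>
  </http:conduit>

  <!-- Separate settings for production, so test and prod can present
       different client certificates and trust different CAs. -->
  <http:conduit name="https://prod\.gov/service.*">
    <http:tlsClientParameters>
      <sec:keyManagers keyPassword="PLACEHOLDER_KEY_PASSWORD">
        <sec:keyStore type="JKS" file="/placeholder/prod-client.jks" password="PLACEHOLDER_STORE_PASSWORD"/>
      </sec:keyManagers>
      <sec:trustManagers>
        <sec:keyStore type="JKS" file="/placeholder/prod-truststore.jks" password="PLACEHOLDER_STORE_PASSWORD"/>
      </sec:trustManagers>
    </http:tlsClientParameters>
  </http:conduit>

  <!-- Single-conduit form from the reply: name="https://.*\.gov/service".
       In a regular expression ".*" matches any characters, "/" included, so
       that name covers more than the two hosts; an alternation such as
       "https://(prod|test)\.gov/service" is the narrower pattern. -->
</beans>
```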


Re: 2way SSL errors - http conduit

Posted by jaybytez <ja...@yahoo.com>.
Thanks, I will take a look at the blog entry.

And unfortunately, yes...the namespace contains a https (it's a government
web service).  I tried putting the portName in multiple variations and none
work for me.

So we have been using the *.http-conduit, but the funny thing that happened
when we went into production a while ago is that we have two service callouts
in a war and one requires the 2 way SSL while the other doesn't.  So the
*.http-conduit was wildcarding and applying to all callouts, so the service
that didn't require it was failing because it was expecting this certificate
exchange (and the whole time we thought it was a VIP problem).  Anyways,
that is why I am trying to constrain the http-conduit to a specific service.

I will read the blog entry and then give a few more tries.  I tried the URL
regular expression except the problem is that part of the urls are different
for prod and test, like:

https://prod.gov/service
https://test.gov/service

And I would need to regular expression a part in the URL (not sure if that
is possible).

Thanks for the help!


Re: 2way SSL errors - http conduit

Posted by Glen Mazza <gm...@talend.com>.
This blog entry might help: 
http://www.jroller.com/gmazza/entry/cxf_x509_profile_secpol

Glen

On 03/09/2012 06:47 PM, Glen Mazza wrote:
> What you have should work--does your namespace really start with 
> "https://" and not just "http://"?
>
> Glen
>
> On 03/09/2012 04:48 PM, jaybytez wrote:
>> One last question with regards to http:conduit:
>>
>> I can only get the following to work with 2way SSL
>> <http:conduit name="*.http-conduit">
>>
>> The documentation says to use the WSDL port with QName to make it 
>> specific
>> instead of "*":
>>
>> <http:conduit name="{https://foo.com}FooPort.http-conduit">
>>
>> That doesn't seem to work for me...
>>
>> <service name="Foo">
>>     <port name="FooPort" binding="tns:FooPortBinding">
>>       <soap:address location="REPLACE_WITH_ACTUAL_URL"/>
>>     </port>
>> </service>
>>
>> Is the FooPort above the port name from the WSDL that is supposed to be
>> used in http:conduit and just apply the targetNamespace?
>>
>
>


-- 
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza


Re: 2way SSL errors - http conduit

Posted by Glen Mazza <gm...@talend.com>.
What you have should work--does your namespace really start with 
"https://" and not just "http://"?

Glen

On 03/09/2012 04:48 PM, jaybytez wrote:
> One last question with regards to http:conduit:
>
> I can only get the following to work with 2way SSL
> <http:conduit name="*.http-conduit">
>
> The documentation says to use the WSDL port with QName to make it specific
> instead of "*":
>
> <http:conduit name="{https://foo.com}FooPort.http-conduit">
>
> That doesn't seem to work for me...
>
> <service name="Foo">
>      <port name="FooPort" binding="tns:FooPortBinding">
>        <soap:address location="REPLACE_WITH_ACTUAL_URL"/>
>      </port>
> </service>
>
> Is the FooPort above the port name from the WSDL that is supposed to be used in
> http:conduit and just apply the targetNamespace?
>


-- 
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza