Posted to dev@cxf.apache.org by Eric Chua <in...@yahoo.com> on 2013/06/05 15:10:49 UTC

CXF with Mutual Authentication in the Conduit

I am configuring the conduit for mutual authentication.  I have an apache httpd server that requires client certificate.

I get this to work using my own generated CA.pem signing my certificate.

When I use a GeoTrust certificate in a keystore for the client identification, it doesn't work.  Has anyone had this issue before?  The only thing I can see as being different is that my self-signed client certificate is 1024 while the GeoTrust certificate is 2048.  When I used the GeoTrust keystore in a browser, I am able to get the WSDL. When I try to send a request through CXF with the same keystore, it doesn't work. Any ideas?

For the server, I use Apache httpd that requires a client certificate.  I downloaded the CA.PEM from GeoTrust and was able to get the WSDL from the server. I am using mod_proxy to connect to the backend web service connection.  Here is my error.

[write] MD5 and SHA1 hashes:  len = 16
0000: 14 00 00 0C 85 AF 82 A7   87 6B 84 30 7D B9 C8 AA  .........k.0....
Padded plaintext before ENCRYPTION:  len = 32
0000: 14 00 00 0C 85 AF 82 A7   87 6B 84 30 7D B9 C8 AA  .........k.0....
0010: 17 BC F0 30 26 D7 52 D8   13 E2 F1 F1 45 03 A3 92  ...0&.R.....E...
main, WRITE: TLSv1 Handshake, length = 32
main, waiting for close_notify or alert: state 1
main, Exception while waiting for close java.net.SocketException: Software caused connection abort: recv failed
main, handling exception: java.net.SocketException: Software caused connection abort: recv failed
main, called close()
main, called closeInternal(true)
main, called closeSocket()


import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

// modPort is the JAX-WS port proxy obtained from the generated Service class (not shown)
Client clientProxy = ClientProxy.getClient(modPort);
HTTPConduit conduit = (HTTPConduit) clientProxy.getConduit();
TLSClientParameters tlscp = new TLSClientParameters();
//TLSClientParameters tlscp = conduit.getTlsClientParameters();

// Trust Store - One Way: which server certificates the client will accept
KeyStore tStore = KeyStore.getInstance("JKS");                            // certStoreType
File truststore = new File("./scripts/keys/ws-test.truststore.jks");      // certStore
String trustpass = "password";                                            // certStorePass
try (FileInputStream in = new FileInputStream(truststore)) {
    tStore.load(in, trustpass.toCharArray());
}
TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(tStore);
TrustManager[] tm = trustFactory.getTrustManagers();
tlscp.setTrustManagers(tm);

// 2-Way SSL: the client key and certificate chain presented to the server
tlscp.setDisableCNCheck(false);                                           // tlsDisableCNCheck
String keyStorePassword = "password";                                     // tlsKeyStore
KeyStore keyStore = KeyStore.getInstance("PKCS12");                       // tlsKeyStoreType
String keyStoreLoc = "./scripts/keys/ws-test-private-key.p12";
try (FileInputStream in = new FileInputStream(keyStoreLoc)) {
    keyStore.load(in, keyStorePassword.toCharArray());
}
String keyPEMPassPhrase = "password";
KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyFactory.init(keyStore, keyPEMPassPhrase.toCharArray());
KeyManager[] km = keyFactory.getKeyManagers();
tlscp.setKeyManagers(km);

// Apply the parameters to the conduit; without this call the new TLSClientParameters
// object has no effect (this line is not in the posted snippet)
conduit.setTlsClientParameters(tlscp);



Any ideas?

Re: CXF with Mutual Authentication in the Conduit

Posted by Eric Chua <in...@yahoo.com>.
On the Apache web server I get


[Wed Jun 05 13:18:52 2013] [info] [client 10.134.67.37] SSL library error 1 in handshake (server avs.responseservice.com:443)
[Wed Jun 05 13:18:52 2013] [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned


The strange thing is that it works for my keystore that I created.

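Editor's added example, not code from Eric's post or from the CXF project. The httpd message "no certificate returned" means the Java client answered the server's CertificateRequest with an empty Certificate message; JSSE does that whenever the key manager's chooseClientAlias returns null, i.e. no key entry in the PKCS12 has both a key type the server listed and a chain issued by one of the CA names the server sent as acceptable issuers. The class below (the name DiagnosticKeyManager is hypothetical) wraps the key manager that KeyManagerFactory produced and prints both sides of that comparison during the handshake. It assumes the km array and tlscp from the snippet above and is wired in with tlscp.setKeyManagers(DiagnosticKeyManager.wrap(km)) instead of tlscp.setKeyManagers(km).

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/**
 * Hypothetical diagnostic wrapper around the X509KeyManager returned by
 * KeyManagerFactory. It logs the key types and acceptable issuers from the
 * server's CertificateRequest next to the key entries the keystore holds,
 * so a null alias (empty client certificate) can be traced to its cause.
 */
public class DiagnosticKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;

    public DiagnosticKeyManager(X509KeyManager delegate) {
        this.delegate = delegate;
    }

    /** Wraps every X509KeyManager in the array from KeyManagerFactory.getKeyManagers(). */
    public static KeyManager[] wrap(KeyManager[] managers) {
        KeyManager[] wrapped = new KeyManager[managers.length];
        for (int i = 0; i < managers.length; i++) {
            wrapped[i] = managers[i] instanceof X509KeyManager
                    ? new DiagnosticKeyManager((X509KeyManager) managers[i])
                    : managers[i];
        }
        return wrapped;
    }

    /** Report: what the server asked for versus what the keystore can offer. */
    String explain(String[] keyTypes, Principal[] issuers, String chosen) {
        StringBuilder sb = new StringBuilder();
        sb.append("CertificateRequest: key types ").append(Arrays.toString(keyTypes))
          .append(", acceptable issuers ")
          .append(issuers == null || issuers.length == 0 ? "(any)" : Arrays.toString(issuers))
          .append("\nchosen alias: ")
          .append(chosen == null ? "NONE (an empty Certificate message will be sent)" : chosen)
          .append('\n');
        // A null issuer list disables the issuer filter, so every key entry of the type is listed.
        for (String keyType : keyTypes) {
            String[] aliases = delegate.getClientAliases(keyType, null);
            if (aliases == null) {
                continue;
            }
            for (String alias : aliases) {
                X509Certificate[] chain = delegate.getCertificateChain(alias);
                sb.append("  keystore entry ").append(alias).append(" [").append(keyType).append(']');
                if (chain == null) {
                    sb.append(" has no certificate chain\n");
                    continue;
                }
                // Compare these issuer DNs with the acceptable issuers printed above.
                for (X509Certificate cert : chain) {
                    sb.append("\n    subject=").append(cert.getSubjectX500Principal())
                      .append("\n    issuer =").append(cert.getIssuerX500Principal());
                }
                sb.append('\n');
            }
        }
        return sb.toString();
    }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        String chosen = delegate.chooseClientAlias(keyType, issuers, socket);
        System.err.println(explain(keyType, issuers, chosen));
        return chosen;
    }

    @Override
    public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
        String chosen = delegate instanceof X509ExtendedKeyManager
                ? ((X509ExtendedKeyManager) delegate).chooseEngineClientAlias(keyType, issuers, engine)
                : delegate.chooseClientAlias(keyType, issuers, null);
        System.err.println(explain(keyType, issuers, chosen));
        return chosen;
    }

    // Server-side selection and plain lookups are passed straight through.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return delegate instanceof X509ExtendedKeyManager
                ? ((X509ExtendedKeyManager) delegate).chooseEngineServerAlias(keyType, issuers, engine)
                : delegate.chooseServerAlias(keyType, issuers, null);
    }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

Reading the report: if the acceptable-issuers list and the issuer DNs of the keystore entry's chain have no name in common, JSSE will not present the certificate, however valid it is. That is the usual difference between a self-signed test CA (leaf issuer and the server's trusted CA are the same name) and a commercially issued certificate, whose leaf is signed by an intermediate: the PKCS12 then needs to carry the intermediate in its chain, and the CA file httpd uses for client verification (SSLCACertificateFile) needs to contain the CA that actually issued the client certificate. Once the report shows a chosen alias, the wrapper can be removed again.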