Posted to users@cxf.apache.org by David Balažic <da...@comtrade.com> on 2013/03/18 17:55:14 UTC

not using defined truststore?

Hi!

We use Apache CXF 2.3.3 (it was current at that time...) with Spring to call some web services over HTTPS.

In config we have:

	<jaxws:client id="problemClient" serviceClass="com.example.FooWS" address="https://localhost:8080/fake/" />
	<jaxws:client id="workingClient" serviceClass="com.example.BarWs" address="https://bar.example.com:443/barws/BarWs" />

	<http-conf:conduit name=".*">
		<http-conf:tlsClientParameters disableCNCheck="true">
			<sec:keyManagers keyPassword="keyPassOne">
				<sec:keyStore type="PKCS12" password="keyPassOne" file="our.pfx"/>
			</sec:keyManagers>
			<sec:trustManagers>
				<sec:keyStore password="passTwo" file="/trustKeystore/file"/>
			</sec:trustManagers>
		</http-conf:tlsClientParameters>
		<http-conf:client AutoRedirect="true" Connection="Keep-Alive"  ConnectionTimeout="120000" ReceiveTimeout="600000" />
	</http-conf:conduit>


The problem is that one ("workingClient") works, the other ("problemClient") does not. The only difference in the calling code is that the problemClient has an extra line to set the actual server address:

	import javax.xml.ws.BindingProvider;

	@Autowired
	@Qualifier("problemClient")
	private FooWS m_fooClient;
...

		BindingProvider provider;
		if(m_fooClient  instanceof BindingProvider) {
			provider = (BindingProvider) m_fooClient;
			provider.getRequestContext().put("thread.local.request.context", "true");
		// extra line to set service address:
			provider.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, "https://some.working.address/x/yWS");
		}
		m_fooClient.theCall("fooooo"); // the actual call


The error is a certificate trust error. The certificate is added to the configured truststore, but it seems to be ignored. If it is added to the system truststore, then it works.

Is there something simple that we overlooked?

The application server running the app is WebLogic.

Regards,
David Balažic
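The XML above relies on the conduit name pattern ".*" to attach the key and trust stores to whichever HTTPConduit CXF selects for a call. One way to take that matching out of the picture, added here as an example that is not part of the original post or of CXF's own documentation, is to build the TLSClientParameters in code and set them directly on the conduit the proxy will use for the overridden address. The class and method names (ConduitTlsConfigurer, buildTlsParameters, configure) and the store paths and passwords passed to it are assumptions for illustration; the CXF calls used (ClientProxy.getClient, Client.getConduit, HTTPConduit.setTlsClientParameters, TLSClientParameters.setTrustManagers/setKeyManagers/setDisableCNCheck) exist in the 2.x API. Note that it keeps hostname verification enabled, unlike disableCNCheck="true" in the posted config, which accepts any trusted certificate regardless of the host it was issued for.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/** Added example (not from the original post): programmatic TLS setup for a CXF JAX-WS proxy. */
public class ConduitTlsConfigurer {

    /**
     * Loads an explicit client key store and trust store and wraps them in TLSClientParameters.
     * Store types, paths and passwords are supplied by the caller (placeholders in the usage below).
     */
    public static TLSClientParameters buildTlsParameters(String keyStoreType, String keyStoreFile,
                                                         char[] keyStorePassword, char[] keyPassword,
                                                         String trustStoreType, String trustStoreFile,
                                                         char[] trustStorePassword) throws Exception {
        // Client certificate and private key (the "keyManagers" part of the XML config).
        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
        InputStream ksIn = new FileInputStream(keyStoreFile);
        try {
            keyStore.load(ksIn, keyStorePassword);
        } finally {
            ksIn.close();
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);

        // Trust anchors for the server chain (the "trustManagers" part of the XML config).
        KeyStore trustStore = KeyStore.getInstance(trustStoreType);
        InputStream tsIn = new FileInputStream(trustStoreFile);
        try {
            trustStore.load(tsIn, trustStorePassword);
        } finally {
            tsIn.close();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(kmf.getKeyManagers());
        tls.setTrustManagers(tmf.getTrustManagers());
        // Keep hostname verification on: a certificate from the trust store must also
        // be issued for the host actually being called. disableCNCheck="true" drops that check.
        tls.setDisableCNCheck(false);
        return tls;
    }

    /**
     * Overrides the endpoint address on the proxy, then attaches the TLS parameters to the
     * conduit CXF selects for that address. The address is set first on purpose: the conduit
     * selection reads the request context, so the conduit configured here is the one that will
     * carry calls to endpointAddress.
     */
    public static HTTPConduit configure(Object port, String endpointAddress, TLSClientParameters tls) {
        BindingProvider provider = (BindingProvider) port;
        provider.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpointAddress);
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
        return conduit;
    }

    /** Usage sketch with placeholder values; the FooWS proxy would come from Spring as in the post. */
    public static void usage(Object fooClientProxy) throws Exception {
        TLSClientParameters tls = buildTlsParameters(
                "PKCS12", "our.pfx", "keyPassOne".toCharArray(), "keyPassOne".toCharArray(),
                KeyStore.getDefaultType(), "/trustKeystore/file", "passTwo".toCharArray());
        configure(fooClientProxy, "https://some.working.address/x/yWS", tls);
    }
}
```

Two checks worth doing when the stack behaves differently from the XML: log conduit.getTarget().getAddress().getValue() after configure() to confirm the conduit you configured is the one pointing at the overridden address, and confirm that the failing host's chain (the error names 192.168.88.89 and 123.1.2.3, not the hostname in the address) is what was imported into the trust store. A "[Security:090477]" message comes from WebLogic's own SSL implementation, so it is also worth establishing which SSL provider the outbound connection actually went through before assuming the CXF trust manager was consulted.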

RE: not using defined truststore?

Posted by David Balažic <da...@comtrade.com>.
Here is the error we get:

javax.net.ssl.SSLKeyException: SSLKeyException invoking https://123.1.2.3:876: [Security:090477]Certificate chain received from 192.168.88.89 - 192.168.88.89 --> 123.1.2.3 was not trusted causing SSL handshake failure.

-----Original Message-----
From: David Balažic [mailto:david.balazic@comtrade.com] 
Sent: 18. March 2013 17:55
To: users@cxf.apache.org
Subject: not using defined truststore?
Importance: Low
