Posted to users@cxf.apache.org by Giriraj Bhojak <gi...@gmail.com> on 2014/07/11 22:15:39 UTC

Supplying passwords for key manager and trust manager to http:conduit

Hello all,

I am using http-conduit for SSL support in CXF 2.7.11.
Is there a way I can specify a password callback for <sec:keyManagers> and
<sec:trustManagers>?

Thanks,
Giriraj.

RE: Supplying passwords for key manager and trust manager to http:conduit

Posted by Andrei Shakirin <as...@talend.com>.
Hi,

Callback handlers are supported for key passwords in CXF 3.1.0-SNAPSHOT.
Details in https://issues.apache.org/jira/browse/CXF-5926 .

Regards,
Andrei.

> -----Original Message-----
> From: Giriraj Bhojak [mailto:giriraj2k@gmail.com]
> Sent: Freitag, 11. Juli 2014 22:16
> To: users@cxf.apache.org
> Subject: Supplying passwords for key manager and trust manager to
> http:conduit
> 
> Hello all,
> 
> I am using http-conduit for SSL support in CXF 2.7.11.
> Is there a way I can specify a password callback for <sec:keyManagers> and
> <sec:trustManagers>?
> 
> Thanks,
> Giriraj.

Re: Supplying passwords for key manager and trust manager to http:conduit

Posted by Giriraj Bhojak <gi...@gmail.com>.
I just found out that if I introduce another key in the keystore with some
password, I get the following:

Caused by: java.security.UnrecoverableKeyException: Cannot recover key
    at com.ibm.crypto.provider.s.recover(s.java:90)
    at com.ibm.crypto.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:256)
    at java.security.KeyStore.getKey(KeyStore.java:803)
    at com.ibm.jsse2.uc.<init>(uc.java:113)
    at com.ibm.jsse2.cc$a_.engineInit(cc$a_.java:15)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:16)
    at org.apache.cxf.configuration.jsse.TLSParameterJaxBUtils.getKeyManagers(TLSParameterJaxBUtils.java:279)

If I delete the new entry from the keystore, my test works fine, so the
moment I have another protected key in keystore, I get
UnrecoverableKeyException.
Do I need to set up something in order to avoid it?

Thanks,
Giriraj.


On Thu, Jul 17, 2014 at 5:24 PM, Giriraj Bhojak <gi...@gmail.com> wrote:

> I did try that. I must have goofed up with the passwords. But it's working
> now.
> But I need to understand something. The entry looks something like this:
>
> <sec:keyManagers keyPassword="keyPassword" >
>                 <sec:keyStore file=".keystore"
>                     password="keyStorepassword" type="jks" />
>             </sec:keyManagers>
>
> If there is more than one key in the keystore with the same password,
> which entry is the correct entry as per CXF?
> How does it identify the correct one if we do not specify an alias?
> Perhaps I am missing something very elementary.
>
> Thanks,
> Giriraj.

RE: Supplying passwords for key manager and trust manager to http:conduit

Posted by Andrei Shakirin <as...@talend.com>.
Hi Sergei,

Yes, supporting a callback password provider will make life easier for users configuring SSL in spring/blueprint but having access to the passwords only at runtime.

Regards,
Andrei.

> -----Original Message-----
> From: Sergey Beryozkin [mailto:sberyozkin@gmail.com]
> Sent: Dienstag, 22. Juli 2014 11:01
> To: users@cxf.apache.org
> Subject: Re: Supplying passwords for key manager and trust manager to
> http:conduit
> 
> Hi
> 
> Will it make sense to introduce a callback password provider ? I guess it may
> also be useful in cases where HttpConduit falls back to using system properties
> ?
> 
> Cheers, Sergey

Re: Supplying passwords for key manager and trust manager to http:conduit

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

Will it make sense to introduce a callback password provider ? I guess 
it may also be useful in cases where HttpConduit falls back to using 
system properties ?

Cheers, Sergey

On 18/07/14 12:03, Andrei Shakirin wrote:
> Hi,
>
>> I did try that. I must have goofed up with the passwords. But it's working now.
>> But I need to understand something. The entry looks something like this:
>>
>> <sec:keyManagers keyPassword="keyPassword" >
>>                  <sec:keyStore file=".keystore"
>>                      password="keyStorepassword" type="jks" />
>>              </sec:keyManagers>
>>
>> If there is more than one key in the keystore with the same password, which
>> entry is the correct entry as per CXF?
>> How does it identify the correct one if we do not specify an alias?
>> Perhaps I am missing something very elementary.
>
> By default KeyManager assumes that there is only one key in the keystore. If you have more than one key, it is necessary to add the certAlias element to tlsClientParameters:
>
> <http:tlsClientParameters>
>        <sec:keyManagers keyPassword="password">
>          <sec:keyStore type="JKS" password="password"
>                        file="my/file/dir/Morpit.jks"/>
>        </sec:keyManagers>
>        <sec:trustManagers>
>          <sec:keyStore type="JKS" password="password"
>                        file="my/file/dir/Truststore.jks"/>
>        </sec:trustManagers>
>        <sec:certAlias>myKey</sec:certAlias>
> </http:tlsClientParameters>
>
> https://cwiki.apache.org/confluence/display/CXF20DOC/TLS+Configuration
>
>
> Regards,
> Andrei.

RE: Supplying passwords for key manager and trust manager to http:conduit

Posted by Andrei Shakirin <as...@talend.com>.
Hi,

> I did try that. I must have goofed up with the passwords. But it's working now.
> But I need to understand something. The entry looks something like this:
> 
> <sec:keyManagers keyPassword="keyPassword" >
>                 <sec:keyStore file=".keystore"
>                     password="keyStorepassword" type="jks" />
>             </sec:keyManagers>
> 
> If there is more than one key in the keystore with the same password, which
> entry is the correct entry as per CXF?
> How does it identify the correct one if we do not specify an alias?
> Perhaps I am missing something very elementary.

By default KeyManager assumes that there is only one key in the keystore. If you have more than one key, it is necessary to add the certAlias element to tlsClientParameters:

<http:tlsClientParameters>
      <sec:keyManagers keyPassword="password">
        <sec:keyStore type="JKS" password="password"
                      file="my/file/dir/Morpit.jks"/>
      </sec:keyManagers>
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="password"
                      file="my/file/dir/Truststore.jks"/>
      </sec:trustManagers>
      <sec:certAlias>myKey</sec:certAlias>
</http:tlsClientParameters>

https://cwiki.apache.org/confluence/display/CXF20DOC/TLS+Configuration


Regards,
Andrei.
> 
> Thanks,
> Giriraj.

Re: Supplying passwords for key manager and trust manager to http:conduit

Posted by Giriraj Bhojak <gi...@gmail.com>.
I did try that. I must have goofed up with the passwords. But it's working
now.
But I need to understand something. The entry looks something like this:

<sec:keyManagers keyPassword="keyPassword" >
                <sec:keyStore file=".keystore"
                    password="keyStorepassword" type="jks" />
            </sec:keyManagers>

If there is more than one key in the keystore with the same password,
which entry is the correct entry as per CXF?
How does it identify the correct one if we do not specify an alias?
Perhaps I am missing something very elementary.

Thanks,
Giriraj.


On Tue, Jul 15, 2014 at 11:58 AM, Andrei Shakirin <as...@talend.com>
wrote:

> Hi,
>
> "Unrecoverable key" usually means that your keystore password is incorrect.
> Have you tried to access keystore/truststore using JDK keytool?
>
> Regards,
> Andrei.

RE: Supplying passwords for key manager and trust manager to http:conduit

Posted by Andrei Shakirin <as...@talend.com>.
Hi,

"Unrecoverable key" usually means that your keystore password is incorrect.
Have you tried to access keystore/truststore using JDK keytool?

Regards,
Andrei.

> -----Original Message-----
> From: Giriraj Bhojak [mailto:giriraj2k@gmail.com]
> Sent: Dienstag, 15. Juli 2014 00:05
> To: users@cxf.apache.org
> Subject: Re: Supplying passwords for key manager and trust manager to
> http:conduit
> 
> Thank you Andrei.
> I ended up using Spring EL to supply the password.
> But I have noticed that if the keystore and key passwords are different, I get
> an "Unrecoverable key" exception.
> Is this some sort of bug with Merlin or am I missing something?
> 
> Thanks,
> Giriraj.

Re: Supplying passwords for key manager and trust manager to http:conduit

Posted by Giriraj Bhojak <gi...@gmail.com>.
Thank you Andrei.
I ended up using Spring EL to supply the password.
But I have noticed that if the keystore and key passwords are different, I
get an "Unrecoverable key" exception.
Is this some sort of bug with Merlin or am I missing something?

Thanks,
Giriraj.


On Sat, Jul 12, 2014 at 11:15 AM, Andrei Shakirin <as...@talend.com>
wrote:

> Hi,
>
> In Spring configuration you can only specify the password directly:
>     <httpj:engine-factory id="port-9001-tls-config">
>         <httpj:engine port="9001">
>             <httpj:tlsServerParameters>
>                 <sec:keyManagers keyPassword="password">
>                     <sec:keyStore type="JKS" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
>                 </sec:keyManagers>
>                 <sec:trustManagers>
>                     <sec:keyStore type="JKS" password="password"
> file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
>                 </sec:trustManagers>
>             </httpj:tlsServerParameters>
>         </httpj:engine>
>     </httpj:engine-factory>
>
> But you can get the password from a callback or another store using
> programmatic initialization of tlsClientParameters:
>        TLSClientParameters tlsClientParameters = new TLSClientParameters();
>        ...
>        String alg = KeyManagerFactory.getDefaultAlgorithm();
>         char[] keyPass = keyPassword != null
>                      ? keyPassword.toCharArray()
>                      : null;
>         KeyManagerFactory fac = KeyManagerFactory.getInstance(alg);
>         fac.init(keyStore, keyPass);
>         tlsClientParameters.setKeyManagers(fac.getKeyManagers());
>         HTTPConduit http =
>             (HTTPConduit) client.getConduit();
>         http.setTlsClientParameters(tlsClientParameters);
>         ...
>
> Regards,
> Andrei.

RE: Supplying passwords for key manager and trust manager to http:conduit

Posted by Andrei Shakirin <as...@talend.com>.
Hi,

In Spring configuration you can only specify the password directly:
    <httpj:engine-factory id="port-9001-tls-config">
        <httpj:engine port="9001">
            <httpj:tlsServerParameters>
                <sec:keyManagers keyPassword="password">
                    <sec:keyStore type="JKS" password="password" file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
                </sec:keyManagers>
                <sec:trustManagers>
                    <sec:keyStore type="JKS" password="password" file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
                </sec:trustManagers>
            </httpj:tlsServerParameters>
        </httpj:engine>
    </httpj:engine-factory>

But you can get the password from a callback or another store using programmatic initialization of tlsClientParameters:
       TLSClientParameters tlsClientParameters = new TLSClientParameters();
       ...
       String alg = KeyManagerFactory.getDefaultAlgorithm();
        char[] keyPass = keyPassword != null
                     ? keyPassword.toCharArray()
                     : null;
        KeyManagerFactory fac = KeyManagerFactory.getInstance(alg);
        fac.init(keyStore, keyPass);
        tlsClientParameters.setKeyManagers(fac.getKeyManagers());
        HTTPConduit http = 
            (HTTPConduit) client.getConduit();
        http.setTlsClientParameters(tlsClientParameters);
        ...

Regards,
Andrei.


> -----Original Message-----
> From: Giriraj Bhojak [mailto:giriraj2k@gmail.com]
> Sent: Freitag, 11. Juli 2014 22:16
> To: users@cxf.apache.org
> Subject: Supplying passwords for key manager and trust manager to
> http:conduit
> 
> Hello all,
> 
> I am using http-conduit for SSL support in CXF 2.7.11.
> Is there a way I can specify a password callback for <sec:keyManagers> and
> <sec:trustManagers>?
> 
> Thanks,
> Giriraj.
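As an added example (not Andrei's code and not part of CXF), the programmatic initialization sketched above, with the keystore, key and truststore passwords obtained from a javax.security.auth.callback.CallbackHandler supplied by the application instead of a Spring attribute. It also covers the two points raised later in the thread: a keystore holding several private keys (TLSClientParameters.setCertAlias is the programmatic counterpart of <sec:certAlias>), and the UnrecoverableKeyException Giriraj sees once a second key with a different password is in the keystore. On that last point it goes beyond the thread: the default JSSE key manager opens every key entry with the single password handed to KeyManagerFactory.init, which is what the quoted stack trace shows (KeyStore.getKey called during engineInit), so the example copies only the chosen alias into an in-memory keystore first. The class name, the callback prompts, the JKS type and the file paths are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

// Hypothetical helper class (an added example, not part of CXF).
public final class CallbackTlsConfigurer {

    // Asks the application's CallbackHandler for one password; the prompt only labels the request.
    static char[] askPassword(CallbackHandler handler, String prompt) throws IOException, UnsupportedCallbackException {
        PasswordCallback cb = new PasswordCallback(prompt, false);
        handler.handle(new Callback[] {cb});
        char[] pw = cb.getPassword();   // a copy; the callback's own buffer is wiped next
        cb.clearPassword();
        if (pw == null) {
            throw new IOException("no password supplied for: " + prompt);
        }
        return pw;
    }

    static KeyStore loadKeyStore(String path, String type, char[] storePass) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);   // a wrong store password fails here, not at key access
        }
        return ks;
    }

    // The default JSSE key manager opens every key entry with the one password it is given, so an unrelated entry
    // with another password fails KeyManagerFactory.init with UnrecoverableKeyException; copy only the chosen alias.
    static KeyStore singleKeyStore(KeyStore source, String alias, char[] keyPass) throws IOException, GeneralSecurityException {
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(keyPass);
        KeyStore.Entry entry = source.getEntry(alias, prot);   // a wrong key password fails here
        if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
            throw new GeneralSecurityException("no private key entry for alias " + alias);
        }
        KeyStore filtered = KeyStore.getInstance(source.getType());
        filtered.load(null, null);   // empty in-memory keystore
        filtered.setEntry(alias, entry, prot);
        return filtered;
    }

    // Programmatic counterpart of <sec:keyManagers>, <sec:trustManagers> and <sec:certAlias>, with all
    // passwords coming from the callback handler. alias may be null when the keystore holds one key.
    static TLSClientParameters buildTlsParams(CallbackHandler handler, String keyStorePath, String trustStorePath,
            String alias) throws IOException, GeneralSecurityException, UnsupportedCallbackException {
        char[] storePass = askPassword(handler, "keystore password");
        char[] keyPass = askPassword(handler, "key password");
        char[] trustPass = askPassword(handler, "truststore password");
        try {
            KeyStore ks = loadKeyStore(keyStorePath, "JKS", storePass);
            String chosen = alias;
            for (String a : Collections.list(ks.aliases())) {   // no alias given: default to the only key entry
                if (alias == null && ks.isKeyEntry(a)) {
                    if (chosen != null) {
                        throw new GeneralSecurityException("several keys in keystore; name an alias");
                    }
                    chosen = a;
                }
            }
            if (chosen == null) {
                throw new GeneralSecurityException("no key entry in " + keyStorePath);
            }
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(singleKeyStore(ks, chosen, keyPass), keyPass);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(loadKeyStore(trustStorePath, "JKS", trustPass));
            TLSClientParameters tls = new TLSClientParameters();
            tls.setKeyManagers(kmf.getKeyManagers());
            tls.setTrustManagers(tmf.getTrustManagers());
            tls.setCertAlias(chosen);   // same effect as <sec:certAlias> in the XML form
            return tls;
        } finally {
            Arrays.fill(storePass, '\0');   // the factories have copied what they need
            Arrays.fill(keyPass, '\0');
            Arrays.fill(trustPass, '\0');
        }
    }

    // Attaches the parameters to the HTTPConduit behind a JAX-WS proxy, as in the snippet above.
    static void apply(Object proxy, TLSClientParameters tls) {
        Client client = ClientProxy.getClient(proxy);
        HTTPConduit http = (HTTPConduit) client.getConduit();
        http.setTlsClientParameters(tls);
    }
}
```

Call buildTlsParams with the application's CallbackHandler and hand the result to apply before the first invocation on the proxy. With a single-key keystore alias can be null; with several keys it must be given, which mirrors the certAlias requirement from the XML configuration. Because the keystore handed to KeyManagerFactory contains only the selected entry, other entries in the file can keep their own passwords without triggering the UnrecoverableKeyException from the thread.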