You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@camel.apache.org by Richard Davis <Ri...@boots.co.uk> on 2018/12/03 16:04:06 UTC

Configuring a CFXEndPoint with multiple certificates

We are trying to make client requests to a SOAP web service using the Apache CXF component from a central Camel server. The endpoint
is always the same address, however, the owner of the endpoint wants a different SSL certificate depending on which of our high street stores
the request originates from.
We have created one CFXEndpoint per store, each with its own CxfEndpointConfigurer that sets up the conduit's TlsClientParameters with
the correct certificate store information. Then we've used a RecipientList in the route to dynamically select the correct endpoint with the
relevant certificate.
Unfortunately, because the endpoints all share the same address, the configureClient method on the CxfEndpointConfigurer is only ever
called once, even though each endpoint has a different instance containing different SSL configuration info. This results in all the endpoint
instances sharing the same certificate. As a test we changed the endpoint address for one of the CFXEndpoint instances and saw that its
related configureClient was called correctly.
So it appears that if CFXEndPoints have different addresses then their CxfEndpointConfigurer will be called, but if 2 or more endpoint instances
share the same address then the CxfEndpointConfigurer is only called once even though those configurers are different instances with different
configurations.
Does anyone have any advice on how we can dynamically allocate certificates to the same endpoint based on message content (store id effectively)?

Richard Davis | Architect | Healthcare | Boots IT
D90 East EG03| 1 Thane Road | Nottingham | NG90 1BS
* Internal: 725481 | * External: +44(0) 115 959 5481 | * Email: richard.davis@boots.co.uk<ma...@boots.co.uk>



Boots UK Limited, Registered 928555, Nottingham NG2 3AA This e-mail (including any attachments) is confidential. It may be read, copied and used only by the intended recipient. If you are not the intended recipient you should not copy it or use it for any purpose or disclose its contents to any other person. If you have received this message in error, please notify us and remove it from your system. We cannot accept liability for any damage you incur as a result of virus infection.

Re: Configuring a CFXEndPoint with multiple certificates

Posted by Richard Davis <Ri...@boots.co.uk>.
Couldn't find a clean solution for this so I've created a JIRA issue: CAMEL 12989 Allow Endpoint to set the key that ProducerCache uses

I've also created an implementation and submitted a PR.

Solution works well and I now have the ability to use a RecipientList with the CXFEndpoints that have the same URI but different SSL certificates.


________________________________
From: users-return-68000-Richard.Davis=boots.co.uk@camel.apache.org <us...@camel.apache.org>
Sent: 07 December 2018 16:28:18
To: users@camel.apache.org
Subject: [CAUTION] RE: Configuring a CFXEndPoint with multiple certificates

That solution is actually not very efficient as the Producer will continually be created if the RecipientList endpoints are constantly changing which is likely for my case. The problem is that the cache is keyed on the URI but for my use case this is not enough. I really need the ability to set the ProducerCache key programmatically much as I can when I add the Endpoint to the CamelContext.

Extending the CXFEndPoint and overriding getEndpointUri would not work as the Uri is always the same and adding extra characters to the returned result would break the actual communication.

Really I need something like:

 protected synchronized Producer doGetProducer(Endpoint endpoint, boolean pooled) {
        String key = endpoint.getProducerCacheKey(); // new method on Endpoint or Service interface
        Producer answer = producers.get(key);

I could then implement / override the getProducerCacheKey() myself.

Boots UK Limited, Registered 928555, Nottingham NG2 3AA This e-mail (including any attachments) is confidential. It may be read, copied and used only by the intended recipient. If you are not the intended recipient you should not copy it or use it for any purpose or disclose its contents to any other person. If you have received this message in error, please notify us and remove it from your system. We cannot accept liability for any damage you incur as a result of virus infection.
Boots UK Limited, Registered 928555, Nottingham NG2 3AA This e-mail (including any attachments) is confidential. It may be read, copied and used only by the intended recipient. If you are not the intended recipient you should not copy it or use it for any purpose or disclose its contents to any other person. If you have received this message in error, please notify us and remove it from your system. We cannot accept liability for any damage you incur as a result of virus infection.

RE: Configuring a CFXEndPoint with multiple certificates

Posted by Richard Davis <Ri...@boots.co.uk>.
That solution is actually not very efficient as the Producer will continually be created if the RecipientList endpoints are constantly changing which is likely for my case. The problem is that the cache is keyed on the URI but for my use case this is not enough. I really need the ability to set the ProducerCache key programmatically much as I can when I add the Endpoint to the CamelContext.

Extending the CXFEndPoint and overriding getEndpointUri would not work as the Uri is always the same and adding extra characters to the returned result would break the actual communication.

Really I need something like:

 protected synchronized Producer doGetProducer(Endpoint endpoint, boolean pooled) {
        String key = endpoint.getProducerCacheKey(); // new method on Endpoint or Service interface
        Producer answer = producers.get(key);

I could then implement / override the getProducerCacheKey() myself.

Boots UK Limited, Registered 928555, Nottingham NG2 3AA This e-mail (including any attachments) is confidential. It may be read, copied and used only by the intended recipient. If you are not the intended recipient you should not copy it or use it for any purpose or disclose its contents to any other person. If you have received this message in error, please notify us and remove it from your system. We cannot accept liability for any damage you incur as a result of virus infection.

RE: Configuring a CFXEndPoint with multiple certificates

Posted by Richard Davis <Ri...@boots.co.uk>.
I have found what I believe to be the problem:

ProducerCache.doGetProducer does not compare the Endpoint contained in the Producer returned by its producers Map with the endpoint supplied by RecipientList.resolveEndpoint. ProducerCache keys its Producers by endpoint URI but this does not allow for the creation of Endpoints that have the same URI but a different configuration e.g. a different SSL certificate. Here is the piece of code I think is erroneous:

    protected synchronized Producer doGetProducer(Endpoint endpoint, boolean pooled) {
        String key = endpoint.getEndpointUri();
        Producer answer = producers.get(key);
        if (pooled && answer == null) {
            // try acquire from connection pool
            answer = pool.acquire(endpoint);
        }

        if (answer == null) {
            // create a new producer
....

If this were changed to something like the following it would allow for endpoints with the same URI but different configs:

    protected synchronized Producer doGetProducer(Endpoint endpoint, boolean pooled) {
        String key = endpoint.getEndpointUri();
        Producer answer = producers.get(key);

        if (pooled && answer == null) {
            // try acquire from connection pool
            answer = pool.acquire(endpoint);
        }
        // CHANGE TO COMPARE ENDPOINT IN CACHE WITH PROVIDED ENDPOINT
        if (answer == null || answer.getEndpoint() != endpoint) {
            // create a new producer

I have done a simple test and it works fine for my use case i.e. using the same Endpoint URI but having a different keystore attached to its config. Not sure what side effects it may have but on the face of it I would say it's pretty harmless. I guess it needs approval and testing.


-----Original Message-----
From: users-return-67968-Richard.Davis=boots.co.uk@camel.apache.org [mailto:users-return-67968-Richard.Davis=boots.co.uk@camel.apache.org]
Sent: 03 December 2018 16:04
To: users@camel.apache.org
Subject: [CAUTION] Configuring a CFXEndPoint with multiple certificates

We are trying to make client requests to a SOAP web service using the Apache CXF component from a central Camel server. The endpoint is always the same address, however, the owner of the endpoint wants a different SSL certificate depending on which of our high street stores the request originates from.
We have created one CFXEndpoint per store, each with its own CxfEndpointConfigurer that sets up the conduit's TlsClientParameters with the correct certificate store information. Then we've used a RecipientList in the route to dynamically select the correct endpoint with the relevant certificate.
Unfortunately, because the endpoints all share the same address, the configureClient method on the CxfEndpointConfigurer is only ever called once, even though each endpoint has a different instance containing different SSL configuration info. This results in all the endpoint instances sharing the same certificate. As a test we changed the endpoint address for one of the CFXEndpoint instances and saw that its related configureClient was called correctly.
So it appears that if CFXEndPoints have different addresses then their CxfEndpointConfigurer will be called, but if 2 or more endpoint instances share the same address then the CxfEndpointConfigurer is only called once even though those configurers are different instances with different configurations.
Does anyone have any advice on how we can dynamically allocate certificates to the same endpoint based on message content (store id effectively)?

Richard Davis | Architect | Healthcare | Boots IT
D90 East EG03| 1 Thane Road | Nottingham | NG90 1BS
* Internal: 725481 | * External: +44(0) 115 959 5481 | * Email: richard.davis@boots.co.uk<ma...@boots.co.uk>



Boots UK Limited, Registered 928555, Nottingham NG2 3AA This e-mail (including any attachments) is confidential. It may be read, copied and used only by the intended recipient. If you are not the intended recipient you should not copy it or use it for any purpose or disclose its contents to any other person. If you have received this message in error, please notify us and remove it from your system. We cannot accept liability for any damage you incur as a result of virus infection.
Boots UK Limited, Registered 928555, Nottingham NG2 3AA This e-mail (including any attachments) is confidential. It may be read, copied and used only by the intended recipient. If you are not the intended recipient you should not copy it or use it for any purpose or disclose its contents to any other person. If you have received this message in error, please notify us and remove it from your system. We cannot accept liability for any damage you incur as a result of virus infection.