Posted to users@cxf.apache.org by blitzer <br...@gmail.com> on 2009/12/18 19:23:10 UTC

CXF SSL and Configuration

So, in short, I have a small configuration issue. With one line of code in an
Axis client I can use a URL against a web service that is HTTPS. All I have
to do is set System.setProperty("javax.net.ssl.truststore",storeLocation)
and my client works.

With CXF it seems there is much more to it. I have tried many many things
from lots of searches.

I have tried a conduit that looks like this
Configuration A:
<http-conf:conduit name="*.http-conduit">

    <http-conf:client ProxyServer="aProxy" ProxyServerPort="80" AllowChunking="false" />

    <http-conf:tlsClientParameters disableCNCheck="true" secureSocketProtocol="SSL">
        <conf-sec:trustManagers>
            <conf-sec:certStore file="E://PLAYGROUND//blitz//cert//store"/>
        </conf-sec:trustManagers>
    </http-conf:tlsClientParameters>

    <http-conf:authorization>
        <conf-sec:UserName>User</conf-sec:UserName>
        <conf-sec:Password>pass</conf-sec:Password>
    </http-conf:authorization>

</http-conf:conduit>

And one that looks like this:
Configuration B:
<http-conf:conduit name="*.http-conduit">

    <http-conf:client ProxyServer="aProxy" ProxyServerPort="80" AllowChunking="false" />

    <http-conf:tlsClientParameters disableCNCheck="true" secureSocketProtocol="SSL">
        <conf-sec:trustManagers>
            <conf-sec:keyStore type="JKS" password="password" file="E:/PLAYGROUND/blitz/cert/store"/>
        </conf-sec:trustManagers>
    </http-conf:tlsClientParameters>

    <http-conf:authorization>
        <conf-sec:UserName>User</conf-sec:UserName>
        <conf-sec:Password>pass</conf-sec:Password>
    </http-conf:authorization>

</http-conf:conduit>

I am not a cert or keystore expert by any means, and I am confused about which
configuration I should be using. My use case is using CXF to call a third-party
HTTPS service. I pulled the cert from their site and performed a keytool import
on it to get the store. All the proxy and basic auth stuff works like a charm.
When I try to use SSL, however, I cannot get a single configuration to work. I am
sure that this works, but online everyone that has solved this issue has a
different way of doing so.

With Configuration A I get an error about my DerInputStream being too large.
With Configuration B I get an error that there is no trusted certification
found. Also with this configuration I debugged the HttpConduit object and in
the tlsClientParameters I can see the store in all its glory with all the
correct configurations that are in the configuration xml file.

I want CXF to make this project a success. Any ideas on what I am doing
wrong?
Thanks
-- 
View this message in context: http://old.nabble.com/CXF-SSL-and-Configuration-tp26847600p26847600.html
Sent from the cxf-user mailing list archive at Nabble.com.


Re: CXF SSL and Configuration

Posted by Daniel Kulp <dk...@apache.org>.
On Mon December 21 2009 1:13:28 pm blitzer wrote:
> I removed everything but <http-conf:tlsClientParameters
> secureSocketProtocol="SSL"/>
> And it now works. What causes this to work?

Basically, at one point a few versions ago, for any HTTPS stuff, we REQUIRED
the tlsClientParameters to be configured. If you used an HTTPS URL without
it, we'd throw an exception. As you discovered, configuring the TLS stuff
can be a bit complex, so we added the ability for HTTPS URLs to work if the
tlsClientParameters setting isn't configured, by fully delegating to the JRE
for security/HTTPS stuff. However, if tlsClientParameters is configured, we
can no longer delegate to the JRE and use the configured information. Thus,
once you deleted the configuration, the JRE is used and it should work for
you.

Dan



-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog

Re: CXF SSL and Configuration

Posted by blitzer <br...@gmail.com>.
I removed everything but <http-conf:tlsClientParameters
secureSocketProtocol="SSL"/> 
And it now works. What causes this to work?





Re: CXF SSL and Configuration

Posted by Daniel Kulp <dk...@apache.org>.
Curiosity question:  what version of CXF?    With the very recent versions, I 
THOUGHT the javax.net.ssl.truststore stuff should work.   

Dan



-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog

RE: CXF SSL and Configuration

Posted by Eamonn Dwyer <ea...@hotmail.com>.
Sorry, my previous reply needs a bit of clarification...
"using option A on a JKS store gives me the "DerInputStream too long error" too, that is I see the error too when I use the certStore configuration style to try and load my .jks file"

Regards
Eamonn


RE: CXF SSL and Configuration

Posted by Eamonn Dwyer <ea...@hotmail.com>.
Hi 
using option A on a JKS store gives me the DerInputStream too long error too.
You should be able to use configuration B; for example, we use the following in our wsdl_first_https demo:
      <sec:trustManagers>
          <sec:keyStore type="JKS" password="password"
               file="C:/fuse-services-framework-2.2.2.0/samples/wsdl_first_https/certs/truststore.jks"/>
      </sec:trustManagers>

When you do a keytool -list, do you get output something like this?

C:\fuse-services-framework-2.2.2.0\samples\wsdl_first_https>keytool -list -keystore C:\fuse-services-framework-2.2.2.0\samples\wsdl_first_https\certs\truststore.jks
Enter keystore password:  password

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

theca, 22-Jun-2009, trustedCertEntry,
Certificate fingerprint (MD5): 6A:81:50:51:1E:0D:3F:62:C6:36:FD:A2:81:95:14:39

Regards
Eamonn
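
As an added example (not code from the thread or from CXF's own samples), the programmatic equivalent of the two routes that work in this thread: Dan's "leave tlsClientParameters out and let the JRE handle HTTPS" route, and Eamonn's Configuration B route that loads a JKS trust store into the conduit's trust managers. The class name and the jaxwsProxy argument are assumptions; the last method shows what a certStore-style file is (to my knowledge, a single X.509 certificate rather than a JKS), which matches the DerInputStream error both posters hit when certStore is pointed at a .jks.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

// Hypothetical helper class; not part of CXF or of the thread.
public final class CxfTrustStoreSetup {

    /** Route 1 (Dan's answer): configure no tlsClientParameters at all, so CXF
     *  delegates HTTPS entirely to the JRE, and tell the JRE which trust store to use. */
    public static void trustViaJre(String jksPath, String jksPassword) {
        // JSSE property names are case-sensitive: "javax.net.ssl.truststore" (lower-case s)
        // is silently ignored; the recognised name is "javax.net.ssl.trustStore".
        System.setProperty("javax.net.ssl.trustStore", jksPath);
        System.setProperty("javax.net.ssl.trustStorePassword", jksPassword);
        // Any <http-conf:tlsClientParameters> on the conduit switches CXF off this JRE path.
    }

    /** Route 2 (Configuration B / Eamonn's sample): explicit TLS parameters on the
     *  HTTPConduit, with trust managers built from a JKS trust store. */
    public static void trustViaConduit(Object jaxwsProxy, String jksPath, char[] jksPassword)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(jksPath)) {
            trustStore.load(in, jksPassword);   // fails here if the file is not a JKS
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                   // trust only the entries in this store

        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(tmf.getTrustManagers());
        tls.setSecureSocketProtocol("TLS");     // thread used "SSL"; "TLS" picks the JRE default
        // Keep hostname verification on: disableCNCheck="true" lets any certificate in the
        // store, regardless of host name, pass for the server you are actually talking to.
        tls.setDisableCNCheck(false);

        Client client = ClientProxy.getClient(jaxwsProxy);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
    }

    /** What a <sec:certStore file="..."/> entry reads (assumption, see lead-in): one DER- or
     *  PEM-encoded X.509 certificate. A JKS file handed to this parser is what produces
     *  the "DerInputStream ... too big" error reported in the thread. */
    public static X509Certificate loadCertStoreFile(String certPath) throws Exception {
        try (InputStream in = new FileInputStream(certPath)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }
}
```

Use exactly one of the two routes per client: setting the system properties and also configuring tlsClientParameters gives you the explicit configuration only, as Dan describes.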

