You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Eamonn Dwyer (JIRA)" <ji...@apache.org> on 2009/08/25 18:47:59 UTC

[jira] Commented: (CXF-2403) Use of client certificates via http conduit configuration broken

    [ https://issues.apache.org/jira/browse/CXF-2403?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12747480#action_12747480 ] 

Eamonn Dwyer commented on CXF-2403:
-----------------------------------

Hi Wolfgang
the use of http:conduit / http:tlsClientParameters is quite widespread and has worked for me (at least). Maybe it is something to do with the particular keystore/trustsore you have set up. Can you upload your truststore and keystore so it can be tested?

Thanks
Eamonn

> Use of client certificates via http conduit configuration broken
> ----------------------------------------------------------------
>
>                 Key: CXF-2403
>                 URL: https://issues.apache.org/jira/browse/CXF-2403
>             Project: CXF
>          Issue Type: Bug
>          Components: Configuration
>            Reporter: Wolfgang Nagele
>
> To use standard SSL client certificates for authentication the following configuration should work:
> <http:conduit name="*.http-conduit">
>   <http:tlsClientParameters>
>     <sec:keyManagers keyPassword="password">
>       <sec:keyStore type="JKS" password="password" file="keystore" />
>     </sec:keyManagers>
>     <sec:trustManagers>
>       <sec:keyStore type="JKS" password="password" file="truststore" />
>     </sec:trustManagers>
>   </http:tlsClientParameters>
> </http:conduit>
> In this configuration we would have the public certificate of the server we want to connect to in the truststore and the private key and certificate in the keystore.
> With the current CXF implementation this results in the following exception:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> 	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174) [na:1.6.0_13]
> 	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238) [na:1.6.0_13]
> 	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280) [na:1.6.0_13]
> 	... 39 common frames omitted
> Once we additionally define the following properties it works:
> * javax.net.ssl.keyStore=keystore
> * javax.net.ssl.keyStorePassword=password
> * javax.net.ssl.trustStore=truststore
> * javax.net.ssl.trustStorePassword=password
> This however results in very ugly setups where we have to define the same data twice. Also we miss out on CXF's option of defining specific keystores and truststores per webservice.
> For further information also see: http://www.quendor.org/archiv/428

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.