Posted to users@camel.apache.org by santhosh <ra...@gmail.com> on 2013/01/17 00:35:27 UTC

Camel Http4 SSL mutual authentication info

Hey, I want to congratulate you guys on such wonderful documentation available
for camel http for customising the http client configurer. I have also found
the other docs sufficient enough. That definitely makes dev easy.

I had a few minor hiccups during configuring the camel http4 config. I followed
the doc, which says:

if you just want to specify the keystore and truststore you can do this
with Apache HTTP HttpClientConfigurer, for example:

KeyStore keystore = ...;
KeyStore truststore = ...;

SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("https", 443, new SSLSocketFactory(keystore, "mypassword", truststore)));

But if this was done, though I could see from the SSL logs that the cert in the
truststore was recognised, with a message like "Adding cert X to trust store", when I
hit the server the SSL handshake did not go through and the server cert failed validation
with the message "peer not authenticated". I knew the server cert was in the
truststore, as I could see it in the SSL log. I just changed these lines and got it
working.

Replaced

SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("https", 443, new SSLSocketFactory(keystore, "yourpassword", truststore)));

with

httpClient.getConnectionManager().getSchemeRegistry().register(new Scheme("https", socketFactory, 443));

I just added the scheme to the existing registry in httpClient. I don't know if
you guys left the setting part out of the doc because you thought it was too simple to be
figured out, but I just thought it might help someone.

Crux of the code:

import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import org.apache.camel.component.http4.HttpClientConfigurer;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;

// class name is a placeholder; the original post only showed the method body
public class MyHttpClientConfigurer implements HttpClientConfigurer {

	public void configureHttpClient(HttpClient httpClient) {

		try {
			// if you want all hosts to be recognised irrespective of the
			// ones in the cert (note: this disables hostname verification, so
			// the peer is only checked against the truststore, not its name)
			X509HostnameVerifier hostnameVerifier =
					SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;

			// load the keystore containing the client certificate - keystore
			// type is probably jks or pkcs12
			final KeyStore keystore = KeyStore.getInstance("jks");
			InputStream keystoreInput = new FileInputStream(new File(
					"sslcerts/keystore.jks"));
			try {
				keystore.load(keystoreInput, "yourpassword".toCharArray());
			} finally {
				keystoreInput.close();
			}

			// load the truststore, leave it null to rely on cacerts distributed
			// with the JVM - truststore type is probably jks or pkcs12
			KeyStore truststore = KeyStore.getInstance("jks");
			InputStream truststoreInput = new FileInputStream(new File(
					"sslcerts/truststore.jks"));
			try {
				truststore.load(truststoreInput, "password".toCharArray());
			} finally {
				truststoreInput.close();
			}

			// the second argument is the password of the client key entry in
			// the keystore (normally the same as the keystore password above)
			SSLSocketFactory socketFactory = new SSLSocketFactory(keystore,
					"yourpassword", truststore);
			socketFactory.setHostnameVerifier(hostnameVerifier);

			// register the scheme in the registry the client already uses,
			// not in a fresh SchemeRegistry that is never attached to it
			httpClient.getConnectionManager().getSchemeRegistry().register(
					new Scheme("https", socketFactory, 443));

		} catch (Exception e) {
			// TODO remove and add log into DB
			e.printStackTrace();
		}
	}
}

Useful debugging info if you are using Karaf/SMX:
For turning on the SSL log in Karaf, which is mighty helpful, I added this
in the Java options section in karaf.bat:
-Djavax.net.debug=all. This might not be the correct way, but it works, and this
is the only way I could figure out from the internet :)



--
View this message in context: http://camel.465427.n5.nabble.com/Camel-Http4-SSL-mutual-authentication-info-tp5725666.html
Sent from the Camel - Users mailing list archive at Nabble.com.
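An added example that is not part of the post above or of the Camel project: a complete HttpClientConfigurer for the camel-http4 / HttpClient 4.x API the post is written against (the Camel 2.x version where configureHttpClient receives an HttpClient rather than an HttpClientBuilder). It keeps the post's key fix, registering the "https" scheme into the registry the client already uses, and in addition closes the store streams, takes passwords as parameters instead of literals, keeps strict hostname verification on by default, and fails loudly instead of printing a stack trace, so a broken store configuration stops the route rather than silently leaving HTTPS unconfigured. The class name, constructor arguments and the bean id "mtlsConfigurer" in the usage comment are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import org.apache.camel.component.http4.HttpClientConfigurer;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;

/**
 * Mutual-TLS configurer for camel-http4 (HttpClient 4.x SchemeRegistry API).
 * Hypothetical class written for this thread; names and paths are placeholders.
 *
 * Usage (bean id assumed): register an instance as "mtlsConfigurer" in the
 * Camel registry and reference it from the endpoint URI with
 * http4://host/path?httpClientConfigurer=#mtlsConfigurer
 */
public class MutualTlsConfigurer implements HttpClientConfigurer {

    private final String keystorePath;
    private final char[] keystorePassword;
    private final String truststorePath;
    private final char[] truststorePassword;
    private final boolean verifyHostname;

    public MutualTlsConfigurer(String keystorePath, char[] keystorePassword,
                               String truststorePath, char[] truststorePassword,
                               boolean verifyHostname) {
        this.keystorePath = keystorePath;
        this.keystorePassword = keystorePassword;
        this.truststorePath = truststorePath;
        this.truststorePassword = truststorePassword;
        this.verifyHostname = verifyHostname;
    }

    // Loads a JKS (or PKCS12, if "PKCS12" is passed) store and always closes the stream.
    private static KeyStore loadStore(String type, String path, char[] password)
            throws Exception {
        KeyStore store = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            store.load(in, password);
        } finally {
            in.close();
        }
        return store;
    }

    @Override
    public void configureHttpClient(HttpClient httpClient) {
        try {
            // keystore holds the client certificate and private key (sent to the server);
            // truststore holds the CA(s) the server certificate must chain to
            KeyStore keystore = loadStore("JKS", keystorePath, keystorePassword);
            KeyStore truststore = loadStore("JKS", truststorePath, truststorePassword);

            // third argument is the password of the client key entry, which in most
            // stores equals the keystore password
            SSLSocketFactory socketFactory = new SSLSocketFactory(
                    keystore, new String(keystorePassword), truststore);

            // STRICT checks the server's hostname against its certificate;
            // ALLOW_ALL skips that check and should only be used for local testing
            X509HostnameVerifier verifier = verifyHostname
                    ? SSLSocketFactory.STRICT_HOSTNAME_VERIFIER
                    : SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
            socketFactory.setHostnameVerifier(verifier);

            // the point of the original post: a new SchemeRegistry() is never consulted
            // by the client, so register into the one its connection manager owns
            SchemeRegistry registry = httpClient.getConnectionManager().getSchemeRegistry();
            registry.register(new Scheme("https", 443, socketFactory));
        } catch (Exception e) {
            // surface the misconfiguration at route start instead of swallowing it,
            // which would leave the client using the JVM default trust settings
            throw new IllegalStateException("could not configure mutual TLS for http4", e);
        }
    }
}
```

The "peer not authenticated" error from the post is exactly what an unattached registry produces: the client keeps using its default SSL scheme, so the custom truststore is loaded (hence the "Adding cert X to trust store" log line) but never used for the connection. Turning hostname verification off is kept as an explicit constructor flag so that a test setting cannot quietly survive into production configuration.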

Re: Camel Http4 SSL mutual authentication info

Posted by Claus Ibsen <cl...@gmail.com>.
Hi

Thanks for sharing your findings and suggestions for improving/fixing the docs.

As we love contributions, you can help with the docs. We have some
details on how to do that at
http://camel.apache.org/contributing.html

Read especially this
http://camel.apache.org/how-do-i-edit-the-website.html


On Thu, Jan 17, 2013 at 12:35 AM, santhosh <ra...@gmail.com> wrote:



-- 
Claus Ibsen
-----------------
Red Hat, Inc.
FuseSource is now part of Red Hat
Email: cibsen@redhat.com
Web: http://fusesource.com
Twitter: davsclaus
Blog: http://davsclaus.com
Author of Camel in Action: http://www.manning.com/ibsen