Posted to users@camel.apache.org by Nico Mommaerts <ni...@gmail.com> on 2013/06/17 14:10:30 UTC

two way ssl with a camel cxf proxy use case on Tomcat

Hey,

I'm trying to set up a Camel CXF proxy with two way ssl (message gets sent
to camel app over http, camel forwards to an external customer over https,
2 way).
My Camel app is running on Tomcat (without Jetty running for CXF, I'm using
the CXFServlet). I have experience in setting up Tomcat for 2 way ssl with
Spring Webservices, but for Camel/CXF I see some literature about http
conduits and keystores.
So I'm not sure how to set this up for Camel/CXF, is it enough to configure
this on Tomcat level, like I do for normal Spring webservices, or do I need
to use the http conduit element in my configuration?

Thanks in advance,
Nicolas Mommaerts

Re: two way ssl with a camel cxf proxy use case on Tomcat

Posted by Nico Mommaerts <ni...@gmail.com>.
It's this problem:
http://cantina.co/2012/05/14/navigating-the-perils-of-sslv2-and-httpclient/comment-page-1/#comment-61403
Java is trying to answer in SSLv2 instead of TLS.

But I can't find how to disable SSLv2 using Camel/CXF/Spring config? I have
no algorithm defined on my http conduit so it should default to TLS..

On Wed, Jun 19, 2013 at 1:53 PM, Nico Mommaerts <ni...@gmail.com> wrote:

> I removed the cipherSuiteFilters, I get further now but now receive this:
> default-workqueue-1, handling exception: java.net.SocketException:
> Connection reset
> %% Invalidated:  [Session-2, SSL_RSA_WITH_RC4_128_MD5]
> default-workqueue-1, SEND TLSv1 ALERT:  fatal, description =
> unexpected_message
>
> I don't think this is Camel specific anymore, but if anyone would know the
> answer... :)
>
> On Wed, Jun 19, 2013 at 1:00 PM, Nico Mommaerts <ni...@gmail.com> wrote:
>
>> Ok thanks, that explains a lot.
>>
>> Unfortunately, I still don't get it to work. When I look at the
>> javax.net.debug output and compare to
>> http://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated%5FTLS%5Fhandshake,
>> I don't see *CertificateVerify* coming along, only the steps from one
>> way SSL are shown (and are successful). So the server responds with a 403
>> forbidden, client auth required message.
>>
>> My config looks like this (using the wildcard because else it wouldn't
>> match, disabled cncheck to avoid those problems):
>>   <http:conduit name="*.http-conduit">
>>     <http:tlsClientParameters disableCNCheck="true">
>>       <sec:keyManagers keyPassword="mysecret">
>>         <sec:keyStore type="JKS" password="mysecret"
>>                       file="/data/tomcat/serv03/keystore/.keystore" />
>>       </sec:keyManagers>
>>       <sec:cipherSuitesFilter>
>>         <sec:include>.*_EXPORT_.*</sec:include>
>>         <sec:include>.*_EXPORT1024_.*</sec:include>
>>         <sec:include>.*_WITH_DES_.*</sec:include>
>>         <sec:include>.*_WITH_NULL_.*</sec:include>
>>         <sec:exclude>.*_DH_anon_.*</sec:exclude>
>>       </sec:cipherSuitesFilter>
>>     </http:tlsClientParameters>
>>   </http:conduit>
>>
>> I don't have a trustManager configured as the server is using real certs
>> (vs self-signed), and I can see in the javax.net.debug logging that the
>> server's certificate is found and trusted.
>> The .keystore contains our self-signed certificate which is also imported
>> on the server side (IIS7).
>>
>> Do I need to do anything else to enable client-authentication? Can I see
>> in the javax.net.debug output if the server even requests client auth?
>>
>>
>> On Tue, Jun 18, 2013 at 1:28 PM, Aki Yoshida <el...@gmail.com> wrote:
>>
>>> these are two different things (the inbound side configuration you
>>> already
>>> have and the outbound side configuration you asked for) and depending on
>>> what you need at each side, you can configure them independently.
>>>
>>>
>>>
>>> 2013/6/17 Nico Mommaerts <ni...@gmail.com>
>>>
>>> > Ok thanks! Had already read that but wasn't sure if that was needed if
>>> ssl
>>> > is also defined in Tomcat itself (is it harmful to also configure it
>>> > there?)
>>> >
>>> > On Mon, Jun 17, 2013 at 4:35 PM, Aki Yoshida <el...@gmail.com>
>>> wrote:
>>> >
>>> > > you configure the ssl setting at your http conduit configuration.
>>> > > and this is explained in this cxf's online documentation:
>>> > >
>>> > >
>>> >
>>> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-ConfiguringSSLSupport
>>> > >
>>> > > regards, aki
>>> > >
>>> > >
>>> > > 2013/6/17 Nico Mommaerts <ni...@gmail.com>
>>> > >
>>> > > > Hey,
>>> > > >
>>> > > > I'm trying to set up a Camel CXF proxy with two way ssl (message
>>> gets
>>> > sent
>>> > > > to camel app over http, camel forwards to an external customer over
>>> > > https,
>>> > > > 2 way).
>>> > > > My Camel app is running on Tomcat (without Jetty running for CXF,
>>> I'm
>>> > > using
>>> > > > the CXFServlet). I have experience in setting up Tomcat for 2 way
>>> ssl
>>> > > with
>>> > > > Spring Webservices, but for Camel/CXF I see some literature about
>>> http
>>> > > > conduits and keystores.
>>> > > > So I'm not sure how to set this up for Camel/CXF, is it enough to
>>> > > configure
>>> > > > this on Tomcat level, like I do for normal Spring webservices, or
>>> do I
>>> > > need
>>> > > > to use the http conduit element in my configuration?
>>> > > >
>>> > > > Thanks in advance,
>>> > > > Nicolas Mommaerts
>>> > > >
>>> > >
>>> >
>>>
>>
>>
>

Re: two way ssl with a camel cxf proxy use case on Tomcat

Posted by Nico Mommaerts <ni...@gmail.com>.
I removed the cipherSuiteFilters, I get further now but now receive this:
default-workqueue-1, handling exception: java.net.SocketException:
Connection reset
%% Invalidated:  [Session-2, SSL_RSA_WITH_RC4_128_MD5]
default-workqueue-1, SEND TLSv1 ALERT:  fatal, description =
unexpected_message

I don't think this is Camel specific anymore, but if anyone would know the
answer... :)

On Wed, Jun 19, 2013 at 1:00 PM, Nico Mommaerts <ni...@gmail.com> wrote:

> Ok thanks, that explains a lot.
>
> Unfortunately, I still don't get it to work. When I look at the
> javax.net.debug output and compare to
> http://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated%5FTLS%5Fhandshake,
> I don't see *CertificateVerify* coming along, only the steps from one way
> SSL are shown (and are successful). So the server responds with a 403
> forbidden, client auth required message.
>
> My config looks like this (using the wildcard because else it wouldn't
> match, disabled cncheck to avoid those problems):
>   <http:conduit name="*.http-conduit">
>     <http:tlsClientParameters disableCNCheck="true">
>       <sec:keyManagers keyPassword="mysecret">
>         <sec:keyStore type="JKS" password="mysecret"
>                       file="/data/tomcat/serv03/keystore/.keystore" />
>       </sec:keyManagers>
>       <sec:cipherSuitesFilter>
>         <sec:include>.*_EXPORT_.*</sec:include>
>         <sec:include>.*_EXPORT1024_.*</sec:include>
>         <sec:include>.*_WITH_DES_.*</sec:include>
>         <sec:include>.*_WITH_NULL_.*</sec:include>
>         <sec:exclude>.*_DH_anon_.*</sec:exclude>
>       </sec:cipherSuitesFilter>
>     </http:tlsClientParameters>
>   </http:conduit>
>
> I don't have a trustManager configured as the server is using real certs
> (vs self-signed), and I can see in the javax.net.debug logging that the
> server's certificate is found and trusted.
> The .keystore contains our self-signed certificate which is also imported
> on the server side (IIS7).
>
> Do I need to do anything else to enable client-authentication? Can I see
> in the javax.net.debug output if the server even requests client auth?
>
>
> On Tue, Jun 18, 2013 at 1:28 PM, Aki Yoshida <el...@gmail.com> wrote:
>
>> these are two different things (the inbound side configuration you already
>> have and the outbound side configuration you asked for) and depending on
>> what you need at each side, you can configure them independently.
>>
>>
>>
>> 2013/6/17 Nico Mommaerts <ni...@gmail.com>
>>
>> > Ok thanks! Had already read that but wasn't sure if that was needed if
>> ssl
>> > is also defined in Tomcat itself (is it harmful to also configure it
>> > there?)
>> >
>> > On Mon, Jun 17, 2013 at 4:35 PM, Aki Yoshida <el...@gmail.com> wrote:
>> >
>> > > you configure the ssl setting at your http conduit configuration.
>> > > and this is explained in this cxf's online documentation:
>> > >
>> > >
>> >
>> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-ConfiguringSSLSupport
>> > >
>> > > regards, aki
>> > >
>> > >
>> > > 2013/6/17 Nico Mommaerts <ni...@gmail.com>
>> > >
>> > > > Hey,
>> > > >
>> > > > I'm trying to set up a Camel CXF proxy with two way ssl (message gets
>> > sent
>> > > > to camel app over http, camel forwards to an external customer over
>> > > https,
>> > > > 2 way).
>> > > > My Camel app is running on Tomcat (without Jetty running for CXF,
>> I'm
>> > > using
>> > > > the CXFServlet). I have experience in setting up Tomcat for 2 way
>> ssl
>> > > with
>> > > > Spring Webservices, but for Camel/CXF I see some literature about
>> http
>> > > > conduits and keystores.
>> > > > So I'm not sure how to set this up for Camel/CXF, is it enough to
>> > > configure
>> > > > this on Tomcat level, like I do for normal Spring webservices, or
>> do I
>> > > need
>> > > > to use the http conduit element in my configuration?
>> > > >
>> > > > Thanks in advance,
>> > > > Nicolas Mommaerts
>> > > >
>> > >
>> >
>>
>
>

Re: two way ssl with a camel cxf proxy use case on Tomcat

Posted by Nico Mommaerts <ni...@gmail.com>.
Ok thanks, that explains a lot.

Unfortunately, I still don't get it to work. When I look at the
javax.net.debug output and compare to
http://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated%5FTLS%5Fhandshake,
I don't see *CertificateVerify* coming along, only the steps from one way
SSL are shown (and are successful). So the server responds with a 403
forbidden, client auth required message.

My config looks like this (using the wildcard because else it wouldn't
match, disabled cncheck to avoid those problems):
  <http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
      <sec:keyManagers keyPassword="mysecret">
        <sec:keyStore type="JKS" password="mysecret"
                      file="/data/tomcat/serv03/keystore/.keystore" />
      </sec:keyManagers>
      <sec:cipherSuitesFilter>
        <sec:include>.*_EXPORT_.*</sec:include>
        <sec:include>.*_EXPORT1024_.*</sec:include>
        <sec:include>.*_WITH_DES_.*</sec:include>
        <sec:include>.*_WITH_NULL_.*</sec:include>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
  </http:conduit>

I don't have a trustManager configured as the server is using real certs
(vs self-signed), and I can see in the javax.net.debug logging that the
server's certificate is found and trusted.
The .keystore contains our self-signed certificate which is also imported
on the server side (IIS7).

Do I need to do anything else to enable client-authentication? Can I see in
the javax.net.debug output if the server even requests client auth?

On Tue, Jun 18, 2013 at 1:28 PM, Aki Yoshida <el...@gmail.com> wrote:

> these are two different things (the inbound side configuration you already
> have and the outbound side configuration you asked for) and depending on
> what you need at each side, you can configure them independently.
>
>
>
> 2013/6/17 Nico Mommaerts <ni...@gmail.com>
>
> > Ok thanks! Had already read that but wasn't sure if that was needed if
> ssl
> > is also defined in Tomcat itself (is it harmful to also configure it
> > there?)
> >
> > On Mon, Jun 17, 2013 at 4:35 PM, Aki Yoshida <el...@gmail.com> wrote:
> >
> > > you configure the ssl setting at your http conduit configuration.
> > > and this is explained in this cxf's online documentation:
> > >
> > >
> >
> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-ConfiguringSSLSupport
> > >
> > > regards, aki
> > >
> > >
> > > 2013/6/17 Nico Mommaerts <ni...@gmail.com>
> > >
> > > > Hey,
> > > >
> > > > I'm trying to set up a Camel CXF proxy with two way ssl (message gets
> > sent
> > > > to camel app over http, camel forwards to an external customer over
> > > https,
> > > > 2 way).
> > > > My Camel app is running on Tomcat (without Jetty running for CXF, I'm
> > > using
> > > > the CXFServlet). I have experience in setting up Tomcat for 2 way ssl
> > > with
> > > > Spring Webservices, but for Camel/CXF I see some literature about
> http
> > > > conduits and keystores.
> > > > So I'm not sure how to set this up for Camel/CXF, is it enough to
> > > configure
> > > > this on Tomcat level, like I do for normal Spring webservices, or do
> I
> > > need
> > > > to use the http conduit element in my configuration?
> > > >
> > > > Thanks in advance,
> > > > Nicolas Mommaerts
> > > >
> > >
> >
>
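
Two checks for the questions in this message, as an added example written for this page (not code from the thread or from Apache CXF), in Python so it runs without a CXF runtime. The first function reproduces the include/exclude matching CXF applies to <sec:cipherSuitesFilter> (a suite is kept when it fully matches at least one include pattern and none of the exclude patterns) and evaluates the filter posted above against a constructed list of JSSE suite names: that filter admits only export-grade, single-DES and NULL-encryption suites and drops everything a current server would accept, which is why removing it gets the handshake further. The HARDENED_FILTER is my suggestion, not from the thread. The second function answers the last question: in javax.net.debug=ssl,handshake output the server asks for client authentication with a CertificateRequest message before ServerHelloDone, and the client's answer is its Certificate chain plus CertificateVerify; the two log excerpts are constructed and only imitate the JDK 7 debug format.

```python
"""Added example: CXF-style cipher suite filtering and a javax.net.debug
handshake check for client authentication.  Not code from the mailing
list thread or from Apache CXF.  Sample suite lists and log excerpts are
constructed for this example."""
import re

# Filter exactly as posted in the thread: it admits ONLY export-grade,
# single-DES and NULL-encryption suites, the inverse of a hardening filter.
POSTED_FILTER = {
    "include": [r".*_EXPORT_.*", r".*_EXPORT1024_.*",
                r".*_WITH_DES_.*", r".*_WITH_NULL_.*"],
    "exclude": [r".*_DH_anon_.*"],
}

# Hardened filter (my suggestion, not from the thread): allow everything,
# then strip anonymous, NULL, export, single-DES and RC4 suites.
HARDENED_FILTER = {
    "include": [r".*"],
    "exclude": [r".*_NULL_.*", r".*anon.*", r".*_EXPORT.*",
                r".*_WITH_DES_.*", r".*_RC4_.*"],
}

# Constructed sample of suite names a JDK 7 JSSE reports as supported.
SUPPORTED_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",          # the suite seen in the thread's log
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_NULL_SHA",
    "SSL_DH_anon_WITH_RC4_128_MD5",
]


def cipher_suites_after_filter(supported, spec):
    """Suites surviving a CXF-style filter: full match on an include pattern
    (Java Pattern.matches semantics) and on no exclude pattern."""
    includes = [re.compile(p) for p in spec["include"]]
    excludes = [re.compile(p) for p in spec["exclude"]]
    return [s for s in supported
            if any(p.fullmatch(s) for p in includes)
            and not any(p.fullmatch(s) for p in excludes)]


# Constructed javax.net.debug excerpt: the server requests a client
# certificate and the client answers with a chain and a CertificateVerify.
LOG_CLIENT_AUTH = """\
*** ClientHello, TLSv1
*** ServerHello, TLSv1
*** Certificate chain
chain [0] = [ ...server certificate... ]
***
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=Example Customer CA, O=Example>
*** ServerHelloDone
*** Certificate chain
chain [0] = [ ...client certificate... ]
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
*** CertificateVerify
*** Finished
"""

# Constructed excerpt of a plain one-way handshake: no CertificateRequest,
# so the client never sends a certificate or a CertificateVerify.
LOG_ONE_WAY = """\
*** ClientHello, TLSv1
*** ServerHello, TLSv1
*** Certificate chain
chain [0] = [ ...server certificate... ]
***
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
*** Finished
"""


def handshake_summary(log_text):
    """Pick the client-auth-relevant messages out of handshake debug output."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    after_server_hello_done = False
    summary = {"server_requested_client_cert": False,
               "client_sent_certificate": False,
               "client_sent_certificate_verify": False}
    for i, line in enumerate(lines):
        if line.startswith("*** CertificateRequest"):
            summary["server_requested_client_cert"] = True
        elif line.startswith("*** ServerHelloDone"):
            after_server_hello_done = True   # later messages come from the client
        elif line.startswith("*** Certificate chain") and after_server_hello_done:
            # A client without a usable key still sends the message, but the
            # JDK then prints "<Empty>" beneath it.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            summary["client_sent_certificate"] = nxt != "<Empty>"
        elif line.startswith("*** CertificateVerify"):
            summary["client_sent_certificate_verify"] = True
    return summary


def diagnose(summary):
    """One-line verdict on where client authentication stopped."""
    if not summary["server_requested_client_cert"]:
        return "server never sent CertificateRequest: client auth not negotiated"
    if not summary["client_sent_certificate"]:
        return "server asked, but the client sent an empty chain: no matching key"
    if not summary["client_sent_certificate_verify"]:
        return "client sent a chain but no CertificateVerify: private key unusable"
    return "client authentication completed"
```

To use this on a real capture, start the JVM with -Djavax.net.debug=ssl,handshake and pass the captured text to handshake_summary(); if server_requested_client_cert comes back False, no keyManagers setting on the conduit will help, because the server side is not asking for a certificate at all.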

Re: two way ssl with a camel cxf proxy use case on Tomcat

Posted by Aki Yoshida <el...@gmail.com>.
these are two different things (the inbound side configuration you already
have and the outbound side configuration you asked for) and depending on
what you need at each side, you can configure them independently.



2013/6/17 Nico Mommaerts <ni...@gmail.com>

> Ok thanks! Had already read that but wasn't sure if that was needed if ssl
> is also defined in Tomcat itself (is it harmful to also configure it
> there?)
>
> On Mon, Jun 17, 2013 at 4:35 PM, Aki Yoshida <el...@gmail.com> wrote:
>
> > you configure the ssl setting at your http conduit configuration.
> > and this is explained in this cxf's online documentation:
> >
> >
> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-ConfiguringSSLSupport
> >
> > regards, aki
> >
> >
> > 2013/6/17 Nico Mommaerts <ni...@gmail.com>
> >
> > > Hey,
> > >
> > > I'm trying to set up a Camel CXF proxy with two way ssl (message gets
> sent
> > > to camel app over http, camel forwards to an external customer over
> > https,
> > > 2 way).
> > > My Camel app is running on Tomcat (without Jetty running for CXF, I'm
> > using
> > > the CXFServlet). I have experience in setting up Tomcat for 2 way ssl
> > with
> > > Spring Webservices, but for Camel/CXF I see some literature about http
> > > conduits and keystores.
> > > So I'm not sure how to set this up for Camel/CXF, is it enough to
> > configure
> > > this on Tomcat level, like I do for normal Spring webservices, or do I
> > need
> > > to use the http conduit element in my configuration?
> > >
> > > Thanks in advance,
> > > Nicolas Mommaerts
> > >
> >
>

Re: two way ssl with a camel cxf proxy use case on Tomcat

Posted by Nico Mommaerts <ni...@gmail.com>.
Ok thanks! Had already read that but wasn't sure if that was needed if ssl
is also defined in Tomcat itself (is it harmful to also configure it there?)

On Mon, Jun 17, 2013 at 4:35 PM, Aki Yoshida <el...@gmail.com> wrote:

> you configure the ssl setting at your http conduit configuration.
> and this is explained in this cxf's online documentation:
>
> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-ConfiguringSSLSupport
>
> regards, aki
>
>
> 2013/6/17 Nico Mommaerts <ni...@gmail.com>
>
> > Hey,
> >
> > I'm trying to set up a Camel CXF proxy with two way ssl (message gets sent
> > to camel app over http, camel forwards to an external customer over
> https,
> > 2 way).
> > My Camel app is running on Tomcat (without Jetty running for CXF, I'm
> using
> > the CXFServlet). I have experience in setting up Tomcat for 2 way ssl
> with
> > Spring Webservices, but for Camel/CXF I see some literature about http
> > conduits and keystores.
> > So I'm not sure how to set this up for Camel/CXF, is it enough to
> configure
> > this on Tomcat level, like I do for normal Spring webservices, or do I
> need
> > to use the http conduit element in my configuration?
> >
> > Thanks in advance,
> > Nicolas Mommaerts
> >
>

Re: two way ssl with a camel cxf proxy use case on Tomcat

Posted by Aki Yoshida <el...@gmail.com>.
you configure the ssl setting at your http conduit configuration.
and this is explained in this cxf's online documentation:
http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-ConfiguringSSLSupport

regards, aki


2013/6/17 Nico Mommaerts <ni...@gmail.com>

> Hey,
>
> I'm trying to set up a Camel CXF proxy with two way ssl (message gets sent
> to camel app over http, camel forwards to an external customer over https,
> 2 way).
> My Camel app is running on Tomcat (without Jetty running for CXF, I'm using
> the CXFServlet). I have experience in setting up Tomcat for 2 way ssl with
> Spring Webservices, but for Camel/CXF I see some literature about http
> conduits and keystores.
> So I'm not sure how to set this up for Camel/CXF, is it enough to configure
> this on Tomcat level, like I do for normal Spring webservices, or do I need
> to use the http conduit element in my configuration?
>
> Thanks in advance,
> Nicolas Mommaerts
>