[
https://issues.apache.org/jira/browse/CXF-2403?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12748013#action_12748013
]
Eamonn Dwyer commented on CXF-2403:
-----------------------------------
I have a test that does mutual authentication successfully using the
http-conduit configuration you are having trouble with. That is why I think
the problem may be with your keystore/truststore so I was just going to run my
test using your client's keystore/trustore and server's keystore/truststore.
My JKS keystores/truststore were generated by
http://svn.apache.org/repos/asf/cxf/branches/2.2.x-fixes/distribution/src/main/release/samples/wsdl_first_https/bin/gencerts.sh
maybe you might just try using that script to generate the
keystore/truststores and run the test again.
> Use of client certificates via http conduit configuration broken
> ----------------------------------------------------------------
>
> Key: CXF-2403
> URL: https://issues.apache.org/jira/browse/CXF-2403
> Project: CXF
> Issue Type: Bug
> Components: Configuration
> Reporter: Wolfgang Nagele
> Attachments: client.crt, client.key, client.p12, keystore
>
>
> To use standard SSL client certificates for authentication the following
> configuration should work:
> <http:conduit name="*.http-conduit">
> <http:tlsClientParameters>
> <sec:keyManagers keyPassword="password">
> <sec:keyStore type="JKS" password="password" file="keystore" />
> </sec:keyManagers>
> <sec:trustManagers>
> <sec:keyStore type="JKS" password="password" file="truststore" />
> </sec:trustManagers>
> </http:tlsClientParameters>
> </http:conduit>
> In this configuration we would have the public certificate of the server we
> want to connect to in the truststore and the private key and certificate in
> the keystore.
> With the current CXF implementation this results in the following exception:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> at
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
> [na:1.6.0_13]
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
> [na:1.6.0_13]
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
> [na:1.6.0_13]
> ... 39 common frames omitted
> Once we additionally define the following properties it works:
> * javax.net.ssl.keyStore=keystore
> * javax.net.ssl.keyStorePassword=password
> * javax.net.ssl.trustStore=truststore
> * javax.net.ssl.trustStorePassword=password
> This however results in very ugly setups where we have to define the same
> data twice. Also we miss out on CXF's option of defining specific keystores
> and truststores per webservice.
> For further information also see: http://www.quendor.org/archiv/428
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
