[ https://issues.apache.org/jira/browse/CXF-2403?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215533#comment-13215533 ]

Brijpal commented on CXF-2403:
------------------------------

This is in reference to sample demo soap_https.zip

Thank you very much for such a wonderful explanation. It's a really good demo; I 
tried it, and it works when I use both the server and client parts of it. I am 
impressed and decided to use its client part to access a web service running on 
my local machine. The web service is provided by some third party to generate a 
random string. I can put my public certificate in its trust store, and I know 
its public certificates too. I followed these steps:

1. I put server's certificate in client-truststore

2. I extracted client certificate from "client-keystore" and put it in server's 
trust store

3. Put my WSDL ("GenerateRandom.wsdl") parallel to "HelloWorld.wsdl"

4. Wrote RandomClient.java in parallel to Client.java (which uses 
cxfContext.xml placed parallel to hello_world_client.xml)

5. Modified build.xml to generate code and run the client.

When I tried to run it using ant, I got the following exception:


     [java] org.apache.cxf.interceptor.Fault: Could not send Message.
     [java]  at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
     [java]  at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
     [java]  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:487)
     [java]  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
     [java]  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:265)
     [java]  at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
     [java]  at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
     [java]  at $Proxy38.oprRandomRequest(Unknown Source)
     [java]  at demo.soaphttps.client.RandomClient.main(UTNClient.java:37)
     [java] Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: UntrustedURLConnectionIOException invoking https://localhost:9091/XYZ.Common/WcfService_XYZ_Common_Orchestrations.svc: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
     [java]  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
     [java]  at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
     [java]  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
     [java]  at java.lang.reflect.Constructor.newInstance(Unknown Source)
     [java]  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:2058)
     [java]  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:2043)
     [java]  at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
     [java]  at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:639)
     [java]  at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)

I tried to Google it but could not find any help. Please help me get rid of 
this. I am using Apache CXF 2.2.9.


The service WSDL is:


<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions name="ServiceInstance"
 targetNamespace="http://tempuri.org/"
 xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
 xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
 xmlns:wsa10="http://www.w3.org/2005/08/addressing"
 xmlns:tns="http://tempuri.org/"
 xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
 xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract"
 xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
 xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
 xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
 xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
 <wsdl:documentation>
  <CreationInfo Created="2012-01-24 12:35:14Z" />
 </wsdl:documentation>
 <wsp:Policy wsu:Id="WSHttpBinding_ITwoWayAsync_policy">
  <wsp:ExactlyOne>
   <wsp:All>
    <sp:TransportBinding
     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
     <wsp:Policy>
      <sp:TransportToken>
       <wsp:Policy>
        <sp:HttpsToken RequireClientCertificate="true" />
       </wsp:Policy>
      </sp:TransportToken>
      <sp:AlgorithmSuite>
       <wsp:Policy>
        <sp:Basic256 />
       </wsp:Policy>
      </sp:AlgorithmSuite>
      <sp:Layout>
       <wsp:Policy>
        <sp:Strict />
       </wsp:Policy>
      </sp:Layout>
     </wsp:Policy>
    </sp:TransportBinding>
    <wsaw:UsingAddressing />
   </wsp:All>
  </wsp:ExactlyOne>
 </wsp:Policy>
 <wsdl:types>
  <xsd:schema targetNamespace="http://tempuri.org/Imports">
   <xsd:import schemaLocation="XYZ.Common.Interfaces.CreateRandom+RandomRequest.xsd"
    namespace="http://XYZ.Common.Interfaces.CreateRandom" />
  </xsd:schema>
 </wsdl:types>
 <wsdl:message name="WcfService_XYZ_Common_Orchestrations_OprRandomRequest_InputMessage">
  <wsdl:part name="part" element="q1:RandomRequest"
   xmlns:q1="http://XYZ.Common.Interfaces.CreateRandom" />
 </wsdl:message>
 <wsdl:message name="WcfService_XYZ_Common_Orchestrations_OprRandomRequest_OutputMessage">
  <wsdl:part name="part" element="q2:RandomResponse"
   xmlns:q2="http://XYZ.Common.Interfaces.CreateRandom" />
 </wsdl:message>
 <wsdl:portType name="WcfService_XYZ_Common_Orchestrations">
  <wsdl:documentation>service "*" port "*"</wsdl:documentation>
  <wsdl:operation name="OprRandomRequest">
   <wsdl:documentation>operation "OprRandomRequest"</wsdl:documentation>
   <wsdl:input message="tns:WcfService_XYZ_Common_Orchestrations_OprRandomRequest_InputMessage" />
   <wsdl:output message="tns:WcfService_XYZ_Common_Orchestrations_OprRandomRequest_OutputMessage" />
  </wsdl:operation>
 </wsdl:portType>
 <wsdl:binding name="WSHttpBinding_ITwoWayAsync" type="tns:WcfService_XYZ_Common_Orchestrations">
  <wsp:PolicyReference URI="#WSHttpBinding_ITwoWayAsync_policy" />
  <soap12:binding transport="http://schemas.xmlsoap.org/soap/http" />
  <wsdl:operation name="OprRandomRequest">
   <wsdl:documentation>operation "OprRandomRequest"</wsdl:documentation>
   <soap12:operation soapAction="OprRandomRequest" style="document" />
   <wsdl:input>
    <soap12:body use="literal" encodingStyle="http://www.w3.org/2003/05/soap-encoding" />
   </wsdl:input>
   <wsdl:output>
    <soap12:body use="literal" encodingStyle="http://www.w3.org/2003/05/soap-encoding" />
   </wsdl:output>
  </wsdl:operation>
 </wsdl:binding>
 <wsdl:service name="ServiceInstance">
  <wsdl:port name="WSHttpBinding_ITwoWayAsync" binding="tns:WSHttpBinding_ITwoWayAsync">
   <soap12:address location="https://localhost.com:9091/XYZ.Common/WcfService_XYZ_Common_Orchestrations.svc" />
   <wsa10:EndpointReference>
    <wsa10:Address>https://localhost:9091/XYZ.Common/WcfService_XYZ_Common_Orchestrations.svc</wsa10:Address>
   </wsa10:EndpointReference>
  </wsdl:port>
 </wsdl:service>
</wsdl:definitions>


The Spring configuration is:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:sec="http://cxf.apache.org/configuration/security"
 xmlns:http="http://cxf.apache.org/transports/http/configuration"
 xmlns:jaxws="http://cxf.apache.org/jaxws"
 xsi:schemaLocation="
   http://cxf.apache.org/configuration/security
   http://cxf.apache.org/schemas/configuration/security.xsd
   http://cxf.apache.org/transports/http/configuration
   http://cxf.apache.org/schemas/configuration/http-conf.xsd
   http://www.springframework.org/schema/beans
   http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
   http://cxf.apache.org/jaxws
   http://cxf.apache.org/schemas/jaxws.xsd">

 <http:conduit name="*.http-conduit">
  <http:tlsClientParameters disableCNCheck="true">
   <sec:keyManagers keyPassword="password">
    <sec:keyStore type="JKS" password="password"
     file="certs/client-keystore"/>
   </sec:keyManagers>
   <sec:trustManagers>
    <sec:keyStore type="JKS" password="password"
     file="certs/client-truststore"/>
   </sec:trustManagers>
   <sec:cipherSuitesFilter>
    <sec:include>.*</sec:include>
    <sec:exclude>.*_DH_anon_.*</sec:exclude>
   </sec:cipherSuitesFilter>
  </http:tlsClientParameters>
 </http:conduit>
</beans>
    
                
> Use of client certificates via http conduit configuration broken
> ----------------------------------------------------------------
>
>                 Key: CXF-2403
>                 URL: https://issues.apache.org/jira/browse/CXF-2403
>             Project: CXF
>          Issue Type: Bug
>          Components: Configuration
>            Reporter: Wolfgang Nagele
>         Attachments: client-keystore, client-truststore, client.crt, 
> client.key, client.p12, server-keystore, server-truststore, server.crt, 
> server.key, server.p12, soap_https.zip
>
>
> To use standard SSL client certificates for authentication the following 
> configuration should work:
> <http:conduit name="*.http-conduit">
>   <http:tlsClientParameters>
>     <sec:keyManagers keyPassword="password">
>       <sec:keyStore type="JKS" password="password" file="keystore" />
>     </sec:keyManagers>
>     <sec:trustManagers>
>       <sec:keyStore type="JKS" password="password" file="truststore" />
>     </sec:trustManagers>
>   </http:tlsClientParameters>
> </http:conduit>
> In this configuration we would have the public certificate of the server we 
> want to connect to in the truststore and the private key and certificate in 
> the keystore.
> With the current CXF implementation this results in the following exception:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>       at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174) [na:1.6.0_13]
>       at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238) [na:1.6.0_13]
>       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280) [na:1.6.0_13]
>       ... 39 common frames omitted
> Once we additionally define the following properties it works:
> * javax.net.ssl.keyStore=keystore
> * javax.net.ssl.keyStorePassword=password
> * javax.net.ssl.trustStore=truststore
> * javax.net.ssl.trustStorePassword=password
> This however results in very ugly setups where we have to define the same 
> data twice. Also we miss out on CXF's option of defining specific keystores 
> and truststores per webservice.
> For further information also see: http://www.quendor.org/archiv/428
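The UntrustedURLConnectionIOException in the comment above is raised by the CXF conduit after the TLS handshake, when the policy's HttpsToken RequireClientCertificate="true" is in force but the JSSE layer sent no client certificate. The following added example (not part of the JIRA issue or of the soap_https sample) reproduces that check with plain JSSE, loading the same two JKS files and password from the conduit configuration and connecting to the endpoint URL from the stack trace, and lists the private-key entries with their issuers, because JSSE offers no certificate at all when the key store has no private-key entry or none issued by a CA the server named in its CertificateRequest. Unlike the conduit configuration, which sets disableCNCheck="true", hostname verification is left enabled here, so a name mismatch shows up as its own error instead of being hidden.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientCertCheck {

    // Load a JKS file exactly as the http:conduit configuration above does.
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Show which private-key entries the key manager can offer. If there is none,
    // or none is issued by a CA the server lists in its CertificateRequest, JSSE
    // sends no certificate and CXF reports "no local certificates were negotiated".
    static void dumpKeyEntries(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.println("key entry '" + alias + "': subject=" + c.getSubjectX500Principal()
                    + " issuer=" + c.getIssuerX500Principal());
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "password".toCharArray();                 // password from the conduit config
        KeyStore keyStore = loadJks("certs/client-keystore", pw);
        KeyStore trustStore = loadJks("certs/client-truststore", pw);
        dumpKeyEntries(keyStore);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, pw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        URL url = new URL(args.length > 0 ? args[0]
                : "https://localhost:9091/XYZ.Common/WcfService_XYZ_Common_Orchestrations.svc");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.connect();                                        // performs the TLS handshake
        Certificate[] local = conn.getLocalCertificates();     // the same check CXF makes
        System.out.println("client certificate sent to server: " + (local != null && local.length > 0));
        conn.disconnect();
    }
}
```

If the key entries print correctly but the last line reports false, the server did not request a certificate from an issuer in the list, which is the question the CXF message asks; running with -Djavax.net.debug=ssl,handshake shows whether a CertificateRequest arrived and which CA names it carried.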

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Reply via email to