Hello Guillaume,
I tried your solution and it still does not work! Unfortunately!
I did the following in conf/security.xml
<sm:keystoreManager id="keystoreManager">
<sm:keystores>
<sm:keystore name="default"
path="classpath:keystore.jks"
keystorePassword="servicemix"
keyPasswords="smx=smx" />
<sm:keystore name="midas"
path="classpath:keystore.jks"
keystorePassword="servicemix"
keyPasswords="server-alias=password" />
<sm:keystore name="midas-trust"
path="classpath:truststore.jks"
keystorePassword="trustpass"/>
</sm:keystores>
</sm:keystoreManager>
xbean.xml for the http consumer endpoint
<http:endpoint service="bes:remote-request-start"
endpoint="endpoint"
role="consumer"
locationURI="https://cuba:8192/BESlocalRequest/";
defaultMep="http://www.w3.org/2004/08/wsdl/in-out";
soap="false" >
<http:ssl>
<http:sslParameters managed="true"
keyAlias="server-alias"
keyPassword="password"
keyStore="midas"
keyStorePassword="servicemix"
trustStore="midas-trust"
trustStorePassword="trustpass"/>
</http:ssl>
</http:endpoint>
What happens is that you have a KeyManager (registerd on jndi with
multiple FileKeystoreInstance instances). The key alias and the password
are stored in a List.
The problem what I see is that in the FileKeystoreInstance class the
keystore file is again loaded in the loadKeystoreData method and after
that you give this keystore (with again multiple keys) to the init
method of the KeyManagerFactory:
keyFactory.init(keystore, (char[]) keyPasswords.get(keyAlias));
So the key alias is again not used except to get the password. I thought
you create for each key an inmemory keystore and give the right key
store to the init method. In tis way the init method would get just one
key with the correct password. There wouldn't be any issues with
multiple keys then because the sun implementation would never see
multiple keys.
Sorry but I can't really explain this stuff! ;-) But I hope it is
understandable though. Maybe I just didn't get something correctly!
Cheers,
Thomas
Thomas TERMIN wrote:
> Thanks Guillaume!
>
> I will try that out tomorrow. Basicly that solve our problem in
> servicemix but we have also jetty as a webcontainer deployed in
> servicemix so we have still the problem here.
>
> Guillaume Nodet wrote:
>> If you set the managed="true" attribute on the ssl parameters
>> for the servicemix-http component, you will use the
>> org.apache.servicemix.http.jetty.ServiceMixSslSocketConnector
>> instead of the standard jetty ssl connector. This one handle
>> the keyAlias parameter.
>>
>> To use this, you will need to define a
>> org.apache.servicemix.jbi.security.keystore.KeystoreManager
>> instance (see /conf/security.xml for an example) like the following:
>>
>> <sm:keystoreManager id="keystoreManager">
>> <sm:keystores>
>> <sm:keystore name="default"
>> path="classpath:keystore.jks"
>> keystorePassword="servicemix"
>> keyPasswords="smx=smx" />
>> </sm:keystores>
>> </sm:keystoreManager>
>>
>> You will need to configure it on the component configuration, using
>> either a JNDI name or a direct reference. Unfortunately, there is
>> currently no way to set it for the endpoint itself, though it should be
>> easy to modify.
> If I have some time I will look at it but I can't make it at the moment.
>
> Cheers,
> Thomas
>
>
>>
>> On 11/6/06, Thomas TERMIN <[EMAIL PROTECTED]> wrote:
>>> Guillaume,
>>>
>>> We have some issues with ssl here. As I said before you can set the
>>> key-alias parameter but it is not used at the moment from servicemix to
>>> create a sslSocketConnector. But the bigger problem is that jetty does
>>> not support that. Jetty reads the keystore from the keystore file and if
>>> there is more than one key in this store it gives an exception. The
>>> thing is I can fix that in jetty as well as in servicemix. But I have no
>>> contacts to the jetty community. So one thing is if I would fix that
>>> could you bring this patch faster in the jetty code as I could (Assumed
>>> that you have better contacts). The second thing is if you are
>>> interested at all on improve this things.
>>>
>>> So what I would do is I would read the keystore file in jetty as already
>>> done and would create inmemory keystores for every alias. So I would
>>> have a hash table or something where you could get the keystore for a
>>> specific given alias. The only thing in servicemix then is to get the
>>> key-alias (if it is set in the http endpoint configuration) and call a
>>> jetty getter method for the key alias. The Ssl socket connector can then
>>> get the specific keystore from the hast table and intialise the complete
>>> ssl stuff with the right given key.
>>>
>>> Hope it was understandable. ;-)
>>>
>>> What do you think?
>>>
>>> Cheers,
>>> Thomas
>>>
>>> Thomas TERMIN wrote:
>>>> Thanks Guillaume it is a nice feature in servicemix but it seems to be
>>>> not supported from the SslSocketConnector (jetty). There is no such
>>>> attribute unfortunately.
>>>>
>>>> Do you have any ideas?
>>>>
>>>> Cheers,
>>>> Thomas
>>>>
>>>> Guillaume Nodet wrote:
>>>>> The SslParameters class has a keyAlias attribute that you
>>>>> can use for that.
>>>>>
>>>>> On 11/3/06, Thomas TERMIN <[EMAIL PROTECTED]> wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Who can I specify the alias for a key in the keystore for secure ssl
>>>>>> consumer endpoints? Or is that basicly impossible to have more
>>> than one
>>>>>> key in the keystore?
>>>>>>
>>>>>> Cheers,
>>>>>> Thomas Termin
>>>>>>
>>>>
>>>
>>
>
>
