Guillaume Nodet wrote:
> Cool :)
> Yes please raise a JIRA and attach your patch.
Done!

So if you want, we could also change the key alias handling to support
multiple keys in one keystore for managed ssl endpoints. But that is not
that important! But it will take a while because I don't have the time
at the moment.

How is the documentation handled? We could write a small howto for
secure connections or something like that!

Cheers,
Thomas

> 
> On 11/13/06, Thomas TERMIN <[EMAIL PROTECTED]> wrote:
>> Hello Guillaume,
>>
>> I guess we have it now. I have a small patch for you! ;-) Should I
>> raise a JIRA issue for it?
>>
>> Cheers,
>> Thomas
>>
>> Guillaume Nodet wrote:
>> > On 11/9/06, Thomas TERMIN <[EMAIL PROTECTED]> wrote:
>> >> Hello Guillaume,
>> >>
>> >> I have unfortunately more issues on security.
>> >>
>> >> It seems to be impossible to activate "needClientAuth" on a consumer
>> >> endpoint so that the provider endpoint has to send his certificate as
>> >> well. I get a javax.net.ssl.SSLHandshakeException: Received fatal alert:
>> >> bad_certificate
>> >>
>> >> Is there something known with that? Is there a testcase in servicemix
>> >> where all this stuff is tested?
>> >
>> > There is *a* test case which uses SSL.
>> > It is located in the testSsl method of the following test:
>> >
>> http://svn.apache.org/repos/asf/incubator/servicemix/trunk/deployables/bindingcomponents/servicemix-http/src/test/java/org/apache/servicemix/http/HttpSpringTest.java
>>
>> >
>> >
>> > It uses the configuration file at:
>> >
>> http://svn.apache.org/repos/asf/incubator/servicemix/trunk/deployables/bindingcomponents/servicemix-http/src/test/resources/org/apache/servicemix/http/spring.xml
>>
>> >
>> >
>> >>
>> >> Who did the complete ssl stuff in servicemix?
>> >
>> > Unfortunately me ;)
>> > So I will try to help you solve the problems I wrote :)
>> > If you have some unit tests you can write, I can try to fix them.
>> >
>> >>
>> >> If I ever solve my security stuff I will provide you with documentation
>> >> about that. ;-)
>> >
>> > So, I will do my best ;)
>> >
>> >>
>> >> Cheers,
>> >> Thomas
>> >>
>> >> Thomas TERMIN wrote:
>> >> > I'm not an ssl expert either! ;-)
>> >> >
>> >> > No, I wouldn't say that the sun implementation doesn't support multiple
>> >> > keys but the behaviour is strange and with one key in the keystore it
>> >> > works always fine. I don't know why. What you get during the deployment
>> >> > is an UnrecoverableKeyException. But I didn't mean that the consumer
>> >> > endpoint can accept only a single certificate because you can have
>> >> > multiple certificates in a truststore. So your endpoint can trust
>> >> > multiple clients with different certificates. It is the same for the
>> >> > provider endpoint IMHO.
>> >> >
>> >> > Cheers,
>> >> > Thomas
>> >> >
>> >> >
>> >> >
>> >> > Guillaume Nodet wrote:
>> >> >> What happens when you do that with multiple keys ?
>> >> >> Are you saying that sun implementation does not support multiple keys ?
>> >> >> This means that on a consumer endpoint, you can only accept
>> >> >> a single certificate, right ?  What about the provider endpoint ?
>> >> >> Sorry for my ignorance, but I'm not an ssl expert and I may have
>> >> >> missed something ...
>> >> >>
>> >> >> On 11/8/06, Thomas TERMIN <[EMAIL PROTECTED]> wrote:
>> >> >>> Hello Guillaume,
>> >> >>>
>> >> >>> I tried your solution and it still does not work! Unfortunately!
>> >> >>>
>> >> >>> I did the following in conf/security.xml
>> >> >>>
>> >> >>> <sm:keystoreManager id="keystoreManager">
>> >> >>>   <sm:keystores>
>> >> >>>     <sm:keystore name="default"
>> >> >>>                  path="classpath:keystore.jks"
>> >> >>>                  keystorePassword="servicemix"
>> >> >>>                  keyPasswords="smx=smx" />
>> >> >>>     <sm:keystore name="midas"
>> >> >>>                  path="classpath:keystore.jks"
>> >> >>>                  keystorePassword="servicemix"
>> >> >>>                  keyPasswords="server-alias=password" />
>> >> >>>     <sm:keystore name="midas-trust"
>> >> >>>                  path="classpath:truststore.jks"
>> >> >>>                  keystorePassword="trustpass"/>
>> >> >>>   </sm:keystores>
>> >> >>> </sm:keystoreManager>
>> >> >>>
>> >> >>>
>> >> >>> xbean.xml for the http consumer endpoint
>> >> >>>
>> >> >>> <http:endpoint service="bes:remote-request-start"
>> >> >>>   endpoint="endpoint"
>> >> >>>   role="consumer"
>> >> >>>   locationURI="https://cuba:8192/BESlocalRequest/"
>> >> >>>   defaultMep="http://www.w3.org/2004/08/wsdl/in-out"
>> >> >>>   soap="false" >
>> >> >>>   <http:ssl>
>> >> >>>     <http:sslParameters managed="true"
>> >> >>>       keyAlias="server-alias"
>> >> >>>       keyPassword="password"
>> >> >>>       keyStore="midas"
>> >> >>>       keyStorePassword="servicemix"
>> >> >>>       trustStore="midas-trust"
>> >> >>>       trustStorePassword="trustpass"/>
>> >> >>>   </http:ssl>
>> >> >>> </http:endpoint>
>> >> >>>
>> >> >>> What happens is that you have a KeyManager (registered on jndi with
>> >> >>> multiple FileKeystoreInstance instances). The key alias and the password
>> >> >>> are stored in a List.
>> >> >>>
>> >> >>> The problem that I see is that in the FileKeystoreInstance class the
>> >> >>> keystore file is again loaded in the loadKeystoreData method and after
>> >> >>> that you give this keystore (with again multiple keys) to the init
>> >> >>> method of the KeyManagerFactory:
>> >> >>>
>> >> >>> keyFactory.init(keystore, (char[]) keyPasswords.get(keyAlias));
>> >> >>>
>> >> >>> So the key alias is again not used except to get the password. I thought
>> >> >>> you create for each key an in-memory keystore and give the right key
>> >> >>> store to the init method. In this way the init method would get just one
>> >> >>> key with the correct password. There wouldn't be any issues with
>> >> >>> multiple keys then because the sun implementation would never see
>> >> >>> multiple keys.
>> >> >>>
>> >> >>> Sorry but I can't really explain this stuff! ;-) But I hope it is
>> >> >>> understandable though. Maybe I just didn't get something correctly!
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> Cheers,
>> >> >>> Thomas
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> Thomas TERMIN wrote:
>> >> >>>> Thanks Guillaume!
>> >> >>>>
>> >> >>>> I will try that out tomorrow. Basically that solves our problem in
>> >> >>>> servicemix but we have also jetty as a webcontainer deployed in
>> >> >>>> servicemix so we still have the problem here.
>> >> >>>>
>> >> >>>> Guillaume Nodet wrote:
>> >> >>>>> If you set the managed="true" attribute on the ssl parameters
>> >> >>>>> for the servicemix-http component, you will use the
>> >> >>>>> org.apache.servicemix.http.jetty.ServiceMixSslSocketConnector
>> >> >>>>> instead of the standard jetty ssl connector.  This one handles
>> >> >>>>> the keyAlias parameter.
>> >> >>>>>
>> >> >>>>> To use this, you will need to define a
>> >> >>>>> org.apache.servicemix.jbi.security.keystore.KeystoreManager
>> >> >>>>> instance (see /conf/security.xml for an example) like the following:
>> >> >>>>>
>> >> >>>>>  <sm:keystoreManager id="keystoreManager">
>> >> >>>>>    <sm:keystores>
>> >> >>>>>      <sm:keystore name="default"
>> >> >>>>>                   path="classpath:keystore.jks"
>> >> >>>>>                   keystorePassword="servicemix"
>> >> >>>>>                   keyPasswords="smx=smx" />
>> >> >>>>>    </sm:keystores>
>> >> >>>>>  </sm:keystoreManager>
>> >> >>>>>
>> >> >>>>> You will need to configure it on the component configuration, using
>> >> >>>>> either a JNDI name or a direct reference.  Unfortunately, there is
>> >> >>>>> currently no way to set it for the endpoint itself, though it should be
>> >> >>>>> easy to modify.
>> >> >>>> If I have some time I will look at it but I can't make it at the moment.
>> >> >>>> Cheers,
>> >> >>>> Thomas
>> >> >>>>
>> >> >>>>
>> >> >>>>> On 11/6/06, Thomas TERMIN <[EMAIL PROTECTED]> wrote:
>> >> >>>>>> Guillaume,
>> >> >>>>>>
>> >> >>>>>> We have some issues with ssl here. As I said before you can set the
>> >> >>>>>> key-alias parameter but it is not used at the moment from servicemix to
>> >> >>>>>> create a sslSocketConnector. But the bigger problem is that jetty does
>> >> >>>>>> not support that. Jetty reads the keystore from the keystore file and if
>> >> >>>>>> there is more than one key in this store it gives an exception. The
>> >> >>>>>> thing is I can fix that in jetty as well as in servicemix. But I have no
>> >> >>>>>> contacts to the jetty community. So one thing is if I would fix that
>> >> >>>>>> could you bring this patch faster in the jetty code as I could (assuming
>> >> >>>>>> that you have better contacts). The second thing is if you are
>> >> >>>>>> interested at all in improving these things.
>> >> >>>>>>
>> >> >>>>>> So what I would do is I would read the keystore file in jetty as already
>> >> >>>>>> done and would create in-memory keystores for every alias. So I would
>> >> >>>>>> have a hash table or something where you could get the keystore for a
>> >> >>>>>> specific given alias. The only thing in servicemix then is to get the
>> >> >>>>>> key-alias (if it is set in the http endpoint configuration) and call a
>> >> >>>>>> jetty getter method for the key alias. The Ssl socket connector can then
>> >> >>>>>> get the specific keystore from the hash table and initialise the complete
>> >> >>>>>> ssl stuff with the right given key.
>> >> >>>>>>
>> >> >>>>>> Hope it was understandable. ;-)
>> >> >>>>>>
>> >> >>>>>> What do you think?
>> >> >>>>>>
>> >> >>>>>> Cheers,
>> >> >>>>>> Thomas
>> >> >>>>>>
>> >> >>>>>> Thomas TERMIN wrote:
>> >> >>>>>>> Thanks Guillaume it is a nice feature in servicemix but it seems to be
>> >> >>>>>>> not supported from the SslSocketConnector (jetty). There is no such
>> >> >>>>>>> attribute unfortunately.
>> >> >>>>>>>
>> >> >>>>>>> Do you have any ideas?
>> >> >>>>>>>
>> >> >>>>>>> Cheers,
>> >> >>>>>>> Thomas
>> >> >>>>>>>
>> >> >>>>>>> Guillaume Nodet wrote:
>> >> >>>>>>>> The SslParameters class has a keyAlias attribute that you
>> >> >>>>>>>> can use for that.
>> >> >>>>>>>>
>> >> >>>>>>>> On 11/3/06, Thomas TERMIN <[EMAIL PROTECTED]> wrote:
>> >> >>>>>>>>> Hello,
>> >> >>>>>>>>>
>> >> >>>>>>>>> How can I specify the alias for a key in the keystore for secure ssl
>> >> >>>>>>>>> consumer endpoints? Or is that basically impossible to have more
>> >> >>>>>>>>> than one key in the keystore?
>> >> >>>>>>>>>
>> >> >>>>>>>>> Cheers,
>> >> >>>>>>>>> Thomas Termin
>> >> >>>>>>>>>
>> >> >>>>
>> >> >>>
>> >> >>
>> >> >
>> >> >
>> >>
>> >>
>> >
>> >
>>
>>
> 
> 
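The approach Thomas describes in the quoted messages above (read the keystore file once, build an in-memory keystore per alias and look it up in a hash table, so that `KeyManagerFactory.init()` only ever sees the one key the endpoint is configured with) written out in plain JSSE, as an added example that is neither ServiceMix nor Jetty code. It also shows the `UnrecoverableKeyException` he observed when a multi-key store is handed to `init()` with a single password, and the `needClientAuth` setting he asked about. File names and passwords are placeholders; the aliases `server-alias` and `smx` are the ones used in the thread. Written against current JDK APIs, not the 2006-era ones.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example, not ServiceMix or Jetty code: one in-memory keystore per alias,
// so the SunX509 KeyManagerFactory never sees more than one private key.
public class PerAliasKeystores {

    // The alias -> keystore table proposed in the thread. Each value is a fresh
    // in-memory keystore holding exactly one private key and its certificate chain.
    static Map<String, KeyStore> splitByAlias(KeyStore source, Map<String, char[]> keyPasswords)
            throws Exception {
        Map<String, KeyStore> perAlias = new HashMap<>();
        for (Enumeration<String> e = source.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            char[] password = keyPasswords.get(alias);
            if (!source.isKeyEntry(alias) || password == null) {
                continue; // trusted-cert entries and aliases without a known password are not server keys
            }
            Key key = source.getKey(alias, password); // UnrecoverableKeyException only if THIS password is wrong
            if (!(key instanceof PrivateKey)) {
                continue; // a SecretKeyEntry cannot authenticate a TLS server
            }
            Certificate[] chain = source.getCertificateChain(alias);
            KeyStore single = KeyStore.getInstance(source.getType());
            single.load(null, null); // creates an empty in-memory keystore
            single.setKeyEntry(alias, key, password, chain);
            perAlias.put(alias, single);
        }
        return perAlias;
    }

    // KeyManagers that can only ever present the key stored under the given alias.
    static KeyManager[] keyManagersFor(Map<String, KeyStore> perAlias, String alias, char[] password)
            throws Exception {
        KeyStore single = perAlias.get(alias);
        if (single == null) {
            throw new IllegalArgumentException("no usable private key under alias " + alias);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(single, password); // exactly one key, with its own password: nothing else to recover
        return kmf.getKeyManagers();
    }

    static KeyStore load(String path, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder files and passwords; a real deployment reads these from its own config.
        KeyStore keystore = load("keystore.jks", "<keystore-password>".toCharArray());
        KeyStore truststore = load("truststore.jks", "<truststore-password>".toCharArray());
        Map<String, char[]> keyPasswords = new HashMap<>();
        keyPasswords.put("server-alias", "<key-password>".toCharArray());
        keyPasswords.put("smx", "<other-key-password>".toCharArray());

        // The failure from the thread: init() over the whole store tries every key entry
        // with the one password and fails as soon as another key's password differs.
        try {
            KeyManagerFactory whole = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            whole.init(keystore, keyPasswords.get("server-alias"));
        } catch (UnrecoverableKeyException ex) {
            System.out.println("whole-store init failed as expected: " + ex.getMessage());
        }

        Map<String, KeyStore> perAlias = splitByAlias(keystore, keyPasswords);
        KeyManager[] kms = keyManagersFor(perAlias, "server-alias", keyPasswords.get("server-alias"));

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore); // only peers chaining to a certificate in the truststore are accepted

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);

        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8192);
        server.setNeedClientAuth(true); // mutual TLS: a client without a trusted certificate fails the handshake
        System.out.println("listening on " + server.getLocalPort() + " with key server-alias");
        server.close();
    }
}
```

Even when every key in the file shares the same password, the whole-store `init()` does not honour an alias: the SunX509 key manager simply picks the first entry whose key type fits, which is why the per-alias split is still needed for a consumer endpoint configured with a specific `keyAlias`. The split also scopes a password to its own key, so a mistyped password for one alias no longer takes down the others.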
