Ok thanks, that explains a lot. Unfortunately, I still can't get it to work. When I look at the javax.net.debug output and compare it to http://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated%5FTLS%5Fhandshake, I don't see *CertificateVerify* coming along; only the steps from one-way SSL are shown (and are successful). So the server responds with a "403 Forbidden, client auth required" message.
My config looks like this (using the wildcard because otherwise it wouldn't match; disabled the CN check to avoid those problems):

    <http:conduit name="*.http-conduit">
      <http:tlsClientParameters disableCNCheck="true">
        <sec:keyManagers keyPassword="mysecret">
          <sec:keyStore type="JKS" password="mysecret" file="/data/tomcat/serv03/keystore/.keystore" />
        </sec:keyManagers>
        <sec:cipherSuitesFilter>
          <sec:include>.*_EXPORT_.*</sec:include>
          <sec:include>.*_EXPORT1024_.*</sec:include>
          <sec:include>.*_WITH_DES_.*</sec:include>
          <sec:include>.*_WITH_NULL_.*</sec:include>
          <sec:exclude>.*_DH_anon_.*</sec:exclude>
        </sec:cipherSuitesFilter>
      </http:tlsClientParameters>
    </http:conduit>

I don't have a trustManager configured, as the server is using real certs (vs. self-signed), and I can see in the javax.net.debug logging that the server's certificate is found and trusted. The .keystore contains our self-signed certificate, which is also imported on the server side (IIS7). Do I need to do anything else to enable client authentication? Can I see in the javax.net.debug output whether the server even requests client auth?

On Tue, Jun 18, 2013 at 1:28 PM, Aki Yoshida <elak...@gmail.com> wrote:

> these are two different things (the inbound side configuration you already
> have and the outbound side configuration you asked for) and depending on
> what you need at each side, you can configure them independently.
>
> 2013/6/17 Nico Mommaerts <nico.mommae...@gmail.com>
>
> > Ok thanks! Had already read that but wasn't sure if that was needed if
> > SSL is also defined in Tomcat itself (is it harmful to also configure it
> > there?)
> >
> > On Mon, Jun 17, 2013 at 4:35 PM, Aki Yoshida <elak...@gmail.com> wrote:
> >
> > > you configure the ssl setting at your http conduit configuration.
> > > and this is explained in this cxf's online documentation:
> > >
> > > http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-ConfiguringSSLSupport
> > >
> > > regards, aki
> > >
> > > 2013/6/17 Nico Mommaerts <nico.mommae...@gmail.com>
> > >
> > > > Hey,
> > > >
> > > > I'm trying to set up a Camel CXF proxy with two-way SSL (message gets
> > > > sent to the camel app over http, camel forwards to an external customer
> > > > over https, 2-way).
> > > > My Camel app is running on Tomcat (without Jetty running for CXF, I'm
> > > > using the CXFServlet). I have experience in setting up Tomcat for
> > > > two-way SSL with Spring Webservices, but for Camel/CXF I see some
> > > > literature about http conduits and keystores.
> > > > So I'm not sure how to set this up for Camel/CXF: is it enough to
> > > > configure this on Tomcat level, like I do for normal Spring
> > > > webservices, or do I need to use the http conduit element in my
> > > > configuration?
> > > >
> > > > Thanks in advance,
> > > > Nicolas Mommaerts
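Added example, not part of the thread above and not CXF or JSSE code: a small checker for the question of whether the server ever asks for a client certificate. It reads a `-Djavax.net.debug=ssl:handshake` trace, splits it at `*** ServerHelloDone`, and reports which client-auth steps appear on each side. The three traces are constructed samples; their marker lines (`*** CertificateRequest`, `Cert Authorities:`, `*** Certificate chain`, `<Empty>`, `*** CertificateVerify`, `matching alias:`) imitate the layout the Sun/Oracle JSSE provider printed in Java 6/7, and the hostnames and DNs are made up.

```python
"""Check a javax.net.debug handshake trace for the client-auth steps."""
import re

CERT_REQUEST = "*** CertificateRequest"
SERVER_HELLO_DONE = "*** ServerHelloDone"
CERT_CHAIN = "*** Certificate chain"
CERT_VERIFY = "*** CertificateVerify"

# Constructed sample traces (not real captures). Server flight first, then
# the client's reply after ServerHelloDone, as JSSE prints them.
SERVER_FLIGHT = """\
*** ClientHello, TLSv1
*** ServerHello, TLSv1
*** Certificate chain
chain [0] = [
  Subject: CN=customer.example.net, O=Example Customer
  Issuer: CN=Example Public CA, O=Example Trust
]
***
"""

# One-way TLS only: the server never sends CertificateRequest.
SAMPLE_ONE_WAY_ONLY = SERVER_FLIGHT + """\
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
*** Finished
"""

# Server asks, but no key in the client keystore matches the listed CAs,
# so JSSE answers with an empty chain and no CertificateVerify.
SAMPLE_EMPTY_CHAIN = SERVER_FLIGHT + """\
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=Example Customer Client CA, O=Example Customer>
*** ServerHelloDone
*** Certificate chain
<Empty>
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
*** Finished
"""

# Full mutual handshake: the self-signed client cert is its own issuer and
# that DN is in the server's accepted list, so the key manager picks it.
SAMPLE_MUTUAL = SERVER_FLIGHT + """\
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=camelproxy, OU=Integration, O=Example>
*** ServerHelloDone
matching alias: camelproxy
*** Certificate chain
chain [0] = [
  Subject: CN=camelproxy, OU=Integration, O=Example
  Issuer: CN=camelproxy, OU=Integration, O=Example
]
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
*** CertificateVerify
*** Finished
"""


def _flights(trace):
    """Everything before ServerHelloDone is the server's flight, the rest the client's."""
    head, sep, tail = trace.partition(SERVER_HELLO_DONE)
    return head, (tail if sep else "")


def _chain(flight):
    """(subject, issuer) pairs of the first Certificate message in a flight.

    Returns None when there is no Certificate message at all and [] for
    the '<Empty>' chain JSSE sends when it found no usable client key.
    """
    idx = flight.find(CERT_CHAIN)
    if idx < 0:
        return None
    body = flight[idx + len(CERT_CHAIN):]
    end = re.search(r"^\*\*\*", body, re.M)  # the dump ends at the next *** line
    body = body[:end.start()] if end else body
    subjects = re.findall(r"^\s*Subject:\s*(.+)$", body, re.M)
    issuers = re.findall(r"^\s*Issuer:\s*(.+)$", body, re.M)
    return list(zip(subjects, issuers))


def parse_handshake(trace):
    """Pull the client-auth related facts out of one handshake trace."""
    server_flight, client_flight = _flights(trace)
    requested = CERT_REQUEST in server_flight
    authorities = []
    if requested:
        request = server_flight[server_flight.index(CERT_REQUEST):]
        authorities = re.findall(r"^<(.+)>$", request, re.M)  # Cert Authorities lines
    chain = _chain(client_flight)
    return {
        "server_hello_done_seen": bool(client_flight) or SERVER_HELLO_DONE in trace,
        "server_requested_client_cert": requested,
        "accepted_issuers": authorities,
        "client_sent_cert": bool(chain),
        "client_cert_subject": chain[0][0] if chain else None,
        "client_cert_issuer": chain[0][1] if chain else None,
        "certificate_verify_sent": CERT_VERIFY in client_flight,
    }


def diagnose(trace):
    """One-line verdict on why mutual TLS did or did not happen."""
    h = parse_handshake(trace)
    if not h["server_hello_done_seen"]:
        return "incomplete trace: no ServerHelloDone, handshake never reached the client-auth step"
    if not h["server_requested_client_cert"]:
        return "server never sent CertificateRequest: client auth is not enabled on the server side"
    if not h["client_sent_cert"]:
        return ("server asked for a client cert but the client sent an empty chain: "
                "no key in the keystore matched the accepted issuers [%s]"
                % ", ".join(h["accepted_issuers"]))
    if not h["certificate_verify_sent"]:
        return "client sent a certificate but no CertificateVerify: private key missing or unusable"
    return "mutual TLS handshake complete: client presented %s" % h["client_cert_subject"]


if __name__ == "__main__":
    for name, trace in (("one-way", SAMPLE_ONE_WAY_ONLY),
                        ("empty-chain", SAMPLE_EMPTY_CHAIN),
                        ("mutual", SAMPLE_MUTUAL)):
        print("%-12s %s" % (name, diagnose(trace)))
```

Run it against a real trace with `diagnose(open("handshake.log").read())`. The first sample is the pattern described in the mail above (only the one-way steps, no CertificateVerify); in that case the client-side conduit configuration is not the problem, because the client can only send a certificate when the server first sends `CertificateRequest`. If the request is there but the chain is `<Empty>`, the cause is the key manager: JSSE only offers a key whose certificate issuer is in the server's `Cert Authorities` list (or any key when that list is empty), and a self-signed certificate is its own issuer, so its own subject DN must appear in that list. Separately, the `cipherSuitesFilter` in the configuration above (the same illustrative filter the CXF documentation page shows) includes `_WITH_NULL_`, `_EXPORT_` and single-DES suites, i.e. no encryption or deliberately weakened encryption; for a customer-facing link it should include only strong suites such as AES.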