I'm trying to get SSL to work with CXF, but continue to get
Caused by: java.io.IOException: The https URL hostname does not match the Common Name (CN) on the server certificate. To disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true.
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1795)
    at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
    at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1852)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:593)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    ... 72 more
If I set disableCNCheck(true), then the code works properly. But I do not
want to leave that flag set to true in a production environment. I'm using
CXF 2.1.2. The service endpoint and HTTP conduit are configured in a Spring
XML file like so:
<jaxws:endpoint id="testSoapService"
                implementor="#testServiceImpl"
                address="/test/soap"
                name="ns:TestService"
                serviceName="ns:TestService"
                endpointName="ns:TestServicePort"
                xmlns:ns="http://test.service.run.com"/>

<http-conf:conduit name="*.http-conduit">
  <http-conf:client AllowChunking="true" />
  <http-conf:tlsClientParameters secureSocketProtocol="SSL">
    <sec:keyManagers keyPassword="changeit">
      <sec:keyStore type="JKS" password="changeit"
                    file="/home/jboss-4.2.2.GA/server/default/conf/server.keystore"/>
    </sec:keyManagers>
    <sec:trustManagers>
      <sec:keyStore type="JKS" password="changeit"
                    file="/home/jboss-4.2.2.GA/server/default/conf/server.truststore"/>
    </sec:trustManagers>
  </http-conf:tlsClientParameters>
</http-conf:conduit>
The client is configured programmatically using JaxWsProxyFactoryBean. The
client HTTP conduit is also configured programmatically like so:
// imports needed by the snippet below
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;

Client client = ClientProxy.getClient(wsSSLBean.getClient());
HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
try {
    TLSClientParameters tlsParams = new TLSClientParameters();

    // initialize the store which the client truststore is loaded into
    KeyStore trustStore = KeyStore.getInstance("JKS");
    String trustPassword = wsSSLBean.getTruststorePassword();
    // location of the server cert stored on the client box
    File truststoreFile = new File(wsSSLBean.getTruststoreLoc());
    FileInputStream trustIn = new FileInputStream(truststoreFile);
    try {
        trustStore.load(trustIn, trustPassword.toCharArray());
    } finally {
        trustIn.close(); // release the file handle once the store is loaded
    }
    // load the truststore into httpConduit's tlsClientParams
    TrustManagerFactory trustFactory =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustFactory.init(trustStore);
    TrustManager[] tm = trustFactory.getTrustManagers();
    tlsParams.setTrustManagers(tm);

    // initialize the store which the client keystore is loaded into
    KeyStore keyStore = KeyStore.getInstance("JKS");
    String keyPassword = wsSSLBean.getKeystorePassword();
    // location of client.keystore, which houses the client's keys and cert
    File keystoreFile = new File(wsSSLBean.getKeystoreLoc());
    FileInputStream keyIn = new FileInputStream(keystoreFile);
    try {
        keyStore.load(keyIn, keyPassword.toCharArray());
    } finally {
        keyIn.close();
    }
    // load the keystore into httpConduit's tlsClientParams
    KeyManagerFactory keyFactory =
        KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyFactory.init(keyStore, keyPassword.toCharArray());
    KeyManager[] km = keyFactory.getKeyManagers();
    tlsParams.setKeyManagers(km);

    // protocol name handed to SSLContext.getInstance; matches the conduit XML above
    tlsParams.setSecureSocketProtocol("SSL");

    // set the HTTP client policy to allow chunking
    HTTPClientPolicy clientPol = new HTTPClientPolicy();
    clientPol.setAllowChunking(true);

    // set tlsParams and the HTTP policy into httpConduit
    httpConduit.setTlsClientParameters(tlsParams);
    httpConduit.setClient(clientPol);
} catch (Exception e) {
    // pass the exception itself so the stack trace is not lost
    log.error("configureSSLOnClient: " + e.getMessage(), e);
}
The common name on the cert and the hostname of the URL match up, so I'm not
sure why I continue to receive this error. Any advice would be greatly
appreciated.
Thanks,
wonderingWV
--
View this message in context:
http://www.nabble.com/Http-conduit-disableCNCheck-tp20444655p20444655.html
Sent from the cxf-user mailing list archive at Nabble.com.
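The check the exception refers to compares the host part of the service URL against the names the server certificate carries. A quick way to see what those names actually are, rather than disabling the check, is to dump the CN and subjectAltName dNSName entries of each certificate in the truststore and run the host through an RFC 2818-style match. The following is an added example written for this page; it is not code from the original post or from CXF, and it assumes the truststore is a JKS file like the one in the conduit configuration above. Whether CXF 2.1.2 applies exactly the RFC 2818 rule implemented here is an assumption; the matcher is there to make the comparison visible.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added diagnostic, not CXF's own code: lists the CN and dNSName SANs of every
// certificate in a JKS truststore and says whether a URL host would pass an
// RFC 2818-style host check against it. That CXF 2.1.2 applies exactly this
// rule is an assumption; the aim is to see which names the certificate carries.
public class CertHostnameCheck {
    private static final int SAN_DNS_NAME = 2; // type tag for dNSName SAN entries

    // CN attribute of the subject DN, or null when the subject has none
    static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    // dNSName entries of the subjectAltName extension, empty if there are none
    static List<String> dnsSubjectAltNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<String>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> entry : sans) {
                if (((Integer) entry.get(0)).intValue() == SAN_DNS_NAME) {
                    names.add((String) entry.get(1));
                }
            }
        }
        return names;
    }

    // RFC 2818 rule: dNSName SANs, when present, replace the CN entirely; a
    // wildcard is honoured only as the leftmost label and covers one label.
    static boolean hostnameMatches(String host, String cn, List<String> sanDnsNames) {
        List<String> candidates = !sanDnsNames.isEmpty() ? sanDnsNames
                : cn != null ? Collections.singletonList(cn) : Collections.<String>emptyList();
        String h = host.toLowerCase(Locale.ROOT);
        for (String candidate : candidates) {
            String c = candidate.toLowerCase(Locale.ROOT);
            if (c.equals(h)) {
                return true;
            }
            if (c.startsWith("*.") && h.endsWith(c.substring(1))) {
                String leftmost = h.substring(0, h.length() - c.length() + 1);
                if (leftmost.length() > 0 && leftmost.indexOf('.') < 0) {
                    return true;
                }
            }
        }
        return false;
    }

    // Walks the truststore and prints the names and the verdict per certificate
    static void inspect(String storePath, String storePassword, String host) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(storePath);
        try {
            ks.load(in, storePassword.toCharArray());
        } finally {
            in.close();
        }
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                String cn = commonName((X509Certificate) c);
                List<String> sans = dnsSubjectAltNames((X509Certificate) c);
                System.out.println(alias + ": CN=" + cn + " SAN=" + sans + " accepts host '"
                        + host + "': " + hostnameMatches(host, cn, sans));
            }
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 3) {
            inspect(args[0], args[1], args[2]); // <truststore> <store password> <URL host>
        } else {
            // Constructed names so the matcher can be exercised without any keystore
            List<String> none = Collections.emptyList();
            System.out.println(hostnameMatches("svc.example.com", "svc.example.com", none));
            System.out.println(hostnameMatches("10.0.0.5", "svc.example.com", none));
            System.out.println(hostnameMatches("svc.example.com", "box01",
                    Collections.singletonList("svc.example.com")));
            System.out.println(hostnameMatches("a.b.example.com", "*.example.com", none));
        }
    }
}
```

Run it as `java CertHostnameCheck /path/to/server.truststore changeit <host-from-service-url>` to see, per alias, which names the certificate carries and whether the URL host is accepted. The constructed cases in main cover the situations that most often produce this error even when "the CN matches": the URL using an IP address or a short hostname rather than the exact CN, a certificate whose SAN entries override the CN, and a wildcard that does not reach a deeper subdomain.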