I am using the latest Oracle jdk (_25?) and cxf 2.3.0
I have configured a basic server to deliver a web service using CXF
using the following article:
http://aruld.info/programming-ssl-for-jetty-based-cxf-services/
I did not re-use any of the sample keys/stores...
1. I generated my own keystore and key (la.jks)
2. I exported a certificate for that entry (server.cer)
3. I imported and trusted the certificate in a new truststore (la.trust)
Here is the effective part of my code where I configure CXF
programmatically:
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSServerParameters;
import org.apache.cxf.configuration.security.ClientAuthentication;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.transport.http_jetty.JettyHTTPServerEngineFactory;

TLSServerParameters tlsParams = new TLSServerParameters();
String password = "password";

// Key store: the server's own private key and certificate (la.jks).
KeyStore keyStore = KeyStore.getInstance("JKS");
FileInputStream keyIn = new FileInputStream(new File("la.jks"));
try {
    keyStore.load(keyIn, password.toCharArray());
} finally {
    keyIn.close();
}
KeyManagerFactory keyFactory =
    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyFactory.init(keyStore, password.toCharArray());
KeyManager[] km = keyFactory.getKeyManagers();
tlsParams.setKeyManagers(km);

// Trust store: the issuer certificates the server accepts from clients (la.trust).
KeyStore trustStore = KeyStore.getInstance("JKS");
FileInputStream trustIn = new FileInputStream(new File("la.trust"));
try {
    trustStore.load(trustIn, password.toCharArray());
} finally {
    trustIn.close();
}
TrustManagerFactory trustFactory =
    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(trustStore);
TrustManager[] tm = trustFactory.getTrustManagers();
tlsParams.setTrustManagers(tm);

// Cipher suite filter as in the referenced article. Note that the include
// patterns select export-grade, single-DES and NULL-encryption suites,
// all of which are weak; only anonymous DH is excluded.
FiltersType filter = new FiltersType();
filter.getInclude().add(".*_EXPORT_.*");
filter.getInclude().add(".*_EXPORT1024_.*");
filter.getInclude().add(".*_WITH_DES_.*");
filter.getInclude().add(".*_WITH_NULL_.*");
filter.getExclude().add(".*_DH_anon_.*");
tlsParams.setCipherSuitesFilter(filter);

// Client authentication: want=false/required=false is one-way SSL;
// setting both to true makes the server demand a client certificate.
ClientAuthentication ca = new ClientAuthentication();
ca.setRequired(false);
ca.setWant(false);
tlsParams.setClientAuthentication(ca);

JettyHTTPServerEngineFactory factory = new JettyHTTPServerEngineFactory();
factory.setTLSServerParametersForPort(port, tlsParams);
When I start this up I am able to access the ?WSDL for my service at
http://machinename:9999/ServiceName?WSDL
in IE 7 and I am prompted that the certificate is not trusted as
expected, then when I accept it, I get my WSDL. That is one way since:
ca.setRequired(false);
ca.setWant(false);
And is working fine.
If I change that code to:
ca.setRequired(true);
ca.setWant(true);
Then the server will expect a certificate to be provided from the
client (browser) during handshake. So I import the server.cer into my
browser's trusted publishers list and attempt to connect and this
exception is thrown on the server:
javax.net.ssl.SSLProtocolException: handshake alert: no_certificate
Note that this exception occurs whether I have imported the certificate
into my browser or not and it *seems* at least that the browser is not
understanding that it needs to or is not sending the right certificate.
Am I missing a step? Have I not accounted for some aspect of the
keystores/truststores/certs? Have I not exported the proper
cert/artifact and hence imported the wrong thing into my browser to test
2 way SSL?
At least I know that my code does seem to tell the server to require a
client cert for SSL, but cannot get it to provide one/the right one.
Thanks!
Chris
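As an added diagnostic (not code from the post or from CXF), the following program loads the server's truststore the same way the configuration above does, prints the issuer names the server advertises in its CertificateRequest, and checks whether the certificate chain in a client PKCS12 file (assumed to be named client.p12 and protected with the same password) would be accepted by that truststore.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ClientCertCheck {
    // Build the same trust manager the server gets from la.trust.
    static X509TrustManager serverTrustManager(String path, char[] pw) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try { ts.load(in, pw); } finally { in.close(); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager from " + path);
    }
    // The chain of the first private-key entry in a PKCS12 file (what a browser presents).
    static X509Certificate[] clientChain(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        FileInputStream in = new FileInputStream(path);
        try { ks.load(in, pw); } finally { in.close(); }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            Certificate[] c = ks.getCertificateChain(alias);
            X509Certificate[] chain = new X509Certificate[c.length];
            for (int i = 0; i < c.length; i++) chain[i] = (X509Certificate) c[i];
            return chain;
        }
        throw new IllegalStateException("no private-key entry in " + path);
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "password".toCharArray();   // assumed: same password for both files
        X509TrustManager tm = serverTrustManager("la.trust", pw);
        // These subject DNs are what the server lists in its CertificateRequest;
        // a browser only offers client certificates issued by one of them.
        for (X509Certificate ca : tm.getAcceptedIssuers())
            System.out.println("server accepts issuer: " + ca.getSubjectX500Principal());
        X509Certificate[] chain = clientChain("client.p12", pw);   // assumed file name
        System.out.println("client cert issued by: " + chain[0].getIssuerX500Principal());
        tm.checkClientTrusted(chain, chain[0].getPublicKey().getAlgorithm()); // throws if not trusted
        System.out.println("client chain accepted by la.trust");
    }
}
```

If checkClientTrusted throws, or the client certificate's issuer is not among the printed names, the browser has no matching certificate to present during the handshake.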