Hi, I'm kind of stuck here. It seems HttpsURLConnectionInfo.getLocalCertificates() is null. Any idea how I can get the certificates in there? I was thinking the <sec:keyManagers> configuration within <http:tlsClientParameters> in <http:conduit> should be used. But there's no effect of this configuration.
-Vinay

-----Original Message-----
From: Penmatsa, Vinay
Sent: Monday, August 08, 2011 1:21 PM
To: [email protected]
Subject: RE: TLSClientParameters

Hi Dan,
Thanks for adding the feature. Meanwhile, I started to use spring configuration. The server is configured for X.509 Client certificate authentication to STS, and the client cert is added to server truststore. I followed the STSClient sample in http://cxf.apache.org/docs/ws-trust.html
But I get the following exception:

--
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
        at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:118)
        at org.apache.cxf.transport.http.TrustDecisionUtil.makeTrustDecision(TrustDecisionUtil.java:80)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1299)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1264)
        at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
        at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1342)
---

My conf:

---
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
       xsi:schemaLocation="
         http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
         http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

  <http:conduit name="{http://docs.oasis-open.org/ws-sx/ws-trust/200512}X5092.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
      <sec:keyManagers keyPassword="password1">
        <sec:keyStore type="JKS" password="password" file="client.jks" />
      </sec:keyManagers>
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="password" file="client_trust.jks" />
      </sec:trustManagers>
    </http:tlsClientParameters>
    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
  </http:conduit>

  <bean id="stsclient" class="org.apache.cxf.ws.security.trust.STSClient">
    <constructor-arg ref="cxf" />
    <property name="requiresEntropy" value="false" />
    <property name="wsdlLocation" value="<wsdl>" />
    <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512}STS" />
    <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512}X5092" />
    <property name="properties">
      <map>
        <entry key="ws-security.username" value="wsclient"/>
        <entry key="ws-security.signature.properties" value="wss40_client.properties" />
        <entry key="ws-security.encryption.properties" value="wss40_idp.properties" />
        <entry key="ws-security.encryption.username" value="idp" />
      </map>
    </property>
  </bean>
</beans>
---

SpringBusFactory bf = new SpringBusFactory();
URL busFile = Client.class.getResource("cxf-client.xml");
Bus bus = bf.createBus(busFile.toString());
BusFactory.setDefaultBus(bus);
STSClient stsClient = (STSClient) bus.getExtension(BusApplicationContext.class).getBean("stsclient");
stsClient.requestSecurityToken();
---

The server truststore has the client cert.
What might be the reason for this exception?

-Vinay

-----Original Message-----
From: Daniel Kulp [mailto:[email protected]]
Sent: Monday, August 08, 2011 12:30 PM
To: [email protected]
Cc: Penmatsa, Vinay
Subject: Re: TLSClientParameters

On Monday, August 08, 2011 8:42:53 AM Penmatsa, Vinay wrote:
> Hi Dan,
> Thanks.
> How can I set the TLS params in the STSClient? Is there an example of using
> STSClient this way?

I just checked the code and there isn't a way to access the underlying client from the STSClient. I just added a getClient call which can be used in the future and that will be in CXF 2.4.2, but right now, the only way is through configuration. :-(

(or use some reflection magic to call the private createClient() call and grab the client field, but that really sucks)

Dan

> -Vinay
>
> -----Original Message-----
> From: Daniel Kulp [mailto:[email protected]]
> Sent: Friday, August 05, 2011 5:29 PM
> To: [email protected]
> Cc: Penmatsa, Vinay
> Subject: Re: TLSClientParameters
>
> > Client client = ClientProxy.getClient(port);
> > STSClient stsClient = new STSClient(client.getBus());
>
> You have two separate clients there.... the client from the port and an
> STSClient. You are setting the TLS stuff on the port's client, but not the
> STSClient. That's likely the issue.
>
> Dan
>
> On Friday, August 05, 2011 12:11:43 PM Penmatsa, Vinay wrote:
> > Hi Dan,
> > No. But not sure if I'm affecting it somehow.
> > Here's my code:
> >
> > ------
> > Client client = ClientProxy.getClient(port);
> > STSClient stsClient = new STSClient(client.getBus());
> > HTTPConduit http = (HTTPConduit) client.getConduit();
> > TLSClientParameters param = new TLSClientParameters();
> > param.setDisableCNCheck(true);
> > Properties cProps = new Properties();
> > cProps.load(new FileReader("client.properties"));
> > Merlin m = new Merlin(cProps);
> > KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
> > TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> > kmf.init(m.getKeyStore(), "password1".toCharArray());
> > tmf.init(m.getTrustStore());
> > param.setKeyManagers(kmf.getKeyManagers());
> > param.setTrustManagers(tmf.getTrustManagers());
> > http.setTlsClientParameters(param);
> >
> > stsClient.setWsdlLocation("<wsdl url>");
> > stsClient.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512}STS");
> > stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512}UT");
> > Map<String,Object> stsProps = new HashMap<String,Object>();
> > stsProps.put("ws-security.username", "user");
> > stsProps.put("ws-security.password", "password");
> > stsClient.setProperties(stsProps);
> > SecurityToken st = stsClient.requestSecurityToken();
> > -----
> >
> > I'm using cxf 2.4.
> >
> > -----Original Message-----
> > From: Daniel Kulp [mailto:[email protected]]
> > Sent: Friday, August 05, 2011 11:49 AM
> > To: [email protected]
> > Cc: Penmatsa, Vinay
> > Subject: Re: TLSClientParameters
> >
> > On Friday, August 05, 2011 11:32:08 AM Penmatsa, Vinay wrote:
> > > Hi Prisca,
> > > Thanks for the link.
> > > This can be a fallback solution, but I prefer to do it
> > > programmatically.
> > > While debugging the source, it seems a new conduit object is created
> > > in HttpTransportFactory.getConduit(). So, the client.getConduit() in my
> > > code is ignored. Not sure how to fix that.
> >
> > Do you have a different ConduitSelector installed on the client? The
> > default one should just be creating a single Conduit for the client and
> > re-using it. I'm not sure why a second call to
> > HttpTransportFactory.getConduit would be occurring.
> >
> > Dan
> >
> > > Regards,
> > > Vinay
> > >
> > > -----Original Message-----
> > > From: Prisca POLYTE [mailto:[email protected]]
> > > Sent: Friday, August 05, 2011 11:18 AM
> > > To: [email protected]
> > > Subject: Re: TLSClientParameters
> > >
> > > Hey,
> > >
> > > is it possible for you to use Spring for instance ?
> > >
> > > If it is then you should have a look to
> > > http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-ConfiguringSSLSupport
> > >
> > > HTH
> > >
> > > Regards
> > > --
> > > Prisca
> > >
> > > On Fri, Aug 5, 2011 at 5:10 PM, Penmatsa, Vinay <[email protected]> wrote:
> > > > I'm unable to set the 'disableCNCheck' programmatically as
> > > > below:
> > > >
> > > > HTTPConduit http = (HTTPConduit) client.getConduit();
> > > > TLSClientParameters param = new TLSClientParameters();
> > > > param.setDisableCNCheck(true);
> > > > http.setTlsClientParameters(param);
> > > >
> > > > What's the correct way to do this?
> > > >
> > > > Thanks,
> > > > Vinay

--
Daniel Kulp
[email protected]
http://dankulp.com/blog
Talend - http://www.talend.com
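Programmatic version of what this thread converges on, added here as an example; it is not code from the thread or from the CXF project. It assumes the STSClient.getClient() accessor Dan says he added for CXF 2.4.2, reuses the keystore file names and passwords from Vinay's Spring config, uses a placeholder WSDL URL, and adds a check that the client keystore really holds a private key entry, since a key manager built from a certificate-only store presents nothing in the handshake and is one way to end up with "no local certificates were negotiated".

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.ws.security.trust.STSClient;

public class StsClientTlsExample {
    // Load a JKS store; when requireKeyEntry is set, refuse a store that holds only
    // certificates, because a KeyManager built from it has nothing to present in the
    // handshake and the RST then fails with "no local certificates were negotiated".
    static KeyStore loadKeyStore(String file, char[] pwd, boolean requireKeyEntry) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, pwd);
        }
        boolean hasKey = false;
        for (String alias : Collections.list(ks.aliases())) {
            hasKey |= ks.isKeyEntry(alias);
        }
        if (requireKeyEntry && !hasKey) {
            throw new IllegalStateException(file + " has no private key entry to present");
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        Bus bus = BusFactory.getDefaultBus();
        STSClient stsClient = new STSClient(bus);
        stsClient.setWsdlLocation("<wsdl url>");   // placeholder, as in the thread
        stsClient.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512}STS");
        stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512}X5092");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore("client.jks", "password".toCharArray(), true), "password1".toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore("client_trust.jks", "password".toCharArray(), false));
        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(kmf.getKeyManagers());
        tls.setTrustManagers(tmf.getTrustManagers());
        // Hostname verification stays enabled; the thread's disableCNCheck="true" is a test-only shortcut.
        // getClient() (assumed; the accessor Dan mentions adding for 2.4.2) returns the STSClient's own
        // client, so the TLS parameters land on the conduit the RST is sent over, not the port's.
        ((HTTPConduit) stsClient.getClient().getConduit()).setTlsClientParameters(tls);
        stsClient.requestSecurityToken();
    }
}
```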
