Hi Glen, Thank you. It looks much clear. I passed issues with SSL by generating new tomcat keystore(I used real host name). I generated certificate request and received cert chain from CA(we have dev purpose CA) and imported it to tomcat keystore. I need this for .NET client(recognize root cert) to access STS endpoints over https.
At some point, I am going to check out Fediz example which has your update and test it. Thanks again. Gina On Mon, Jul 16, 2012 at 3:13 PM, Glen Mazza <gma...@talend.com> wrote: > Hi Gina, I updated Fediz trunk a few days ago with new specific keystores > (all provided in the download) for each portion of the application and also > fully spelled out the trust requirements between the various components. I > also provided scripts on how to make your own keys should you wish to > update yours: > http://svn.apache.org/viewvc/**cxf/fediz/trunk/examples/**samplekeys/** > HowToGenerateKeysREADME.html?**view=co<http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co> > > They all work fine with the present samples. This should show up in the > next release of Fediz. > > I don't know if any of this would help you, if so (or if not...), let me > know which portion of your questions below remain. > > Regards, > Glen > > > > On 07/16/2012 02:28 PM, Gina Choi wrote: > >> Hi All, >> >> Both my web service and STS are running on different Tomcat instance and >> are configured to run on https. When I run CXF client, I was getting "PKIX >> path building failed: SunCertPathBuilderException: unable to find valid >> certification path to requested target.". So, I exported Tomcat cert and >> imported it to Java Keystore. >> >> Then I was getting following error message. I think that this is because >> my >> tomcat keystore uses CN as "localhost" while I am pointing >> "wkengchoi.global.sdl.corp" elsewhere. I was too lazy to create Tomcat >> keystore or to change my references to "wkengchoi.global.sdl.corp", so I >> decided to set "disableCNCheck" to true. >> >> Caused by: com.ctc.wstx.exc.**WstxIOException: The https URL hostname >> does >> not match the Common Name (CN) on the server certificate. To disable this >> check (NOT recommended for production) set the CXF client TLS >> configuration >> property "disableCNCheck" to true >> >> So, I added following content to my cxf.xml on the client. I found two >> problems here. First, should I reference keyStore to Java keyStore or >> clientstore.jks? >> >> <http:conduit name="https://.*";> >> >> <http:tlsClientParameters disableCNCheck="true"> >> >> <sec:trustManagers> >> >> <sec:keyStore type="jks" password="cspass" >> resource="clientstore.jks"/> >> >> </sec:trustManagers> >> >> </http:tlsClientParameters> >> </http:conduit> >> >> Second, with above configuration, I am getting following error message. It >> looks like that I need to add schema file about element "http:conduit". >> So, >> I searched CXF test file, but couldn't find it. I have been spent several >> hours to deal with this issue and running out my time for today. Could >> anyone tell me what is correct configuration for https in client side? >> >> Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.c: The >> matching wildcard is strict, but no declaration can be found for element >> 'http:conduit'. >> >> Thanks. >> >> Gina >> >> > > -- > Glen Mazza > Talend Community Coders > coders.talend.com > blog: www.jroller.com/gmazza > >
