Here is the error we get:

javax.net.ssl.SSLKeyException: SSLKeyException invoking https://123.1.2.3:876: 
[Security:090477]Certificate chain received from 192.168.88.89 - 192.168.88.89 
--> 123.1.2.3 was not trusted causing SSL handshake failure.

-----Original Message-----
From: David Balažic [mailto:[email protected]] 
Sent: 18. March 2013 17:55
To: [email protected]
Subject: not using defined truststore?
Importance: Low

Hi!

We use Apache CXF 2.3.3 (was actual at that time...) with Spring to call some 
web services over HTTPS.

In config we have:

        <jaxws:client id="problemClient" serviceClass="com.example.FooWS"
                      address="https://localhost:8080/fake/" />
        <jaxws:client id="workingClient" serviceClass="com.example.BarWs"
                      address="https://bar.example.com:443/barws/BarWs" />

        <http-conf:conduit name=".*">
                <http-conf:tlsClientParameters disableCNCheck="true">
                        <sec:keyManagers keyPassword="keyPassOne">
                                <sec:keyStore type="PKCS12" password="keyPassOne" file="our.pfx"/>
                        </sec:keyManagers>
                        <sec:trustManagers>
                                <sec:keyStore password="passTwo" file="/trustKeystore/file"/>
                        </sec:trustManagers>
                </http-conf:tlsClientParameters>
                <http-conf:client AutoRedirect="true" Connection="Keep-Alive"
                                  ConnectionTimeout="120000" ReceiveTimeout="600000" />
        </http-conf:conduit>


The problem is that one ("workingClient") works, the other ("problemClient") 
does not. The only difference in calling code is that the problemClient has an 
extra line to set the actual server address:

        @Autowired
        @Qualifier("problemClient")
        private FooWS m_fooClient;
...

                if (m_fooClient instanceof BindingProvider) {
                        provider = (BindingProvider) m_fooClient;
                        provider.getRequestContext().put("thread.local.request.context", "true");
                        // extra line to set service address:
                        provider.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
                                        "https://some.working.address/x/yWS");
                }
                m_fooClient.theCall("fooooo"); // the actual call


The error is a certificate trust error. The certificate is added to the 
configured truststore, but it seems to be ignored. If it is added to the system 
truststore, then it works.

Is there something simple that we overlooked?

The application server running the app is WebLogic.

Regards,
David Balažic
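
One way to check whether the conduit behind each client proxy actually carries the `tlsClientParameters` from the Spring config is shown below. It is an added example, not code from the original post or from the CXF project. The class name `ConduitTlsReport` and its `describe` method are hypothetical, and it assumes CXF and the injected proxies (`m_fooClient` and the `workingClient` bean) are available at runtime.

```java
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.Conduit;
import org.apache.cxf.transport.http.HTTPConduit;

/** Hypothetical diagnostic helper (not part of CXF or of the original post). */
public final class ConduitTlsReport {

    private ConduitTlsReport() { }

    /** Describes the TLS settings attached to the conduit behind a CXF client proxy. */
    public static String describe(Object clientProxy) {
        Client client = ClientProxy.getClient(clientProxy);
        Conduit conduit = client.getConduit();
        StringBuilder out = new StringBuilder("conduit class: ")
                .append(conduit.getClass().getName()).append('\n');
        if (!(conduit instanceof HTTPConduit)) {
            return out.append("not an HTTP conduit, no TLS parameters to inspect\n").toString();
        }
        TLSClientParameters tls = ((HTTPConduit) conduit).getTlsClientParameters();
        if (tls == null) {
            // The <http-conf:conduit> element did not match this client's conduit.
            return out.append("no tlsClientParameters applied to this conduit\n").toString();
        }
        // true means the host name in the server certificate is not verified.
        out.append("disableCNCheck: ").append(tls.isDisableCNCheck()).append('\n');
        TrustManager[] tms = tls.getTrustManagers();
        if (tms == null || tms.length == 0) {
            return out.append("no trust managers configured on this conduit\n").toString();
        }
        for (TrustManager tm : tms) {
            out.append("trust manager: ").append(tm.getClass().getName()).append('\n');
            if (tm instanceof X509TrustManager) {
                // List every certificate the configured truststore accepts as an issuer.
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    out.append("  trusts: ")
                       .append(ca.getSubjectX500Principal().getName()).append('\n');
                }
            }
        }
        return out.toString();
    }
}
```

Logging `ConduitTlsReport.describe(...)` for both proxies and comparing the output shows whether the two conduits were configured identically and whether the expected certificate subject appears under `trusts:`.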
