Hi
Will it make sense to introduce a callback password provider? I guess
it may also be useful in cases where HttpConduit falls back to using
system properties?
Cheers, Sergey
On 18/07/14 12:03, Andrei Shakirin wrote:
Hi,
I did try that. I must have goofed up with the passwords. But it's working now.
But I need to understand something. The entry looks something like this:
<sec:keyManagers keyPassword="keyPassword" >
<sec:keyStore file=".keystore"
password="keyStorepassword" type="jks" />
</sec:keyManagers>
If there is more than one key in the keystore with the same password, which
entry is the correct one as per CXF?
How does it identify the correct one if we do not specify an alias?
Perhaps I am missing something very elementary.
By default the KeyManager assumes that there is only one key in the keystore. If you
have more than one key, it is necessary to add the certAlias element to
tlsClientParameters:
<http:tlsClientParameters>
<sec:keyManagers keyPassword="password">
<sec:keyStore type="JKS" password="password"
file="my/file/dir/Morpit.jks"/>
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS" password="password"
file="my/file/dir/Truststore.jks"/>
</sec:trustManagers>
<sec:certAlias>myKey</sec:certAlias>
</http:tlsClientParameters>
https://cwiki.apache.org/confluence/display/CXF20DOC/TLS+Configuration
Regards,
Andrei.
Thanks,
Giriraj.
On Tue, Jul 15, 2014 at 11:58 AM, Andrei Shakirin <[email protected]> wrote:
Hi,
"Unrecoverable key" usually means that your keystore password is incorrect.
Have you tried to access keystore/truststore using JDK keytool?
Regards,
Andrei.
-----Original Message-----
From: Giriraj Bhojak [mailto:[email protected]]
Sent: Dienstag, 15. Juli 2014 00:05
To: [email protected]
Subject: Re: Supplying passwords for key manager and trust manager to http:conduit
Thank you Andrei.
I ended up using Spring EL to supply the password.
But I have noticed that if the keystore and key passwords are different,
I get an "Unrecoverable key" exception.
Is this some sort of bug with Merlin or am I missing something?
Thanks,
Giriraj.
On Sat, Jul 12, 2014 at 11:15 AM, Andrei Shakirin <[email protected]> wrote:
Hi,
In Spring configuration you can only specify the password directly:
<httpj:engine-factory id="port-9001-tls-config">
<httpj:engine port="9001">
<httpj:tlsServerParameters>
<sec:keyManagers keyPassword="password">
<sec:keyStore type="JKS" password="password"
file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS" password="password"
file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
</sec:trustManagers>
</httpj:tlsServerParameters>
</httpj:engine>
</httpj:engine-factory>
But you can get the password from a callback or another store using
programmatic initialization of tlsClientParameters:
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.transport.http.HTTPConduit;

TLSClientParameters tlsClientParameters = new TLSClientParameters();
...
// keyStore: a java.security.KeyStore you have already loaded from file;
// keyPassword: the String returned by your callback (null if the key has no password)
String alg = KeyManagerFactory.getDefaultAlgorithm();
char[] keyPass = keyPassword != null
    ? keyPassword.toCharArray()
    : null;
KeyManagerFactory fac = KeyManagerFactory.getInstance(alg);
fac.init(keyStore, keyPass);                       // key password, not necessarily the store password
tlsClientParameters.setKeyManagers(fac.getKeyManagers());
HTTPConduit http = (HTTPConduit) client.getConduit();
http.setTlsClientParameters(tlsClientParameters);
...
Regards,
Andrei.
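The programmatic route Andrei outlines above, combined with the "which key does CXF pick when the keystore holds several" question answered with sec:certAlias earlier in this thread, as one added example. This is my code, not code from this thread or from the CXF project. It assumes a caller-supplied javax.security.auth.callback.CallbackHandler that answers PasswordCallbacks (for instance backed by a vault or a console prompt), keystore/truststore paths and an alias passed in by the caller, and a hand-written AliasKeyManager wrapper that does programmatically what the sec:certAlias element does declaratively; the class and method names (CallbackTlsConfigurer, askPassword, loadJks, build, apply) are mine.

```java
import java.io.*;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.*;
import javax.security.auth.callback.*;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/** Added example (not CXF code): TLSClientParameters built from callback-supplied passwords. */
public final class CallbackTlsConfigurer {

    /** Asks the handler for one secret; the prompt tells it which one is wanted. */
    static char[] askPassword(CallbackHandler handler, String prompt)
            throws IOException, UnsupportedCallbackException {
        PasswordCallback cb = new PasswordCallback(prompt, false);
        handler.handle(new Callback[] {cb});
        char[] pw = cb.getPassword();   // getPassword() returns a copy
        cb.clearPassword();             // wipe the callback's own copy
        return pw;
    }

    /** Loads a JKS file; a wrong store password fails here with an IOException. */
    static KeyStore loadJks(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /**
     * Client-side key manager that always offers the configured alias. Without it the
     * JDK manager picks one private-key entry matching the server's accepted key types
     * and issuers (effectively the first it finds), which is the ambiguity the thread asks
     * about. Hypothetical wrapper; CXF's sec:certAlias is the declarative equivalent.
     */
    static final class AliasKeyManager extends X509ExtendedKeyManager {
        private final X509KeyManager delegate;
        private final String alias;

        AliasKeyManager(X509KeyManager delegate, String alias) {
            this.delegate = delegate;
            this.alias = alias;
        }
        @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket s) {
            // Only hand out the alias if it really is a private-key entry in the store.
            return delegate.getPrivateKey(alias) != null ? alias : null;
        }
        @Override public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine e) {
            return chooseClientAlias(keyTypes, issuers, null);
        }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) {
            return delegate.chooseServerAlias(keyType, issuers, s);
        }
        @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
            return delegate.getClientAliases(keyType, issuers);
        }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
            return delegate.getServerAliases(keyType, issuers);
        }
        @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    }

    public static TLSClientParameters build(CallbackHandler handler, String keyStorePath,
            String trustStorePath, String certAlias) throws Exception {
        // Three separate prompts: a JKS private-key entry has its own password, which need
        // not equal the store password. Handing the store password to KeyManagerFactory.init()
        // when the two differ is what raises UnrecoverableKeyException ("Cannot recover key").
        char[] storePass = askPassword(handler, "keystore password");
        char[] keyPass = askPassword(handler, "key password");
        char[] trustPass = askPassword(handler, "truststore password");
        try {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadJks(keyStorePath, storePass), keyPass);
            KeyManager[] kms = kmf.getKeyManagers();
            for (int i = 0; i < kms.length; i++) {
                if (kms[i] instanceof X509KeyManager) {
                    kms[i] = new AliasKeyManager((X509KeyManager) kms[i], certAlias);
                }
            }
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(loadJks(trustStorePath, trustPass));

            TLSClientParameters tls = new TLSClientParameters();
            tls.setKeyManagers(kms);
            tls.setTrustManagers(tmf.getTrustManagers());
            return tls;
        } finally {
            // char[] rather than String so the secrets can be zeroed once the factories hold the keys.
            Arrays.fill(storePass, '\0');
            Arrays.fill(keyPass, '\0');
            Arrays.fill(trustPass, '\0');
        }
    }

    /** Attaches the parameters to the HTTPConduit behind a JAX-WS proxy. */
    public static void apply(Object jaxwsProxy, TLSClientParameters tls) {
        Client client = ClientProxy.getClient(jaxwsProxy);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
    }
}
```

Usage: `apply(port, build(myHandler, "my/file/dir/Morpit.jks", "my/file/dir/Truststore.jks", "myKey"))` before the first call on the proxy. The loadJks step fails first if the store password is wrong, and kmf.init fails with UnrecoverableKeyException if the key password is wrong, so the two failure modes discussed in the thread are distinguishable in the stack trace; keytool -list -keystore Morpit.jks is the quick way to confirm the store password independently of CXF.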
-----Original Message-----
From: Giriraj Bhojak [mailto:[email protected]]
Sent: Freitag, 11. Juli 2014 22:16
To: [email protected]
Subject: Supplying passwords for key manager and trust manager to http:conduit
Hello all,
I am using http-conduit for SSL support in CXF 2.7.11.
Is there a way I can specify a password callback for <sec:keyManagers>
and <sec:trustManagers>?
Thanks,
Giriraj.