Hi Sergei,

Yes, supporting a callback password provider will make life easier for users configuring SSL in Spring/Blueprint but having access to passwords only at runtime.

Regards,
Andrei.

> -----Original Message-----
> From: Sergey Beryozkin [mailto:[email protected]]
> Sent: Tuesday, 22 July 2014 11:01
> To: [email protected]
> Subject: Re: Supplying passwords for key manager and trust manager to http:conduit
>
> Hi
>
> Will it make sense to introduce a callback password provider? I guess it may also be useful in cases where HttpConduit falls back to using system properties?
>
> Cheers, Sergey
>
> On 18/07/14 12:03, Andrei Shakirin wrote:
> > Hi,
> >
> >> I did try that. I must have goofed up with the passwords. But it's working now.
> >> But I need to understand something. The entry looks something like this:
> >>
> >> <sec:keyManagers keyPassword="keyPassword" >
> >>     <sec:keyStore file=".keystore" password="keyStorepassword" type="jks" />
> >> </sec:keyManagers>
> >>
> >> If there is more than one key in the keystore with the same password, which entry is the correct entry as per CXF?
> >> How does it identify the correct one if we do not specify an alias?
> >> Perhaps I am missing something very elementary.
> >
> > By default KeyManager assumes that there is only one key in the keystore. If you have more than one key, it is necessary to add a certAlias element to tlsClientParameters:
> >
> > <http:tlsClientParameters>
> >   <sec:keyManagers keyPassword="password">
> >     <sec:keyStore type="JKS" password="password" file="my/file/dir/Morpit.jks"/>
> >   </sec:keyManagers>
> >   <sec:trustManagers>
> >     <sec:keyStore type="JKS" password="password" file="my/file/dir/Truststore.jks"/>
> >   </sec:trustManagers>
> >   <sec:certAlias>myKey</sec:certAlias>
> > </http:tlsClientParameters>
> >
> > https://cwiki.apache.org/confluence/display/CXF20DOC/TLS+Configuration
> >
> > Regards,
> > Andrei.
> >>
> >> Thanks,
> >> Giriraj.
> >>
> >> On Tue, Jul 15, 2014 at 11:58 AM, Andrei Shakirin <[email protected]> wrote:
> >>
> >>> Hi,
> >>>
> >>> "Unrecoverable key" usually means that your keystore password is incorrect.
> >>> Have you tried to access the keystore/truststore using the JDK keytool?
> >>>
> >>> Regards,
> >>> Andrei.
> >>>
> >>>> -----Original Message-----
> >>>> From: Giriraj Bhojak [mailto:[email protected]]
> >>>> Sent: Tuesday, 15 July 2014 00:05
> >>>> To: [email protected]
> >>>> Subject: Re: Supplying passwords for key manager and trust manager to http:conduit
> >>>>
> >>>> Thank you Andrei.
> >>>> I ended up using Spring EL to supply the password.
> >>>> But I have noticed that if the keystore and key passwords are different, I get an "Unrecoverable key" exception.
> >>>> Is this some sort of bug with Merlin or am I missing something?
> >>>>
> >>>> Thanks,
> >>>> Giriraj.
> >>>>
> >>>> On Sat, Jul 12, 2014 at 11:15 AM, Andrei Shakirin <[email protected]> wrote:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>> In Spring configuration you can only specify the password directly:
> >>>>>
> >>>>> <httpj:engine-factory id="port-9001-tls-config">
> >>>>>   <httpj:engine port="9001">
> >>>>>     <httpj:tlsServerParameters>
> >>>>>       <sec:keyManagers keyPassword="password">
> >>>>>         <sec:keyStore type="JKS" password="password"
> >>>>>                       file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
> >>>>>       </sec:keyManagers>
> >>>>>       <sec:trustManagers>
> >>>>>         <sec:keyStore type="JKS" password="password"
> >>>>>                       file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
> >>>>>       </sec:trustManagers>
> >>>>>     </httpj:tlsServerParameters>
> >>>>>   </httpj:engine>
> >>>>> </httpj:engine-factory>
> >>>>>
> >>>>> But you can get the password from a callback or another store using programmatic initialization of tlsClientParameters:
> >>>>>
> >>>>> TLSClientParameters tlsClientParameters = new TLSClientParameters();
> >>>>> ...
> >>>>> String alg = KeyManagerFactory.getDefaultAlgorithm();
> >>>>> char[] keyPass = keyPassword != null
> >>>>>     ? keyPassword.toCharArray()
> >>>>>     : null;
> >>>>> KeyManagerFactory fac = KeyManagerFactory.getInstance(alg);
> >>>>> fac.init(keyStore, keyPass);
> >>>>> tlsClientParameters.setKeyManagers(fac.getKeyManagers());
> >>>>> HTTPConduit http = (HTTPConduit) client.getConduit();
> >>>>> http.setTlsClientParameters(tlsClientParameters);
> >>>>> ...
> >>>>>
> >>>>> Regards,
> >>>>> Andrei.
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Giriraj Bhojak [mailto:[email protected]]
> >>>>>> Sent: Friday, 11 July 2014 22:16
> >>>>>> To: [email protected]
> >>>>>> Subject: Supplying passwords for key manager and trust manager to http:conduit
> >>>>>>
> >>>>>> Hello all,
> >>>>>>
> >>>>>> I am using http-conduit for SSL support in CXF 2.7.11.
> >>>>>> Is there a way I can specify a password callback for <sec:keyManagers> and <sec:trustManagers>?
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Giriraj.
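As an added example (not code from this thread or from CXF itself), the programmatic initialization Andrei describes can be driven by a JAAS-style CallbackHandler so that the keystore, private-key and truststore passwords exist only at runtime and never in the Spring XML. CallbackTlsConfigurer, the prompt strings and the two path parameters are hypothetical names; a CXF JAX-WS client proxy and the JDK's standard PasswordCallback are assumed.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

// Hypothetical helper: every password is requested from a CallbackHandler at runtime, none is in XML.
public final class CallbackTlsConfigurer {
    // Asks the handler for one password through the JDK's PasswordCallback.
    private static char[] askPassword(CallbackHandler handler, String prompt) throws Exception {
        PasswordCallback cb = new PasswordCallback(prompt, false);
        handler.handle(new Callback[] { cb });
        char[] pw = cb.getPassword();   // returns a copy
        cb.clearPassword();             // wipe the copy still held by the callback
        return pw;
    }

    private static KeyStore load(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    // Builds TLSClientParameters from the three passwords and installs them on the proxy's HTTPConduit.
    public static void configure(Object jaxwsProxy, CallbackHandler handler,
                                 String keyStorePath, String trustStorePath) throws Exception {
        char[] storePass = askPassword(handler, "keystore password");
        char[] keyPass   = askPassword(handler, "private key password");   // may differ from storePass
        char[] trustPass = askPassword(handler, "truststore password");
        try {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(keyStorePath, storePass), keyPass);   // init() wants the key password, not the store password
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(load(trustStorePath, trustPass));
            TLSClientParameters tls = new TLSClientParameters();
            tls.setKeyManagers(kmf.getKeyManagers());
            tls.setTrustManagers(tmf.getTrustManagers());
            ((HTTPConduit) ClientProxy.getClient(jaxwsProxy).getConduit()).setTlsClientParameters(tls);
        } finally {   // zero the password arrays once the factories have consumed them
            Arrays.fill(storePass, '\0'); Arrays.fill(keyPass, '\0'); Arrays.fill(trustPass, '\0');
        }
    }
}
```

Any CallbackHandler that fills a PasswordCallback works here, whether it prompts on a console or reads from a vault client. Passing the keystore password to kmf.init() when the private key has its own, different password is what makes the stock KeyManagerFactory throw the UnrecoverableKeyException mentioned in the thread.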
