Configuring a CFXEndPoint with multiple certificates

2018-12-03 Thread Richard Davis
We are trying to make client requests to a SOAP web service using the Apache 
CXF component from a central Camel server. The endpoint address is always 
the same; however, the owner of the endpoint wants a different SSL certificate 
depending on which of our high street stores the request originates from.
We have created one CxfEndpoint per store, each with its own 
CxfEndpointConfigurer that sets up the conduit's TlsClientParameters with
the correct certificate store information. Then we've used a RecipientList in 
the route to dynamically select the correct endpoint with the relevant 
certificate.
Unfortunately, because the endpoints all share the same address, the 
configureClient method on the CxfEndpointConfigurer is only ever called once, 
even though each endpoint has a different instance containing different SSL 
configuration info. This results in all the endpoint instances sharing the same 
certificate. As a test we changed the endpoint address for one of the 
CxfEndpoint instances and saw that its related configureClient was called 
correctly.
So it appears that if CxfEndpoints have different addresses then their 
CxfEndpointConfigurer will be called, but if two or more endpoint instances 
share the same address then the CxfEndpointConfigurer is only called once, even 
though those configurers are different instances with different configurations.
Does anyone have any advice on how we can dynamically allocate certificates to 
the same endpoint based on message content (the store ID, effectively)?

Richard Davis | Architect | Healthcare | Boots IT
D90 East EG03| 1 Thane Road | Nottingham | NG90 1BS
Internal: 725481 | External: +44(0) 115 959 5481 | Email: richard.da...@boots.co.uk



Boots UK Limited, Registered 928555, Nottingham NG2 3AA This e-mail (including 
any attachments) is confidential. It may be read, copied and used only by the 
intended recipient. If you are not the intended recipient you should not copy 
it or use it for any purpose or disclose its contents to any other person. If 
you have received this message in error, please notify us and remove it from 
your system. We cannot accept liability for any damage you incur as a result of 
virus infection.


RE: Configuring a CFXEndPoint with multiple certificates

2018-12-07 Thread Richard Davis
I have found what I believe to be the problem:

ProducerCache.doGetProducer does not compare the Endpoint contained in the 
Producer returned by its producers Map with the endpoint supplied by 
RecipientList.resolveEndpoint. ProducerCache keys its Producers by endpoint URI, 
but this does not allow for the creation of Endpoints that have the same URI 
but a different configuration, e.g. a different SSL certificate. Here is the 
piece of code I think is erroneous:

protected synchronized Producer doGetProducer(Endpoint endpoint, boolean pooled) {
    String key = endpoint.getEndpointUri();
    Producer answer = producers.get(key);
    if (pooled && answer == null) {
        // try acquire from connection pool
        answer = pool.acquire(endpoint);
    }

    if (answer == null) {
        // create a new producer
        // ...


If this were changed to something like the following it would allow for 
endpoints with the same URI but different configs:

protected synchronized Producer doGetProducer(Endpoint endpoint, boolean pooled) {
    String key = endpoint.getEndpointUri();
    Producer answer = producers.get(key);

    if (pooled && answer == null) {
        // try acquire from connection pool
        answer = pool.acquire(endpoint);
    }
    // CHANGE TO COMPARE ENDPOINT IN CACHE WITH PROVIDED ENDPOINT
    if (answer == null || answer.getEndpoint() != endpoint) {
        // create a new producer
        // ...

I have done a simple test and it works fine for my use case, i.e. using the same 
Endpoint URI but having a different keystore attached to its config. Not sure 
what side effects it may have, but on the face of it I would say it's pretty 
harmless. I guess it needs approval and testing.


-Original Message-
From: users-return-67968-Richard.Davis=boots.co...@camel.apache.org 
[mailto:users-return-67968-Richard.Davis=boots.co...@camel.apache.org]
Sent: 03 December 2018 16:04
To: users@camel.apache.org
Subject: [CAUTION] Configuring a CFXEndPoint with multiple certificates



RE: Configuring a CFXEndPoint with multiple certificates

2018-12-07 Thread Richard Davis
That solution is actually not very efficient, as the Producer will continually 
be created if the RecipientList endpoints are constantly changing, which is 
likely for my case. The problem is that the cache is keyed on the URI, but for 
my use case this is not enough. I really need the ability to set the 
ProducerCache key programmatically, much as I can when I add the Endpoint to the 
CamelContext.

Extending the CxfEndpoint and overriding getEndpointUri would not work, as the 
URI is always the same and adding extra characters to the returned result would 
break the actual communication.

Really I need something like:

protected synchronized Producer doGetProducer(Endpoint endpoint, boolean pooled) {
    String key = endpoint.getProducerCacheKey(); // new method on Endpoint or Service interface
    Producer answer = producers.get(key);
    // ...

I could then implement / override the getProducerCacheKey() myself.

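The following is an added stand-alone model (not Camel's code and not the PR from this thread) of the two keying strategies discussed in the second and third messages: a cache keyed on the endpoint URI alone, which hands store B the producer (and therefore the client certificate) created for store A, and a cache keyed on a separate getProducerCacheKey() value, which keeps one producer per store while still reusing it across calls. Endpoint, Producer, ProducerCache and the SOAP address are simplified stand-ins, and getProducerCacheKey() is the hypothetical method proposed above.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model (not Camel's own classes) of a producer cache keyed on a
// dedicated cache key instead of the endpoint URI. Requires Java 16+ (records).
public class ProducerCacheKeyDemo {

    interface Endpoint {
        String getEndpointUri();
        // Hypothetical method from the thread; defaults to the URI so endpoints
        // that do not override it keep the existing caching behaviour.
        default String getProducerCacheKey() { return getEndpointUri(); }
    }

    record Producer(Endpoint endpoint) {}

    // Shared SOAP address, but a different client keystore per store.
    record StoreTlsEndpoint(String uri, String keystoreAlias) implements Endpoint {
        @Override public String getEndpointUri() { return uri; } // unchanged: still used to connect
        // The alias selects the client certificate; it is part of the cache key, not the address.
        @Override public String getProducerCacheKey() { return uri + "#keystore=" + keystoreAlias; }
    }

    static final class ProducerCache {
        private final Map<String, Producer> producers = new HashMap<>();
        private final boolean keyByUriOnly;
        ProducerCache(boolean keyByUriOnly) { this.keyByUriOnly = keyByUriOnly; }

        synchronized Producer getProducer(Endpoint endpoint) {
            String key = keyByUriOnly ? endpoint.getEndpointUri() : endpoint.getProducerCacheKey();
            // Same key => same producer, so repeated requests for one store do not recreate it.
            return producers.computeIfAbsent(key, k -> new Producer(endpoint));
        }
    }

    public static void main(String[] args) {
        String soapUri = "cxf://https://supplier.example/soap"; // constructed sample address
        Endpoint storeA = new StoreTlsEndpoint(soapUri, "store-0001");
        Endpoint storeB = new StoreTlsEndpoint(soapUri, "store-0002");
        ProducerCache byUri = new ProducerCache(true);
        byUri.getProducer(storeA);
        // Keyed by URI alone, store B silently receives store A's producer (and certificate).
        System.out.println("uri-keyed: store B got store A's producer? " + (byUri.getProducer(storeB).endpoint() == storeA));

        ProducerCache byKey = new ProducerCache(false);
        Producer a = byKey.getProducer(storeA), b = byKey.getProducer(storeB);
        System.out.println("key-keyed: distinct per store? " + (a != b) + ", store A reused? " + (a == byKey.getProducer(storeA)));
    }
}
```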


Re: Configuring a CFXEndPoint with multiple certificates

2018-12-10 Thread Richard Davis
Couldn't find a clean solution for this, so I've created a JIRA issue: 
CAMEL-12989 "Allow Endpoint to set the key that ProducerCache uses".

I've also created an implementation and submitted a PR.

The solution works well and I now have the ability to use a RecipientList with 
CxfEndpoints that have the same URI but different SSL certificates.
