Re: HTTPS client configuration using JaxWsProxyFactoryBean
Wanted to post the solution I found to this here so that it will live on the Internet for others to find with Google. For whatever reason, Java would not send my client certificate no matter all the advice I managed to find on Google. I had my JaxWsProxyFactoryBean already set up in an XML file with a WSS4JOutInterceptor that handles encryption and signing of the message parts, plus a custom OutInterceptor that injects a custom XML header into every SOAP message. All that was working fine, and then the server switched to mutual authentication mode required, and I started getting SSL handshake failures. What I was able to do was leave the XML alone and configure the CXF client's HTTPConduit using only Java code...

[CODE]
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

// reach the HTTPConduit behind the JAX-WS proxy created from the XML config
Client cxfClient = ClientProxy.getClient(service);
HTTPConduit conduit = (HTTPConduit) cxfClient.getConduit();

// trust any server, quick and easy, not the focus of this problem
TrustManager[] simpleTrustManager = new TrustManager[]{new X509TrustManager() {
    public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; }
    public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) { }
    public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) { }
}};

// client certificate and private key: .pfx file exported from IE with private key
KeyStore ks = KeyStore.getInstance("PKCS12");
FileInputStream in = new FileInputStream(/*KEYSTORE_FILENAME*/);
ks.load(in, /*KEYSTORE_PASSWORD*/.toCharArray());
in.close();
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
keyManagerFactory.init(ks, /*KEYSTORE_PASSWORD*/.toCharArray());
KeyManager[] keyManagers = new KeyManager[]{keyManagerFactory.getKeyManagers()[0]};

// hand both to the conduit; the cert alias selects which key entry is presented
TLSClientParameters tlsParams = new TLSClientParameters();
tlsParams.setTrustManagers(simpleTrustManager);
tlsParams.setKeyManagers(keyManagers);
tlsParams.setSecureSocketProtocol("TLSv1");
tlsParams.setCertAlias(/*CERT_ALIAS_MATCHING_IN_KEYSTORE*/);
conduit.setTlsClientParameters(tlsParams);
[/CODE]

Hope this helps someone else who runs into this problem...

--
View this message in context: http://cxf.547215.n5.nabble.com/HTTPS-client-configuration-using-JaxWsProxyFactoryBean-tp4914087p5745032.html
Sent from the cxf-user mailing list archive at Nabble.com.
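The same conduit wiring with server verification kept, added here as an illustration and not part of the post above or of CXF itself: it assumes a PKCS12 client keystore and a separate truststore holding only the server's CA, both passed in as paths, and the class and method names are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

// Hypothetical helper (not from the thread): same conduit setup as the post,
// but server trust comes from an explicit truststore instead of trust-all.
public final class MutualTlsConduit {
    public static void configure(Object proxy,
                                 String keyStorePath, char[] keyStorePass,
                                 String trustStorePath, char[] trustStorePass)
            throws Exception {
        // Client identity: PKCS12 file with the client certificate and private key.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, keyStorePass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyStorePass);

        // Server trust: only chains ending in a CA from this store are accepted.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(kmf.getKeyManagers());
        tls.setTrustManagers(tmf.getTrustManagers());
        tls.setSecureSocketProtocol("TLSv1.2");
        // Leave hostname verification on: the server cert must match the
        // host in the address given to JaxWsProxyFactoryBean.setAddress().
        tls.setDisableCNCheck(false);

        // Same hook the post uses: reach the HTTPConduit behind the JAX-WS proxy.
        Client cxfClient = ClientProxy.getClient(proxy);
        HTTPConduit conduit = (HTTPConduit) cxfClient.getConduit();
        conduit.setTlsClientParameters(tls);
    }
}
```

Call it on the object returned by factory.create() before the first invocation; if the keystore holds more than one key entry, add tls.setCertAlias(...) as the post does to pick the one to present.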
FW: HTTPS client configuration using JaxWsProxyFactoryBean
Sorry, this got replied to the wrong address.

-----Original Message-----
From: David Sills
Sent: Wednesday, October 19, 2011 7:06 AM
To: 'Daniel Kulp'
Subject: RE: HTTPS client configuration using JaxWsProxyFactoryBean

Daniel:

Many thanks for the suggestions. I have tried using

factory.setEndpointName(new QName("http://of306.ws.abis.datasourceinc.com/", "Of306ServerPort"));

Given the configuration below, does that seem right? It did not work correctly. I also tried several variations on your idea of calling the setAddress method and naming conventions, none of which have yet worked.

Further ideas? I have probably missed something.

David

-----Original Message-----
From: Daniel Kulp [mailto:dk...@apache.org]
Sent: Tuesday, October 18, 2011 1:35 PM
To: users@cxf.apache.org
Cc: David Sills
Subject: Re: HTTPS client configuration using JaxWsProxyFactoryBean

I think if you add a factory.setEndpointName() call to the appropriate qname used in the http:conduit, it should work.

Alternatively, if you set up the address on the factory prior to calling create (factory.setAddress(...)), you can configure the http conduit via something like:

<http:conduit name="https://blah.com:9000/.*">

(note the .* at the end to match all tails)

Dan

On Tuesday, October 18, 2011 11:18:24 AM David Sills wrote:
> All: Is it possible to configure the JaxWsProxyFactoryBean to use HTTPS? It looks as though it should be, but I can't quite figure out how to connect up the bits.
> [...]
HTTPS client configuration using JaxWsProxyFactoryBean
All:

Is it possible to configure the JaxWsProxyFactoryBean to use HTTPS? It looks as though it should be, but I can't quite figure out how to connect up the bits.

I have added this to the Spring configuration file:

[CODE]
<http:conduit name="{http://of306.ws.abis.datasourceinc.com/}Of306ServerPort.http-conduit">
  <http:tlsClientParameters secureSocketProtocol="SSL">
    <sec:keyManagers>
      <sec:keyStore type="JKS" password="0ftobp8ssw0rd" file="C:/Java/jks/of306-truststore.jks"/>
    </sec:keyManagers>
    <sec:trustManagers>
      <sec:keyStore type="JKS" password="0ftobp8ssw0rd" file="C:/Java/jks/of306-truststore.jks"/>
    </sec:trustManagers>
    <sec:cipherSuitesFilter>
      <!-- these filters ensure that a ciphersuite with export-suitable or null encryption is used,
           but exclude anonymous Diffie-Hellman key change as this is vulnerable to man-in-the-middle attacks -->
      <sec:include>.*_EXPORT_.*</sec:include>
      <sec:include>.*_EXPORT1024_.*</sec:include>
      <sec:include>.*_WITH_DES_.*</sec:include>
      <sec:include>.*_WITH_NULL_.*</sec:include>
      <sec:exclude>.*_DH_anon_.*</sec:exclude>
    </sec:cipherSuitesFilter>
  </http:tlsClientParameters>
  <http:client AutoRedirect="true" Connection="Keep-Alive"/>
</http:conduit>
[/CODE]

The name is (appropriately, I think) the namespace + port name + .http-conduit.

(I have also tried using <sec:certStore file="C:/Java/jks/of306-truststore.jks"/> under <sec:trustManagers>.)

However, when I try this:

[CODE]
JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
LoggingInInterceptor inInterceptor = new LoggingInInterceptor();
inInterceptor.setLimit(-1);
factory.getInInterceptors().add(inInterceptor);
LoggingOutInterceptor outInterceptor = new LoggingOutInterceptor();
outInterceptor.setLimit(-1);
factory.getOutInterceptors().add(outInterceptor);
factory.setServiceClass(Of306Service.class);
factory.setAddress(applicationConfig.getMessage("of306.service.url"));
** ConduitSelector conduitSelector = factory.getConduitSelector();
Of306Service client = (Of306Service) factory.create();
PinValidationDataImpl data = new PinValidationDataImpl();
Of306 of306 = (Of306) command;
data.setPin(of306.getPin());
data.setSsn(of306.getSsn());
data.setDateOfBirth(formatter.format(of306.getDateOfBirth().getDate()));
ValidationOutcome outcome = client.validatePin(data);
[/CODE]

The ConduitSelector is null (which didn't surprise me too much, though it certainly looks in the HTTPS setup that it should just work, as so much in Spring does). Do I need to set the ConduitSelector? Is it even possible to do so? Which type should be used?

This is what the logging looks like - it looks as though it's possible it is getting the idea, in fact (and yes, the appropriate exported self-signed certificate is imported into the trust-store, before anyone asks):

[CODE]
2011-10-18 10:53:36,398 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleMessage on interceptor org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor@1a85a3b0
2011-10-18 10:53:36,400 INFO [org.apache.cxf.interceptor.LoggingOutInterceptor] - Outbound Message
---
ID: 1
Address: https://dsills-t1500:8300/dsi-services/secure/Of306Service
Encoding: UTF-8
Content-Type: text/xml
Headers: {Accept=[*/*], SOAPAction=[]}
Messages: (message truncated to -1 bytes)
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns1:validatePin xmlns:ns1="http://of306.ws.abis.datasourceinc.com/"><validationData><pin>33</pin><ssn>555827444</ssn><dateOfBirth>11/01/1953</dateOfBirth></validationData></ns1:validatePin></soap:Body></soap:Envelope>
--
2011-10-18 10:53:36,402 DEBUG [org.apache.cxf.transport.http.Headers] - Accept: */*
2011-10-18 10:53:36,402 DEBUG [org.apache.cxf.transport.http.Headers] - SOAPAction:
2011-10-18 10:53:36,404 DEBUG [org.apache.cxf.transport.http.TrustDecisionUtil] - No Trust Decider for Conduit '{http://of306.ws.abis.datasourceinc.com/}Of306ServicePort.http-conduit'. An afirmative Trust Decision is assumed.
2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor@1a85a3b0
2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor org.apache.cxf.interceptor.StaxOutEndingInterceptor@553d26fd
2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on interceptor
[/CODE]
Re: HTTPS client configuration using JaxWsProxyFactoryBean
I think if you add a factory.setEndpointName() call to the appropriate qname used in the http:conduit, it should work.

Alternatively, if you set up the address on the factory prior to calling create (factory.setAddress(...)), you can configure the http conduit via something like:

<http:conduit name="https://blah.com:9000/.*">

(note the .* at the end to match all tails)

Dan

On Tuesday, October 18, 2011 11:18:24 AM David Sills wrote:
> All: Is it possible to configure the JaxWsProxyFactoryBean to use HTTPS? It looks as though it should be, but I can't quite figure out how to connect up the bits.
> [...]