Re: HTTPS client configuration using JaxWsProxyFactoryBean

2014-06-11 Thread Bob Ross
Wanted to post the solution I found to this here so that it will live on the
Internet for others to find with Google.
For whatever reason... Java would not send my client certificate, no matter
what advice I managed to find on Google.

I had my JaxWsProxyFactoryBean already setup in an xml file with a
WSS4JOutInterceptor that handles encryption and signing of the message
parts, plus a custom OutInterceptor that injects a custom XML header into
every SOAP message.  All that was working fine and then the server switched
to mutual authentication mode required, and I started getting SSL handshake
failures.

What I was able to do was leave the XML alone, and configure the CXF
Client's HTTPConduit using only Java code...

[CODE]
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

// 'service' is the JAX-WS proxy created from the JaxWsProxyFactoryBean.
// KEYSTORE_FILENAME, KEYSTORE_PASSWORD and CERT_ALIAS are placeholders for
// your own values. This runs inside a method that declares 'throws Exception'.
Client cxfClient = ClientProxy.getClient(service);
HTTPConduit conduit = (HTTPConduit) cxfClient.getConduit();

// trust any server, quick and easy, not the focus of this problem
TrustManager[] simpleTrustManager = new TrustManager[] { new X509TrustManager() {
    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
        return null;
    }
    public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
    }
    public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
    }
} };

// .pfx file exported from IE with private key
KeyStore ks = KeyStore.getInstance("PKCS12");
FileInputStream in = new FileInputStream(KEYSTORE_FILENAME);
ks.load(in, KEYSTORE_PASSWORD.toCharArray());
in.close();
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
keyManagerFactory.init(ks, KEYSTORE_PASSWORD.toCharArray());
KeyManager[] keyManagers = new KeyManager[] { keyManagerFactory.getKeyManagers()[0] };

TLSClientParameters tlsParams = new TLSClientParameters();
tlsParams.setTrustManagers(simpleTrustManager);
tlsParams.setKeyManagers(keyManagers);
tlsParams.setSecureSocketProtocol("TLSv1");
tlsParams.setCertAlias(CERT_ALIAS); // alias of the client key entry in the keystore
conduit.setTlsClientParameters(tlsParams);
[/CODE]

Hope this helps someone else who runs into this problem...




--
View this message in context: 
http://cxf.547215.n5.nabble.com/HTTPS-client-configuration-using-JaxWsProxyFactoryBean-tp4914087p5745032.html
Sent from the cxf-user mailing list archive at Nabble.com.
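The snippet in the post above gets the client certificate sent, but the trust-all X509TrustManager it installs accepts any server certificate, so the client will authenticate itself (and sign and encrypt its message parts) to whoever answers on that port. Below is an added example of the same HTTPConduit setup with server authentication kept: the trust store goes through TrustManagerFactory, the client key comes from the PKCS12 file, the key entry is selected by alias, and hostname verification stays on. This is editor-supplied code, not from the original post or from CXF; the file paths, passwords, alias and the `serviceProxy` argument are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public final class MutualTlsConduit {

    private MutualTlsConduit() {
    }

    /** Loads a keystore of the given type ("PKCS12" or "JKS") from disk. */
    static KeyStore loadKeyStore(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Builds TLS parameters that (a) present the client certificate stored under
     * 'clientAlias' and (b) still verify the server against 'trustStorePath'.
     */
    static TLSClientParameters buildTlsParams(String clientStorePath, char[] clientStorePassword,
                                              String clientAlias,
                                              String trustStorePath, char[] trustStorePassword)
            throws Exception {
        // Client identity: the PKCS12 file holding the private key and certificate chain
        KeyStore clientStore = loadKeyStore("PKCS12", clientStorePath, clientStorePassword);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, clientStorePassword);
        KeyManager[] keyManagers = kmf.getKeyManagers();

        // Server trust: a separate store holding only the server's CA (or server) certificate.
        // Never the trust-all manager: that turns mutual TLS into "authenticate to anyone".
        KeyStore trustStore = loadKeyStore("JKS", trustStorePath, trustStorePassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        TrustManager[] trustManagers = tmf.getTrustManagers();

        TLSClientParameters tlsParams = new TLSClientParameters();
        tlsParams.setKeyManagers(keyManagers);
        tlsParams.setTrustManagers(trustManagers);
        // Select the client key entry explicitly; JSSE otherwise takes the first usable
        // entry, which silently sends the wrong certificate when the store holds several.
        tlsParams.setCertAlias(clientAlias);
        tlsParams.setSecureSocketProtocol("TLSv1.2");
        // Hostname verification is on by default; set it explicitly so a "true" copied
        // from a test environment shows up in code review.
        tlsParams.setDisableCNCheck(false);
        return tlsParams;
    }

    /** Attaches the parameters to the conduit behind a proxy created by JaxWsProxyFactoryBean. */
    static void apply(Object serviceProxy, TLSClientParameters tlsParams) {
        Client cxfClient = ClientProxy.getClient(serviceProxy);
        HTTPConduit conduit = (HTTPConduit) cxfClient.getConduit();
        conduit.setTlsClientParameters(tlsParams);
    }

    // Usage (all values are placeholders):
    //   TLSClientParameters p = MutualTlsConduit.buildTlsParams(
    //       "/etc/app/client.pfx", "changeit".toCharArray(), "client",
    //       "/etc/app/truststore.jks", "changeit".toCharArray());
    //   MutualTlsConduit.apply(service, p);
}
```

The trust store and the client key store are deliberately two files: the trust store is world-readable configuration, the PKCS12 file is a secret, and keeping them apart means a copied trust store never carries a private key with it.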


FW: HTTPS client configuration using JaxWsProxyFactoryBean

2011-10-19 Thread David Sills
Sorry, this got replied to the wrong address.

-Original Message-
From: David Sills 
Sent: Wednesday, October 19, 2011 7:06 AM
To: 'Daniel Kulp'
Subject: RE: HTTPS client configuration using JaxWsProxyFactoryBean

Daniel:

Many thanks for the suggestions. I have tried using 

factory.setEndpointName(new QName("http://of306.ws.abis.datasourceinc.com/", "Of306ServerPort"));

Given the configuration below, does that seem right? It did not work
correctly.

I also tried several variations on your idea of calling the setAddress
method and naming conventions, none of which have yet worked.

Further ideas? I have probably missed something

David


-Original Message-
From: Daniel Kulp [mailto:dk...@apache.org] 
Sent: Tuesday, October 18, 2011 1:35 PM
To: users@cxf.apache.org
Cc: David Sills
Subject: Re: HTTPS client configuration using JaxWsProxyFactoryBean



I think if you add a factory.setEndpointName() call to the
appropriate 
qname used in the http:conduit, it should work.

Alternatively, if you setup the address on the factory prior to calling
create 
(factory.setAddress(...)), you can configure the http conduit via
something 
like:


 <http:conduit name="https://blah.com:9000/.*">

(note the .* at the end to match all tails)

Dan


On Tuesday, October 18, 2011 11:18:24 AM David Sills wrote:
> [...]

HTTPS client configuration using JaxWsProxyFactoryBean

2011-10-18 Thread David Sills
All:

 

Is it possible to configure the JaxWsProxyFactoryBean to use HTTPS? It
looks as though it should be, but I can't quite figure out how to
connect up the bits. I have added this to the Spring configuration file:

 

  <http:conduit
      name="{http://of306.ws.abis.datasourceinc.com/}Of306ServerPort.http-conduit">

    <http:tlsClientParameters secureSocketProtocol="SSL">

      <sec:keyManagers>
        <sec:keyStore type="JKS" password="0ftobp8ssw0rd"
                      file="C:/Java/jks/of306-truststore.jks"/>
      </sec:keyManagers>

      <sec:trustManagers>
        <sec:keyStore type="JKS" password="0ftobp8ssw0rd"
                      file="C:/Java/jks/of306-truststore.jks"/>
      </sec:trustManagers>

      <sec:cipherSuitesFilter>
        <!-- these filters ensure that a ciphersuite with
             export-suitable or null encryption is used,
             but exclude anonymous Diffie-Hellman key change as
             this is vulnerable to man-in-the-middle attacks -->
        <sec:include>.*_EXPORT_.*</sec:include>
        <sec:include>.*_EXPORT1024_.*</sec:include>
        <sec:include>.*_WITH_DES_.*</sec:include>
        <sec:include>.*_WITH_NULL_.*</sec:include>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>

    </http:tlsClientParameters>

    <http:client AutoRedirect="true" Connection="Keep-Alive"/>

  </http:conduit>

 

The name is (appropriately, I think) the namespace + port name +
.http-conduit. (I have also tried using
<sec:certStore file="C:/Java/jks/of306-truststore.jks"/> under <sec:trustManagers>.)
However, when I try this:

 

JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();

LoggingInInterceptor inInterceptor = new LoggingInInterceptor();
inInterceptor.setLimit(-1);
factory.getInInterceptors().add(inInterceptor);

LoggingOutInterceptor outInterceptor = new LoggingOutInterceptor();
outInterceptor.setLimit(-1);
factory.getOutInterceptors().add(outInterceptor);

factory.setServiceClass(Of306Service.class);
factory.setAddress(applicationConfig.getMessage("of306.service.url"));

**  ConduitSelector conduitSelector = factory.getConduitSelector();

Of306Service client = (Of306Service) factory.create();

PinValidationDataImpl data = new PinValidationDataImpl();
Of306 of306 = (Of306) command;
data.setPin(of306.getPin());
data.setSsn(of306.getSsn());
data.setDateOfBirth(formatter.format(of306.getDateOfBirth().getDate()));

ValidationOutcome outcome = client.validatePin(data);

 

The ConduitSelector is null (which didn't surprise me too much, though
it certainly looks in the HTTPS setup that it should just work, as so
much in Spring does). Do I need to set the ConduitSelector? Is it even
possible to do so? Which type should be used?

 

This is what the logging looks like - it looks as though it's possible
it is getting the idea, in fact (and yes, the appropriate exported
self-signed certificate is imported into the trust-store, before anyone
asks):

 

2011-10-18 10:53:36,398 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleMessage on
interceptor org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor@1a85a3b0

2011-10-18 10:53:36,400 INFO [org.apache.cxf.interceptor.LoggingOutInterceptor] - Outbound Message
---
ID: 1
Address: https://dsills-t1500:8300/dsi-services/secure/Of306Service
Encoding: UTF-8
Content-Type: text/xml
Headers: {Accept=[*/*], SOAPAction=[]}
Messages: (message truncated to -1 bytes)

Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns1:validatePin xmlns:ns1="http://of306.ws.abis.datasourceinc.com/"><validationData><pin>33</pin><ssn>555827444</ssn><dateOfBirth>11/01/1953</dateOfBirth></validationData></ns1:validatePin></soap:Body></soap:Envelope>
--

2011-10-18 10:53:36,402 DEBUG [org.apache.cxf.transport.http.Headers] - Accept: */*

2011-10-18 10:53:36,402 DEBUG [org.apache.cxf.transport.http.Headers] - SOAPAction: 

2011-10-18 10:53:36,404 DEBUG [org.apache.cxf.transport.http.TrustDecisionUtil] - No Trust Decider for Conduit
'{http://of306.ws.abis.datasourceinc.com/}Of306ServicePort.http-conduit'. An afirmative Trust Decision is assumed.

2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
interceptor org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor@1a85a3b0

2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
interceptor org.apache.cxf.interceptor.StaxOutEndingInterceptor@553d26fd

2011-10-18 10:53:36,430 DEBUG [org.apache.cxf.phase.PhaseInterceptorChain] - Invoking handleFault on
interceptor
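Three things in the http:conduit posted above would be flagged in review, and all three are visible on the page itself. First, the cipherSuitesFilter *includes* export, DES and NULL-encryption suites; the comment is the one from the CXF documentation example and describes the opposite of what a production client wants (a NULL suite sends the PIN, SSN and date of birth in the payload above in clear text over "HTTPS"). Second, keyManagers and trustManagers both point at of306-truststore.jks, which by its name holds imported certificates rather than a private key to present; keyManagers is only needed when the server demands a client certificate. Third, the conduit is registered as {...}Of306ServerPort.http-conduit, while the TrustDecisionUtil log line shows CXF looking up {...}Of306ServicePort.http-conduit, and the same "ServerPort" name reappears in the setEndpointName call tried in the follow-up; a name that matches nothing leaves the conduit with no TLS parameters at all. The fragment below is an added, corrected version of the same conduit (editor-supplied, not the poster's configuration); the passwords and the of306-client.jks key store are placeholders, and the cipher-suite patterns assume a JVM that offers TLS 1.2 GCM suites.

```xml
<!-- Weak cipher filter as posted, kept here for comparison only:
     the include patterns select export, DES and NULL suites.

     <sec:cipherSuitesFilter>
       <sec:include>.*_EXPORT_.*</sec:include>
       <sec:include>.*_EXPORT1024_.*</sec:include>
       <sec:include>.*_WITH_DES_.*</sec:include>
       <sec:include>.*_WITH_NULL_.*</sec:include>
       <sec:exclude>.*_DH_anon_.*</sec:exclude>
     </sec:cipherSuitesFilter>
-->

<!-- Corrected conduit. The name must be the port QName CXF actually logs
     ({ns}Of306ServicePort.http-conduit); otherwise no bean matches. -->
<http:conduit
    name="{http://of306.ws.abis.datasourceinc.com/}Of306ServicePort.http-conduit">

  <http:tlsClientParameters secureSocketProtocol="TLSv1.2" disableCNCheck="false">

    <!-- Only needed if the server requires a client certificate. This store
         holds the client's private key (placeholder file and passwords). -->
    <sec:keyManagers keyPassword="clientKeyPassword">
      <sec:keyStore type="JKS" password="clientStorePassword"
                    file="C:/Java/jks/of306-client.jks"/>
    </sec:keyManagers>

    <!-- Server trust: the store holding the server's (or its CA's) certificate. -->
    <sec:trustManagers>
      <sec:keyStore type="JKS" password="trustStorePassword"
                    file="C:/Java/jks/of306-truststore.jks"/>
    </sec:trustManagers>

    <!-- Allow only AEAD suites with forward secrecy, and name the weak
         families explicitly so a later include cannot let them back in. -->
    <sec:cipherSuitesFilter>
      <sec:include>TLS_ECDHE_.*_WITH_AES_.*_GCM_.*</sec:include>
      <sec:include>TLS_DHE_RSA_WITH_AES_.*_GCM_.*</sec:include>
      <sec:exclude>.*_NULL_.*</sec:exclude>
      <sec:exclude>.*_EXPORT.*</sec:exclude>
      <sec:exclude>.*_DES_.*</sec:exclude>
      <sec:exclude>.*_RC4_.*</sec:exclude>
      <sec:exclude>.*_anon_.*</sec:exclude>
      <sec:exclude>.*_MD5</sec:exclude>
    </sec:cipherSuitesFilter>

  </http:tlsClientParameters>

  <http:client AutoRedirect="true" Connection="Keep-Alive"/>

</http:conduit>
```

Keep the key store password out of the XML in anything beyond a workstation test: a Spring property placeholder resolved from the environment or a secrets store does the job without changing the conduit structure.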

Re: HTTPS client configuration using JaxWsProxyFactoryBean

2011-10-18 Thread Daniel Kulp


I think if you add a factory.setEndpointName() call to the appropriate 
qname used in the http:conduit, it should work.

Alternatively, if you setup the address on the factory prior to calling create 
(factory.setAddress(...)), you can configure the http conduit via something 
like:


 <http:conduit name="https://blah.com:9000/.*">

(note the .* at the end to match all tails)

Dan


On Tuesday, October 18, 2011 11:18:24 AM David Sills wrote:
> [...]
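Dan's two options, naming the conduit after the endpoint QName and setting that QName on the factory, or naming it after the address with a `.*` tail, are the difference between a TLS configuration that is applied and one that is silently skipped: a client whose conduit matched no http:conduit bean has no TLSClientParameters and runs on JSSE defaults (the JVM cacerts trust store, no client key), which fails against a self-signed server exactly as the handleFault lines in David's log show. The following added example (editor-supplied, not from the thread) wires a JaxWsProxyFactoryBean both ways and then checks, before the first call goes out, that the conduit really picked up TLS parameters. The namespace, port name and address are taken from David's log; the service interface passed in and the surrounding Spring context are assumptions.

```java
import javax.xml.namespace.QName;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.transport.http.HTTPConduit;

public final class ConduitWiringCheck {

    // From David's post; PORT is the name the TrustDecisionUtil log line shows CXF using.
    static final String NS = "http://of306.ws.abis.datasourceinc.com/";
    static final String PORT = "Of306ServicePort";
    static final String ADDRESS = "https://dsills-t1500:8300/dsi-services/secure/Of306Service";

    private ConduitWiringCheck() {
    }

    /**
     * Option 1 (Dan's first suggestion): give the factory the endpoint QName, so the
     * conduit is looked up as "{NS}Of306ServicePort.http-conduit" and matches an
     * <http:conduit name="{NS}Of306ServicePort.http-conduit"> bean in the Spring context.
     */
    static <T> T createByEndpointName(Class<T> serviceClass) {
        JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
        factory.setServiceClass(serviceClass);
        factory.setAddress(ADDRESS);
        factory.setEndpointName(new QName(NS, PORT));
        return factory.create(serviceClass);
    }

    /**
     * Option 2 (Dan's second suggestion): match on the address instead. Because the
     * address is set before create(), an <http:conduit name="https://dsills-t1500:8300/.*">
     * bean applies to this client.
     */
    static <T> T createByAddress(Class<T> serviceClass) {
        JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
        factory.setServiceClass(serviceClass);
        factory.setAddress(ADDRESS);
        return factory.create(serviceClass);
    }

    /**
     * Fail fast if the Spring http:conduit did not apply. A conduit without
     * TLSClientParameters falls back to JSSE defaults, which is not what a
     * self-signed or mutual-TLS deployment wants; for the self-signed case
     * here, explicit trust managers are required as well.
     */
    static TLSClientParameters requireTls(Object proxy) {
        Client client = ClientProxy.getClient(proxy);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        TLSClientParameters tls = conduit.getTlsClientParameters();
        if (tls == null) {
            throw new IllegalStateException("no TLSClientParameters on conduit '"
                    + conduit.getConduitName() + "'; check the http:conduit name attribute");
        }
        if (tls.getTrustManagers() == null || tls.getTrustManagers().length == 0) {
            throw new IllegalStateException("conduit '" + conduit.getConduitName()
                    + "' has TLS parameters but no trust managers");
        }
        return tls;
    }

    // Usage (Of306Service is David's service interface, assumed to be on the classpath):
    //   Of306Service svc = ConduitWiringCheck.createByEndpointName(Of306Service.class);
    //   ConduitWiringCheck.requireTls(svc);   // throws before any request is sent
}
```

The conduit name in the exception message is the same string CXF prints in the "No Trust Decider for Conduit" debug line, so when the check fails it tells you directly which name the http:conduit bean needs to carry.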