I just found out that if I introduce another key in the keystore with some password, I get the following:

Caused by: java.security.UnrecoverableKeyException: Cannot recover key
    at com.ibm.crypto.provider.s.recover(s.java:90)
    at com.ibm.crypto.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:256)
    at java.security.KeyStore.getKey(KeyStore.java:803)
    at com.ibm.jsse2.uc.<init>(uc.java:113)
    at com.ibm.jsse2.cc$a_.engineInit(cc$a_.java:15)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:16)
    at org.apache.cxf.configuration.jsse.TLSParameterJaxBUtils.getKeyManagers(TLSParameterJaxBUtils.java:279)

If I delete the new entry from the keystore, my test works fine, so the moment I have another protected key in the keystore, I get UnrecoverableKeyException.
Do I need to set up something in order to avoid it?

Thanks,
Giriraj.

On Thu, Jul 17, 2014 at 5:24 PM, Giriraj Bhojak <girira...@gmail.com> wrote:
> I did try that. I must have goofed up with the passwords. But it's working
> now.
> But I need to understand something. The entry looks something like this:
>
> <sec:keyManagers keyPassword="keyPassword" >
>     <sec:keyStore file=".keystore" password="keyStorepassword" type="jks" />
> </sec:keyManagers>
>
> If there is more than one key in the keystore with the same password,
> which entry is the correct entry as per CXF?
> How does it identify the correct one if we do not specify an alias?
> Perhaps I am missing something very elementary.
>
> Thanks,
> Giriraj.
>
> On Tue, Jul 15, 2014 at 11:58 AM, Andrei Shakirin <ashaki...@talend.com> wrote:
>
>> Hi,
>>
>> "Unrecoverable key" usually means that your keystore password is
>> incorrect.
>> Have you tried to access keystore/truststore using JDK keytool?
>>
>> Regards,
>> Andrei.
>>
>> > -----Original Message-----
>> > From: Giriraj Bhojak [mailto:girira...@gmail.com]
>> > Sent: Tuesday, 15 July 2014 00:05
>> > To: users@cxf.apache.org
>> > Subject: Re: Supplying passwords for key manager and trust manager to
>> > http:conduit
>> >
>> > Thank you Andrei.
>> > I ended up using Spring EL to supply the password.
>> > But I have noticed that if the keystore and key passwords are
>> > different, I get an "Unrecoverable key" exception.
>> > Is this some sort of bug with Merlin or am I missing something?
>> >
>> > Thanks,
>> > Giriraj.
>> >
>> > On Sat, Jul 12, 2014 at 11:15 AM, Andrei Shakirin <ashaki...@talend.com> wrote:
>> >
>> > > Hi,
>> > >
>> > > In spring configuration you can only specify password directly:
>> > > <httpj:engine-factory id="port-9001-tls-config">
>> > >   <httpj:engine port="9001">
>> > >     <httpj:tlsServerParameters>
>> > >       <sec:keyManagers keyPassword="password">
>> > >         <sec:keyStore type="JKS" password="password"
>> > >           file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
>> > >       </sec:keyManagers>
>> > >       <sec:trustManagers>
>> > >         <sec:keyStore type="JKS" password="password"
>> > >           file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
>> > >       </sec:trustManagers>
>> > >     </httpj:tlsServerParameters>
>> > >   </httpj:engine>
>> > > </httpj:engine-factory>
>> > >
>> > > But you can get password from the callback or other store using
>> > > programmatic initialization of tlsClientParameters:
>> > > TLSClientParameters tlsClientParameters = new TLSClientParameters();
>> > > ...
>> > > String alg = KeyManagerFactory.getDefaultAlgorithm();
>> > > char[] keyPass = keyPassword != null
>> > >     ? keyPassword.toCharArray()
>> > >     : null;
>> > > KeyManagerFactory fac = KeyManagerFactory.getInstance(alg);
>> > > fac.init(keyStore, keyPass);
>> > > tlsClientParameters.setKeyManagers(fac.getKeyManagers());
>> > > HTTPConduit http = (HTTPConduit) client.getConduit();
>> > > http.setTlsClientParameters(tlsClientParameters);
>> > > ...
>> > >
>> > > Regards,
>> > > Andrei.
>> > >
>> > > > -----Original Message-----
>> > > > From: Giriraj Bhojak [mailto:girira...@gmail.com]
>> > > > Sent: Friday, 11 July 2014 22:16
>> > > > To: users@cxf.apache.org
>> > > > Subject: Supplying passwords for key manager and trust manager to
>> > > > http:conduit
>> > > >
>> > > > Hello all,
>> > > >
>> > > > I am using http-conduit for SSL support in CXF 2.7.11.
>> > > > Is there a way I can specify a password callback for
>> > > > <sec:keyManagers> and <sec:trustManagers>?
>> > > >
>> > > > Thanks,
>> > > > Giriraj.
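The trace above comes from KeyManagerFactory.init() walking every private-key entry in the keystore with the one keyPassword it is given, so a second entry protected by a different password makes the whole init fail. The following is an added example (not code from this thread or from CXF) showing that failure next to a scoped variant that copies only the intended alias into an in-memory keystore before handing it to the TLS stack; the keystore path, the alias "client" and both passwords are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.KeyStore.PasswordProtection;
import java.security.KeyStore.PrivateKeyEntry;
import java.security.UnrecoverableKeyException;
import javax.net.ssl.KeyManagerFactory;

// Added example, not CXF code. The standard X509 KeyManagerFactory recovers every
// private-key entry with the single keyPassword it is given, so one entry
// protected by a different password fails init() for the whole keystore.
// Copying only the intended alias into an in-memory keystore avoids that.
public class SingleAliasKeyManager {

    // Builds a KeyManagerFactory over a keystore holding only the chosen alias.
    public static KeyManagerFactory forAlias(KeyStore source, String alias, char[] keyPass)
            throws Exception {
        PasswordProtection prot = new PasswordProtection(keyPass);
        KeyStore.Entry entry = source.getEntry(alias, prot); // only this entry is recovered
        if (!(entry instanceof PrivateKeyEntry)) {
            throw new IllegalArgumentException("not a private-key entry: " + alias);
        }
        KeyStore single = KeyStore.getInstance(KeyStore.getDefaultType());
        single.load(null, null); // empty in-memory keystore
        single.setEntry(alias, entry, prot);
        KeyManagerFactory fac = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        fac.init(single, keyPass); // other aliases and their passwords never reach init()
        return fac;
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = "keyStorepassword".toCharArray(); // placeholder values
        char[] keyPass = "keyPassword".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(".keystore")) { // placeholder path
            ks.load(in, storePass);
        }
        // Naive init over the whole keystore: fails as soon as any other key
        // entry uses a different password (the trace in the thread).
        try {
            KeyManagerFactory fac = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            fac.init(ks, keyPass);
        } catch (UnrecoverableKeyException e) {
            System.out.println("whole-keystore init failed: " + e.getMessage());
        }
        // Scoped init: hand TLSClientParameters only the alias meant for this client.
        KeyManagerFactory fac = forAlias(ks, "client", keyPass); // alias is an assumption
        // tlsClientParameters.setKeyManagers(fac.getKeyManagers());
    }
}
```

The scoped factory also answers the "which entry does CXF pick" question in practice: with a single entry there is nothing for the key manager to choose between.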