Hi,

> I did try that. I must have goofed up with the passwords. But it's working 
> now.
> But I need to understand something. The entry looks something like this:
> 
> <sec:keyManagers keyPassword="keyPassword" >
>                 <sec:keyStore file=".keystore"
>                     password="keyStorepassword" type="jks" />
>             </sec:keyManagers>
> 
> If there are more than one keys in the keystore with the same password, which
> entry is the correct entry as per CXF?
> How does it identify the correct one if we do not specify an alias?
> Perhaps I am missing something very elementary.

By default the KeyManager assumes that there is only one key in the keystore. If you 
have more than one key, it is necessary to add the certAlias element to 
tlsClientParameters:

<http:tlsClientParameters>
      <sec:keyManagers keyPassword="password">
        <sec:keyStore type="JKS" password="password"
                      file="my/file/dir/Morpit.jks"/>
      </sec:keyManagers>
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="password"
                      file="my/file/dir/Truststore.jks"/>
      </sec:trustManagers>
      <sec:certAlias>myKey</sec:certAlias>
</http:tlsClientParameters>

https://cwiki.apache.org/confluence/display/CXF20DOC/TLS+Configuration


Regards,
Andrei.
> 
> Thanks,
> Giriraj.
> 
> 
> On Tue, Jul 15, 2014 at 11:58 AM, Andrei Shakirin <ashaki...@talend.com>
> wrote:
> 
> > Hi,
> >
> > "Unrecoverable key" usually means that your keystore password is incorrect.
> > Have you tried to access keystore/truststore using JDK keytool?
> >
> > Regards,
> > Andrei.
> >
> > > -----Original Message-----
> > > From: Giriraj Bhojak [mailto:girira...@gmail.com]
> > > Sent: Tuesday, 15 July 2014 00:05
> > > To: users@cxf.apache.org
> > > Subject: Re: Supplying passwords for key manager and trust manager
> > > to http:conduit
> > >
> > > Thank you Andrei.
> > > I ended up using Spring EL to supply the password.
> > > But I have noticed that if the keystore and key passwords are
> > > different, I get an "Unrecoverable key" exception.
> > > Is this some sort of bug with Merlin or am I missing something?
> > >
> > > Thanks,
> > > Giriraj.
> > >
> > >
> > > On Sat, Jul 12, 2014 at 11:15 AM, Andrei Shakirin
> > > <ashaki...@talend.com>
> > > wrote:
> > >
> > > > Hi,
> > > >
> > > > In spring configuration you can only specify password directly:
> > > >     <httpj:engine-factory id="port-9001-tls-config">
> > > >         <httpj:engine port="9001">
> > > >             <httpj:tlsServerParameters>
> > > >                 <sec:keyManagers keyPassword="password">
> > > >                     <sec:keyStore type="JKS" password="password"
> > > > file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
> > > >                 </sec:keyManagers>
> > > >                 <sec:trustManagers>
> > > >                     <sec:keyStore type="JKS" password="password"
> > > >                         file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
> > > >                 </sec:trustManagers>
> > > >             </httpj:tlsServerParameters>
> > > >         </httpj:engine>
> > > >     </httpj:engine-factory>
> > > >
> > > > But you can get password from the callback or other store using
> > > > programmatic initialization of tlsClientParameters:
> > > >        TLSClientParameters tlsClientParameters = new TLSClientParameters();
> > > >        ...
> > > >        String alg = KeyManagerFactory.getDefaultAlgorithm();
> > > >         char[] keyPass = keyPassword != null
> > > >                      ? keyPassword.toCharArray()
> > > >                      : null;
> > > >         KeyManagerFactory fac = KeyManagerFactory.getInstance(alg);
> > > >         fac.init(keyStore, keyPass);
> > > >         tlsClientParameters.setKeyManagers(fac.getKeyManagers());
> > > >         HTTPConduit http =
> > > >             (HTTPConduit) client.getConduit();
> > > >         http.setTlsClientParameters(tlsClientParameters);
> > > >         ...
> > > >
> > > > Regards,
> > > > Andrei.
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Giriraj Bhojak [mailto:girira...@gmail.com]
> > > > > Sent: Friday, 11 July 2014 22:16
> > > > > To: users@cxf.apache.org
> > > > > Subject: Supplying passwords for key manager and trust manager
> > > > > to http:conduit
> > > > >
> > > > > Hello all,
> > > > >
> > > > > I am using http-conduit for SSL support in CXF 2.7.11.
> > > > > Is there a way I can specify a password callback for
> > > > > <sec:keyManagers>
> > > > and
> > > > > <sec:trustManagers>?
> > > > >
> > > > > Thanks,
> > > > > Giriraj.
> > > >
> >
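As an added example, not code from this thread or from CXF itself: a Java helper that fetches the store and key passwords from callbacks at runtime (a java.util.function.Supplier stands in for whatever callback you have), checks the key password against the chosen alias so a wrong one fails with a clear message instead of the "Unrecoverable key" error discussed above, and pins the alias programmatically the way <sec:certAlias> does in the XML. The class and method names are hypothetical; the CXF calls are the ones from Andrei's snippet plus TLSClientParameters.setCertAlias, and the same store password supplier is assumed to open both the keystore and the truststore.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.function.Supplier;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public final class ConduitTlsSetup {
    /** Loads a JKS store; the store password opens the file, not the individual key entries. */
    static KeyStore load(String file, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, storePass);
        }
        return ks;
    }
    /** Fails early with a clear message instead of an "Unrecoverable key" error at handshake time. */
    static void checkKeyPassword(KeyStore ks, String alias, char[] keyPass) throws Exception {
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalArgumentException("no key entry for alias '" + alias + "'");
        }
        try {
            ks.getKey(alias, keyPass);
        } catch (UnrecoverableKeyException e) {
            throw new IllegalStateException("key password does not match entry '" + alias + "'", e);
        }
    }
    public static void configure(Object port, String keyStoreFile, String trustStoreFile, String alias,
                                 Supplier<char[]> storePassword, Supplier<char[]> keyPassword) throws Exception {
        KeyStore keyStore = load(keyStoreFile, storePassword.get());
        char[] keyPass = keyPassword.get();          // may legitimately differ from the store password
        checkKeyPassword(keyStore, alias, keyPass);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStoreFile, storePassword.get()));
        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(kmf.getKeyManagers());
        tls.setTrustManagers(tmf.getTrustManagers());
        tls.setCertAlias(alias);                      // programmatic equivalent of <sec:certAlias>
        Client client = ClientProxy.getClient(port);
        HTTPConduit http = (HTTPConduit) client.getConduit();
        http.setTlsClientParameters(tls);
    }
}
```

Call configure(port, ...) once on the JAX-WS proxy before the first request; the alias check is what turns a mismatched key password into a readable failure at startup rather than a failed handshake later.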
