I'm trying to set up a secure service (https) that uses a different URL
than others on that server. I've loaded the new certificate into the NSS
database, but now I can't get the service to return it. When I set the
certAlias parameter, the application fails at startup. If I remove the
certAlias, the application starts and runs as expected, other than
returning the wrong certificate.
Details:
CXF 3.0.3 (also tested with 3.0.4, 3.0.7, and 3.1.5 with the same
results).
Camel 2.14.1
Spring 4.0.9
Tomcat 8.0.20
OpenJDK 1.7.0_91 using NSS in FIPS mode
Relevant config:
<httpj:engine-factory bus="cxf">
    <httpj:engine port="${jetty.https.port}">
        <httpj:tlsServerParameters>
            <sec:keyManagers keyPassword="${jetty.key.password}">
                <sec:keyStore password="${jetty.key.password}"
                              resource="file:///opt/osb/nss_pkcs11_fips.cfg"
                              provider="SunPKCS11-NSS" type="PKCS11" />
            </sec:keyManagers>
            <sec:cipherSuitesFilter>
                <sec:include>TLS.*ECDSA_WITH_AES.*</sec:include>
                <sec:include>TLS.*ECDSA_WITH_3DES.*</sec:include>
                <sec:include>TLS.*RSA_WITH_AES.*</sec:include>
                <sec:include>TLS.*RSA_WITH_3DES.*</sec:include>
            </sec:cipherSuitesFilter>
            <sec:certAlias>CN=dev.sample.org, C=US, ST=Washington, L=Seattle, O=SAMPLE ORG</sec:certAlias>
        </httpj:tlsServerParameters>
    </httpj:engine>
</httpj:engine-factory>
The stack trace:
2016-02-10 09:14:09.207 INFO o.a.c.w.s.f.ReflectionServiceFactoryBean - Creating Service {http://www.seattle.gov/police/sector/wsdl/2016/02}sector from WSDL: wsdl/sector.wsdl
2016-02-10 09:14:10.404 INFO o.a.cxf.endpoint.ServerImpl - Setting the server's publish address to be https://sectd.seattle.gov:5920/sector
2016-02-10 09:14:10.465 INFO o.eclipse.jetty.server.Server - jetty-8.1.15.v20140411
2016-02-10 09:14:10.484 WARN o.e.j.u.c.AbstractLifeCycle - FAILED [email protected]:5920: java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used
java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used
    at sun.security.ssl.SSLContextImpl.chooseKeyManager(SSLContextImpl.java:156) ~[na:1.7.0_91]
    at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:73) ~[na:1.7.0_91]
    at javax.net.ssl.SSLContext.init(SSLContext.java:283) ~[na:1.7.0_91]
    at org.apache.cxf.transport.https_jetty.CXFJettySslSocketConnector.createSSLContext(CXFJettySslSocketConnector.java:142) ~[cxf-rt-transports-http-jetty-3.0.3.jar:3.0.3]
    at org.apache.cxf.transport.https_jetty.CXFJettySslSocketConnector.doStart(CXFJettySslSocketConnector.java:115) ~[cxf-rt-transports-http-jetty-3.0.3.jar:3.0.3]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64) [jetty-util-8.1.15.v20140411.jar:8.1.15.v20140411]
    at org.eclipse.jetty.server.Server.doStart(Server.java:293) [jetty-server-8.1.15.v20140411.jar:8.1.15.v20140411]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64) [jetty-util-8.1.15.v20140411.jar:8.1.15.v20140411]
    at org.apache.cxf.transport.http_jetty.JettyHTTPServerEngine.addServant(JettyHTTPServerEngine.java:417) [cxf-rt-transports-http-jetty-3.0.3.jar:3.0.3]
    at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.activate(JettyHTTPDestination.java:179) [cxf-rt-transports-http-jetty-3.0.3.jar:3.0.3]
    at org.apache.cxf.transport.AbstractObservable.setMessageObserver(AbstractObservable.java:49) [cxf-core-3.0.3.jar:3.0.3]
    at org.apache.cxf.binding.AbstractBindingFactory.addListener(AbstractBindingFactory.java:95) [cxf-core-3.0.3.jar:3.0.3]
    at org.apache.cxf.binding.soap.SoapBindingFactory.addListener(SoapBindingFactory.java:895) [cxf-rt-bindings-soap-3.0.3.jar:3.0.3]
    at org.apache.cxf.endpoint.ServerImpl.start(ServerImpl.java:123) [cxf-core-3.0.3.jar:3.0.3]
    at org.apache.camel.component.cxf.CxfConsumer.doStart(CxfConsumer.java:271) [camel-cxf-2.14.1.jar:2.14.1]
    at org.apache.camel.support.ServiceSupport.start(ServiceSupport.java:61) [camel-core-2.14.1.jar:2.14.1]
    at org.apache.camel.impl.DefaultCamelContext.startService(DefaultCamelContext.java:2148) [camel-core-2.14.1.jar:2.14.1]
    at org.apache.camel.impl.DefaultCamelContext.doStartOrResumeRouteConsumers(DefaultCamelContext.java:2442) [camel-core-2.14.1.jar:2.14.1]
    at org.apache.camel.impl.DefaultCamelContext.doStartRouteConsumers(DefaultCamelContext.java:2378) [camel-core-2.14.1.jar:2.14.1]
    at org.apache.camel.impl.DefaultCamelContext.safelyStartRouteServices(DefaultCamelContext.java:2308) [camel-core-2.14.1.jar:2.14.1]
    at org.apache.camel.impl.DefaultCamelContext.doStartOrResumeRoutes(DefaultCamelContext.java:2081) [camel-core-2.14.1.jar:2.14.1]
    at org.apache.camel.impl.DefaultCamelContext.doStartCamel(DefaultCamelContext.java:1941) [camel-core-2.14.1.jar:2.14.1]
    at org.apache.camel.impl.DefaultCamelContext.doStart(DefaultCamelContext.java:1767) [camel-core-2.14.1.jar:2.14.1]
    at org.apache.camel.support.ServiceSupport.start(ServiceSupport.java:61) [camel-core-2.14.1.jar:2.14.1]
    at org.apache.camel.impl.DefaultCamelContext.start(DefaultCamelContext.java:1735) [camel-core-2.14.1.jar:2.14.1]
    at org.apache.camel.spring.SpringCamelContext.maybeStart(SpringCamelContext.java:254) [camel-spring-2.14.1.jar:2.14.1]
    at org.apache.camel.spring.SpringCamelContext.onApplicationEvent(SpringCamelContext.java:120) [camel-spring-2.14.1.jar:2.14.1]
    at org.apache.camel.spring.CamelContextFactoryBean.onApplicationEvent(CamelContextFactoryBean.java:327) [camel-spring-2.14.1.jar:2.14.1]
    at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:98) [spring-context-4.0.9.RELEASE.jar:4.0.9.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:333) [spring-context-4.0.9.RELEASE.jar:4.0.9.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:778) [spring-context-4.0.9.RELEASE.jar:4.0.9.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:485) [spring-context-4.0.9.RELEASE.jar:4.0.9.RELEASE]
    at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:403) [spring-web-4.0.9.RELEASE.jar:4.0.9.RELEASE]
    at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:306) [spring-web-4.0.9.RELEASE.jar:4.0.9.RELEASE]
    at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:106) [spring-web-4.0.9.RELEASE.jar:4.0.9.RELEASE]
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4728) [catalina.jar:8.0.20]
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5162) [catalina.jar:8.0.20]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) [catalina.jar:8.0.20]
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725) [catalina.jar:8.0.20]
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:701) [catalina.jar:8.0.20]
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717) [catalina.jar:8.0.20]
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:917) [catalina.jar:8.0.20]
    at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1701) [catalina.jar:8.0.20]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [na:1.7.0_91]
    at java.util.concurrent.FutureTask.run(FutureTask.java:262) [na:1.7.0_91]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_91]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_91]
    at java.lang.Thread.run(Thread.java:745) [na:1.7.0_91]
Any help?
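A diagnostic a practitioner would run before touching the CXF config, added here as an example and not part of the original post or of CXF: it opens the same PKCS11/NSS keystore through the SunPKCS11-NSS provider named in the config, lists the alias strings the token actually exposes (what certAlias has to match) with each entry's subject DN, and reports which KeyManager class the default JSSE factory hands back, since the failing check in the stack trace rejects anything that is not SunJSSE's own implementation in FIPS mode. It assumes the provider is already registered in java.security (normal for NSS FIPS mode) and that the token PIN is supplied in an NSS_PIN environment variable; both are assumptions, not something the post states.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;

public class NssKeyStoreCheck {
    public static void main(String[] args) throws Exception {
        // Assumption: the SunPKCS11-NSS provider from the CXF config is already
        // registered via java.security, as it is when NSS FIPS mode is set up.
        Provider p = Security.getProvider("SunPKCS11-NSS");
        if (p == null) {
            throw new IllegalStateException("SunPKCS11-NSS provider not registered");
        }
        // Assumption: the token PIN is passed in the environment, not hard-coded.
        char[] pin = System.getenv("NSS_PIN").toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);

        // 1. Enumerate the token: the alias strings printed here are the values
        //    a certAlias setting must match, alongside each entry's subject DN.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("alias=%s keyEntry=%b subject=%s%n",
                    alias, ks.isKeyEntry(alias),
                    cert == null ? "(none)" : cert.getSubjectX500Principal().getName());
        }

        // 2. Show which KeyManager implementation JSSE's default factory returns.
        //    SSLContext.init() in FIPS mode accepts only SunJSSE's own class
        //    (sun.security.ssl.*); that is the check the stack trace failed.
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pin);
        for (KeyManager km : kmf.getKeyManagers()) {
            String cls = km.getClass().getName();
            boolean sunJsse = cls.startsWith("sun.security.ssl.");
            System.out.printf("KeyManager %s -> %s%n", cls,
                    sunJsse ? "SunJSSE (accepted in FIPS mode)"
                            : "not SunJSSE (rejected by SSLContext.init in FIPS mode)");
        }
    }
}
```

Run it on the same JVM and java.security configuration as Tomcat so the provider and FIPS setting match what the stack trace was produced under.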