It's not possible to use "certAlias" with a FIPS provider. See here for a related discussion:

https://community.oracle.com/thread/1533883?start=0&tstart=0

Colm.

On Thu, Feb 11, 2016 at 6:52 PM, Michael Jeppesen <[email protected]> wrote:
> I'm trying to set up a secure service (https) that uses a different URL
> than others on that server. I've loaded the new certificate into the NSS
> database, but now I can't get the service to return it. When I set the
> certAlias parameter, the application fails at startup. If I remove the
> certAlias, the application starts and runs as expected, other than
> returning the wrong certificate.
>
> Details:
> CXF 3.0.3 (also tested with 3.0.4, 3.0.7, and 3.1.5 with the same results).
> Camel 2.14.1
> Spring 4.0.9
> Tomcat 8.0.20
> OpenJDK 1.7.0_91 using NSS in FIPS mode
>
> Relevant config:
>
> <httpj:engine-factory bus="cxf">
>   <httpj:engine port="${jetty.https.port}">
>     <httpj:tlsServerParameters>
>       <sec:keyManagers keyPassword="${jetty.key.password}">
>         <sec:keyStore password="${jetty.key.password}"
>                       resource="file:///opt/osb/nss_pkcs11_fips.cfg"
>                       provider="SunPKCS11-NSS" type="PKCS11" />
>       </sec:keyManagers>
>       <sec:cipherSuitesFilter>
>         <sec:include>TLS.*ECDSA_WITH_AES.*</sec:include>
>         <sec:include>TLS.*ECDSA_WITH_3DES.*</sec:include>
>         <sec:include>TLS.*RSA_WITH_AES.*</sec:include>
>         <sec:include>TLS.*RSA_WITH_3DES.*</sec:include>
>       </sec:cipherSuitesFilter>
>       <sec:certAlias>CN=dev.sample.org, C=US, ST=Washington, L=Seattle, O=SAMPLE ORG</sec:certAlias>
>     </httpj:tlsServerParameters>
>   </httpj:engine>
> </httpj:engine-factory>
>
> The stacktrace:
>
> 2016-02-10 09:14:09.207 INFO o.a.c.w.s.f.ReflectionServiceFactoryBean - Creating Service {http://www.seattle.gov/police/sector/wsdl/2016/02}sector from WSDL: wsdl/sector.wsdl
> 2016-02-10 09:14:10.404 INFO o.a.cxf.endpoint.ServerImpl - Setting the server's publish address to be https://sectd.seattle.gov:5920/sector
> 2016-02-10 09:14:10.465 INFO o.eclipse.jetty.server.Server - jetty-8.1.15.v20140411
> 2016-02-10 09:14:10.484 WARN o.e.j.u.c.AbstractLifeCycle - FAILED [email protected]:5920: java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used
> java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used
>     at sun.security.ssl.SSLContextImpl.chooseKeyManager(SSLContextImpl.java:156) ~[na:1.7.0_91]
>     at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:73) ~[na:1.7.0_91]
>     at javax.net.ssl.SSLContext.init(SSLContext.java:283) ~[na:1.7.0_91]
>     at org.apache.cxf.transport.https_jetty.CXFJettySslSocketConnector.createSSLContext(CXFJettySslSocketConnector.java:142) ~[cxf-rt-transports-http-jetty-3.0.3.jar:3.0.3]
>     at org.apache.cxf.transport.https_jetty.CXFJettySslSocketConnector.doStart(CXFJettySslSocketConnector.java:115) ~[cxf-rt-transports-http-jetty-3.0.3.jar:3.0.3]
>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64) [jetty-util-8.1.15.v20140411.jar:8.1.15.v20140411]
>     at org.eclipse.jetty.server.Server.doStart(Server.java:293) [jetty-server-8.1.15.v20140411.jar:8.1.15.v20140411]
>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64) [jetty-util-8.1.15.v20140411.jar:8.1.15.v20140411]
>     at org.apache.cxf.transport.http_jetty.JettyHTTPServerEngine.addServant(JettyHTTPServerEngine.java:417) [cxf-rt-transports-http-jetty-3.0.3.jar:3.0.3]
>     at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.activate(JettyHTTPDestination.java:179) [cxf-rt-transports-http-jetty-3.0.3.jar:3.0.3]
>     at org.apache.cxf.transport.AbstractObservable.setMessageObserver(AbstractObservable.java:49) [cxf-core-3.0.3.jar:3.0.3]
>     at org.apache.cxf.binding.AbstractBindingFactory.addListener(AbstractBindingFactory.java:95) [cxf-core-3.0.3.jar:3.0.3]
>     at org.apache.cxf.binding.soap.SoapBindingFactory.addListener(SoapBindingFactory.java:895) [cxf-rt-bindings-soap-3.0.3.jar:3.0.3]
>     at org.apache.cxf.endpoint.ServerImpl.start(ServerImpl.java:123) [cxf-core-3.0.3.jar:3.0.3]
>     at org.apache.camel.component.cxf.CxfConsumer.doStart(CxfConsumer.java:271) [camel-cxf-2.14.1.jar:2.14.1]
>     at org.apache.camel.support.ServiceSupport.start(ServiceSupport.java:61) [camel-core-2.14.1.jar:2.14.1]
>     at org.apache.camel.impl.DefaultCamelContext.startService(DefaultCamelContext.java:2148) [camel-core-2.14.1.jar:2.14.1]
>     at org.apache.camel.impl.DefaultCamelContext.doStartOrResumeRouteConsumers(DefaultCamelContext.java:2442) [camel-core-2.14.1.jar:2.14.1]
>     at org.apache.camel.impl.DefaultCamelContext.doStartRouteConsumers(DefaultCamelContext.java:2378) [camel-core-2.14.1.jar:2.14.1]
>     at org.apache.camel.impl.DefaultCamelContext.safelyStartRouteServices(DefaultCamelContext.java:2308) [camel-core-2.14.1.jar:2.14.1]
>     at org.apache.camel.impl.DefaultCamelContext.doStartOrResumeRoutes(DefaultCamelContext.java:2081) [camel-core-2.14.1.jar:2.14.1]
>     at org.apache.camel.impl.DefaultCamelContext.doStartCamel(DefaultCamelContext.java:1941) [camel-core-2.14.1.jar:2.14.1]
>     at org.apache.camel.impl.DefaultCamelContext.doStart(DefaultCamelContext.java:1767) [camel-core-2.14.1.jar:2.14.1]
>     at org.apache.camel.support.ServiceSupport.start(ServiceSupport.java:61) [camel-core-2.14.1.jar:2.14.1]
>     at org.apache.camel.impl.DefaultCamelContext.start(DefaultCamelContext.java:1735) [camel-core-2.14.1.jar:2.14.1]
>     at org.apache.camel.spring.SpringCamelContext.maybeStart(SpringCamelContext.java:254) [camel-spring-2.14.1.jar:2.14.1]
>     at org.apache.camel.spring.SpringCamelContext.onApplicationEvent(SpringCamelContext.java:120) [camel-spring-2.14.1.jar:2.14.1]
>     at org.apache.camel.spring.CamelContextFactoryBean.onApplicationEvent(CamelContextFactoryBean.java:327) [camel-spring-2.14.1.jar:2.14.1]
>     at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:98) [spring-context-4.0.9.RELEASE.jar:4.0.9.RELEASE]
>     at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:333) [spring-context-4.0.9.RELEASE.jar:4.0.9.RELEASE]
>     at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:778) [spring-context-4.0.9.RELEASE.jar:4.0.9.RELEASE]
>     at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:485) [spring-context-4.0.9.RELEASE.jar:4.0.9.RELEASE]
>     at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:403) [spring-web-4.0.9.RELEASE.jar:4.0.9.RELEASE]
>     at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:306) [spring-web-4.0.9.RELEASE.jar:4.0.9.RELEASE]
>     at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:106) [spring-web-4.0.9.RELEASE.jar:4.0.9.RELEASE]
>     at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4728) [catalina.jar:8.0.20]
>     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5162) [catalina.jar:8.0.20]
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) [catalina.jar:8.0.20]
>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725) [catalina.jar:8.0.20]
>     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:701) [catalina.jar:8.0.20]
>     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717) [catalina.jar:8.0.20]
>     at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:917) [catalina.jar:8.0.20]
>     at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1701) [catalina.jar:8.0.20]
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [na:1.7.0_91]
>     at java.util.concurrent.FutureTask.run(FutureTask.java:262) [na:1.7.0_91]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_91]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_91]
>     at java.lang.Thread.run(Thread.java:745) [na:1.7.0_91]
>
> Any help?

-- 
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
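The exception in the quoted trace is raised by SunJSSE's FIPS-mode check in SSLContextImpl.chooseKeyManager, which accepts only SunJSSE's own X509KeyManager implementations. CXF implements certAlias by wrapping the KeyManagers from the keystore in an alias-selecting X509KeyManager of its own, and it is that wrapper the check rejects, which is why the same keystore starts fine once certAlias is removed. The following Java program is an added diagnostic written for this page; it is not code from the thread or from CXF. It opens the same PKCS11 keystore, lists the key entries the NSS token exposes to Java, confirms that the unwrapped SunJSSE KeyManager initialises an SSLContext in FIPS mode, and prints which alias SunJSSE's default chooser would actually serve per key type. The class name, the NSS_TOKEN_PIN environment variable and the choice of the SunX509 algorithm are assumptions; the provider name SunPKCS11-NSS and the PKCS11 keystore type are taken from the config quoted above.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

/**
 * Added diagnostic for the FIPS/PKCS11 setup in the thread (hypothetical class,
 * not part of CXF). Run it with the same java.security file as the application,
 * so that SunJSSE is in FIPS mode and SunPKCS11-NSS is already registered.
 *
 * Assumptions: provider name "SunPKCS11-NSS" and keystore type "PKCS11" come
 * from the quoted config; the token PIN is read from NSS_TOKEN_PIN (assumed name).
 */
public class FipsKeyManagerCheck {

    /** Aliases of key entries on the token, as Java's PKCS11 keystore exposes them. */
    static List<String> keyEntries(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                out.add(alias);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // In a FIPS configuration the provider is registered via java.security;
        // constructing a second SunPKCS11 instance against the same NSS DB would fail.
        Provider nss = Security.getProvider("SunPKCS11-NSS");
        if (nss == null) {
            System.err.println("SunPKCS11-NSS is not registered; this JVM is not using the FIPS java.security");
            System.exit(1);
        }
        char[] pin = System.getenv("NSS_TOKEN_PIN").toCharArray();

        KeyStore ks = KeyStore.getInstance("PKCS11", nss);
        ks.load(null, pin);
        System.out.println("key entries on token: " + keyEntries(ks));

        // SunJSSE's own factory produces the only KeyManager classes FIPS mode accepts.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509", "SunJSSE");
        kmf.init(ks, pin);
        KeyManager[] kms = kmf.getKeyManagers();
        for (KeyManager km : kms) {
            System.out.println("KeyManager implementation: " + km.getClass().getName());
        }

        // Unwrapped SunJSSE KeyManagers pass the FIPS check; an alias-selecting
        // wrapper around them is what yields "only SunJSSE KeyManagers may be used".
        SSLContext ctx = SSLContext.getInstance("TLS", "SunJSSE");
        ctx.init(kms, null, new SecureRandom());
        System.out.println("SSLContext initialised via provider " + ctx.getProvider().getName());

        // Without certAlias the default chooser serves the first suitable entry for
        // the negotiated key type, so several entries of one type mean the server
        // may present a certificate other than the one intended.
        for (KeyManager km : kms) {
            if (km instanceof X509KeyManager) {
                X509KeyManager x = (X509KeyManager) km;
                for (String keyType : new String[] {"RSA", "EC"}) {
                    String[] aliases = x.getServerAliases(keyType, null);
                    System.out.println(keyType + " server aliases: "
                        + (aliases == null ? "none" : Arrays.toString(aliases))
                        + ", default choice: " + x.chooseServerAlias(keyType, null, null));
                }
            }
        }
    }
}
```

Run it as `java -Djava.security.properties=... FipsKeyManagerCheck` under the same JVM configuration the service uses. If more than one alias is listed for a key type, the "default choice" line shows the certificate the FIPS-mode server will present, which is the "wrong certificate" symptom described in the quoted message once certAlias is removed.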
