Hi,
I think you should put this question on the servicemix mailing list.
Other comments inline
On 2011-12-13, at 6:08 PM, raakula wrote:
Hi,
We are using the ServiceMix CXF Binding component, which has CXF version 2.2.6.
In it we want to have the below functionality implemented.
1. Basic TLS configuration (2 way handshake)
Did your client, SoapUI, also have SSL support configured?
We have a testcase[1] in SMX to demonstrate how to configure it with
both client[2] and server[3] in servicemix-cxf-bc; you may want to take a
look.
[1]https://svn.apache.org/repos/asf/servicemix/components/trunk/bindings/servicemix-cxf-bc/src/test/java/org/apache/servicemix/cxfbc/ws/security/CxfBcHttpsConsumerTest.java
[2]https://svn.apache.org/repos/asf/servicemix/components/trunk/bindings/servicemix-cxf-bc/src/test/resources/org/apache/servicemix/cxfbc/ws/security/provider/WibbleClient.xml
[3]https://svn.apache.org/repos/asf/servicemix/components/trunk/bindings/servicemix-cxf-bc/src/test/resources/org/apache/servicemix/cxfbc/ws/security/provider/CherryServer.xml
2. In case the handshake fails due to an invalid certificate, we want to
find out where the request is coming from and log the details of the client.
You can basically write a custom interceptor and add it to
servicemix-cxf-bc to do so.
3. CRL support. I guess CXF 2.2.6 doesn't have CRL support.
No, CXF 2.2.6 does not support CRL; CRL is supported since
WSS4J 1.6.1. So you can wait for ServiceMix 4.4 (which is in the release
process) or use FUSE ESB[4].
[4]http://fusesource.com/products/enterprise-servicemix/
Freeman
For 1, I have used the configuration below:
---------------------------------------------------------------------
<httpj:engine-factory bus="cxf">
  <httpj:engine port="30510">
    <httpj:tlsServerParameters>
      <!-- server identity: the key the server presents to clients -->
      <sec:keyManagers keyPassword="servicemix">
        <sec:keyStore type="JKS" resource="CertName.jks"
                      password="servicemix" />
      </sec:keyManagers>
      <!-- trust store: the client certificate (or its issuing CA) -->
      <sec:trustManagers>
        <sec:keyStore type="PKCS12" resource="clientpkcs.p12"
                      password="servicemix" />
      </sec:trustManagers>
      <!-- required="true": the handshake is aborted if the client sends no certificate -->
      <sec:clientAuthentication want="true" required="true"/>
    </httpj:tlsServerParameters>
  </httpj:engine>
</httpj:engine-factory>
---------------------------------------------------------------------
And then I tried to send the request using SoapUI.
In SoapUI I am getting the error:
Tue Dec 13 15:36:36 IST 2011:ERROR:java.net.SocketException: Connection closed by remote host
And the exception I am getting on the server side is:
3937543 [1621935001@qtp-1894313925-4] WARN org.mortbay.log - EXCEPTION
javax.net.ssl.SSLHandshakeException: null cert chain
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:231)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1369)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:160)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
    at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:675)
    at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
--------------------------------------------------------
Any pointers on these 3 points would be of great help.
Thanks and regards,
Ramu
--
View this message in context:
http://cxf.547215.n5.nabble.com/CXF-TLS-configuration-tp5071021p5071021.html
Sent from the cxf-user mailing list archive at Nabble.com.
---------------------------------------------
Freeman Fang
FuseSource
Email:[email protected]
Web: fusesource.com
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com
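As an added illustration of the "custom interceptor" approach suggested above for point 2 (this is example code written for this page, not code from Freeman, ServiceMix or CXF), the CXF in-interceptor below logs the caller's remote address and the client certificate the container accepted during the handshake, then rejects callers whose certificate is expired or whose subject is not on an allow-list. One design assumption to be aware of: a JSSE handshake failure such as the "null cert chain" above (the client sent no certificate while required="true") closes the connection before the request reaches Jetty's servlet layer or any CXF interceptor, so nothing application-level can log it. The example therefore assumes the engine is configured with want="true" required="false", so that the handshake completes and the presence and validity of the certificate are decided, and logged, here. It also assumes the container exposes the chain under the standard servlet attribute javax.servlet.request.X509Certificate (Jetty's SSL connector does) and that the endpoint lets you register CXF in-interceptors; the package name and the allow-list constructor argument are hypothetical.

```java
package org.example.tls; // hypothetical package; not part of servicemix-cxf-bc

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.transport.http.AbstractHTTPDestination;

/**
 * Logs who is calling (remote address plus the client certificate accepted by
 * the TLS layer) and rejects callers that present no certificate, an expired
 * one, or one whose subject is not allowed. Runs in the RECEIVE phase, i.e.
 * only after the TLS handshake has already completed.
 */
public class ClientCertLoggingInterceptor extends AbstractPhaseInterceptor<Message> {

    private static final Logger LOG = Logger.getLogger(ClientCertLoggingInterceptor.class.getName());

    // Standard servlet attribute carrying the client's chain (leaf first)
    // when the connector negotiated client authentication.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Subject DNs (RFC 2253 form, as returned by X500Principal.getName()) that
    // are allowed to call; assumed to be supplied by the endpoint wiring.
    private final Set<String> allowedSubjects;

    public ClientCertLoggingInterceptor(Set<String> allowedSubjects) {
        super(Phase.RECEIVE);
        this.allowedSubjects = allowedSubjects;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        HttpServletRequest req = (HttpServletRequest) message.get(AbstractHTTPDestination.HTTP_REQUEST);
        if (req == null) {
            return; // not an HTTP transport; nothing to inspect here
        }
        String client = req.getRemoteAddr() + ":" + req.getRemotePort();
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        if (chain == null || chain.length == 0) {
            // With want="true" required="false" the handshake succeeds even
            // without a client certificate, so the decision is taken here,
            // where the caller's address can still be logged.
            LOG.warning("Rejecting " + client + ": no client certificate presented");
            throw new Fault(new SecurityException("client certificate required"));
        }

        X509Certificate leaf = chain[0];
        String subject = leaf.getSubjectX500Principal().getName();
        LOG.info("TLS client " + client
                + " subject=" + subject
                + " issuer=" + leaf.getIssuerX500Principal().getName()
                + " serial=" + leaf.getSerialNumber().toString(16)
                + " notAfter=" + leaf.getNotAfter());

        try {
            leaf.checkValidity(); // expired / not-yet-valid check on the leaf
        } catch (CertificateException e) {
            LOG.warning("Rejecting " + client + " subject=" + subject + ": " + e.getMessage());
            throw new Fault(e);
        }
        if (!allowedSubjects.contains(subject)) {
            LOG.warning("Rejecting " + client + ": subject " + subject + " is not allowed");
            throw new Fault(new SecurityException("client not authorized"));
        }
    }
}
```

The interceptor is registered on the consumer endpoint's in-interceptor list (the bean is constructed with the set of permitted subject DNs). Because the trust store still decides which issuers the connector accepts, the allow-list only narrows that set; it does not replace chain validation. If you keep required="true" instead, only successfully authenticated clients ever reach this code, and failed handshakes remain visible solely in the connector's own log, as in the trace above.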