Use of client certificates via http conduit configuration broken
----------------------------------------------------------------

                 Key: CXF-2403
                 URL: https://issues.apache.org/jira/browse/CXF-2403
             Project: CXF
          Issue Type: Bug
          Components: Configuration
            Reporter: Wolfgang Nagele


To use standard SSL client certificates for authentication, the following 
configuration should work:
<http:conduit name="*.http-conduit"
    xmlns:http="http://cxf.apache.org/transports/http/configuration"
    xmlns:sec="http://cxf.apache.org/configuration/security">
  <http:tlsClientParameters>
    <!-- client private key and certificate, presented to the server -->
    <sec:keyManagers keyPassword="password">
      <sec:keyStore type="JKS" password="password" file="keystore" />
    </sec:keyManagers>
    <!-- server certificate(s) this client will accept -->
    <sec:trustManagers>
      <sec:keyStore type="JKS" password="password" file="truststore" />
    </sec:trustManagers>
  </http:tlsClientParameters>
</http:conduit>

In this configuration we would have the public certificate of the server we 
want to connect to in the truststore and the private key and certificate in the 
keystore.

With the current CXF implementation this results in the following exception:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174) [na:1.6.0_13]
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238) [na:1.6.0_13]
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280) [na:1.6.0_13]
        ... 39 common frames omitted

Once we additionally define the following properties it works:
* javax.net.ssl.keyStore=keystore
* javax.net.ssl.keyStorePassword=password
* javax.net.ssl.trustStore=truststore
* javax.net.ssl.trustStorePassword=password


This, however, results in very ugly setups where we have to define the same data 
twice. Also, we miss out on CXF's option of defining specific keystores and 
truststores per web service.

For further information also see: http://www.quendor.org/archiv/428

-- 
This message is automatically generated by JIRA.
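The programmatic equivalent of the conduit configuration above, as an added example that is not part of the issue or of the CXF project's own code. It loads the same two JKS stores with plain JSSE factories and attaches them to a single HTTPConduit through TLSClientParameters, so the key and trust material stays per service instead of becoming JVM-global the way the javax.net.ssl.* system properties do. The JAX-WS proxy `port`, the class name `ConduitTlsExample`, the helper names and the store paths are assumptions for illustration; the CXF calls used (`ClientProxy.getClient`, `HTTPConduit.setTlsClientParameters`, `TLSClientParameters.setKeyManagers`/`setTrustManagers`/`setDisableCNCheck`) are the public API. It does not fix the reported configuration bug; it is a per-conduit alternative to the duplicated system-property workaround.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/**
 * Added example (not CXF project code): configure client-certificate TLS on
 * one HTTPConduit programmatically instead of via javax.net.ssl.* properties.
 * Written against Java 6 (no try-with-resources), matching the JDK in the trace.
 */
public final class ConduitTlsExample {

    private ConduitTlsExample() {
    }

    /** Loads a JKS store from disk; the caller owns and later clears the password. */
    static KeyStore loadJks(String path, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, storePassword);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Key managers: the client private key + certificate used to answer the server's CertificateRequest. */
    static KeyManager[] keyManagersFrom(KeyStore keyStore, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        return kmf.getKeyManagers();
    }

    /** Trust managers: only server certificates chaining to entries in the truststore are accepted. */
    static TrustManager[] trustManagersFrom(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    /**
     * Mirrors the <http:tlsClientParameters> block for ONE proxy: keystore for
     * the client identity, truststore for the server, nothing set JVM-wide.
     *
     * @param port a JAX-WS client proxy obtained from the service's getXxxPort() (assumed)
     */
    static void configureConduit(Object port,
                                 String keyStoreFile, char[] keyStorePassword, char[] keyPassword,
                                 String trustStoreFile, char[] trustStorePassword) throws Exception {
        KeyStore keyStore = loadJks(keyStoreFile, keyStorePassword);
        KeyStore trustStore = loadJks(trustStoreFile, trustStorePassword);

        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(keyManagersFrom(keyStore, keyPassword));
        tls.setTrustManagers(trustManagersFrom(trustStore));
        // Keep hostname verification on; disabling it would let any cert in the truststore impersonate the server.
        tls.setDisableCNCheck(false);

        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
    }

    public static void main(String[] args) throws Exception {
        // 'port' would be the proxy returned by your generated Service class; it is a placeholder here.
        Object port = null;
        if (port != null) {
            configureConduit(port,
                    "keystore", "password".toCharArray(), "password".toCharArray(),
                    "truststore", "password".toCharArray());
        }
    }
}
```

To confirm that the conduit's key manager is actually consulted during the handshake (rather than a default, empty one), run the client with `-Djavax.net.debug=ssl` and look for the client certificate being sent after the server's CertificateRequest; a `SunCertPathBuilderException` like the one in the report means the trust side, not the key side, was not applied.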