[jira] Commented: (CXF-2403) Use of client certificates via http conduit configuration broken

[Eamonn Dwyer (JIRA)]

    [ 
https://issues.apache.org/jira/browse/CXF-2403?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12747480#action_12747480
 ] 

Eamonn Dwyer commented on CXF-2403:
-----------------------------------

Hi Wolfgang
the use of http:conduit / http:tlsClientParameters is quite widespread and has 
worked for me (at least). Maybe it is something to do with the particular 
keystore/trustsore you have set up. Can you upload your truststore and keystore 
so it can be tested?

Thanks
Eamonn

> Use of client certificates via http conduit configuration broken
> ----------------------------------------------------------------
>
>                 Key: CXF-2403
>                 URL: https://issues.apache.org/jira/browse/CXF-2403
>             Project: CXF
>          Issue Type: Bug
>          Components: Configuration
>            Reporter: Wolfgang Nagele
>
> To use standard SSL client certificates for authentication the following 
> configuration should work:
> <http:conduit name="*.http-conduit">
>   <http:tlsClientParameters>
>     <sec:keyManagers keyPassword="password">
>       <sec:keyStore type="JKS" password="password" file="keystore" />
>     </sec:keyManagers>
>     <sec:trustManagers>
>       <sec:keyStore type="JKS" password="password" file="truststore" />
>     </sec:trustManagers>
>   </http:tlsClientParameters>
> </http:conduit>
> In this configuration we would have the public certificate of the server we 
> want to connect to in the truststore and the private key and certificate in 
> the keystore.
> With the current CXF implementation this results in the following exception:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target
>       at 
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
>  [na:1.6.0_13]
>       at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238) 
> [na:1.6.0_13]
>       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280) 
> [na:1.6.0_13]
>       ... 39 common frames omitted
> Once we additionally define the following properties it works:
> * javax.net.ssl.keyStore=keystore
> * javax.net.ssl.keyStorePassword=password
> * javax.net.ssl.trustStore=truststore
> * javax.net.ssl.trustStorePassword=password
> This however results in very ugly setups where we have to define the same 
> data twice. Also we miss out on CXF's option of defining specific keystores 
> and truststores per webservice.
> For further information also see: http://www.quendor.org/archiv/428

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.