Karaf SSL CXF Client https


Karaf SSL CXF Client https

erwan
Hi all,

We are facing some issues for configuring SSL for CXF as a HTTPS client.
Our environment is karaf 4.0.8, cxf 3.1.9.
The page https://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport(includingSSLsupport)-ConfiguringSSLSupport (Section "Configuring SSL Support") explains how to do that when using Spring.
However we don’t use Spring; just karaf & CXF.

So we tried with the "-Djavax.net.ssl.trustStore" and "-Djavax.net.ssl.trustStorePassword" stuff, with no success:

Caused by: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://[...]: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        [...]
        at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:1035)[93:org.apache.cxf.cxf-rt-rs-client:3.1.9]
        at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:892)[93:org.apache.cxf.cxf-rt-rs-client:3.1.9]
        at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:863)[93:org.apache.cxf.cxf-rt-rs-client:3.1.9]
        at org.apache.cxf.jaxrs.client.WebClient.invoke(WebClient.java:426)[93:org.apache.cxf.cxf-rt-rs-client:3.1.9]
        at org.apache.cxf.jaxrs.client.WebClient$SyncInvokerImpl.method(WebClient.java:1562)[93:org.apache.cxf.cxf-rt-rs-client:3.1.9]
        at org.apache.cxf.jaxrs.client.WebClient$SyncInvokerImpl.method(WebClient.java:1557)[93:org.apache.cxf.cxf-rt-rs-client:3.1.9]
        at org.apache.cxf.jaxrs.client.spec.InvocationBuilderImpl.method(InvocationBuilderImpl.java:115)[93:org.apache.cxf.cxf-rt-rs-client:3.1.9]
        at org.apache.cxf.jaxrs.client.spec.InvocationBuilderImpl$InvocationImpl.invoke(InvocationBuilderImpl.java:334)[93:org.apache.cxf.cxf-rt-rs-client:3.1.9]
        [...]

So how do we configure SSL (truststore) for the CXF HTTPS client ?

Thanks,

Re: Karaf SSL CXF Client https

jbonofre
Hi,

you can take a look at:

http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html

Especially, you will find the <http:tlsClientParameters/> where you define the
SSL configuration for the http-conduit (the client part of CXF).

Regards
JB

On 07/13/2017 11:27 AM, erwan wrote:

> Hi all,
>
> We are facing some issues for configuring SSL for CXF as a HTTPS *client*.
> Our environment is karaf 4.0.8, cxf 3.1.9.
> The page
> https://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport(includingSSLsupport)-ConfiguringSSLSupport
> (Section "Configuring SSL Support") explains how to do that when using
> Spring.
> However we don’t use Spring; just karaf & CXF.
>
> So we tried  with the "-Djavax.net.ssl.trustStore" and
> "-Djavax.net.ssl.trustStorePassword" stuff, with no success :
>
> Caused by: javax.ws.rs.ProcessingException:
> javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking
> https://[...]: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
>          [...]
>          at
> org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:1035)[93:org.apache.cxf.cxf-rt-rs-client:3.1.9]
>          at
> org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:892)[93:org.apache.cxf.cxf-rt-rs-client:3.1.9]
>          at
> org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:863)[93:org.apache.cxf.cxf-rt-rs-client:3.1.9]
>          at
> org.apache.cxf.jaxrs.client.WebClient.invoke(WebClient.java:426)[93:org.apache.cxf.cxf-rt-rs-client:3.1.9]
>          at
> org.apache.cxf.jaxrs.client.WebClient$SyncInvokerImpl.method(WebClient.java:1562)[93:org.apache.cxf.cxf-rt-rs-client:3.1.9]
>          at
> org.apache.cxf.jaxrs.client.WebClient$SyncInvokerImpl.method(WebClient.java:1557)[93:org.apache.cxf.cxf-rt-rs-client:3.1.9]
>          at
> org.apache.cxf.jaxrs.client.spec.InvocationBuilderImpl.method(InvocationBuilderImpl.java:115)[93:org.apache.cxf.cxf-rt-rs-client:3.1.9]
>          at
> org.apache.cxf.jaxrs.client.spec.InvocationBuilderImpl$InvocationImpl.invoke(InvocationBuilderImpl.java:334)[93:org.apache.cxf.cxf-rt-rs-client:3.1.9]
>          [...]
>
> So how do we configure SSL (truststore) for the CXF HTTPS client ?
>
> Thanks,
>
>
>
>
> --
> View this message in context: http://karaf.922171.n3.nabble.com/Karaf-SSL-CXF-Client-https-tp4050999.html
> Sent from the Karaf - User mailing list archive at Nabble.com.
>

--
Jean-Baptiste Onofré
[hidden email]
http://blog.nanthrax.net
Talend - http://www.talend.com

Re: Karaf SSL CXF Client https

erwan
Hello, and thanks for your reply.
I tried to use what is described in the documentation without any success.
I still have this kind of message in traces:
2017-07-17 09:22:57,344 | DEBUG | heduler_Worker-1 | HTTPConduit                     :940 | 137 - org.apache.cxf.cxf-rt-transports-http - 3.1.9 | Conduit '{https://mydomain}WebClient.http-conduit' has been (re)configured for plain http.

I thought it was a configuration problem.
I add this parameter to the command line:

-Dcxf.config.file=cxf.xml

but got an error as well:
[FelixStartLevel] ERROR org.apache.felix.fileinstall - Failed to install artifact: \etc\org.apache.cxf.osgi.cfg
java.util.InvalidPropertiesFormatException: org.xml.sax.SAXParseException: Document root element "beans", must match DOCTYPE root "null".

content cxf.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:sec="http://cxf.apache.org/configuration/security"
  xmlns:http="http://cxf.apache.org/transports/http/configuration"
  xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
  xsi:schemaLocation="
      http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
      http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
      http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
     
     
 
  <http:conduit name="*.http-conduit">
 
    <http:tlsClientParameters>
      <sec:keyManagers keyPassword="dummy">
        <sec:keyStore type="JKS" password="dummy"
                      file="etc/keystores/dummy.jks"/>
      </sec:keyManagers>
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="dummy"
                      file="etc/truststores/dummy.jks"/>
      </sec:trustManagers>
      <sec:cipherSuitesFilter>
       
        <sec:include>.*_EXPORT_.*</sec:include>
        <sec:include>.*_EXPORT1024_.*</sec:include>
        <sec:include>.*_WITH_DES_.*</sec:include>
        <sec:include>.*_WITH_AES_.*</sec:include>
        <sec:include>.*_WITH_NULL_.*</sec:include>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
 
  </http:conduit>
 
</beans>

So not working yet...
Something seems to be strange as well in startup traces:
2017-07-17 09:22:47,625 | INFO  | FelixStartLevel  | HttpServiceFactoryImpl          :35 | 240 - org.ops4j.pax.web.pax-web-runtime - 4.3.0 | Binding bundle: [cxf-dosgi-ri-dsw-cxf [68]] to http service

do we have to configure pax-web as well?

Re: Karaf SSL CXF Client https

jbonofre
Hi,

Pax Web is for the "server" side, not the client side. That's why you have to
configure the http-conduits (which is the client side).

The org.apache.cxf.osgi.cfg is wrong in your case.

Can you explain what you did exactly?

Regards
JB

On 07/17/2017 09:34 AM, erwan wrote:

> Hello, and thanks for your reply.
> I tried to use what is described in the documentation without any success.
> I still have this kind of message in traces:
> 2017-07-17 09:22:57,344 | DEBUG | heduler_Worker-1 | HTTPConduit
> :940 | 137 - org.apache.cxf.cxf-rt-transports-http - 3.1.9 | Conduit
> '{https://mydomain}WebClient.http-conduit' has been (re)configured for plain
> http.
>
> I thought it was a configuration problem.
> I add this parameter to the command line:
>
> -Dcxf.config.file=cxf.xml
>
> but got an error as well:
> [FelixStartLevel] ERROR org.apache.felix.fileinstall - Failed to install
> artifact: \etc\org.apache.cxf.osgi.cfg
> java.util.InvalidPropertiesFormatException: org.xml.sax.SAXParseException:
> Document root element "beans", must match DOCTYPE root "null".
>
> content cxf.xml:
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>    xmlns:sec="http://cxf.apache.org/configuration/security"
>    xmlns:http="http://cxf.apache.org/transports/http/configuration"
>    xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
>    xsi:schemaLocation="
>        http://cxf.apache.org/configuration/security
> http://cxf.apache.org/schemas/configuration/security.xsd
>        http://cxf.apache.org/transports/http/configuration
> http://cxf.apache.org/schemas/configuration/http-conf.xsd
>        http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans.xsd">
>        
>        
>  
>    <http:conduit name="*.http-conduit">
>  
>      <http:tlsClientParameters>
>        <sec:keyManagers keyPassword="dummy">
>          <sec:keyStore type="JKS" password="dummy"
>                        file="etc/keystores/dummy.jks"/>
>        </sec:keyManagers>
>        <sec:trustManagers>
>          <sec:keyStore type="JKS" password="dummy"
>                        file="etc/truststores/dummy.jks"/>
>        </sec:trustManagers>
>        <sec:cipherSuitesFilter>
>          
>          <sec:include>.*_EXPORT_.*</sec:include>
>          <sec:include>.*_EXPORT1024_.*</sec:include>
>          <sec:include>.*_WITH_DES_.*</sec:include>
>          <sec:include>.*_WITH_AES_.*</sec:include>
>          <sec:include>.*_WITH_NULL_.*</sec:include>
>          <sec:exclude>.*_DH_anon_.*</sec:exclude>
>        </sec:cipherSuitesFilter>
>      </http:tlsClientParameters>
>      <http:client AutoRedirect="true" Connection="Keep-Alive"/>
>  
>    </http:conduit>
>  
> </beans>
> So not working yet...
> Something seems to be strange as well in startup traces:
> 2017-07-17 09:22:47,625 | INFO  | FelixStartLevel  | HttpServiceFactoryImpl
> :35 | 240 - org.ops4j.pax.web.pax-web-runtime - 4.3.0 | Binding bundle:
> [cxf-dosgi-ri-dsw-cxf [68]] to http service
>
> do we have to configure pax-web as well?
>
>
>
> --
> View this message in context: http://karaf.922171.n3.nabble.com/Karaf-SSL-CXF-Client-https-tp4050999p4051025.html
> Sent from the Karaf - User mailing list archive at Nabble.com.
>

--
Jean-Baptiste Onofré
[hidden email]
http://blog.nanthrax.net
Talend - http://www.talend.com

Re: Karaf SSL CXF Client https

erwan
That's what we were thinking about the pax web configuration (server side).

We are sending some http requests using cxf to an external server (javax.ws.rs.client.WebTarget used).
We configure a org.apache.cxf.osgi.cfg in etc/ directory and launch
karaf.bat -Dcxf.config.file=org.apache.cxf.osgi.cfg
content is the one previously entered. (org.apache.cxf.osgi.cfg = cxf.xml)

We also tried using cxf.config.file=${karaf.etc}/org.apache.cxf.osgi.cfg in
\apache-karaf-4.0.8\etc\system.properties without success.

Re: Karaf SSL CXF Client https

erwan
Hello,
don't have any clue for the moment.
Hope you will be able to give an answer on your side.

Re: Karaf SSL CXF Client https

erwan
wondering if it has something to do with this note in cxf site:
Note starting with CXF 2.6.0, Maven users will need to add the following dependency for the cxf.xml file to be read:

<dependency>
   <groupId>org.springframework</groupId>
   <artifactId>spring-context</artifactId>
   <version>3.0.6.RELEASE</version>  (or most recent supported)
</dependency>

Do we have to install a specific feature inside karaf to be able for the file to be loaded?

Re: Karaf SSL CXF Client https

erwan
I'm still trying to do some https as a client.
I installed some features:
spring
spring-dm
spring-security

includes :
cxf.config.file = C:\\apache-karaf-4.0.8\\etc\\org.apache.cxf.osgi.cfg
to system.properties

and other problems appeared...
still getting :
2017-07-21 16:34:52,262 | ERROR | 4.0.8\bin\..\etc | fileinstall                      | 4 - org.apache.felix.fileinstall - 3.5.6 | Failed to install artifact: C:\apache-karaf-4.0.8\etc\org.apache.cxf.osgi.cfg
java.util.InvalidPropertiesFormatException: org.xml.sax.SAXParseException: Document root element "beans", must match DOCTYPE root "null".

but get this first time
2017-07-21 16:35:07,196 | INFO  | eduler_Worker-10 | BusApplicationContext            | 79 - org.apache.cxf.cxf-core - 3.1.9 | Loaded configuration file C:\apache-karaf-4.0.8\etc\org.apache.cxf.osgi.cfg.
2017-07-21 16:35:07,196 | INFO  | eduler_Worker-10 | alidationXmlBeanDefinitionReader | 263 - org.apache.servicemix.bundles.spring-beans - 4.2.8.RELEASE_1 | Loading XML bean definitions from class path resource [META-INF/cxf/cxf.xml]
2017-07-21 16:35:07,196 | WARN  | eduler_Worker-10 | SpringBusFactory                 | 79 - org.apache.cxf.cxf-core - 3.1.9 | Initial attempt to create application context was unsuccessful.
org.springframework.beans.factory.BeanDefinitionStoreException: IOException parsing XML document from class path resource [META-INF/cxf/cxf.xml]; nested exception is java.io.FileNotFoundException: class path resource [META-INF/cxf/cxf.xml] cannot be opened because it does not exist

then
2017-07-21 16:35:07,209 | INFO  | eduler_Worker-10 | alidationXmlBeanDefinitionReader | 263 - org.apache.servicemix.bundles.spring-beans - 4.2.8.RELEASE_1 | Loading XML bean definitions from class path resource [META-INF/cxf/cxf.xml]
2017-07-21 16:35:07,210 | INFO  | eduler_Worker-10 | alidationXmlBeanDefinitionReader | 263 - org.apache.servicemix.bundles.spring-beans - 4.2.8.RELEASE_1 | Loading XML bean definitions from file [C:\apache-karaf-4.0.8\etc\org.apache.cxf.osgi.cfg]
2017-07-21 16:35:07,383 | WARN  | eduler_Worker-10 | SpringBusFactory                 | 79 - org.apache.cxf.cxf-core - 3.1.9 | Failed to create application context.
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Unable to locate Spring NamespaceHandler for XML schema namespace [http://cxf.apache.org/transports/http/configuration]
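
Added example, not part of the thread and not CXF project code: the programmatic counterpart of the <http:tlsClientParameters> element discussed above, set directly on a WebClient's conduit so that no Spring XML has to be parsed. The class name TlsWebClientFactory and its parameters are hypothetical; the cipher filter keeps only the AES pattern from the posted file and excludes the EXPORT, DES, NULL and anonymous-DH patterns.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.transport.http.HTTPConduit;

/** Hypothetical helper: builds a CXF WebClient with an explicit truststore. */
public final class TlsWebClientFactory {

    private TlsWebClientFactory() {
    }

    public static WebClient create(String url, String trustStorePath, char[] password)
            throws Exception {
        // Load the JKS truststore explicitly instead of relying on
        // -Djavax.net.ssl.trustStore being picked up inside the container.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Same settings the <http:tlsClientParameters> element would carry.
        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(tmf.getTrustManagers());
        tls.setDisableCNCheck(false); // keep hostname verification enabled

        // Include AES suites only; exclude export-grade, DES, NULL and anonymous DH.
        FiltersType suites = new FiltersType();
        suites.getInclude().add(".*_WITH_AES_.*");
        suites.getExclude().add(".*_EXPORT_.*");
        suites.getExclude().add(".*_WITH_DES_.*");
        suites.getExclude().add(".*_WITH_NULL_.*");
        suites.getExclude().add(".*_DH_anon_.*");
        tls.setCipherSuitesFilter(suites);

        // Attach the TLS parameters to this client's own HTTP conduit.
        WebClient client = WebClient.create(url);
        HTTPConduit conduit = WebClient.getConfig(client).getHttpConduit();
        conduit.setTlsClientParameters(tls);
        return client;
    }
}
```

If the handshake still fails with "PKIX path building failed" after this, the truststore does not contain the CA that issued the server's certificate chain; disabling validation is not the fix.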
