Hello,

I have to call webservice through SSL (HTTPS). For the first test I deployed testservice on Servicemix and exposed it through https using httpj:engine-factory. I can call this service successfully from SoapUI test client with and without certificates deployed on this client. But when I try to call this service from cxfbc:provider deployed on the same Servicemix, I get this fault message:

    <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>Fault occured</faultstring>
      <detail>
        <detail>sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</detail>
      </detail>
    </soap:Fault>

I use self-signed certificates generated as described in the amq_security.pdf guide.

Have You any idea or tips, what can be wrong? It seems the certificates are not found on the client (cxfbc:provider). Is perhaps the http:conduit wrong?

My Servicemix version: apache-servicemix-4.4.1-fuse-02-05
All is deployed as osgi bundles.

Thank You
Radomir Kadlec

The configuration:

    <cxfbc:provider
        service="isl-a:IslAWebService"
        endpoint="IslAWebServiceSoapProvider"
        wsdl="classpath:wsdl/isl_a.wsdl"
        locationURI="https://localhost:8195/islAFile">
    </cxfbc:provider>

    <cxfbc:consumer
        service="isl-a:IslAWebServiceFile"
        endpoint="IslAWebServiceSoapFile"
        locationURI="https://localhost:8195/islAFile"
        wsdl="classpath:wsdl/isl_a.wsdl"
        targetService="isl:fakturaFile"
        targetEndpoint="xquery"
        schemaValidationEnabled="true"
        delegateToJaas="true"
        properties="#properties">
    </cxfbc:consumer>

    <httpt:conduit name="{http://www.aura.cz/xrg/isl/a/v_1.0.0.0}IslAWebServiceSoap.http-conduit">
      <httpt:tlsClientParameters>
        <sec:trustManagers>
          <sec:keyStore type="JKS" password="jks123" file="/opt/smx/truststore.ts" />
        </sec:trustManagers>
        <sec:keyManagers keyPassword="jks123">
          <sec:keyStore type="JKS" password="jks123" file="${keyStore.file}" />
        </sec:keyManagers>
        <sec:cipherSuitesFilter>
          <sec:include>.*_WITH_3DES_.*</sec:include>
          <sec:include>.*_WITH_DES_.*</sec:include>
          <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
          <sec:exclude>.*_DH_anon_.*</sec:exclude>
        </sec:cipherSuitesFilter>
      </httpt:tlsClientParameters>
      <httpt:authorization>
        <sec:UserName>ws_sluzba</sec:UserName>
        <sec:Password>h</sec:Password>
      </httpt:authorization>
    </httpt:conduit>

The WSDL definition (only service-part):

    <wsdl:service name="IslAWebService">
      <wsdl:port name="IslAWebServiceSoap" binding="tns:IslAWebServiceSoap">
        <soap:address location="http://127.0.0.1:5000"/>
      </wsdl:port>
    </wsdl:service>
    <wsdl:service name="IslAWebServiceProvider">
      <wsdl:port name="IslAWebServiceSoapProvider" binding="tns:IslAWebServiceSoap">
        <soap:address location="http://127.0.0.1:5000"/>
      </wsdl:port>
    </wsdl:service>
    <wsdl:service name="IslAWebServiceFile">
      <wsdl:port name="IslAWebServiceSoapFile" binding="tns:IslAWebServiceSoap">
        <soap:address location="http://127.0.0.1:5000"/>
      </wsdl:port>
    </wsdl:service>

Stacktrace in DEBUG mode:
Is this message the point?: No Trust Decider for Conduit

    17:46:23,690 | DEBUG | rovider-thread-3 | Headers | - - | Accept: */*
    17:46:23,690 | DEBUG | rovider-thread-3 | Headers | - - | SOAPAction: "http://www.aura.cz/xrg/isl/a/v_1.0.0.0/Faktura"
    17:46:23,691 | DEBUG | rovider-thread-3 | TrustDecisionUtil | - - | No Trust Decider for Conduit '{http://www.aura.cz/xrg/isl/a/v_1.0.0.0}IslAWebServiceSoap.http-conduit'. An afirmative Trust Decision is assumed.
    17:46:23,692 | DEBUG | 0.0:8195 STARTED | ssl | 116 - org.eclipse.jetty.util - 7.4.5.fuse20111017 | [Session-1, SSL_NULL_WITH_NULL_NULL] channel=java.nio.channels.SocketChannel[connected local=/127.0.0.1:8195 remote=/127.0.0.1:55140]
    17:46:23,692 | DEBUG | qtp21998214-136 | log | 116 - org.eclipse.jetty.util - 7.4.5.fuse20111017 | async request
    17:46:23,693 | DEBUG | qtp21998214-136 | ssl | 116 - org.eclipse.jetty.util - 7.4.5.fuse20111017 | [Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 133
    17:46:23,693 | DEBUG | qtp21998214-136 | ssl | 116 - org.eclipse.jetty.util - 7.4.5.fuse20111017 | [Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 0
    17:46:23,693 | DEBUG | qtp21998214-136 | ssl | 116 - org.eclipse.jetty.util - 7.4.5.fuse20111017 | [Session-1, SSL_NULL_WITH_NULL_NULL] unwrap unwrap Status = OK HandshakeStatus = NEED_TASK bytesConsumed = 133 bytesProduced = 0
    17:46:23,701 | DEBUG | qtp21998214-136 | ssl | 116 - org.eclipse.jetty.util - 7.4.5.fuse20111017 | [Session-1, SSL_NULL_WITH_NULL_NULL] fill wrap Status = OK HandshakeStatus = NEED_UNWRAP bytesConsumed = 0 bytesProduced = 1179
    17:46:23,701 | DEBUG | qtp21998214-136 | ssl | 116 - org.eclipse.jetty.util - 7.4.5.fuse20111017 | [Session-1, SSL_NULL_WITH_NULL_NULL] Flushed 1179/1179
    17:46:23,701 | DEBUG | qtp21998214-136 | ssl | 116 - org.eclipse.jetty.util - 7.4.5.fuse20111017 | [Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 0
    17:46:23,705 | DEBUG | qtp21998214-137 | log | 116 - org.eclipse.jetty.util - 7.4.5.fuse20111017 | async request
    17:46:23,707 | DEBUG | qtp21998214-137 | ssl | 116 - org.eclipse.jetty.util - 7.4.5.fuse20111017 | [Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled 7
    17:46:23,707 | DEBUG | qtp21998214-137 | ssl | 116 - org.eclipse.jetty.util - 7.4.5.fuse20111017 | [Session-1, SSL_NULL_WITH_NULL_NULL] unwrap filled -1
    17:46:23,707 | TRACE | rovider-thread-3 | BundleDelegatingClassLoader | 81 - org.springframework.osgi.core - 1.2.1 | Looking for resource META-INF/services/org.apache.xerces.xni.parser.XMLParserConfiguration
    17:46:23,708 | WARN | qtp21998214-137 | log | 116 - org.eclipse.jetty.util - 7.4.5.fuse20111017 | 127.0.0.1:55140 javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
    17:46:23,708 | DEBUG | qtp21998214-137 | log | 116 - org.eclipse.jetty.util - 7.4.5.fuse20111017 | EXCEPTION javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)[:1.6]
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1429)[:1.6]
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1397)[:1.6]
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1563)[:1.6]
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1023)[:1.6]
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:837)[:1.6]
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:713)[:1.6]
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)[:1.6]
        at org.eclipse.jetty.io.nio.SslSelectChannelEndPoint.unwrap(SslSelectChannelEndPoint.java:755)[111:org.eclipse.jetty.io:7.4.5.fuse20111017]
        at org.eclipse.jetty.io.nio.SslSelectChannelEndPoint.fill(SslSelectChannelEndPoint.java:346)[111:org.eclipse.jetty.io:7.4.5.fuse20111017]
|
Hi,
Your cxf bc provider didn't pick up the bus which has the http:conduit configuration. You need to take a look at CxfBcProviderHttpsTest[1], especially the configuration for this test[2].

[1] https://svn.apache.org/repos/asf/servicemix/components/trunk/bindings/servicemix-cxf-bc/src/test/java/org/apache/servicemix/cxfbc/ws/security/CxfBcProviderHttpsTest.java
[2] https://svn.apache.org/repos/asf/servicemix/components/trunk/bindings/servicemix-cxf-bc/src/test/resources/org/apache/servicemix/cxfbc/ws/security/provider.xml

Freeman

On 2012-4-3, at 3:15 PM, Radomir Kadlec wrote:

> Hello,
> I have to call webservice through SSL (HTTPS).
> For the first test I deployed testservice on Servicemix and exposed through https.
> I can call this service from SoapUI test client.
> But when I try to call this service from cxfbc:provider deployed on the same Servicemix, I get this *fault message*:
>
> <soap:Fault>
>   <faultcode>soap:Server</faultcode>
>   <faultstring>Fault occured</faultstring>
>   <detail>
>     <detail>sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</detail>
>   </detail>
> </soap:Fault>
>
> I use self-signed certificates generated as described in the amq_security.pdf guide.
>
> Have You any idea or tips, what can be wrong?
> It seems the certificates on the client (cxfbc:provider) are not found.
>
> Thank You
> Radomir Kadlec
>
> The configuration:
> <cxfbc:provider
>     service="isl-a:IslAWebService"
>     endpoint="IslAWebServiceSoapProvider"
>     wsdl="classpath:wsdl/isl_a.wsdl"
>     locationURI="https://localhost:8195/islAFile" >
> </cxfbc:provider>
>
> <cxfbc:consumer
>     service="isl-a:IslAWebServiceFile"
>     endpoint="IslAWebServiceSoapFile"
>     locationURI="https://localhost:8195/islAFile"
>     wsdl="classpath:wsdl/isl_a.wsdl"
>     targetService="isl:fakturaFile"
>     targetEndpoint="xquery"
>     schemaValidationEnabled="true"
>     delegateToJaas="true"
>     properties="#properties" >
> </cxfbc:consumer>
>
> <httpt:conduit
>     name="{http://www.aura.cz/xrg/isl/a/v_1.0.0.0}IslAWebServiceSoapProvider.http-conduit">
>   <httpt:tlsClientParameters>
>     <sec:trustManagers>
>       <sec:keyStore
>           type="JKS"
>           password="jks123"
>           file="/opt/smx/truststore.ts" />
>     </sec:trustManagers>
>     <sec:keyManagers keyPassword="jks123">
>       <sec:keyStore
>           type="JKS"
>           password="jks123"
>           file="${keyStore.file}" />
>     </sec:keyManagers>
>     <sec:cipherSuitesFilter>
>       <sec:include>.*_WITH_3DES_.*</sec:include>
>       <sec:include>.*_WITH_DES_.*</sec:include>
>       <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
>       <sec:exclude>.*_DH_anon_.*</sec:exclude>
>     </sec:cipherSuitesFilter>
>   </httpt:tlsClientParameters>
>   <httpt:authorization >
>     <sec:UserName>ws_sluzba</sec:UserName>
>     <sec:Password>h</sec:Password>
>   </httpt:authorization>
> </httpt:conduit>
>
> --
> View this message in context: http://servicemix.396122.n5.nabble.com/cxfbc-provider-with-SSL-tp5614411p5614411.html
> Sent from the ServiceMix - User mailing list archive at Nabble.com.

---------------------------------------------
Freeman Fang
FuseSource
Email:[hidden email]
Web: fusesource.com
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com
http://blog.sina.com.cn/u/1473905042
weibo: http://weibo.com/u/1473905042
|
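The arrangement Freeman's reply above points to, as an added example that is not part of the thread or of the linked ServiceMix test files: the conduit sits in a CXF bus configuration file, and the cxfbc:provider loads that file through its busCfg attribute. The file name META-INF/cxf/provider-bus.xml and the password placeholder are assumptions; the cipher filter here also swaps the posted DES/3DES includes for AES.

```xml
<!-- File 1 (assumed name): META-INF/cxf/provider-bus.xml, the CXF bus configuration -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:httpt="http://cxf.apache.org/transports/http/configuration"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
         http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd">

  <!-- CXF selects a conduit by name: {port namespace}PortName.http-conduit.
       This is the name the DEBUG log in the thread reports for the provider. -->
  <httpt:conduit name="{http://www.aura.cz/xrg/isl/a/v_1.0.0.0}IslAWebServiceSoap.http-conduit">
    <httpt:tlsClientParameters>
      <!-- The truststore must hold the server's self-signed certificate
           as a trusted entry, otherwise PKIX path building fails. -->
      <sec:trustManagers>
        <sec:keyStore type="JKS"
                      password="TRUSTSTORE_PASSWORD_PLACEHOLDER"
                      file="/opt/smx/truststore.ts"/>
      </sec:trustManagers>
      <!-- sec:keyManagers is only needed when the server requests a client certificate. -->
      <sec:cipherSuitesFilter>
        <!-- The posted filter admits single-DES and 3DES suites; AES is used here instead. -->
        <sec:include>.*_WITH_AES_.*</sec:include>
        <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </httpt:tlsClientParameters>
    <!-- The httpt:authorization element from the thread is unchanged and omitted here. -->
  </httpt:conduit>
</beans>

<!-- File 2: the cxfbc:provider from the thread (service unit xbean.xml),
     now pointing at File 1 so that its bus carries the conduit above. -->
<cxfbc:provider
    service="isl-a:IslAWebService"
    endpoint="IslAWebServiceSoapProvider"
    wsdl="classpath:wsdl/isl_a.wsdl"
    locationURI="https://localhost:8195/islAFile"
    busCfg="META-INF/cxf/provider-bus.xml"/>
```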
Thank You Freeman for the tips,
I use the providedBus with the SpringBus implementation now (CXFBusImpl was incomplete - WSDLManager was missing) and in debugging I can see that my conduit will be used for the cxfbc:provider (it contains my truststore and keystore with certificates). But I still have an exception/soapfault: No trusted certificate found.

I can see in the log that no TrustDecider is used; it is null in the conduit. Is it correct? Why isn't the HttpsMessageTrustDecider used?

I use osgi deployment in apache-servicemix-4.4.1-fuse-02-05

The log:

    08:50:27,795 | DEBUG | rovider-thread-1 | TrustDecisionUtil | - - | No Trust Decider for Conduit '{http://www.aura.cz/xrg/isl/a/v_1.0.0.0}IslAWebServiceSoap.http-conduit'. An afirmative Trust Decision is assumed.
    ....
    08:50:27,819 | WARN | qtp22225759-142 | log | 116 - org.eclipse.jetty.util - 7.4.5.fuse20111017 | 127.0.0.1:47624 javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
    08:50:27,819 | DEBUG | qtp22225759-142 | log | 116 - org.eclipse.jetty.util - 7.4.5.fuse20111017 | EXCEPTION javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)[:1.6]

The fault message:

    <faultstring>Fault occured</faultstring>
    <detail>
      <detail>sun.security.validator.ValidatorException: No trusted certificate found</detail>
    </detail>

The Spring configuration (security providers are in separate module): test_beans.xml
