CXF - Support 2-way SSL?

CXF - Support 2-way SSL?

jaybytez
Does CXF support two way SSL?  And if so, is this done purely through the configuration of http:conduit?

Based on the following blogs, there is some good SSL information:

http://aruld.info/programming-ssl-for-jetty-based-cxf-services/
http://www.knowledgetip.com/index.php/home/software-development/1-java/32-sslauthentication
http://www.quendor.org/archiv/428#comments

But I don't see anything that essentially describes 2-way SSL.

The following is a snippet of my http:conduit... am I missing anything?

    <http:conduit name="{https://com.foo/service}FooServicePort.http-conduit">
      <http:tlsClientParameters disableCNCheck="true" secureSocketProtocol="SSL">
        <sec:keyManagers keyPassword="password">
          <sec:keyStore type="JKS" password="password"
                        resource="keyManager.jks" />
        </sec:keyManagers>
        <sec:trustManagers>
          <sec:keyStore type="JKS" password="password"
                        resource="trustManager.jks" />
        </sec:trustManagers>
        <sec:cipherSuitesFilter>
          <!-- these filters ensure that a ciphersuite with
               export-suitable or null encryption is used,
               but exclude anonymous Diffie-Hellman key change as
               this is vulnerable to man-in-the-middle attacks -->
          <sec:include>.*_EXPORT_.*</sec:include>
          <sec:include>.*_EXPORT1024_.*</sec:include>
          <sec:include>.*_WITH_DES_.*</sec:include>
          <sec:include>.*_WITH_NULL_.*</sec:include>
          <sec:include>.*_RSA_.*</sec:include>
          <sec:exclude>.*_DH_anon_.*</sec:exclude>
        </sec:cipherSuitesFilter>
      </http:tlsClientParameters>
      <http:client AutoRedirect="true" Connection="Keep-Alive"/>
    </http:conduit>

Thanks,

Jay
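
An added example, not code from the original post or from CXF itself: the same conduit rewritten as a hardened 2-way SSL client. The conduit name, keystore file names and passwords are placeholders. The sec:keyManagers block is the part that supplies the client certificate during the handshake; the trust store is what verifies the server; and the cipher filter is turned around, because the filter in the post above includes EXPORT, DES and NULL suites (its own comment says it permits export-grade or null encryption), so a connection that matched it could end up with weak or no encryption. disableCNCheck is left at its default (false) so the server certificate must match the hostname being called.

```xml
<!-- Added example, not from the original post. Namespaces are the CXF Spring
     configuration schemas; conduit name, keystore names and passwords are placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- URL-pattern name with a trailing .* so every call to this host matches the conduit. -->
  <http:conduit name="https://service.example.com:8443/.*">
    <!-- secureSocketProtocol "TLS" instead of "SSL"; disableCNCheck is left at its
         default of false so the server certificate must match the hostname. -->
    <http:tlsClientParameters secureSocketProtocol="TLS">

      <!-- keyManagers is what makes this 2-way: the private key and certificate
           in this keystore are presented when the server requests a client cert. -->
      <sec:keyManagers keyPassword="client-key-password">
        <sec:keyStore type="JKS" password="client-keystore-password"
                      resource="client-keystore.jks"/>
      </sec:keyManagers>

      <!-- trustManagers: CA certificates used to verify the server's certificate. -->
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="truststore-password"
                      resource="truststore.jks"/>
      </sec:trustManagers>

      <!-- Include only AES suites, then exclude anonymous, NULL, export-grade
           and DES suites: the opposite of the filter in the post above. -->
      <sec:cipherSuitesFilter>
        <sec:include>.*_WITH_AES_.*</sec:include>
        <sec:exclude>.*_anon_.*</sec:exclude>
        <sec:exclude>.*_NULL_.*</sec:exclude>
        <sec:exclude>.*_EXPORT.*</sec:exclude>
        <sec:exclude>.*_DES_.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </http:tlsClientParameters>

    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
  </http:conduit>
</beans>
```

Includes are evaluated before excludes, so a suite must match an include and no exclude to be offered. If the server still reports no client certificate after this, the usual cause is the conduit name not matching the endpoint, which the URL pattern above avoids; a second one is the keystore holding only a certificate and no private key, in which case the key manager has nothing to present.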
Re: CXF - Support 2-way SSL?

Daniel  Kulp
Administrator


On Tuesday 08 March 2011 12:32:41 PM jaybytez wrote:
> Does CXF support two way SSL?  

Honestly, I have no idea.   I assume the answer is yes.  

> And if so, is this done purely through the
> configuration of http:conduit?

Yep.

Not sure what to suggest without a testcase or even a stack trace as to what's
happening. My initial inclination is to suggest you change your definition
to use a URL name, like:

 <http:conduit name="https://localhost:8443/.*">

(note the .* wildcard on the end)

to make sure it's being picked up. That's one of the main problems: not
getting the name right on that, and thus the settings not getting picked up
properly.

Dan


--
Daniel Kulp
[hidden email]
http://dankulp.com/blog
Talend - http://www.talend.com
RE: CXF - Support 2-way SSL?

Sven Zethelius
I'm not sure of the XML declaration, but the code to support 2 way SSL (Mutual Authentication) is there.  I'm pretty sure the XML support is there, I just don't use it so don't know the particulars.

org.apache.cxf.configuration.jsse.TLSClientParameters.setKeyManagers(...) is what would enable 2-way on the client.

-----Original Message-----
From: Daniel Kulp [mailto:[hidden email]]
Sent: Tuesday, March 08, 2011 12:52 PM
To: [hidden email]
Cc: jaybytez
Subject: Re: CXF - Support 2-way SSL?



Re: CXF - Support 2-way SSL?

coheigea
Administrator
In reply to this post by jaybytez
For 1-way SSL, the client just needs to trust the server, so the
client needs a truststore, and the server needs a keystore. For 2-way
SSL, the server also needs to trust the client, so they both need a
keystore and truststore configured, and the server policy must be
configured to demand a client cert, e.g.:

<sec:clientAuthentication want="true" required="true"/>

Colm.

On Tue, Mar 8, 2011 at 5:32 PM, jaybytez <[hidden email]> wrote:

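
Colm's answer covers the server side in prose; here is an added example of it, not from the original thread and not CXF's own documentation: a Jetty engine-factory for a CXF endpoint on port 8443 with a keystore for the server's own identity, a truststore holding the CA that issues client certificates, and clientAuthentication set to required. The port, file names and passwords are placeholders.

```xml
<!-- Added example, not from the original thread. Jetty-based CXF server endpoint
     configured for 2-way SSL; port, keystore names and passwords are placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
         http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">

  <httpj:engine-factory bus="cxf">
    <!-- The port must match the one in the endpoint's https address. -->
    <httpj:engine port="8443">
      <httpj:tlsServerParameters secureSocketProtocol="TLS">

        <!-- Server identity: the certificate the client checks against its truststore. -->
        <sec:keyManagers keyPassword="server-key-password">
          <sec:keyStore type="JKS" password="server-keystore-password"
                        file="server-keystore.jks"/>
        </sec:keyManagers>

        <!-- Who the server accepts as a client: only the CA that issues client
             certificates, not a general-purpose CA bundle. -->
        <sec:trustManagers>
          <sec:keyStore type="JKS" password="truststore-password"
                        file="client-ca-truststore.jks"/>
        </sec:trustManagers>

        <!-- Same shape as on the client: AES only, nothing anonymous, NULL,
             export-grade or DES. -->
        <sec:cipherSuitesFilter>
          <sec:include>.*_WITH_AES_.*</sec:include>
          <sec:exclude>.*_anon_.*</sec:exclude>
          <sec:exclude>.*_NULL_.*</sec:exclude>
          <sec:exclude>.*_EXPORT.*</sec:exclude>
          <sec:exclude>.*_DES_.*</sec:exclude>
        </sec:cipherSuitesFilter>

        <!-- required="true" is what makes it 2-way: the handshake fails when the
             client presents no certificate. want="true" required="false" would only
             ask for one and still accept clients that send none. -->
        <sec:clientAuthentication want="true" required="true"/>
      </httpj:tlsServerParameters>
    </httpj:engine>
  </httpj:engine-factory>
</beans>
```

The jaxws:endpoint (or jaxrs:server) address has to be an https URL on the same port, for example https://localhost:8443/FooService, for this engine to apply to it. Two checks worth making once it is running: connect without a client certificate and confirm the handshake is refused rather than completed, and remember that a certificate chaining to any CA in the truststore counts as an authenticated client, so whether that particular subject is authorised is a separate decision (CXF's sec:certConstraints on the subject or issuer DN, or application code), not something the TLS layer does for you.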