  1. Red Hat Fuse
  2. ENTESB-10386

Describe usage of SSL in camel-cxfrs with EAP


Details

    • Clarification
    • Resolution: Not a Bug
    • Major
    • None
    • fuse-7.3
    • CXF, WildFly Camel
    • None
    • % %

    Description

      QE has a test scenario where we test security in camel-cxf. The scenario was broken in 7.3 on EAP (works with 7.2 and in 7.3 with Karaf and Spring Boot). It's possible the upgrade of EAP to 7.2 changed some security settings.

      I'm setting the security in EAP as described here:

      batch
      /subsystem=elytron/key-store=httpsKS:add(path=${jaxrshome}/server-trustStore.jks, credential-reference={clear-text=mit123*}, type=JKS)
      /subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS, algorithm="SunX509", credential-reference={clear-text=mit123*})
      /subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM, protocols=["TLSv1.2"])
      
      /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
      /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=httpsSSC)
      run-batch
      reload
      

      Then we have the camel context with defined servers:

      <beans xmlns="http://www.springframework.org/schema/beans"
      		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      		xmlns:cxf-camel="http://camel.apache.org/schema/cxf" xmlns:sec="http://cxf.apache.org/configuration/security"
      		xmlns:http-conf="http://cxf.apache.org/transports/http/configuration"
      		xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
      		http://camel.apache.org/schema/spring http://camel.apache.org/schema/spring/camel-spring.xsd
      		http://camel.apache.org/schema/cxf http://camel.apache.org/schema/cxf/camel-cxf.xsd
      		http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
      		http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd">
      
      	<cxf-camel:rsServer id="rsServer" address="https://localhost:8443/" serviceClass="org.jboss.qe.camel.components.cxfssl.XtraderService" loggingFeatureEnabled="true">
      		<cxf-camel:inInterceptors>
      			<bean class="org.jboss.qe.camel.components.cxfssl.SecurityInInterceptor"/>
      		</cxf-camel:inInterceptors>
      	</cxf-camel:rsServer>
      
      	<cxf-camel:rsClient id="rsClient" address="https://localhost:8443/" serviceClass="org.jboss.qe.camel.components.cxfssl.XtraderService" loggingFeatureEnabled="true"/>
      	<cxf-camel:rsServer id="rsMockServer" address="http://localhost:8082/mock" serviceClass="org.jboss.qe.camel.components.cxfssl.XtraderService" loggingFeatureEnabled="true"/>
      	<cxf-camel:rsClient id="rsMockClient" address="http://localhost:8082/mock" serviceClass="org.jboss.qe.camel.components.cxfssl.XtraderService" loggingFeatureEnabled="true"/>
      
      	<bean id="xtraderRsProcessor" class="org.jboss.qe.camel.components.cxfssl.XtraderRsProcessor">
      		<property name="customerId" value="changeme"/>
      	</bean>
      
      	<camelContext id="xtraderRsContext" trace="true" xmlns="http://camel.apache.org/schema/spring">
      		<route id="1">
      			<from uri="direct://http"/>
      			<to uri="cxfrs://bean://rsClient"/>
      		</route>
      		<route id="2">
      			<from uri="cxfrs://bean://rsServer"/>
      			<process ref="xtraderRsProcessor"/>
      			<to uri="cxfrs://bean://rsMockClient"/>
      			<to uri="cxfrs://bean://rsMockClient"/>
      		</route>
      		<route id="3">
      			<from uri="cxfrs://bean://rsMockServer"/>
      			<setBody>
      				<constant>MY_RESPONSE</constant>
      			</setBody>
      		</route>
      	</camelContext>
      
      	<http-conf:conduit name="*.http-conduit">
      		<http-conf:client ConnectionTimeout="3000000" ReceiveTimeout="3000000" AutoRedirect="true" Connection="Keep-Alive"/>
      		<http-conf:tlsClientParameters disableCNCheck="false">
      			<sec:keyManagers keyPassword="mit123*">
      				<sec:keyStore file="${project.basedir}${file.separator}client-trustStore.jks" password="mit123*" type="jks"/>
      			</sec:keyManagers>
      			<sec:trustManagers>
      				<sec:keyStore file="${project.basedir}${file.separator}client-trustStore.jks" password="mit123*" type="jks"/>
      			</sec:trustManagers>
      			<sec:certAlias>client</sec:certAlias>
      			<sec:cipherSuitesFilter>
      				<sec:include>.*_WITH_3DES_.*</sec:include>
      				<sec:include>.*_WITH_DES_.*</sec:include>
      				<sec:include>.*_WITH_AES_.*</sec:include>
      				<sec:include>.*_EXPORT_.*</sec:include>
      				<sec:include>.*_EXPORT1024_.*</sec:include>
      				<sec:exclude>.*_WITH_NULL_.*</sec:exclude>
      				<sec:exclude>.*_DH_anon_.*</sec:exclude>
      			</sec:cipherSuitesFilter>
      		</http-conf:tlsClientParameters>
      	</http-conf:conduit>
      </beans>
      

      Even when this is configured, I still get this error:

      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

      Should I do something more? Configure it differently?
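The PKIX error quoted above is the client's trust manager failing to build a path from the server's certificate to any trusted entry in client-trustStore.jks. The snippet below is an added diagnostic written for this page, not code from the issue, from camel-cxf or from the QE test: it loads the two JKS stores named in the description and runs the same PKIX validation offline, so the failure can be reproduced and explained without a TLS handshake. Assumptions: both store files sit in the working directory, the server's key-entry alias is not stated in the issue and defaults to the hypothetical "server" (overridable by the first argument), and the class name TrustStoreCheck is invented.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class TrustStoreCheck {

    // Loads a JKS store; file names and the password "mit123*" are the ones in the issue.
    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // The server key alias is not given in the issue; "server" is an assumption.
        String serverAlias = args.length > 0 ? args[0] : "server";
        KeyStore serverKs = load("server-trustStore.jks", "mit123*"); // Elytron key-store httpsKS
        KeyStore clientTs = load("client-trustStore.jks", "mit123*"); // sec:trustManagers store

        // Only trustedCertEntry entries become PKIX trust anchors; the client's own
        // private-key entry (certAlias "client") does not make the server trusted.
        List<String> anchors = new ArrayList<>();
        for (String alias : Collections.list(clientTs.aliases())) {
            if (clientTs.isCertificateEntry(alias)) anchors.add(alias);
        }
        System.out.println("Trust anchors in client store: " + anchors);
        if (anchors.isEmpty()) return; // PKIXParameters(KeyStore) would throw here

        Certificate[] chain = serverKs.getCertificateChain(serverAlias);
        if (chain == null) { System.out.println("No key entry '" + serverAlias + "'"); return; }
        List<X509Certificate> certs = new ArrayList<>();
        for (Certificate c : chain) certs.add((X509Certificate) c);
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(certs);

        PKIXParameters params = new PKIXParameters(clientTs);
        params.setRevocationEnabled(false); // no CRL/OCSP in the local test setup
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("Server chain validates against the client trust store");
        } catch (CertPathValidatorException e) {
            // Same check the TLS trust manager performs; reports which cert in the chain failed
            System.out.println("PKIX failed at index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

An empty anchor list, or a failure at index 0, means the server certificate (or its issuing CA) is missing from client-trustStore.jks as a trusted entry; a chain that validates here points the investigation elsewhere, for example at the SunX509 key manager or the undertow listener configuration.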

    People

      ppalaga Peter Palaga
      jkasztur@redhat.com Jan Kasztura (Inactive)