Details

    • Type: Clarification
    • Status: Closed
    • Priority: Major
    • Resolution: Explained
    • Affects Version/s: fuse-7.3
    • Fix Version/s: None
    • Component/s: CXF, WildFly Camel
    • Labels:
      None

      Description

      QE has a test scenario where we test security in camel-cxf. The scenario was broken in 7.3 on EAP (it works with 7.2, and in 7.3 with Karaf and Spring Boot). It's possible the upgrade of EAP to 7.2 changed some security settings.

      I'm setting the security in EAP as described here:

      batch
      /subsystem=elytron/key-store=httpsKS:add(path=${jaxrshome}/server-trustStore.jks, credential-reference={clear-text=mit123*}, type=JKS)
      /subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS, algorithm="SunX509", credential-reference={clear-text=mit123*})
      /subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM, protocols=["TLSv1.2"])
      
      /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
      /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=httpsSSC)
      run-batch
      reload
      

      Then we have the Camel context with the defined servers:

      <beans xmlns="http://www.springframework.org/schema/beans"
      		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      		xmlns:cxf-camel="http://camel.apache.org/schema/cxf" xmlns:sec="http://cxf.apache.org/configuration/security"
      		xmlns:http-conf="http://cxf.apache.org/transports/http/configuration"
      		xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
      		http://camel.apache.org/schema/spring http://camel.apache.org/schema/spring/camel-spring.xsd
      		http://camel.apache.org/schema/cxf http://camel.apache.org/schema/cxf/camel-cxf.xsd
      		http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
      		http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd">
      
      	<cxf-camel:rsServer id="rsServer" address="https://localhost:8443/" serviceClass="org.jboss.qe.camel.components.cxfssl.XtraderService" loggingFeatureEnabled="true">
      		<cxf-camel:inInterceptors>
      			<bean class="org.jboss.qe.camel.components.cxfssl.SecurityInInterceptor"/>
      		</cxf-camel:inInterceptors>
      	</cxf-camel:rsServer>
      
      	<cxf-camel:rsClient id="rsClient" address="https://localhost:8443/" serviceClass="org.jboss.qe.camel.components.cxfssl.XtraderService" loggingFeatureEnabled="true"/>
      	<cxf-camel:rsServer id="rsMockServer" address="http://localhost:8082/mock" serviceClass="org.jboss.qe.camel.components.cxfssl.XtraderService" loggingFeatureEnabled="true"/>
      	<cxf-camel:rsClient id="rsMockClient" address="http://localhost:8082/mock" serviceClass="org.jboss.qe.camel.components.cxfssl.XtraderService" loggingFeatureEnabled="true"/>
      
      	<bean id="xtraderRsProcessor" class="org.jboss.qe.camel.components.cxfssl.XtraderRsProcessor">
      		<property name="customerId" value="changeme"/>
      	</bean>
      
      	<camelContext id="xtraderRsContext" trace="true" xmlns="http://camel.apache.org/schema/spring">
      		<route id="1">
      			<from uri="direct://http"/>
      			<to uri="cxfrs://bean://rsClient"/>
      		</route>
      		<route id="2">
      			<from uri="cxfrs://bean://rsServer"/>
      			<process ref="xtraderRsProcessor"/>
      			<to uri="cxfrs://bean://rsMockClient"/>
      			<to uri="cxfrs://bean://rsMockClient"/>
      		</route>
      		<route id="3">
      			<from uri="cxfrs://bean://rsMockServer"/>
      			<setBody>
      				<constant>MY_RESPONSE</constant>
      			</setBody>
      		</route>
      	</camelContext>
      
      	<http-conf:conduit name="*.http-conduit">
      		<http-conf:client ConnectionTimeout="3000000" ReceiveTimeout="3000000" AutoRedirect="true" Connection="Keep-Alive"/>
      		<http-conf:tlsClientParameters disableCNCheck="false">
      			<sec:keyManagers keyPassword="mit123*">
      				<sec:keyStore file="${project.basedir}${file.separator}client-trustStore.jks" password="mit123*" type="jks"/>
      			</sec:keyManagers>
      			<sec:trustManagers>
      				<sec:keyStore file="${project.basedir}${file.separator}client-trustStore.jks" password="mit123*" type="jks"/>
      			</sec:trustManagers>
      			<sec:certAlias>client</sec:certAlias>
      			<sec:cipherSuitesFilter>
      				<sec:include>.*_WITH_3DES_.*</sec:include>
      				<sec:include>.*_WITH_DES_.*</sec:include>
      				<sec:include>.*_WITH_AES_.*</sec:include>
      				<sec:include>.*_EXPORT_.*</sec:include>
      				<sec:include>.*_EXPORT1024_.*</sec:include>
      				<sec:exclude>.*_WITH_NULL_.*</sec:exclude>
      				<sec:exclude>.*_DH_anon_.*</sec:exclude>
      			</sec:cipherSuitesFilter>
      		</http-conf:tlsClientParameters>
      	</http-conf:conduit>
      </beans>
      

      Even when this is configured, I still get this error:

      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

      Should I do something more? Configure it differently?
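      The `PKIX path building failed ... unable to find valid certification path to requested target` message quoted above is raised by the JDK trust manager when it cannot chain the certificate presented by the server to any trusted-certificate entry in the client's trust store. The diagnostic below is an added example, not code from the reporter's test project or from CXF/WildFly: it loads a JKS trust store, lists which entries would actually count as trust anchors (key entries do not), and runs the same PKIX validator over a server chain read from a PEM file. The file names `client-trustStore.jks` and the password `mit123*` are taken from the issue; the PEM file name, the class name and the way the chain is exported are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;

/**
 * Added diagnostic (not part of the reported test project): validates a server
 * certificate chain against a JKS trust store with the same PKIX machinery that
 * produces "unable to find valid certification path to requested target".
 *
 * Usage (arguments are placeholders, the jks name and password come from the issue):
 *   java TrustStoreCheck client-trustStore.jks 'mit123*' server-chain.pem
 */
public class TrustStoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustStoreCheck <truststore.jks> <password> <server-chain.pem>");
            System.exit(2);
        }
        KeyStore trustStore = loadJks(args[0], args[1].toCharArray());
        List<X509Certificate> chain = loadPemChain(args[2]);

        // Only trusted-certificate entries become PKIX trust anchors; a key entry
        // (such as the "client" alias holding the client's own key) is ignored.
        System.out.println("Entries in " + args[0] + ":");
        for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = trustStore.getCertificate(alias);
            String kind = trustStore.isCertificateEntry(alias) ? "trusted-cert (anchor)" : "key-entry (NOT an anchor)";
            if (c instanceof X509Certificate) {
                System.out.println("  " + alias + " [" + kind + "] " + ((X509Certificate) c).getSubjectX500Principal());
            }
        }

        System.out.println("Server chain (leaf first):");
        for (X509Certificate c : chain) {
            System.out.println("  subject=" + c.getSubjectX500Principal() + " issuer=" + c.getIssuerX500Principal());
        }

        try {
            PKIXCertPathValidatorResult result = validate(trustStore, chain);
            System.out.println("OK: chain anchors on "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException ex) {
            // Same failure the CXF client reports, with the missing issuer spelled out.
            X509Certificate last = chain.get(chain.size() - 1);
            System.out.println("FAILED: " + ex.getMessage());
            System.out.println("No trust anchor in the store matches issuer " + last.getIssuerX500Principal()
                    + " of the last certificate in the chain (or the chain is incomplete or expired).");
            System.exit(1);
        }
    }

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Reads one or more PEM-encoded certificates (leaf first), as exported from the server. */
    static List<X509Certificate> loadPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : certs) {
                chain.add((X509Certificate) c);
            }
            return chain;
        }
    }

    /** Runs the PKIX validator over the chain using every trusted-certificate entry as an anchor. */
    static PKIXCertPathValidatorResult validate(KeyStore trustStore, List<X509Certificate> chain) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(new ArrayList<Certificate>(chain));
        // Throws InvalidAlgorithmParameterException if the store has no trusted-certificate entry at all.
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // the reported error is about path building, not revocation
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }
}
```

      The chain the EAP listener actually serves on 8443 can be captured with the JDK's own tool, `keytool -printcert -sslserver localhost:8443 -rfc > server-chain.pem`, and then fed to the program. If the run reports that the store holds only key entries, or that the served issuer matches none of the anchors, the failure is in the trust store contents rather than in the CXF conduit or the Elytron configuration; if the chain validates here but the client still fails, the conduit is not loading the file the `file` attribute points to (the `${project.basedir}` expansion is a common place to check).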

              People

              • Assignee:
                ppalaga Peter Palaga
                Reporter:
                jkasztur Jan Kasztura