Details
-
Clarification
-
Resolution: Not a Bug
-
Major
-
None
-
fuse-7.3
-
None
-
Description
QE has a test scenario where we test security in camel-cxf. The scenario was broken in 7.3 on EAP (it works with 7.2, and in 7.3 with Karaf and Spring Boot). It's possible the upgrade of EAP to 7.2 changed some security settings.
I'm setting the security in EAP as described here:
batch
/subsystem=elytron/key-store=httpsKS:add(path=${jaxrshome}/server-trustStore.jks, credential-reference={clear-text=mit123*}, type=JKS)
/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS, algorithm="SunX509", credential-reference={clear-text=mit123*})
/subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM, protocols=["TLSv1.2"])
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=httpsSSC)
run-batch
reload
Then we have the camel context with defined servers:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:cxf-camel="http://camel.apache.org/schema/cxf"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:http-conf="http://cxf.apache.org/transports/http/configuration"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://camel.apache.org/schema/spring http://camel.apache.org/schema/spring/camel-spring.xsd
                           http://camel.apache.org/schema/cxf http://camel.apache.org/schema/cxf/camel-cxf.xsd
                           http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
                           http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd">

    <cxf-camel:rsServer id="rsServer" address="https://localhost:8443/"
                        serviceClass="org.jboss.qe.camel.components.cxfssl.XtraderService"
                        loggingFeatureEnabled="true">
        <cxf-camel:inInterceptors>
            <bean class="org.jboss.qe.camel.components.cxfssl.SecurityInInterceptor"/>
        </cxf-camel:inInterceptors>
    </cxf-camel:rsServer>

    <cxf-camel:rsClient id="rsClient" address="https://localhost:8443/"
                        serviceClass="org.jboss.qe.camel.components.cxfssl.XtraderService"
                        loggingFeatureEnabled="true"/>

    <cxf-camel:rsServer id="rsMockServer" address="http://localhost:8082/mock"
                        serviceClass="org.jboss.qe.camel.components.cxfssl.XtraderService"
                        loggingFeatureEnabled="true"/>

    <cxf-camel:rsClient id="rsMockClient" address="http://localhost:8082/mock"
                        serviceClass="org.jboss.qe.camel.components.cxfssl.XtraderService"
                        loggingFeatureEnabled="true"/>

    <bean id="xtraderRsProcessor" class="org.jboss.qe.camel.components.cxfssl.XtraderRsProcessor">
        <property name="customerId" value="changeme"/>
    </bean>

    <camelContext id="xtraderRsContext" trace="true" xmlns="http://camel.apache.org/schema/spring">
        <route id="1">
            <from uri="direct://http"/>
            <to uri="cxfrs://bean://rsClient"/>
        </route>
        <route id="2">
            <from uri="cxfrs://bean://rsServer"/>
            <process ref="xtraderRsProcessor"/>
            <to uri="cxfrs://bean://rsMockClient"/>
            <to uri="cxfrs://bean://rsMockClient"/>
        </route>
        <route id="3">
            <from uri="cxfrs://bean://rsMockServer"/>
            <setBody>
                <constant>MY_RESPONSE</constant>
            </setBody>
        </route>
    </camelContext>

    <http-conf:conduit name="*.http-conduit">
        <http-conf:client ConnectionTimeout="3000000" ReceiveTimeout="3000000"
                          AutoRedirect="true" Connection="Keep-Alive"/>
        <http-conf:tlsClientParameters disableCNCheck="false">
            <sec:keyManagers keyPassword="mit123*">
                <sec:keyStore file="${project.basedir}${file.separator}client-trustStore.jks" password="mit123*" type="jks"/>
            </sec:keyManagers>
            <sec:trustManagers>
                <sec:keyStore file="${project.basedir}${file.separator}client-trustStore.jks" password="mit123*" type="jks"/>
            </sec:trustManagers>
            <sec:certAlias>client</sec:certAlias>
            <sec:cipherSuitesFilter>
                <sec:include>.*_WITH_3DES_.*</sec:include>
                <sec:include>.*_WITH_DES_.*</sec:include>
                <sec:include>.*_WITH_AES_.*</sec:include>
                <sec:include>.*_EXPORT_.*</sec:include>
                <sec:include>.*_EXPORT1024_.*</sec:include>
                <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
                <sec:exclude>.*_DH_anon_.*</sec:exclude>
            </sec:cipherSuitesFilter>
        </http-conf:tlsClientParameters>
    </http-conf:conduit>
</beans>
Even when this is configured, I still get this error:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Should I do something more? Configure it differently?
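The PKIX error above is raised by the JDK's certificate path builder when the client's trust store (here client-trustStore.jks, per sec:trustManagers) holds neither the certificate the https-listener presents nor its issuer. The following diagnostic is an added example, not code from the reporter's project or from CXF: it reproduces that path-building step outside the container, so the trust store can be checked directly. It assumes the trust store path, its password and a PEM copy of the server certificate (for instance one exported from server-trustStore.jks) are passed as arguments; the class and method names are hypothetical.

```java
// Added diagnostic (not part of the reported project): reproduces the JDK's PKIX
// path building so a CXF trust store can be tested outside EAP.
// Usage: java TrustCheck <trustStore.jks> <password> <server-cert.pem>
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class TrustCheck {

    // Load the JKS trust store and return every X.509 certificate it holds, by alias.
    static Map<String, X509Certificate> anchors(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        Map<String, X509Certificate> out = new LinkedHashMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) out.put(alias, (X509Certificate) c);
        }
        return out;
    }

    // Build a PKIX path from the server certificate to one of the anchors. This is the
    // step that fails with "unable to find valid certification path to requested target".
    static boolean chainsToTrustStore(X509Certificate server, Collection<X509Certificate> anchors) {
        if (anchors.contains(server)) return true;   // self-signed cert imported as-is
        try {
            Set<TrustAnchor> tas = new HashSet<>();
            for (X509Certificate a : anchors) tas.add(new TrustAnchor(a, null));
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(server);
            PKIXBuilderParameters params = new PKIXBuilderParameters(tas, target);
            params.setRevocationEnabled(false);       // offline check: no CRL/OCSP lookups
            CertPathBuilder.getInstance("PKIX").build(params);
            return true;
        } catch (GeneralSecurityException e) {       // empty anchor set or no path found
            System.err.println("PKIX build failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, X509Certificate> anchors = anchors(args[0], args[1].toCharArray());
        anchors.forEach((alias, c) -> System.out.println(alias + " -> " + c.getSubjectX500Principal()));
        X509Certificate server;
        try (InputStream in = new FileInputStream(args[2])) {
            server = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("server cert " + server.getSubjectX500Principal()
                + (chainsToTrustStore(server, anchors.values()) ? " is trusted" : " is NOT trusted"));
    }
}
```

If the server certificate is reported as not trusted, the trust store listed under sec:trustManagers needs the server certificate (or its issuing CA) imported; a mismatch between the key store the https-listener uses and the one the client trusts produces exactly the exception shown.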