  1. Red Hat Fuse
  2. ENTESB-15625

Red Hat Fuse 7.x on EAP : Two way ssl is not working when keystore and truststore details are set as system property in EAP.


Details

    • Bug
    • Status: Done
    • Major
    • Resolution: Done
    • fuse-7.8-GA
    • fuse-7.9-GA
    • Fuse EAP
    • None

      1. Run the Spring Boot application.

      mvn clean package
      java -Djavax.net.debug=ssl,handshake -jar target/hello1-0.0.1-SNAPSHOT.jar

      Two-way SSL is configured in the Spring Boot app as follows:

      [cpandey@cpandey hello1]$ cat ./src/main/resources/application.properties
      server.port=8444
      security.require-ssl=true
      server.ssl.key-store-type=JKS
      server.ssl.key-store=classpath:server2.jks
      server.ssl.key-store-password=secret
      server.ssl.trust-store=classpath:server1_trust.jks
      server.ssl.trust-store-password=secret
      server.ssl.client-auth=NEED
      

      2. Now build the war file for deployment on EAP 7.2.7 + Red Hat Fuse 7.7.

      • mvn clean package
      • cp target/camel-test-spring.war [EAP_HOME]/standalone/deployments/
      • Here the keystore and truststore are set in httpEAP/src/main/webapp/META-INF/jboss-camel-context.xml:
      <camel:sslContextParameters id="sslCtxParmsEV">
        <camel:keyManagers keyPassword="secret">
          <camel:keyStore password="secret" resource="/home/cpandey/Downloads/mycerts/client1.jks"/>
        </camel:keyManagers>
        <camel:trustManagers>
          <camel:keyStore password="secret" resource="/home/cpandey/Downloads/mycerts/client1_trust.jks"/>
        </camel:trustManagers>
      </camel:sslContextParameters>
      
      

      3. Start EAP: [EAP_HOME]/bin/standalone.sh

      4. Check EAP logs.

        
      17:06:32,484 INFO  [testoutput] (Camel (camelContext-fe2f82c3-3ec1-4d5d-a0f4-c090e22de7eb) thread #1 - timer://tester) Response is: Hello World!

      5. So two-way SSL works when the keystore and truststore are set as Camel's sslContextParameters.

      6. Now let us try the same, but with the keystore and truststore set as EAP system properties, as described in the article https://access.redhat.com/solutions/172203.

      7. Go to the EAP Camel application: httpEAP/src/main/webapp/META-INF/jboss-camel-context.xml. Remove sslContextParameters from the camel-http4 endpoint and set useGobalSslContextParameters and useSystemProperties to true, so that this route uses the keystore and truststore defined in EAP's system properties.
      Replace:

      <to id="httpProfile" uri="http4://dummyurl?throwExceptionOnFailure=false&amp;sslContextParameters=sslCtxParmsEV&amp;x509HostnameVerifier=apacheHstNmVerifyDefeater"/>
      
      

      With:

      <to id="httpProfile" uri="http4://dummyurl?throwExceptionOnFailure=false&amp;x509HostnameVerifier=apacheHstNmVerifyDefeater&amp;useGobalSslContextParameters=true&amp;useSystemProperties=true"/>

      Build the application and copy the war to the deployment folder of EAP:

      mvn clean package
      cp target/camel-test-spring.war [EAP_HOME]/standalone/deployments/

      8. Go to [EAP_HOME]/standalone/configuration/standalone.xml and add the keystore and truststore paths and passwords as system properties:

      <system-properties>
        <property name="javax.net.ssl.trustStore" value="/path_to/mycerts/client1_trust.jks"/>
        <property name="javax.net.ssl.trustStorePassword" value="secret"/>
        <property name="javax.net.ssl.keyStore" value="/path_to/mycerts/client1.jks"/>
        <property name="javax.net.ssl.keyStorePassword" value="secret"/>
      </system-properties>

      9. Start both the Spring Boot app and EAP.

      SpringBoot: java -Djavax.net.debug=ssl,handshake -jar target/hello1-0.0.1-SNAPSHOT.jar
      EAP: [EAP_HOME]/bin/standalone.sh
      

      10. In the Spring Boot app we observe an exception like:

      javax.net.ssl|SEVERE|12|https-jsse-nio-8444-exec-3|2021-01-22 17:57:11.209 IST|Logger.java:765|Fatal (BAD_CERTIFICATE): Empty server certificate chain (
      "throwable" : {
        javax.net.ssl.SSLHandshakeException: Empty server certificate chain
          at sun.security.ssl.Alert.createSSLException(Alert.java:131)
          at sun.security.ssl.Alert.createSSLException(Alert.java:117)

      And in EAP we observe this exception:

      Stacktrace
      ---------------------------------------------------------------------------------------------------------------------------------------
      javax.net.ssl.SSLException: readHandshakeRecord
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
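The "Empty server certificate chain" alert means the Spring Boot server asked for a client certificate and EAP's HttpClient sent none. Before concluding that the http4 endpoint ignores the javax.net.ssl.* properties, it is worth confirming that those properties would give a plain JSSE KeyManager a client identity at all. The class below is an added triage check, not code from this issue or from Fuse/Camel; it loads the stores exactly as JSSE does from the step 8 properties and reports which alias a default KeyManager would present. The class name and the RSA/EC key types it asks for are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/*
 * Run with the same -D properties that standalone.xml sets in step 8, e.g.
 *   java -Djavax.net.ssl.keyStore=/path_to/mycerts/client1.jks -Djavax.net.ssl.keyStorePassword=secret \
 *        -Djavax.net.ssl.trustStore=/path_to/mycerts/client1_trust.jks -Djavax.net.ssl.trustStorePassword=secret \
 *        SystemPropertyTlsCheck
 * If an alias is printed here while EAP still logs "Empty server certificate chain", the stores are
 * usable and the problem is the component not picking up the properties, not the key material.
 */
public class SystemPropertyTlsCheck {

    // Load a store the way JSSE's default context does: path, password and type from system properties.
    private static KeyStore load(String pathProp, String passProp, String typeProp) throws Exception {
        String path = System.getProperty(pathProp);
        if (path == null) {
            throw new IllegalStateException(pathProp + " is not set in this JVM");
        }
        char[] pass = System.getProperty(passProp, "").toCharArray();
        KeyStore ks = KeyStore.getInstance(System.getProperty(typeProp, "JKS"));
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // 1. Key store: a client certificate can only be sent if a private-key entry exists.
        KeyStore keyStore = load("javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword", "javax.net.ssl.keyStoreType");
        for (String alias : Collections.list(keyStore.aliases())) {
            System.out.println("keyStore alias " + alias + (keyStore.isKeyEntry(alias) ? " [private key]" : " [certificate only]"));
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray());
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];
        String chosen = km.chooseClientAlias(new String[] {"RSA", "EC"}, null, null);
        System.out.println("alias a default KeyManager would present: " + chosen);
        if (chosen == null) {
            System.out.println("-> no usable client identity; an 'Empty server certificate chain' alert is expected");
        }
        // 2. Trust store: the Spring Boot server certificate must chain to one of these anchors.
        KeyStore trustStore = load("javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword", "javax.net.ssl.trustStoreType");
        for (String alias : Collections.list(trustStore.aliases())) {
            X509Certificate c = (X509Certificate) trustStore.getCertificate(alias);
            System.out.println("trusted: " + alias + " -> " + c.getSubjectX500Principal());
        }
    }
}
```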
      
      

      Set keystore and truststore as camel's sslContextParameters.


    Description

      One way SSL works. 

      Attachments

        1. eap_2waySSL_https_poc.zip
          16 kB
        2. mycerts.tar.gz
          5 kB
        3. springBoot2waySSLPOC.zip
          11 kB

        Activity

          People

            jondruse@redhat.com Jiri Ondrusek
            rhn-support-cpandey Chandra Shekhar Pandey (Inactive)
            Branislav Smolicek Branislav Smolicek