1. Run SpringBoot application.
mvn clean package
java Djavax.net.debug=ssl,handshake -jar target/hello1-0.0.1-SNAPSHOT.jar
Following way two way SSL is configured in spring-boot app.
[cpandey@cpandey hello1]$ cat ./src/main/resources/application.properties
server.port=8444security.require-ssl=trueserver.ssl.key-store-type=JKS
server.ssl.key-store=classpath:server2.jks
server.ssl.key-store-password=secretserver.ssl.trust-store=classpath:server1_trust.jks
server.ssl.trust-store-password=secret
server.ssl.client-auth=NEED
2. Now build war file for deploying EAP 7.2.7 + Red Hat Fuse 7.7.
- mvn clean package
- cp target/camel-test-spring.war [EAP_HOME]/standalone/deployments/
- Here Keystore and truststore are set in httpEAP/src/main/webapp/META-INF/jboss-camel-context.xml
<camel:sslContextParameters id="sslCtxParmsEV">
<camel:keyManagers keyPassword="secret">
<camel:keyStore password="secret" resource="/home/cpandey/Downloads/mycerts/client1.jks"/>
</camel:keyManagers>
<camel:trustManagers>
<camel:keyStore password="secret" resource="/home/cpandey/Downloads/mycerts/client1_trust.jks"/>
</camel:trustManagers>
</camel:sslContextParameters>
3. Start EAP- [EAP_HOME]/bin/standalone.sh
4. Check EAP logs.
17:06:32,484 INFO [testoutput] (Camel (camelContext-fe2f82c3-3ec1-4d5d-a0f4-c090e22de7eb) thread #1 - timer:
5. So 2 way ssl works when keystore and truststore are set as camel's sslContextParameters.
6. Now let us try same but when keystore and truststore are set as EAP's system properties. This is as per article https://access.redhat.com/solutions/172203.
7. Go to EAP camel Application: httpEAP/src/main/webapp/META-INF/jboss-camel-context.xml. Here remove sslContextParameters from camel-http4 component and set useGobalSslContextParameters, useSystemProperties to true. This is because we want this route to use keystore + truststore defined in system properties of EAP.
Replace :
<to id="httpProfile" uri="http4:/>
With :
<to id="httpProfile" uri="http4:/>
Build Application and copy war to deployment folder of EAP
mvn clean package
cp target/camel-test-spring.war [EAP_HOME]/standalone/deployments/
8. Go to [EAP_HOME]/standalone/configuration/standalone.xml. Append keystore and truststore path and password as system property.
<system-properties>
<property name="javax.net.ssl.trustStore" value="/path_to/mycerts/client1_trust.jks"/>
<property name="javax.net.ssl.trustStorePassword" value="secret"/>
<property name="javax.net.ssl.keyStore" value="/path_to/mycerts/client1.jks"/>
<property name="javax.net.ssl.keyStorePassword" value="secret"/>
</system-properties>
9. Start SpringBoot app and EAP both.
SpringBoot: java -Djavax.net.debug=ssl,handshake -jar target/hello1-0.0.1-SNAPSHOT.jar
EAP: [EAP_HOME]/bin/standalone.sh
10. In spring-boot app we will observe exception like
javax.net.ssl|SEVERE|12|https-jsse-nio-8444-exec-3|2021-01-22 17:57:11.209 IST|Logger.java:765|Fatal (BAD_CERTIFICATE): Empty server certificate chain ("throwable" : { javax.net.ssl.SSLHandshakeException: Empty server certificate chain at sun.security.ssl.Alert.createSSLException(Alert.java:131) at sun.security.ssl.Alert.createSSLException(Alert.java:117)
And in EAP we will observe exception
Stacktrace---------------------------------------------------------------------------------------------------------------------------------------: javax.net.ssl.SSLException: readHandshakeRecord at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
Bug
Major
Jiri Ondrusek
Chandra Shekhar Pandey (Inactive)
Branislav Smolicek