CXF SSL Spring 配置 - 空客户端证书链
我正在尝试使用 CXF Spring 配置构建 SSL 安全的 Web 服务客户端,我想知道如何告诉 CXF 在我的密钥库中使用此客户端证书。 这应该存在,因为如果我的密钥库拥有大量证书,CXF 应该如何找到好的证书?
这是我的配置:
<http-conf:conduit name="{urn:ihe:iti:xds-b:2007}DocumentRepositoryPortType.http-conduit">
<http-conf:client AutoRedirect="true" Connection="Keep-Alive"/>
<http-conf:tlsClientParameters secureSocketProtocol="SSL">
<sec:keyManagers keyPassword="storepass">
<sec:keyStore type="JKS" password="storepass" file="src/main/resources/keystore.jks" />
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS" password="storepass" file="src/main/resources/truststore.jks" />
</sec:trustManagers>
<sec:cipherSuitesFilter>
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http-conf:tlsClientParameters>
</http-conf:conduit>
在该
<sec:keyManagers keyPassword="
<sec:keyStore type="JKS" password="storepass" file="src/main/resources/keystore.jks" />
</sec:keyManagers>
部分中,有没有办法写类似的内容
alias="mycertificate"
?
我在几个网站上进行了搜索,但暂时没有结果。
实际上,我的问题是,当我的 CXF 客户端与 SSL 安全服务器通信时,服务器会发出证书请求,以便使用证书来识别自己的身份。服务器告诉我它正在等待哪些证书颁发机构,在我的密钥库中,我确实有一个已由这些机构之一认证的证书,但没有来自我的客户端的证书传输...
这是它在SSL 日志:
CertificateRequest:
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<CN=****, DC=****, DC=****>
Others authorities...
空客户端证书链:
*** Certificate chain
***
你们有什么想法吗?
提前致谢!
I am trying to build a SSL secured Web Service client using CXF Spring configuration and I wonder how is it possible to tell to CXF to use this client certificate in my keystore.
This should exists because if my keystore holds plenty of certificate how does CXF is supposed to do to find the good one?
Here is my configuration:
<http-conf:conduit name="{urn:ihe:iti:xds-b:2007}DocumentRepositoryPortType.http-conduit">
<http-conf:client AutoRedirect="true" Connection="Keep-Alive"/>
<http-conf:tlsClientParameters secureSocketProtocol="SSL">
<sec:keyManagers keyPassword="storepass">
<sec:keyStore type="JKS" password="storepass" file="src/main/resources/keystore.jks" />
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS" password="storepass" file="src/main/resources/truststore.jks" />
</sec:trustManagers>
<sec:cipherSuitesFilter>
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http-conf:tlsClientParameters>
</http-conf:conduit>
In the
<sec:keyManagers keyPassword="
<sec:keyStore type="JKS" password="storepass" file="src/main/resources/keystore.jks" />
</sec:keyManagers>
section, is there a way to write something like
alias="mycertificate"
?
I searched on several Web sites but no result for the moment.
Actually my problem is that when my CXF client communicates with a SSL secured server there is a Certificate Request coming from the server in order to identify myself with a certificate. The server tells me which are the cert authorities it is waiting for, in my keystore I do have a certificate which has been certified by one of these authorities but there is no certificate transmission from my client...
Here is how it looks in the SSL logs:
CertificateRequest:
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<CN=****, DC=****, DC=****>
Others authorities...
Empty client certificate chain:
*** Certificate chain
***
Do you guys have any idea?
Thanks in advance!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
http-conduit 上的“名称”属性可能是错误的。它应该是端点名称(来自服务元素内),而不是端口类型名称。
不过,我建议使用 URL 作为名称。
请注意末尾的通配符 (.*) 以匹配所有 URL。
It's likely the "name" attribute on the http-conduit is wrong. It should be the Endpoint name (from within the Service element), not the PortType name.
However, I would recommend using a URL for the name.
Note the wildcard (.*) at the end to match all URL's.