Apache CXF client issue with calling SSL service
As the stack trace indicates, the SSL connection is refused by the server. Both your test clients are trying to establish a simple HTTPS connection (i.e. the client has a trustore where it keeps certificates that it will trust). However, the WS-Policy of your WSDL is clear on this matter:
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="true"/>
</wsp:Policy>
The clients will require a mutual HTTPS connection to authorize access to the web service (i.e. same as simple HTTPS + the client has its own keypair to identify himself to the server). This probably works with other clients (SOAPUI) because they are more lenient and / or completely ignore the WS-Policy contraints.
So you have two options:
- You update one of your test scripts to setup a mutual HTTPS connection (I do not have code handy for this).
- You develop a simple test CXF client which does mutual HTTPS connection, there is a very nice sample project available from cxf-samples that does exactly what you need: http://svn.apache.org/repos/asf/cxf/tags/cxf-2.4.4/distribution/src/main/release/samples/wsdl_first_https/
oskarae
Updated on July 09, 2022Comments
-
oskarae almost 2 years
I am trying to write a WS client using Apache CXF framework. Remote WS has SSL security. I have yydats-keys.jks Java KeyStore with all necessary certificates for this remote WS. Using browser (FF, Chrome) (When I import necessary keys) I can access WSDL definition. Using SoapUI (With setting SSL keystore ti yydats-keys.jks) I can access these WS and also execute them. Based on WSDL definition using wsdl2java I have generated starting point for implementing my client call. Notice. This is command I use: ./wsdl2java.sh -p org.yydats -d /home/john -exsh false -dns true -dex true -verbose /home/john/yydats.wsdl
Here is WSDL (little bit modified for hiding real URLs):
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:tns="http://tempuri.org/" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:i0="http://ws.yydats.org/services/StatusService" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" name="StatusService" targetNamespace="http://tempuri.org/"> <wsp:Policy wsu:Id="basicBinding_policy"> <wsp:ExactlyOne> <wsp:All> <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> <wsp:Policy> <sp:TransportToken> <wsp:Policy> <sp:HttpsToken RequireClientCertificate="true"/> </wsp:Policy> </sp:TransportToken> <sp:AlgorithmSuite> <wsp:Policy> <sp:Basic256/> </wsp:Policy> </sp:AlgorithmSuite> <sp:Layout> <wsp:Policy> <sp:Strict/> </wsp:Policy> </sp:Layout> </wsp:Policy> </sp:TransportBinding> </wsp:All> </wsp:ExactlyOne> </wsp:Policy> <wsdl:import namespace="http://ws.yydats.org/services/IndigentStatusService" location="https://ws.yydats.org/services/StatusService.svc?wsdl=wsdl0"/> <wsdl:types/> <wsdl:binding name="basicBinding" type="i0:IIndigentStatusService"> <wsp:PolicyReference URI="#basicBinding_policy"/> <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/> <wsdl:operation name="Check"> <soap:operation soapAction="http://ws.yydats.org/services/Check" style="document"/> <wsdl:input> <soap:body use="literal"/> </wsdl:input> <wsdl:output> <soap:body use="literal"/> </wsdl:output> <wsdl:fault name="AddressAccessDeniedExceptionFault"> <soap:fault name="AddressAccessDeniedExceptionFault" use="literal"/> </wsdl:fault> </wsdl:operation> <wsdl:operation name="SurveyCheck"> <soap:operation soapAction="http://ws.yydats.org/services/SurveyCheck" style="document"/> <wsdl:input> <soap:body use="literal"/> </wsdl:input> <wsdl:output> <soap:body use="literal"/> </wsdl:output> <wsdl:fault name="AddressAccessDeniedExceptionFault"> <soap:fault name="AddressAccessDeniedExceptionFault" use="literal"/> </wsdl:fault> </wsdl:operation> <wsdl:operation name="ServicesCheck"> <soap:operation soapAction="http://ws.yydats.org/services/ServicesCheck" style="document"/> <wsdl:input> <soap:body use="literal"/> </wsdl:input> <wsdl:output> <soap:body use="literal"/> </wsdl:output> <wsdl:fault name="AddressAccessDeniedExceptionFault"> <soap:fault name="AddressAccessDeniedExceptionFault" use="literal"/> </wsdl:fault> </wsdl:operation> </wsdl:binding> <wsdl:service name="IndigentStatusService"> <wsdl:port name="basicBinding" binding="tns:basicBinding"> <soap:address location="https://ws.yydats.org/services/StatusService.svc"/> </wsdl:port> </wsdl:service> </wsdl:definitions>
I have issue setting up client so it would use yydats-keys.jks. I have tried two approaches: 1) Setting JVM System Keystore and TrustStore properties:
public static void main(String args[]) throws java.lang.Exception { System.setProperty("javax.net.ssl.trustStore","/home/john/yydats-keys.jks"); System.setProperty("javax.net.ssl.trustStorePassword","changeit"); System.setProperty("com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump","true"); System.setProperty("javax.net.ssl.keyStore","/home/john/yydats-keys.jks"); System.setProperty("javax.net.ssl.keyStorePassword","changeit"); QName SERVICE_NAME = new QName("http://tempuri.org/", "StatusService"); StatusService ss = new StatusService(new URL("file:///home/john/yydats.wsdl"), SERVICE_NAME); IStatusService port = ss.getBasicBinding(); port.surveyCheck(); }
2) Setting a HTTPConduit (based on: http://aruld.info/programming-ssl-for-jetty-based-cxf-services/):
private static void configureSSLOnTheClient(Object c) { Client client = ClientProxy.getClient(c); HTTPConduit httpConduit = (HTTPConduit) client.getConduit(); try { TLSClientParameters tlsParams = new TLSClientParameters(); tlsParams.setDisableCNCheck(true); KeyStore keyStore = KeyStore.getInstance("JKS"); String trustpass = "changeit"; File truststore = new File("/home/john/yydats-keys.jks"); keyStore.load(new FileInputStream(truststore), trustpass.toCharArray()); TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustFactory.init(keyStore); TrustManager[] tm = trustFactory.getTrustManagers(); tlsParams.setTrustManagers(tm); truststore = new File("/home/john/yydats-keys.jks"); keyStore.load(new FileInputStream(truststore), trustpass.toCharArray()); KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyFactory.init(keyStore, trustpass.toCharArray()); KeyManager[] km = keyFactory.getKeyManagers(); tlsParams.setKeyManagers(km); FiltersType filter = new FiltersType(); filter.getInclude().add(".*_EXPORT_.*"); filter.getInclude().add(".*_EXPORT1024_.*"); filter.getInclude().add(".*_WITH_DES_.*"); filter.getInclude().add(".*_WITH_NULL_.*"); filter.getExclude().add(".*_DH_anon_.*"); tlsParams.setCipherSuitesFilter(filter); httpConduit.setTlsClientParameters(tlsParams); } catch (KeyStoreException kse) { System.out.println("Security configuration failed with the following: " + kse.getCause()); } catch (NoSuchAlgorithmException nsa) { System.out.println("Security configuration failed with the following: " + nsa.getCause()); } catch (FileNotFoundException fnfe) { System.out.println("Security configuration failed with the following: " + fnfe.getCause()); } catch (UnrecoverableKeyException uke) { System.out.println("Security configuration failed with the following: " + uke.getCause()); } catch (CertificateException ce) { System.out.println("Security configuration failed with the following: " + ce.getCause()); } catch (GeneralSecurityException gse) { System.out.println("Security configuration failed with the following: " + gse.getCause()); } catch (IOException ioe) { System.out.println("Security configuration failed with the following: " + ioe.getCause()); } } public static void main(String args[]) throws java.lang.Exception { QName SERVICE_NAME = new QName("http://tempuri.org/", "StatusService"); StatusService ss = new StatusService(new URL("file:///home/john/yydats.wsdl"), SERVICE_NAME); IStatusService port = ss.getBasicBinding(); configureSSLOnTheClient(port); port.surveyCheck(); }
This is stack trace that I am getting:
--------------------------- ID: 1 Address: https://ws.yydats.org/services/StatusService.svc Encoding: UTF-8 Content-Type: text/xml Headers: {Accept=[*/*], SOAPAction=["http://ws.yydats.org/services/StatusService.svc/ServicesCheck"]} Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header/><soap:Body><ServicesCheck xmlns="http://ws.yydats.org/services/StatusService" xmlns:ns2="http://schemas.microsoft.com/2003/10/Serialization/" xmlns:ns3="yydats://yydats.Status" xmlns:ns4="http://schemas.datacontract.org/2004/07/System" xmlns:ns5="http://schemas.datacontract.org/2004/07/System.ServiceModel"><personCode></personCode><userName></userName><userSecondName></userSecondName><userPersonCode></userPersonCode><outErrText></outErrText><outPersCode></outPersCode></ServicesCheck></soap:Body></soap:Envelope> -------------------------------------- Dec 06, 2011 5:57:29 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging WARNING: Interceptor for {http://tempuri.org/}StatusService#{http://ws.yydats.org/services/StatusService}ServicesCheck has thrown exception, unwinding now org.apache.cxf.interceptor.Fault: Could not send Message. at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263) at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:533) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319) at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88) at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134) at $Proxy37.servicesCheck(Unknown Source) at lv.lattelecom.npais.sopa.IIndigentStatusService_BasicBinding_Client.main(IIndigentStatusService_BasicBinding_Client.java:170) Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: UntrustedURLConnectionIOException invoking https://ws.yydats.org/services/StatusService.svc: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization? at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:525) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1428) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1413) at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47) at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:188) at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:646) at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) ... 9 more Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization? at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:121) at org.apache.cxf.transport.http.TrustDecisionUtil.makeTrustDecision(TrustDecisionUtil.java:80) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1342) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1307) at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42) at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1385) ... 14 more Exception in thread "main" javax.xml.ws.WebServiceException: Could not send Message. at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:145) at $Proxy37.servicesCheck(Unknown Source) at lv.lattelecom.npais.sopa.IIndigentStatusService_BasicBinding_Client.main(IIndigentStatusService_BasicBinding_Client.java:170) Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: UntrustedURLConnectionIOException invoking https://ws.yydats.org/services/StatusService.svc: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization? at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:525) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1428) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1413) at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47) at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:188) at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:646) at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263) at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:533) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319) at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88) at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134) ... 2 more Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization? at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:121) at org.apache.cxf.transport.http.TrustDecisionUtil.makeTrustDecision(TrustDecisionUtil.java:80) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1342) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1307) at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42) at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1385)`enter code here`
Have anybody faced similar issue? Or maybe have any ideas what I could be doing wrong?