Apache CXF client issue with calling SSL service

java ssl cxf
32,421

As the stack trace indicates, the SSL connection is refused by the server. Both your test clients are trying to establish a simple HTTPS connection (i.e. the client has a trustore where it keeps certificates that it will trust). However, the WS-Policy of your WSDL is clear on this matter:

<wsp:Policy>
  <sp:HttpsToken RequireClientCertificate="true"/>
</wsp:Policy>

The clients will require a mutual HTTPS connection to authorize access to the web service (i.e. same as simple HTTPS + the client has its own keypair to identify himself to the server). This probably works with other clients (SOAPUI) because they are more lenient and / or completely ignore the WS-Policy contraints.

So you have two options:

Share:
32,421
oskarae
Author by

oskarae

Updated on July 09, 2022

Comments

  • oskarae
    oskarae almost 2 years

    I am trying to write a WS client using Apache CXF framework. Remote WS has SSL security. I have yydats-keys.jks Java KeyStore with all necessary certificates for this remote WS. Using browser (FF, Chrome) (When I import necessary keys) I can access WSDL definition. Using SoapUI (With setting SSL keystore ti yydats-keys.jks) I can access these WS and also execute them. Based on WSDL definition using wsdl2java I have generated starting point for implementing my client call. Notice. This is command I use: ./wsdl2java.sh -p org.yydats -d /home/john -exsh false -dns true -dex true -verbose /home/john/yydats.wsdl

    Here is WSDL (little bit modified for hiding real URLs):

      <wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
            xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
            xmlns:wsa10="http://www.w3.org/2005/08/addressing"
            xmlns:tns="http://tempuri.org/"
            xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
            xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract"
            xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
            xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
            xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
            xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
            xmlns:i0="http://ws.yydats.org/services/StatusService"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
            name="StatusService" targetNamespace="http://tempuri.org/">
    <wsp:Policy wsu:Id="basicBinding_policy">
      <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:TransportToken>
        <wsp:Policy>
          <sp:HttpsToken RequireClientCertificate="true"/>
        </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
        <wsp:Policy>
          <sp:Basic256/>
        </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
        <wsp:Policy>
          <sp:Strict/>
        </wsp:Policy>
          </sp:Layout>
        </wsp:Policy>
      </sp:TransportBinding>
    </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
    <wsdl:import namespace="http://ws.yydats.org/services/IndigentStatusService" location="https://ws.yydats.org/services/StatusService.svc?wsdl=wsdl0"/>
    <wsdl:types/>
    <wsdl:binding name="basicBinding" type="i0:IIndigentStatusService">
      <wsp:PolicyReference URI="#basicBinding_policy"/>
      <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
      <wsdl:operation name="Check">
    <soap:operation soapAction="http://ws.yydats.org/services/Check" style="document"/>
    <wsdl:input>
      <soap:body use="literal"/>
    </wsdl:input>
    <wsdl:output>
      <soap:body use="literal"/>
    </wsdl:output>
    <wsdl:fault name="AddressAccessDeniedExceptionFault">
      <soap:fault name="AddressAccessDeniedExceptionFault" use="literal"/>
    </wsdl:fault>
      </wsdl:operation>
      <wsdl:operation name="SurveyCheck">
    <soap:operation soapAction="http://ws.yydats.org/services/SurveyCheck" style="document"/>
    <wsdl:input>
      <soap:body use="literal"/>
    </wsdl:input>
    <wsdl:output>
      <soap:body use="literal"/>
    </wsdl:output>
    <wsdl:fault name="AddressAccessDeniedExceptionFault">
      <soap:fault name="AddressAccessDeniedExceptionFault" use="literal"/>
    </wsdl:fault>
      </wsdl:operation>
      <wsdl:operation name="ServicesCheck">
    <soap:operation soapAction="http://ws.yydats.org/services/ServicesCheck" style="document"/>
    <wsdl:input>
      <soap:body use="literal"/>
    </wsdl:input>
    <wsdl:output>
      <soap:body use="literal"/>
    </wsdl:output>
    <wsdl:fault name="AddressAccessDeniedExceptionFault">
      <soap:fault name="AddressAccessDeniedExceptionFault" use="literal"/>
    </wsdl:fault>
      </wsdl:operation>
    </wsdl:binding>
    <wsdl:service name="IndigentStatusService">
      <wsdl:port name="basicBinding" binding="tns:basicBinding">
    <soap:address location="https://ws.yydats.org/services/StatusService.svc"/>
      </wsdl:port>
    </wsdl:service>
  </wsdl:definitions>

    I have issue setting up client so it would use yydats-keys.jks. I have tried two approaches: 1) Setting JVM System Keystore and TrustStore properties:

      public static void main(String args[]) throws java.lang.Exception {
    System.setProperty("javax.net.ssl.trustStore","/home/john/yydats-keys.jks");
    System.setProperty("javax.net.ssl.trustStorePassword","changeit");
    System.setProperty("com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump","true");
    System.setProperty("javax.net.ssl.keyStore","/home/john/yydats-keys.jks");
    System.setProperty("javax.net.ssl.keyStorePassword","changeit");

    QName SERVICE_NAME = new QName("http://tempuri.org/", "StatusService");
    StatusService ss = new StatusService(new URL("file:///home/john/yydats.wsdl"), SERVICE_NAME);
    IStatusService port = ss.getBasicBinding();
    port.surveyCheck();
  }

    2) Setting a HTTPConduit (based on: http://aruld.info/programming-ssl-for-jetty-based-cxf-services/):

      private static void configureSSLOnTheClient(Object c) {
    Client client = ClientProxy.getClient(c);
    HTTPConduit httpConduit = (HTTPConduit) client.getConduit();

    try {
      TLSClientParameters tlsParams = new TLSClientParameters();
      tlsParams.setDisableCNCheck(true);

      KeyStore keyStore = KeyStore.getInstance("JKS");
      String trustpass = "changeit";

      File truststore = new File("/home/john/yydats-keys.jks");
      keyStore.load(new FileInputStream(truststore), trustpass.toCharArray());
      TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
      trustFactory.init(keyStore);
      TrustManager[] tm = trustFactory.getTrustManagers();
      tlsParams.setTrustManagers(tm);

      truststore = new File("/home/john/yydats-keys.jks");
      keyStore.load(new FileInputStream(truststore), trustpass.toCharArray());
      KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
      keyFactory.init(keyStore, trustpass.toCharArray());
      KeyManager[] km = keyFactory.getKeyManagers();
      tlsParams.setKeyManagers(km);

      FiltersType filter = new FiltersType();
      filter.getInclude().add(".*_EXPORT_.*");
      filter.getInclude().add(".*_EXPORT1024_.*");
      filter.getInclude().add(".*_WITH_DES_.*");
      filter.getInclude().add(".*_WITH_NULL_.*");
      filter.getExclude().add(".*_DH_anon_.*");
      tlsParams.setCipherSuitesFilter(filter);

      httpConduit.setTlsClientParameters(tlsParams);
    } catch (KeyStoreException kse) {
      System.out.println("Security configuration failed with the following: " + kse.getCause());
    } catch (NoSuchAlgorithmException nsa) {
      System.out.println("Security configuration failed with the following: " + nsa.getCause());
    } catch (FileNotFoundException fnfe) {
      System.out.println("Security configuration failed with the following: " + fnfe.getCause());
    } catch (UnrecoverableKeyException uke) {
      System.out.println("Security configuration failed with the following: " + uke.getCause());
    } catch (CertificateException ce) {
      System.out.println("Security configuration failed with the following: " + ce.getCause());
    } catch (GeneralSecurityException gse) {
      System.out.println("Security configuration failed with the following: " + gse.getCause());
    } catch (IOException ioe) {
      System.out.println("Security configuration failed with the following: " + ioe.getCause());
    }
  }

  public static void main(String args[]) throws java.lang.Exception {
    QName SERVICE_NAME = new QName("http://tempuri.org/", "StatusService");
    StatusService ss = new StatusService(new URL("file:///home/john/yydats.wsdl"), SERVICE_NAME);
    IStatusService port = ss.getBasicBinding();

    configureSSLOnTheClient(port);

    port.surveyCheck();
  }

    This is stack trace that I am getting:

      ---------------------------
  ID: 1
  Address: https://ws.yydats.org/services/StatusService.svc
  Encoding: UTF-8
  Content-Type: text/xml
  Headers: {Accept=[*/*], SOAPAction=["http://ws.yydats.org/services/StatusService.svc/ServicesCheck"]}
  Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header/><soap:Body><ServicesCheck xmlns="http://ws.yydats.org/services/StatusService" xmlns:ns2="http://schemas.microsoft.com/2003/10/Serialization/" xmlns:ns3="yydats://yydats.Status" xmlns:ns4="http://schemas.datacontract.org/2004/07/System" xmlns:ns5="http://schemas.datacontract.org/2004/07/System.ServiceModel"><personCode></personCode><userName></userName><userSecondName></userSecondName><userPersonCode></userPersonCode><outErrText></outErrText><outPersCode></outPersCode></ServicesCheck></soap:Body></soap:Envelope>
  --------------------------------------
  Dec 06, 2011 5:57:29 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
  WARNING: Interceptor for {http://tempuri.org/}StatusService#{http://ws.yydats.org/services/StatusService}ServicesCheck has thrown exception, unwinding now
  org.apache.cxf.interceptor.Fault: Could not send Message.
      at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
      at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:533)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319)
      at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
      at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
      at $Proxy37.servicesCheck(Unknown Source)
      at lv.lattelecom.npais.sopa.IIndigentStatusService_BasicBinding_Client.main(IIndigentStatusService_BasicBinding_Client.java:170)
  Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: UntrustedURLConnectionIOException invoking https://ws.yydats.org/services/StatusService.svc: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
      at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
      at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
      at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
      at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1428)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1413)
      at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
      at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:188)
      at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
      at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:646)
      at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
      ... 9 more
  Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
      at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:121)
      at org.apache.cxf.transport.http.TrustDecisionUtil.makeTrustDecision(TrustDecisionUtil.java:80)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1342)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1307)
      at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
      at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1385)
      ... 14 more

  Exception in thread "main" javax.xml.ws.WebServiceException: Could not send Message.
      at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:145)
      at $Proxy37.servicesCheck(Unknown Source)
      at lv.lattelecom.npais.sopa.IIndigentStatusService_BasicBinding_Client.main(IIndigentStatusService_BasicBinding_Client.java:170)
  Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: UntrustedURLConnectionIOException invoking https://ws.yydats.org/services/StatusService.svc: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
      at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
      at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
      at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
      at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1428)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1413)
      at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
      at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:188)
      at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
      at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:646)
      at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
      at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:533)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366)
      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319)
      at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
      at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
      ... 2 more
  Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
      at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:121)
      at org.apache.cxf.transport.http.TrustDecisionUtil.makeTrustDecision(TrustDecisionUtil.java:80)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1342)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1307)
      at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
      at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1385)`enter code here`

    Have anybody faced similar issue? Or maybe have any ideas what I could be doing wrong?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Why do I get a handshake failure (Java SSL)
https URL hostname not matching Common Name (CN) despite setting 'disableCNCheck' to true
Extended server_name (SNI Extension) not sent with jdk1.8.0 but send with jdk1.7.0
Flutter Websocket client ssl handshake failure
"java.net.SocketException: Connection reset" when running a simpleSSL client
Getting CXF error: javax.xml.ws.WebServiceException: WSDL Metadata not available to create the proxy
Timeout for Webservice response?
How to post file as an attachment in CXF JAX-RS
Apache Camel and CXF : How do i send HTTP status code from bean
java.lang.NoClassDefFoundError: org/apache/cxf/jaxrs/impl/UriBuilderImpl