StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POApache CXF client issue with calling SSL service
text
Body
copied!<p>I am trying to write a WS client using Apache CXF framework. Remote WS has SSL security. I have yydats-keys.jks Java KeyStore with all necessary certificates for this remote WS. Using browser (FF, Chrome) (When I import necessary keys) I can access WSDL definition. Using SoapUI (With setting SSL keystore ti yydats-keys.jks) I can access these WS and also execute them. Based on WSDL definition using wsdl2java I have generated starting point for implementing my client call. Notice. This is command I use: ./wsdl2java.sh -p org.yydats -d /home/john -exsh false -dns true -dex true -verbose /home/john/yydats.wsdl</p> <p>Here is WSDL (little bit modified for hiding real URLs):</p> <pre><code> <wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:tns="http://tempuri.org/" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:i0="http://ws.yydats.org/services/StatusService" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" name="StatusService" targetNamespace="http://tempuri.org/"> <wsp:Policy wsu:Id="basicBinding_policy"> <wsp:ExactlyOne> <wsp:All> <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> <wsp:Policy> <sp:TransportToken> <wsp:Policy> <sp:HttpsToken RequireClientCertificate="true"/> </wsp:Policy> </sp:TransportToken> <sp:AlgorithmSuite> <wsp:Policy> <sp:Basic256/> </wsp:Policy> </sp:AlgorithmSuite> <sp:Layout> <wsp:Policy> <sp:Strict/> </wsp:Policy> </sp:Layout> </wsp:Policy> </sp:TransportBinding> </wsp:All> </wsp:ExactlyOne> </wsp:Policy> <wsdl:import namespace="http://ws.yydats.org/services/IndigentStatusService" location="https://ws.yydats.org/services/StatusService.svc?wsdl=wsdl0"/> <wsdl:types/> <wsdl:binding name="basicBinding" type="i0:IIndigentStatusService"> <wsp:PolicyReference URI="#basicBinding_policy"/> <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/> <wsdl:operation name="Check"> <soap:operation soapAction="http://ws.yydats.org/services/Check" style="document"/> <wsdl:input> <soap:body use="literal"/> </wsdl:input> <wsdl:output> <soap:body use="literal"/> </wsdl:output> <wsdl:fault name="AddressAccessDeniedExceptionFault"> <soap:fault name="AddressAccessDeniedExceptionFault" use="literal"/> </wsdl:fault> </wsdl:operation> <wsdl:operation name="SurveyCheck"> <soap:operation soapAction="http://ws.yydats.org/services/SurveyCheck" style="document"/> <wsdl:input> <soap:body use="literal"/> </wsdl:input> <wsdl:output> <soap:body use="literal"/> </wsdl:output> <wsdl:fault name="AddressAccessDeniedExceptionFault"> <soap:fault name="AddressAccessDeniedExceptionFault" use="literal"/> </wsdl:fault> </wsdl:operation> <wsdl:operation name="ServicesCheck"> <soap:operation soapAction="http://ws.yydats.org/services/ServicesCheck" style="document"/> <wsdl:input> <soap:body use="literal"/> </wsdl:input> <wsdl:output> <soap:body use="literal"/> </wsdl:output> <wsdl:fault name="AddressAccessDeniedExceptionFault"> <soap:fault name="AddressAccessDeniedExceptionFault" use="literal"/> </wsdl:fault> </wsdl:operation> </wsdl:binding> <wsdl:service name="IndigentStatusService"> <wsdl:port name="basicBinding" binding="tns:basicBinding"> <soap:address location="https://ws.yydats.org/services/StatusService.svc"/> </wsdl:port> </wsdl:service> </wsdl:definitions> </code></pre> <p>I have issue setting up client so it would use yydats-keys.jks. I have tried two approaches: 1) Setting JVM System Keystore and TrustStore properties:</p> <pre><code> public static void main(String args[]) throws java.lang.Exception { System.setProperty("javax.net.ssl.trustStore","/home/john/yydats-keys.jks"); System.setProperty("javax.net.ssl.trustStorePassword","changeit"); System.setProperty("com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump","true"); System.setProperty("javax.net.ssl.keyStore","/home/john/yydats-keys.jks"); System.setProperty("javax.net.ssl.keyStorePassword","changeit"); QName SERVICE_NAME = new QName("http://tempuri.org/", "StatusService"); StatusService ss = new StatusService(new URL("file:///home/john/yydats.wsdl"), SERVICE_NAME); IStatusService port = ss.getBasicBinding(); port.surveyCheck(); } </code></pre> <p>2) Setting a HTTPConduit (based on: <a href="http://aruld.info/programming-ssl-for-jetty-based-cxf-services/" rel="nofollow">http://aruld.info/programming-ssl-for-jetty-based-cxf-services/</a>):</p> <pre><code> private static void configureSSLOnTheClient(Object c) { Client client = ClientProxy.getClient(c); HTTPConduit httpConduit = (HTTPConduit) client.getConduit(); try { TLSClientParameters tlsParams = new TLSClientParameters(); tlsParams.setDisableCNCheck(true); KeyStore keyStore = KeyStore.getInstance("JKS"); String trustpass = "changeit"; File truststore = new File("/home/john/yydats-keys.jks"); keyStore.load(new FileInputStream(truststore), trustpass.toCharArray()); TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustFactory.init(keyStore); TrustManager[] tm = trustFactory.getTrustManagers(); tlsParams.setTrustManagers(tm); truststore = new File("/home/john/yydats-keys.jks"); keyStore.load(new FileInputStream(truststore), trustpass.toCharArray()); KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyFactory.init(keyStore, trustpass.toCharArray()); KeyManager[] km = keyFactory.getKeyManagers(); tlsParams.setKeyManagers(km); FiltersType filter = new FiltersType(); filter.getInclude().add(".*_EXPORT_.*"); filter.getInclude().add(".*_EXPORT1024_.*"); filter.getInclude().add(".*_WITH_DES_.*"); filter.getInclude().add(".*_WITH_NULL_.*"); filter.getExclude().add(".*_DH_anon_.*"); tlsParams.setCipherSuitesFilter(filter); httpConduit.setTlsClientParameters(tlsParams); } catch (KeyStoreException kse) { System.out.println("Security configuration failed with the following: " + kse.getCause()); } catch (NoSuchAlgorithmException nsa) { System.out.println("Security configuration failed with the following: " + nsa.getCause()); } catch (FileNotFoundException fnfe) { System.out.println("Security configuration failed with the following: " + fnfe.getCause()); } catch (UnrecoverableKeyException uke) { System.out.println("Security configuration failed with the following: " + uke.getCause()); } catch (CertificateException ce) { System.out.println("Security configuration failed with the following: " + ce.getCause()); } catch (GeneralSecurityException gse) { System.out.println("Security configuration failed with the following: " + gse.getCause()); } catch (IOException ioe) { System.out.println("Security configuration failed with the following: " + ioe.getCause()); } } public static void main(String args[]) throws java.lang.Exception { QName SERVICE_NAME = new QName("http://tempuri.org/", "StatusService"); StatusService ss = new StatusService(new URL("file:///home/john/yydats.wsdl"), SERVICE_NAME); IStatusService port = ss.getBasicBinding(); configureSSLOnTheClient(port); port.surveyCheck(); } </code></pre> <p>This is stack trace that I am getting:</p> <pre><code> --------------------------- ID: 1 Address: https://ws.yydats.org/services/StatusService.svc Encoding: UTF-8 Content-Type: text/xml Headers: {Accept=[*/*], SOAPAction=["http://ws.yydats.org/services/StatusService.svc/ServicesCheck"]} Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header/><soap:Body><ServicesCheck xmlns="http://ws.yydats.org/services/StatusService" xmlns:ns2="http://schemas.microsoft.com/2003/10/Serialization/" xmlns:ns3="yydats://yydats.Status" xmlns:ns4="http://schemas.datacontract.org/2004/07/System" xmlns:ns5="http://schemas.datacontract.org/2004/07/System.ServiceModel"><personCode></personCode><userName></userName><userSecondName></userSecondName><userPersonCode></userPersonCode><outErrText></outErrText><outPersCode></outPersCode></ServicesCheck></soap:Body></soap:Envelope> -------------------------------------- Dec 06, 2011 5:57:29 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging WARNING: Interceptor for {http://tempuri.org/}StatusService#{http://ws.yydats.org/services/StatusService}ServicesCheck has thrown exception, unwinding now org.apache.cxf.interceptor.Fault: Could not send Message. at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263) at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:533) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319) at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88) at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134) at $Proxy37.servicesCheck(Unknown Source) at lv.lattelecom.npais.sopa.IIndigentStatusService_BasicBinding_Client.main(IIndigentStatusService_BasicBinding_Client.java:170) Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: UntrustedURLConnectionIOException invoking https://ws.yydats.org/services/StatusService.svc: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization? at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:525) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1428) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1413) at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47) at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:188) at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:646) at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) ... 9 more Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization? at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:121) at org.apache.cxf.transport.http.TrustDecisionUtil.makeTrustDecision(TrustDecisionUtil.java:80) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1342) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1307) at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42) at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1385) ... 14 more Exception in thread "main" javax.xml.ws.WebServiceException: Could not send Message. at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:145) at $Proxy37.servicesCheck(Unknown Source) at lv.lattelecom.npais.sopa.IIndigentStatusService_BasicBinding_Client.main(IIndigentStatusService_BasicBinding_Client.java:170) Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: UntrustedURLConnectionIOException invoking https://ws.yydats.org/services/StatusService.svc: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization? at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:525) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1428) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1413) at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47) at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:188) at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:646) at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263) at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:533) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319) at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88) at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134) ... 2 more Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization? at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:121) at org.apache.cxf.transport.http.TrustDecisionUtil.makeTrustDecision(TrustDecisionUtil.java:80) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1342) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1307) at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42) at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1385)`enter code here` </code></pre> <p>Have anybody faced similar issue? Or maybe have any ideas what I could be doing wrong?</p>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload