1
votes

I have been unable to make the Apache CXF client grails plugin work with two-way SSL authentication. The web service I am calling provides a development environment URL, which does not require two-way authentication, and everything works fine. However, the test environment URL they provide does require two-way authentication, and I have not been able to make it work.

The grails app is running in Tomcat on a Windows server.

I have written a stand-alone Java test app to test out the 2-way authentication. I call it with the appropriate keystore, truststore, etc., and it works fine. (This is a pure Java app -- no CXF.) I have imported this same Java class into the grails app running on Tomcat, and that also works. However, as previously stated, when calling using CXF, it does not work.

I have turned on -Djavax.net.debug=ssl in Tomcat and can see that the client is not sending back a certificate when the server sends the CertificateRequest message. (When using the Java class, the client does respond with the correct cert.)

I have tried several different ways of setting the keystore and truststore parameters. I am currently setting them by using ++JvmOptions when I start Tomcat:

++JvmOptions
-Xrs;
-Djavax.net.debug=ssl;
-Djavax.net.ssl.trustStore=C:\path\to\truststore.jks;
-Djavax.net.ssl.keyStore=C:\path\to\keystore.jks;
-Dhttps.cipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA;
-Djavax.net.ssl.keyStorePassword=password;
-Djavax.net.ssl.trustStorePassword=password

I am currently using cxf-client:2.0.3, although I have also tried with cxf-client:1.5.6.


1 Answer

1
votes

I'm not that familiar with Grails, but what does your CXF client call look like? Do you add the keystore/truststore to the HTTP conduit?

Example:

<!-- namespaces added so the fragment is well-formed on its own:
     http = http://cxf.apache.org/transports/http/configuration
     sec  = http://cxf.apache.org/configuration/security -->
<http:conduit name="https:..."
              xmlns:http="http://cxf.apache.org/transports/http/configuration"
              xmlns:sec="http://cxf.apache.org/configuration/security">
    <http:tlsClientParameters>
        <!-- trust store: which server certificates the client accepts -->
        <sec:trustManagers>
            <sec:keyStore type="JKS" password="password" file="..."/>
        </sec:trustManagers>
        <!-- key store: the client certificate and private key sent on CertificateRequest -->
        <sec:keyManagers keyPassword="password">
            <sec:keyStore type="JKS" password="password" file="..."/>
        </sec:keyManagers>
        <sec:cipherSuitesFilter>
        ...
        </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
</http:conduit>
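The same conduit settings applied programmatically through the CXF API, as an added example that is not code from the question or the answer; the JAX-WS port proxy, the store paths and the passwords are assumptions:

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public final class MutualTlsConduit {

    // Loads a JKS store; the password also checks the store's integrity.
    private static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Attaches key and trust material to the HTTP conduit behind a JAX-WS proxy
    // (the object returned by a generated Service's getXxxPort(); assumed here), so the
    // client certificate is presented independently of javax.net.ssl.* system properties.
    public static void configure(Object port,
                                 String keyStorePath, char[] keyStorePass, char[] keyPass,
                                 String trustStorePath, char[] trustStorePass) throws Exception {
        // Key managers answer the server's CertificateRequest with the client cert.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keyStorePath, keyStorePass), keyPass);

        // Trust managers decide which server certificates this client accepts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, trustStorePass));

        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(kmf.getKeyManagers());
        tls.setTrustManagers(tmf.getTrustManagers());
        // Same suite the question passes via https.cipherSuites; pinned here instead.
        tls.setCipherSuites(Arrays.asList("SSL_RSA_WITH_3DES_EDE_CBC_SHA"));

        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
    }
}
```

With -Djavax.net.debug=ssl still enabled, the handshake log should now show a Certificate message from the client after the server's CertificateRequest.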