
We have a CXF web service that has been working for over a year, deployed in JBoss EAP 5.1 and using Spring 2.5.

Our existing strategy for client cert management is as follows:

  1. For non-PROD, the cert is named "NAME-NON-PROD.cer".
  2. For PROD, the cert is named "NAME-PROD.cer".

From (1) we extract the private key into a file named NAME.pfx and deploy it to the non-prod server.

From (2) we extract the private key into a file named NAME.pfx (exactly the same name as above, and exactly the same password as above), but deploy this into the prod server only.

In other words, the cert name follows the pattern NAME-ENVIRONMENT.cer, while the extracted private key is named only NAME.pfx (without the environment suffix).

To enable MutualSSL, we have this in our jboss-cxf.xml:

<http:conduit name="*.http-conduit">
    <http:tlsClientParameters secureSocketProtocol="SSL">
        <!-- START - setup private key for Mutual SSL -->
        <sec:keyManagers keyPassword="MyPassword">
            <sec:keyStore type="PKCS12" password="MyPassword" resource="Path/To/Private/Key/NAME.pfx" />
        </sec:keyManagers>
        <!-- END - setup private key for Mutual SSL -->
        <sec:cipherSuitesFilter>
            <sec:include>.*_EXPORT_.*</sec:include>
            <sec:include>.*_EXPORT1024_.*</sec:include>
            <sec:include>.*_WITH_DES_.*</sec:include>
            <sec:include>.*_WITH_AES_.*</sec:include>
            <sec:include>.*_WITH_NULL_.*</sec:include>
            <sec:exclude>.*_DH_anon_.*</sec:exclude>
        </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
</http:conduit>

The above works well.

However, the cert (private key) is expiring soon. There was a re-org recently, so another team is now responsible for maintaining the cert and password. The problem is that they refuse to extract the key from both non-prod and prod above into a file named exactly the same. They feel that the pfx file should be named differently INCLUDING the suffix (-PROD or -NON-PROD), and that the configuration should be externalized ... perhaps read from JNDI.

I cannot find an example online which reads from JNDI to instantiate a Spring bean for the private key name and another Spring bean for the password, and then uses them to instantiate the keyManagers above inside tlsClientParameters.

For example, if I create the following Spring beans from JNDI:

<bean id="MyPvtKey" 
class="org.springframework.jndi.JndiObjectFactoryBean"
    p:jndiName="config/MyPvtKey" 
/>

<bean id="MyPvtKeyPwd" 
class="org.springframework.jndi.JndiObjectFactoryBean"
    p:jndiName="config/MyPvtKeyPwd" 
/>

How do I use the above to set the keystore inside tlsClientParameters?

Can someone point me to a resource or example?

SGB

  • I have already seen this (http://stackoverflow.com/a/11190816), but this is not what I want. I would prefer to read from JNDI instead of a property file, as all our external configuration is currently done via JNDI. – SGB Aug 26 '13 at 17:13
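As an added example (not the questioner's code or part of the original post), here is how the same mutual-SSL setup can be done programmatically with CXF's `TLSClientParameters` instead of the `sec:keyStore` XML, which sidesteps the problem of wiring JNDI-backed beans into the CXF schema. It also shows a cipher-suite filter that drops the `_EXPORT_`, `_WITH_DES_` and `_WITH_NULL_` families the posted filter includes; those suites are 40/56-bit or unencrypted, so a server that negotiates one of them leaves the client certificate as the only protection. The class name, the `java:comp/env/` prefix on the JNDI names, and the assumption that both JNDI entries are `String`s are mine, not the question's.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.List;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/**
 * Builds CXF mutual-TLS client parameters from a PKCS#12 file whose path and
 * password are externalised (here read from JNDI) instead of hard-coded in
 * jboss-cxf.xml. Example code, not part of the original question.
 */
public final class ExternalisedMutualTlsConfigurer {

    // Assumed JNDI names: the question binds config/MyPvtKey and
    // config/MyPvtKeyPwd; the java:comp/env prefix is an assumption here.
    static final String KEY_PATH_JNDI = "java:comp/env/config/MyPvtKey";
    static final String KEY_PWD_JNDI  = "java:comp/env/config/MyPvtKeyPwd";

    private ExternalisedMutualTlsConfigurer() { }

    /** Looks up path and password in JNDI; the caller owns the InitialContext. */
    public static TLSClientParameters fromJndi(InitialContext ctx)
            throws NamingException, IOException, GeneralSecurityException {
        String pfxPath = (String) ctx.lookup(KEY_PATH_JNDI);   // e.g. /opt/keys/NAME-PROD.pfx
        char[] password = ((String) ctx.lookup(KEY_PWD_JNDI)).toCharArray();
        InputStream in = new FileInputStream(pfxPath);
        try {
            return build(in, password);
        } finally {
            in.close();
            Arrays.fill(password, '\0');   // do not keep the password on the heap longer than needed
        }
    }

    /** Loads the PKCS#12 store and wraps its private key in CXF TLS client parameters. */
    public static TLSClientParameters build(InputStream pfx, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(pfx, password);   // fails fast on a wrong password or a corrupt file

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);   // store and key share one password, as in the question's XML
        KeyManager[] keyManagers = kmf.getKeyManagers();

        TLSClientParameters tls = new TLSClientParameters();
        tls.setSecureSocketProtocol("TLS");   // the posted XML says "SSL"; TLS is the current protocol name
        tls.setKeyManagers(keyManagers);
        tls.setCipherSuitesFilter(strongCipherFilter());
        return tls;
    }

    /**
     * Equivalent of sec:cipherSuitesFilter, but hardened: only AES suites are
     * included, and the export, DES, NULL-encryption and anonymous-DH families
     * that the posted filter accepts are excluded explicitly.
     */
    public static FiltersType strongCipherFilter() {
        FiltersType filter = new FiltersType();
        List<String> include = filter.getInclude();
        include.add(".*_WITH_AES_.*");
        List<String> exclude = filter.getExclude();
        exclude.add(".*_EXPORT.*");      // covers both _EXPORT_ and _EXPORT1024_
        exclude.add(".*_WITH_DES_.*");
        exclude.add(".*_WITH_NULL_.*");
        exclude.add(".*_DH_anon_.*");
        return filter;
    }

    /** Installs the parameters on the HTTP conduit behind a JAX-WS proxy (the CXF-generated port). */
    public static void applyTo(Object jaxwsPort, TLSClientParameters tls) {
        Client client = ClientProxy.getClient(jaxwsPort);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
    }
}
```

Call `applyTo(port, fromJndi(new InitialContext()))` once after creating the JAX-WS port; because the path comes from JNDI, the pfx file can carry whatever environment suffix the other team wants, and the password never appears in jboss-cxf.xml.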

1 Answer


The above approach did not work. Instead we opted to use a property file and use Spring as follows:

<context:property-placeholder location="classpath:${environment}-key.properties"/>

The details are here: in this Stack Overflow thread

SGB