
We have a CXF web service that has been deployed in JBoss EAP 5.1 for over a year and uses Spring 2.5.

Our existing strategy for Client Cert management is as follows:

  1. For non-PROD, the cert is named "NAME-NON-PROD.cer".
  2. For PROD, the cert is named "NAME-PROD.cer".

From (1) we extract the private key into a file named NAME.pfx and deploy it to the non-prod server.

From (2) we extract the private key into a file named NAME.pfx (exactly the same name as above, and exactly the same password as above), but deploy this one into the prod server only.

In other words, the cert name follows the pattern NAME-ENVIRONMENT.cer, while the extracted private key is always NAME.pfx (without the environment suffix).

To enable mutual SSL, we have this in our jboss-cxf.xml:

    <http:conduit name="*.http-conduit">
      <http:tlsClientParameters secureSocketProtocol="SSL">
        <!-- START - setup private key for Mutual SSL -->
        <sec:keyManagers keyPassword="MyPassword">
          <sec:keyStore type="PKCS12" password="MyPassword" resource="Path/To/Private/Key/NAME.pfx" />
        </sec:keyManagers>
        <!-- END - setup private key for Mutual SSL -->
        <sec:cipherSuitesFilter>
          <sec:include>.*_EXPORT_.*</sec:include>
          <sec:include>.*_EXPORT1024_.*</sec:include>
          <sec:include>.*_WITH_DES_.*</sec:include>
          <sec:include>.*_WITH_AES_.*</sec:include>
          <sec:include>.*_WITH_NULL_.*</sec:include>
          <sec:exclude>.*_DH_anon_.*</sec:exclude>
        </sec:cipherSuitesFilter>
      </http:tlsClientParameters>
    </http:conduit>

The above works well.

However, the cert (private key) is expiring soon. There was a re-org recently, so another team is now responsible for maintaining the cert and password. The problem is that they refuse to extract the keys from both the non-prod and prod certs above into files with exactly the same name. They feel that the pfx files should be named differently, INCLUDING the suffix (-PROD or -NON-PROD), and that the configuration should be externalized, perhaps read from JNDI.

I cannot find an example online that reads from JNDI to instantiate one Spring bean for the private key file name and another Spring bean for the password, and then uses them to instantiate the keyManagers above inside tlsClientParameters.

For example, if I create the following Spring beans from JNDI:

    <bean id="MyPvtKey" class="org.springframework.jndi.JndiObjectFactoryBean" p:jndiName="config/MyPvtKey" />
    <bean id="MyPvtKeyPwd" class="org.springframework.jndi.JndiObjectFactoryBean" p:jndiName="config/MyPvtKeyPwd" />

How do I use the above to set the keystore inside tlsClientParameters?

Can someone point me to a resource or example?

SGB

  • I have already seen this ( stackoverflow.com/a/11190816 ), but this is not what I want. I would prefer to read from JNDI instead of a property file as all our external configuration is currently done via JNDI. Commented Aug 26, 2013 at 17:13

1 Answer 1


The above approach did not work. Instead, we opted to use a property file and Spring as follows:

<context:property-placeholder location="classpath:${environment}-key.properties"/>

The details are in this Stack Overflow thread.
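The question asks how to feed a JNDI-sourced keystore path and password into CXF's tlsClientParameters, and the answer settled on a property file instead. As an added example (not code from the question, the answer or the CXF project), the class below does the wiring programmatically with CXF's public API, so the source of the two values no longer matters: `fromJndi()` reads the JNDI names given in the question, and `build()` accepts the same two values from a properties file or anywhere else. It also replaces the posted cipher-suite filter, which admits EXPORT, DES and NULL suites, with one that allows only AES suites and explicitly excludes the weak ones. What the JNDI names are bound to (plain String values), the class and method names, and the use of a JAX-WS port object are assumptions. It targets Java 6 and the CXF 2.2.x shipped with JBoss EAP 5.1.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.naming.InitialContext;
import javax.net.ssl.KeyManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/**
 * Added example (not from the original post): builds the CXF client-side
 * TLS configuration from a keystore path and password that are looked up
 * in JNDI at runtime instead of being hard-coded in jboss-cxf.xml.
 */
public final class JndiMutualTlsConfigurer {

    // JNDI names are taken from the question. That they are bound to plain
    // String values is an assumption; bind them with whatever JNDI binding
    // mechanism the environment already uses for external configuration.
    static final String KEYSTORE_PATH_JNDI = "config/MyPvtKey";
    static final String KEYSTORE_PWD_JNDI = "config/MyPvtKeyPwd";

    private JndiMutualTlsConfigurer() { }

    /** Looks up path and password in JNDI, then delegates to build(). */
    public static TLSClientParameters fromJndi() throws Exception {
        InitialContext ctx = new InitialContext();
        String path = (String) ctx.lookup(KEYSTORE_PATH_JNDI);
        String pwd = (String) ctx.lookup(KEYSTORE_PWD_JNDI);
        return build(path, pwd.toCharArray());
    }

    /**
     * Source-agnostic core: works for a JNDI value, a property-file value, or
     * anything else. The PKCS12 file protects the key and the store with the
     * same password, matching the posted keyPassword/password config.
     */
    public static TLSClientParameters build(String pkcs12Path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        InputStream in = new FileInputStream(pkcs12Path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        Arrays.fill(password, '\0'); // the KeyManager holds the key now; drop the secret

        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(kmf.getKeyManagers());
        // The posted config uses "SSL"; "TLS" lets the JSSE pick TLS versions.
        tls.setSecureSocketProtocol("TLS");

        // Hardened filter: only AES suites, with the weak families from the
        // posted config (EXPORT, DES, NULL) and anonymous DH explicitly excluded.
        FiltersType filters = new FiltersType();
        filters.getInclude().add(".*_WITH_AES_.*");
        filters.getExclude().add(".*_EXPORT.*");
        filters.getExclude().add(".*_WITH_DES_.*");
        filters.getExclude().add(".*_WITH_NULL_.*");
        filters.getExclude().add(".*_DH_anon_.*");
        tls.setCipherSuitesFilter(filters);
        return tls;
    }

    /** Attaches the parameters to the HTTP conduit behind a JAX-WS port proxy. */
    public static void apply(Object jaxwsPort, TLSClientParameters tls) {
        Client client = ClientProxy.getClient(jaxwsPort);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
    }
}
```

Usage: after the port is created (for example injected by a jaxws:client bean), call `JndiMutualTlsConfigurer.apply(port, JndiMutualTlsConfigurer.fromJndi())` once before the first request, or expose `fromJndi()` as a Spring `factory-method` bean and pass the result to `apply()`. Because the conduit is configured in code, the `http:conduit` block in jboss-cxf.xml can be dropped, which also removes the plaintext password from the deployment descriptor. The trust side is deliberately untouched here: CXF falls back to the JVM trust store, as the posted config did.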


