2 Replies. Latest reply: Jul 11, 2012 10:42 AM by Alessio Soldano

CXF SSL Client to Register an WS-T participant

grunchitog Newbie

Hi!

I'm developing an application that needs to sync two different web services on both the .NET and J2EE platforms, using JBoss AS 7. I've already created all the WS-T stuff (MSDTC on .NET, WS-AT wsdl, JBOSSTS with XTS configuration, handlers for the J2EE services, etc).

After a lot of reading, all seems to be working fine, except for just one last thing. When the JaxWSHeaderContextProcessor receives the request with an incoming transaction, it detects it ok and tries to register on the MSDTC service as a participant. MS requires this communication to be done with SSL and sends the coordinator URL as https.

At this moment, JBoss initiates the communication with this endpoint by creating a CXF client, but when sending the register message, it fails, throwing the SSL exception pasted at the end of this post.

I've configured the standalone-xts.xml with system properties and the corresponding certificates (both signing and truststore, paired with the MSDTC configuration so there is mutual trust between JBoss and .NET).

I've also tried creating the cxf.xml configuration in WEB-INF/classes and setting it by parameter (in standalone.sh as -Dcxf.config.file) without success.

Finally, trying to detect where the problem could be, I've downloaded the Apache CXF source (version 2.4.6, the same as included in JBoss) and debugged it to see how the HttpConduit is being configured. To test it, I've set the attribute disableCNCheck="true", but at debug time, the HttpConduit used to send the message to MSDTC has that property set to false.

At this point, it seems clear to me that CXF is ignoring my configuration for the dynamic client. Any clues on what I could be doing wrong? Could it be that JBoss is ignoring the CXF configuration? I'm running out of ideas.

Thanks in advance!

Here is my cxf configuration file:

<http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
        <sec:keyManagers keyPassword="123456">
            <sec:keyStore type="JKS" password="123456"
                          file="C:\\wsat.keystore"/>
        </sec:keyManagers>
        <sec:trustManagers>
            <sec:keyStore type="JKS" password="123456"
                          file="C:\\wsat.truststore"/>
        </sec:trustManagers>
        <sec:cipherSuitesFilter>
            <!-- these filters ensure that a ciphersuite with
                 export-suitable or null encryption is used,
                 but exclude anonymous Diffie-Hellman key change as
                 this is vulnerable to man-in-the-middle attacks -->
            <sec:include>.*_EXPORT_.*</sec:include>
            <sec:include>.*_EXPORT1024_.*</sec:include>
            <sec:include>.*_WITH_DES_.*</sec:include>
            <sec:include>.*_WITH_AES_.*</sec:include>
            <sec:include>.*_WITH_NULL_.*</sec:include>
            <sec:exclude>.*_DH_anon_.*</sec:exclude>
        </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
</http:conduit>

And finally the exception:

[org.apache.cxf.phase.PhaseInterceptorChain] (http--127.0.0.1-8080-1) Interceptor for {http://docs.oasis-open.org/ws-tx/wscoor/2006/06}RegistrationService#{http://docs.oasis-open.org/ws-tx/wscoor/2006/06}RegisterOperation has thrown exception, unwinding now: org.apache.cxf.interceptor.Fault: Could not send Message.
        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:461)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:364)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:317)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
        at $Proxy102.registerOperation(Unknown Source)
        at com.arjuna.wsc11.RegistrationCoordinator.register(RegistrationCoordinator.java:54) [jbossxts-4.16.2.Final.jar:]
        at com.arjuna.mwlabs.wst11.at.remote.TransactionManagerImple.registerParticipant(TransactionManagerImple.java:156) [jbossxts-4.16.2.Final.jar:]
        at com.arjuna.mwlabs.wst11.at.remote.TransactionManagerImple.enlistForDurableTwoPhase(TransactionManagerImple.java:41) [jbossxts-4.16.2.Final.jar:]
        at org.jboss.jbossts.txbridge.inbound.InboundBridgeManager.createMapping(InboundBridgeManager.java:140) [jbosstxbridge-4.16.2.Final.jar:]
        at org.jboss.jbossts.txbridge.inbound.InboundBridgeManager.getInboundBridge(InboundBridgeManager.java:77) [jbosstxbridge-4.16.2.Final.jar:]
        at org.jboss.jbossts.txbridge.inbound.JaxWSTxInboundBridgeHandler.handleInbound(JaxWSTxInboundBridgeHandler.java:93) [jbosstxbridge-4.16.2.Final.jar:]
        at org.jboss.jbossts.txbridge.inbound.JaxWSTxInboundBridgeHandler.handleMessage(JaxWSTxInboundBridgeHandler.java:59) [jbosstxbridge-4.16.2.Final.jar:]
        at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeHandleMessage(HandlerChainInvoker.java:335)
        at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeHandlerChain(HandlerChainInvoker.java:253)
        at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeProtocolHandlers(HandlerChainInvoker.java:131)
        at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessageInternal(SOAPHandlerInterceptor.java:168)
        at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:123)
        at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:70)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:207)
        at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:91)
        at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:169)
        at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:185)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:108)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
        at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135)
        at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.0.3.GA.jar:2.0.3.GA]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]
        at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
        at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_29]
Caused by: javax.net.ssl.SSLException: SSLException invoking https://localhost/WsatService/Registration/Coordinator11/: Unrecognized SSL message, plaintext connection?
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.6.0_29]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39) [rt.jar:1.6.0_29]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27) [rt.jar:1.6.0_29]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:513) [rt.jar:1.6.0_29]
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1430)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1415)
        at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
        at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:648)
        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
        ... 47 more
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
        at com.sun.net.ssl.internal.ssl.InputRecord.handleUnknownRecord(InputRecord.java:523) [jsse.jar:1.6]
        at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:355) [jsse.jar:1.6]
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:830) [jsse.jar:1.6]
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170) [jsse.jar:1.6]
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197) [jsse.jar:1.6]
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181) [jsse.jar:1.6]
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434) [jsse.jar:1.6]
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166) [jsse.jar:1.6]
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1014) [rt.jar:1.6.0_29]
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230) [jsse.jar:1.6]
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1367)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1309)
        at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
        at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1387)
        ... 50 more

09:56:07,506 ERROR [org.jboss.jbossts.txbridge] (http--127.0.0.1-8080-1) com.arjuna.wst.SystemException: javax.xml.ws.WebServiceException: Could not send Message.

  • 1. Re: CXF SSL Client to Register an WS-T participant
    grunchitog Newbie

    Sorry guys,

    This is the right exception:

    [org.apache.cxf.phase.PhaseInterceptorChain] (http-127.0.0.1-127.0.0.1-8080-1) Interceptor for {http://docs.oasis-open.org/ws-tx/wscoor/2006/06}RegistrationService#{http://docs.oasis-open.org/ws-tx/wscoor/2006/06}RegisterOperation has thrown exception, unwinding now: org.apache.cxf.interceptor.Fault: Could not send Message.
            at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
            at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
            at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531)
            at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:461)
            at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:364)
            at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:317)
            at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
            at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
            at $Proxy102.registerOperation(Unknown Source)
            at com.arjuna.wsc11.RegistrationCoordinator.register(RegistrationCoordinator.java:54) [jbossxts-4.16.2.Final.jar:]
            at com.arjuna.mwlabs.wst11.at.remote.TransactionManagerImple.registerParticipant(TransactionManagerImple.java:156) [jbossxts-4.16.2.Final.jar:]
            at com.arjuna.mwlabs.wst11.at.remote.TransactionManagerImple.enlistForDurableTwoPhase(TransactionManagerImple.java:41) [jbossxts-4.16.2.Final.jar:]
            at org.jboss.jbossts.txbridge.inbound.InboundBridgeManager.createMapping(InboundBridgeManager.java:140) [jbosstxbridge-4.16.2.Final.jar:]
            at org.jboss.jbossts.txbridge.inbound.InboundBridgeManager.getInboundBridge(InboundBridgeManager.java:77) [jbosstxbridge-4.16.2.Final.jar:]
            at org.jboss.jbossts.txbridge.inbound.JaxWSTxInboundBridgeHandler.handleInbound(JaxWSTxInboundBridgeHandler.java:93) [jbosstxbridge-4.16.2.Final.jar:]
            at org.jboss.jbossts.txbridge.inbound.JaxWSTxInboundBridgeHandler.handleMessage(JaxWSTxInboundBridgeHandler.java:59) [jbosstxbridge-4.16.2.Final.jar:]
            at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeHandleMessage(HandlerChainInvoker.java:335)
            at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeHandlerChain(HandlerChainInvoker.java:253)
            at org.apache.cxf.jaxws.handler.HandlerChainInvoker.invokeProtocolHandlers(HandlerChainInvoker.java:131)
            at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessageInternal(SOAPHandlerInterceptor.java:168)
            at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:123)
            at org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:70)
            at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
            at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
            at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:207)
            at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:91)
            at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:169)
            at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)
            at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:185)
            at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:108)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
            at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135)
            at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.0.3.GA.jar:2.0.3.GA]
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.13.Final.jar:]
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]
            at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
            at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
            at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
            at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
            at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_29]
    Caused by: org.apache.cxf.transport.http.HTTPException: HTTP response '403: Forbidden' when communicating with https://localhost/WsatService/Registration/Coordinator11/
            at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1554)
            at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1493)
            at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1401)
            at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
            at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:648)
            at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
            ... 47 more

    11:43:17,289 ERROR [org.jboss.jbossts.txbridge] (http-127.0.0.1-127.0.0.1-8080-1) com.arjuna.wst.SystemException: javax.xml.ws.WebServiceException: Could not send Message.

  • 2. Re: CXF SSL Client to Register an WS-T participant
    Alessio Soldano Master

    Unless the current thread bus is explicitly configured with a specific httpconduit, the JBossWS-CXF integration stack has the CXF 'useHttpsURLConnectionDefaultSslSocketFactory' flag set to true, to have a neutral SSL client behavior as per HttpsURLConnection defaults. So you should be able to rely on the usual javax.net.ssl.* system properties. Moreover, you can use the org.jboss.security.ignoreHttpsHost system property to set 'disableCNCheck' flag to true.

    Besides setting a given thread bus for your client, you can also programmatically configure the conduit for the proxy, using Apache CXF ClientProxy.getClient().getConduit() ...