@bulain
Created August 14, 2011 06:03
CXF configuration using SSL/HTTPS with tomcat
#generate server and client keystore
#keytool prompts for the keystore and key passwords; the Tomcat/CXF configs below expect 123456 for both (pass -storepass/-keypass to skip the prompts). Default certificate validity is 90 days unless -validity is given.
keytool -genkeypair -alias server -keyalg RSA -dname "CN=Server,OU=Development,O=Test,L=Shanghai,S=SH,C=CN" -keystore server.keystore
keytool -genkeypair -alias client -keyalg RSA -dname "CN=Client,OU=Development,O=Test,L=Shanghai,S=SH,C=CN" -keystore client.keystore
keytool -list -keystore server.keystore
#copy server certificate into client.keystore
keytool -exportcert -alias server -file server-pub.cer -keystore server.keystore
keytool -importcert -alias server -file server-pub.cer -keystore client.keystore
keytool -list -keystore client.keystore
#copy client certificate into server.keystore
keytool -exportcert -alias client -file client-pub.cer -keystore client.keystore
keytool -importcert -alias client -file client-pub.cer -keystore server.keystore
keytool -list -keystore server.keystore
<!-- tomcat server.xml -->
<!-- clientAuth="true" enforces mutual TLS: the client certificate must be trusted via truststoreFile, which here is the same server.keystore into which client-pub.cer was imported above -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="${user.home}/server.keystore" keystoreType="JKS" keystorePass="123456"
truststoreFile="${user.home}/server.keystore" truststoreType="JKS" truststorePass="123456"
/>
<!-- cxf config.xml -->
<!-- prefixes used here resolve to these CXF namespaces in the Spring beans file:
     xmlns:http="http://cxf.apache.org/transports/http/configuration"
     xmlns:sec="http://cxf.apache.org/configuration/security" -->
<http:conduit name="*.http-conduit">
<!-- disableCNCheck="true" turns off hostname verification; it is only tolerable here because the self-signed test certificate's CN ("Server") does not match the host name -->
<http:tlsClientParameters disableCNCheck="true">
<sec:trustManagers>
<sec:keyStore type="JKS" file="src/test/resources/certs/client.keystore" password="123456" />
</sec:trustManagers>
<sec:keyManagers keyPassword="123456">
<sec:keyStore type="JKS" file="src/test/resources/certs/client.keystore" password="123456" />
</sec:keyManagers>
<!-- these include patterns admit export-grade, DES and NULL-encryption suites; a production filter should include only modern suites (e.g. AES-GCM) and exclude NULL/EXPORT/DES/anon -->
<sec:cipherSuitesFilter>
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http:tlsClientParameters>
<http:client AutoRedirect="true" Connection="Keep-Alive" />
</http:conduit>
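The same conduit settings expressed in Java, added here as an example (this is not the gist author's code or a CXF sample): it builds the trust and key managers from client.keystore exactly as the XML above does, but keeps hostname verification enabled and replaces the export/DES/NULL includes with a filter that admits only AES-GCM suites. The keystore path and the 123456 passwords are the gist's values; the `jaxwsPort` argument of `applyTo` is assumed to be a JAX-WS proxy obtained elsewhere.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/**
 * Programmatic equivalent of the http:conduit block above, with the two
 * settings a reviewer would tighten: hostname verification stays on and the
 * cipher-suite filter admits only AEAD (AES-GCM) suites.
 */
public final class HardenedConduitExample {

    // Values taken from the gist; keystorePath is relative to the project root.
    static final String KEYSTORE_PATH = "src/test/resources/certs/client.keystore";
    static final char[] STORE_PASSWORD = "123456".toCharArray();
    static final char[] KEY_PASSWORD = "123456".toCharArray();

    private HardenedConduitExample() { }

    /** Loads a JKS keystore; the gist uses one file for both trust anchors and the client identity. */
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Builds TLS client parameters; include/exclude entries are regexes over JSSE suite names, as in sec:cipherSuitesFilter. */
    static TLSClientParameters buildTlsParameters(String keystorePath, char[] storePassword,
                                                  char[] keyPassword) throws Exception {
        KeyStore ks = loadJks(keystorePath, storePassword);

        // Trust managers: same role as <sec:trustManagers> in the XML.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        // Key managers: same role as <sec:keyManagers keyPassword="...">.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);

        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(tmf.getTrustManagers());
        tls.setKeyManagers(kmf.getKeyManagers());
        // Unlike disableCNCheck="true" above, require the server cert's CN/SAN to match the URL host.
        tls.setDisableCNCheck(false);

        FiltersType filters = new FiltersType();
        filters.getInclude().add(".*_WITH_AES_.*_GCM_.*");   // TLS 1.2 AES-GCM suites
        filters.getInclude().add("TLS_AES_.*_GCM_.*");       // TLS 1.3 names carry no _WITH_
        filters.getExclude().add(".*_NULL_.*");              // no-encryption suites
        filters.getExclude().add(".*_EXPORT.*");             // export-grade key sizes
        filters.getExclude().add(".*_WITH_DES_.*");          // single DES
        filters.getExclude().add(".*_anon_.*");              // unauthenticated key exchange
        tls.setCipherSuitesFilter(filters);
        return tls;
    }

    /** Attaches the parameters to the HTTP conduit behind a JAX-WS proxy (hypothetical caller supplies the proxy). */
    static void applyTo(Object jaxwsPort, TLSClientParameters tls) {
        Client client = ClientProxy.getClient(jaxwsPort);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
    }

    /** Typical use: build once, apply to each proxy before the first call. */
    static void configure(Object jaxwsPort) throws Exception {
        applyTo(jaxwsPort, buildTlsParameters(KEYSTORE_PATH, STORE_PASSWORD, KEY_PASSWORD));
    }
}
```

The regex filter is the same mechanism the XML uses, so the JVM's supported suite list is intersected with the includes and then pruned by the excludes; a quick way to confirm what survives is to log `tls.getCipherSuitesFilter()` alongside `SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()` during testing.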
<!-- jetty config.xml -->
<!-- httpj prefix resolves to xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"; the same cipher-suite caveat as the conduit filter above applies to the includes below -->
<httpj:engine-factory bus="cxf">
<httpj:identifiedTLSServerParameters id="secure">
<httpj:tlsServerParameters>
<sec:trustManagers>
<sec:keyStore type="JKS" password="123456" file="src/test/resources/certs/server.keystore"/>
</sec:trustManagers>
<sec:keyManagers keyPassword="123456">
<sec:keyStore type="JKS" password="123456" file="src/test/resources/certs/server.keystore" />
</sec:keyManagers>
<sec:cipherSuitesFilter>
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
<!-- required="true" enforces mutual TLS: a client without a certificate trusted via server.keystore is rejected during the handshake -->
<sec:clientAuthentication want="true" required="true" />
</httpj:tlsServerParameters>
</httpj:identifiedTLSServerParameters>
<httpj:engine port="8443">
<httpj:tlsServerParametersRef id="secure"/>
</httpj:engine>
</httpj:engine-factory>
@GonchuB

GonchuB commented Feb 14, 2013

Please add the required resource inputs in the config.xml and the needed xmlns and xsi. Thank you very much

@samir-lab

Hi, guru, how do you get cxf to support both https and http at the same time?
