SonicConnect: Using SSL/HTTPS

Posted by cwiseman on 28-Mar-2011 14:21

Using Sonic v8.0.1.01 (v8.0 SP1 with Hotfix 01) on Windows

Following the document:  Progress Sonic 8.0 SP1, "Working with Web Services", September 2010

Chapter 4:  Web Service Security
Topic:  Configuring Web services to use HTTPS, pages 40-45 with associated, intermediate links.

Have created the .pem file with key combinations and stored it in a .pem file located here:  C:\outdir\sonicconnect.pem

Have created a self-signed certificate in pkcs12 format and stored it in a .p12 keystore file located here:  C:\outdir\sonicconnect.p12

SonicConnect project WSDL has the port updated to utilize an http reference:  https://192.168.1.147:8488/MOARS/service

SonicConnect project property MOARS.MOARSSOAP.address has been updated to match the WSDL port for service startup:  https://192.168.1.147:8488/MOARS/service

SonicConnect spring.xml config file has been updated with the steps noted by the appropriate pages, 40-45 in the document above.

I have attached the spring.xml config file.  Of note, there are either some documentation typos or outright errors.

  • The documentation says to use "pks12" in the <csx:keystore> element's type attribute.  I believe it ought to be "pkcs12".
  • The documentation says to add a "depends" attribute to the <cxf:cxfEndpoint> element.  The <cxf:cxfEndpoint> element "depends" attribute value is supposed to reference/be equal to the <httpj:engine-factory> element "id" attribute value.  When the "depends" attribute is added to the <cxf:cxfEndpoint> element and the SonicConnect project is uploaded and the container is restarted, the "depends" attribute is not recognized as valid for the <cxf:cxfEndpoint> element.

Lastly, I used OpenSSL to generate my self-signed cert with these commands:

C:\OpenSSL\bin>openssl req -x509 -nodes -days 7300 -newkey rsa:1024 -keyout C:\outdir\sonicconnect.pem -out C:\outdir\sonicconnect.pem

C:\OpenSSL\bin>openssl pkcs12 -export -out C:\outdir\sonicserver.p12 -in C:\outdir\sonicserver.pem -name "192.168.1.147-SonicConnect"

I get this error when starting up my dev_esbTest container with this SonicConnect service deployed and attempting to enable the endpoint with SSL.  The service deploys fine and handles requests without SSL no problem.  Is there an issue perhaps with how the self-signed cert is being created?  Thanks in advance.

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'httpj:engine#127669d': Cannot create inner bean '(inner bean)' of type [org.apache.cxf.transport.http_jetty.spring.JettyHTTPServerEngineBeanDefinitionParser] while setting bean property 'tlsServerParameters'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#2': Instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public static org.apache.cxf.configuration.jsse.spring.TLSServerParametersConfig org.apache.cxf.transport.http_jetty.spring.JettyHTTPServerEngineBeanDefinitionParser.createTLSServerParametersConfig(java.lang.String) throws java.security.GeneralSecurityException,java.io.IOException] threw exception; nested exception is java.security.cert.CertificateParsingException: signed overrun, bytes = 464
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:281)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:125)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1317)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1076)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:517)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:270)
    ... 36 more
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#2': Instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public static org.apache.cxf.configuration.jsse.spring.TLSServerParametersConfig org.apache.cxf.transport.http_jetty.spring.JettyHTTPServerEngineBeanDefinitionParser.createTLSServerParametersConfig(java.lang.String) throws java.security.GeneralSecurityException,java.io.IOException] threw exception; nested exception is java.security.cert.CertificateParsingException: signed overrun, bytes = 464
    at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:568)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:973)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:879)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:270)
    ... 42 more
Caused by: org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public static org.apache.cxf.configuration.jsse.spring.TLSServerParametersConfig org.apache.cxf.transport.http_jetty.spring.JettyHTTPServerEngineBeanDefinitionParser.createTLSServerParametersConfig(java.lang.String) throws java.security.GeneralSecurityException,java.io.IOException] threw exception; nested exception is java.security.cert.CertificateParsingException: signed overrun, bytes = 464
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:158)
    at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:557)
    ... 47 more
Caused by: java.security.cert.CertificateParsingException: signed overrun, bytes = 464
    at sun.security.x509.X509CertImpl.parse(Unknown Source)
    at sun.security.x509.X509CertImpl.<init>(Unknown Source)
    at sun.security.provider.X509Factory.parseX509orPKCS7Cert(Unknown Source)
    at sun.security.provider.X509Factory.engineGenerateCertificates(Unknown Source)
    at java.security.cert.CertificateFactory.generateCertificates(Unknown Source)
    at org.apache.cxf.configuration.jsse.spring.TLSParameterJaxBUtils.loadCertificates(TLSParameterJaxBUtils.java:193)
    at org.apache.cxf.configuration.jsse.spring.TLSParameterJaxBUtils.createTrustStore(TLSParameterJaxBUtils.java:171)
    at org.apache.cxf.configuration.jsse.spring.TLSParameterJaxBUtils.getKeyStore(TLSParameterJaxBUtils.java:158)
    at org.apache.cxf.configuration.jsse.spring.TLSParameterJaxBUtils.getTrustManagers(TLSParameterJaxBUtils.java:236)
    at org.apache.cxf.configuration.jsse.spring.TLSServerParametersConfig.<init>(TLSServerParametersConfig.java:63)
    at org.apache.cxf.transport.http_jetty.spring.JettyHTTPServerEngineBeanDefinitionParser.createTLSServerParametersConfig(JettyHTTPServerEngineBeanDefinitionParser.java:211)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:146)
    ... 48 more

spring.xml.case.zip

All Replies

Posted by wtam on 28-Mar-2011 17:22

Thanks Chris for spotting the errors.  We will have the document fixed.

* "pks12" should have been "pkcs12".

* "depends" should have been "depends-on".

Posted by cwiseman on 29-Mar-2011 12:11

Well, I didn't get an answer about why the .p12 file or the .pem file was not working properly, but playing with this a bit more we got this formula to work:

  • Used Portecle to create a Java keystore (.jks filetype) instead of the suggested PKCS12 type.
  • Modified the spring.xml file to specify "JKS" for the keyStore type.
  • Still had issues with a "CertificateParsingException and signed overrun, bytes = 464" problem.  On a hunch, I commented out the section and left the in.  That spun up just fine and allowed clients to hit my services with SSL (not using any client authentication, just straight SSL).  I wish the documentation on these things was a bit more complete.

    Here's the snippet of my spring.xml file (password redacted):

    [spring.xml snippet not preserved in this copy of the thread]


Posted by cwiseman on 30-Mar-2011 13:39

In my previous reply to William Tam's reply post, I noted that we got SSL to work without client certificate authentication by using a Java keystore format versus pkcs12 format and by commenting out the element section in the block as below:

[spring.xml snippet not preserved in this copy of the thread; passwords shown as ********]

We then wanted to be able to do client authentication and handshake with clients who did not have CA signed certs, but maybe self-signed for development or other purposes.  The cxfsec supports using the same JKS in the trustManagers section such as:

[spring.xml snippet not preserved in this copy of the thread; passwords shown as ********]

This allows clients to connect and present a self-signed certificate.  We are noodling through some elements of the spring security built into the Apache CXF and getting it to work with SonicConnect.  We want access to the certificate details presented to the service when the client makes the request.  Hope this helps someone.

Posted by wtam on 24-May-2011 14:12

In your configuration, "sonicserver.pem" should be the CA certificate that issued the client's certificate.

This thread is closed
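Added example (editor's, not from this thread and not Progress or Apache CXF code): a POSIX shell script that builds the small development PKI the thread ends up needing. The CA certificate is the trust anchor, the server identity goes into a PKCS#12 for keyManagers, keys and certificates are written to separate files so the file the trust store points at never carries a private key, and a check flags a key+cert PEM (the layout the thread's `-keyout X -out X` recipe produces) before CXF trips over it. The CA name, the dev-client name, the 192.168.1.147 address, the output directory and the "changeit" password are assumptions; the httpj/sec element names in the emitted fragment are from the CXF http-jetty configuration schema as I know it, so confirm them against the CXF version bundled with your Sonic release.

```shell
#!/bin/sh
# Added example (editor's, not the thread's or CXF's code). Builds a dev PKI for
# a CXF/Jetty HTTPS endpoint that may ask for client certificates and checks the
# property the thread tripped over: the file the trust store points at must hold
# certificates only (the issuing CA), never a private key. Names, paths, the
# 192.168.1.147 address and the store password are placeholders.
set -eu

OUTDIR="${OUTDIR:-$(mktemp -d)}"
STOREPASS="${STOREPASS:-changeit}"   # placeholder only; do not ship this

# Self-signed development CA. The CSR/x509 two-step (instead of `req -x509`)
# sets CA:TRUE explicitly, so `openssl verify` and Java treat it as an issuer
# regardless of what the system openssl.cnf defaults to.
make_dev_ca() {
  openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=SonicConnect Dev CA" \
    -keyout "$OUTDIR/ca.key" -out "$OUTDIR/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$OUTDIR/ca.ext"
  openssl x509 -req -days 3650 -sha256 -in "$OUTDIR/ca.csr" -signkey "$OUTDIR/ca.key" \
    -extfile "$OUTDIR/ca.ext" -out "$OUTDIR/ca.pem" 2>/dev/null
}

# Issue an end-entity certificate from the dev CA: $1=name $2=subject $3=SAN.
# -keyout and -out are different files, so no PEM ever mixes key and cert.
issue_cert() {
  name="$1"; subj="$2"; san="$3"
  openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "$subj" \
    -keyout "$OUTDIR/$name.key" -out "$OUTDIR/$name.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$san" > "$OUTDIR/$name.ext"
  openssl x509 -req -days 825 -sha256 -in "$OUTDIR/$name.csr" \
    -CA "$OUTDIR/ca.pem" -CAkey "$OUTDIR/ca.key" -CAcreateserial \
    -extfile "$OUTDIR/$name.ext" -out "$OUTDIR/$name.pem" 2>/dev/null
}

# Server identity for <sec:keyManagers>: key + cert + issuing CA in one PKCS#12.
export_p12() {
  openssl pkcs12 -export -in "$OUTDIR/server.pem" -inkey "$OUTDIR/server.key" \
    -certfile "$OUTDIR/ca.pem" -name sonicconnect -passout "pass:$STOREPASS" \
    -out "$OUTDIR/server.p12"
}

p12_opens() {
  openssl pkcs12 -in "$OUTDIR/server.p12" -passin "pass:$STOREPASS" -noout >/dev/null 2>&1
}

# 0 only if the file holds a parseable certificate and no private key, i.e. it
# is fit to be referenced from <sec:trustManagers>. A key+cert PEM fails here.
trust_file_is_certs_only() {
  f="$1"
  if grep -q 'PRIVATE KEY-----' "$f"; then return 1; fi
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
  openssl x509 -in "$f" -noout -subject >/dev/null 2>&1
}

# Chain-check a certificate the same way the server's trust manager will.
verify_against_ca() {
  openssl verify -CAfile "$OUTDIR/ca.pem" "$1" >/dev/null 2>&1
}

# tlsServerParameters fragment as I read the CXF http-jetty schema (assumption:
# confirm element names against your CXF version). keyManagers carries the
# server identity; trustManagers points at the CA certificate only.
write_tls_fragment() {
  cat > "$OUTDIR/tls-fragment.xml" <<EOF
<!-- add depends-on="sslEngineFactory" to the <cxf:cxfEndpoint> that uses it -->
<httpj:engine-factory id="sslEngineFactory" bus="cxf"
    xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
    xmlns:sec="http://cxf.apache.org/configuration/security">
  <httpj:engine port="8488">
    <httpj:tlsServerParameters>
      <sec:keyManagers keyPassword="$STOREPASS">
        <sec:keyStore type="pkcs12" password="$STOREPASS" file="$OUTDIR/server.p12"/>
      </sec:keyManagers>
      <sec:trustManagers>
        <sec:certStore file="$OUTDIR/ca.pem"/>
      </sec:trustManagers>
      <sec:clientAuthentication want="true" required="false"/>
    </httpj:tlsServerParameters>
  </httpj:engine>
</httpj:engine-factory>
EOF
}

main() {
  make_dev_ca
  issue_cert server "/CN=192.168.1.147" "IP:192.168.1.147"
  issue_cert client "/CN=dev-client" "DNS:dev-client"
  export_p12
  # Same layout as `openssl req -x509 ... -keyout X -out X`: key, then cert.
  cat "$OUTDIR/server.key" "$OUTDIR/server.pem" > "$OUTDIR/combined.pem"
  write_tls_fragment
  echo "dev PKI and CXF fragment written to $OUTDIR"
}
main
```

Run it with `sh dev-pki.sh`, setting OUTDIR to a fixed path if you want to reuse the files. The fragment it writes carries the keystore password in clear text, as the thread's spring.xml did; protect the file accordingly. `want="true" required="false"` lets clients connect with or without a certificate, so the service can still read the presented certificate when there is one, which is the next step the thread was working toward. If your JVM rejects a .p12 produced by OpenSSL 3.x, re-export it with `-legacy` or import it into a JKS with `keytool -importkeystore`.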