Fuse 6 is no longer supported
As of February 2025, Red Hat Fuse 6 is no longer supported. If you are using Fuse 6, please upgrade to Red Hat build of Apache Camel.
Chapter 6. Securing the Camel Jetty Component
Abstract
6.1. Enabling SSL/TLS Security
Overview
This section explains how to enable SSL/TLS security on the Apache Camel Jetty component, which is used to create an HTTPS Web server. The key step is to customize the Jetty component by setting its sslSocketConnectorProperties property, which configures the SSL/TLS connector (server keystore, trust store and client authentication policy). You must also change the protocol scheme inside the Jetty endpoint URI from http to https; without that change the endpoint keeps listening in plaintext even though the component carries SSL/TLS settings.
			Tutorial steps
				To configure SSL/TLS security for a Camel Jetty endpoint deployed in the OSGi container, perform the following steps:
			
Generate a Maven project
The maven-archetype-quickstart archetype creates a generic Maven project, which you can then customize for whatever purpose you like. To generate a Maven project with the coordinates org.jbossfuse.example:jetty-security, enter the following command:

mvn archetype:create -DarchetypeArtifactId=maven-archetype-quickstart -DgroupId=org.jbossfuse.example -DartifactId=jetty-security

(The archetype:create goal was removed in maven-archetype-plugin 3.0; on current Maven installations use archetype:generate with the same -D parameters, adding -DinteractiveMode=false to suppress the prompts.)
				The result of this command is a directory, 
ProjectDir/jetty-security, containing the files for the generated project.
			Note
					Be careful not to choose a group ID for your artifact that clashes with the group ID of an existing product! This could lead to clashes between your project's packages and the packages from the existing product (because the group ID is typically used as the root of a project's Java package names).
				
Customize the POM file
				You must customize the POM file in order to generate an OSGi bundle. Follow the POM customization steps described in section "Generating a Bundle Project" in "Deploying into the Container".
			
Install sample keystore files
				The certificates used in this demonstration are taken from a sample in the Apache CXF 2.6.0.redhat-60024 distribution, which is included in the 
InstallDir/extras directory. Using a standard archive utility, expand the CXF archive file and extract the contents to a convenient location on your filesystem. You will find the sample certificates in the CXFInstallDir/samples/wsdl_first_https/certs directory.
			
				The Camel CXF proxy demonstration is available only from the standalone distribution of Apache Camel, which is included in the 
InstallDir/extras directory. Using a standard archive utility, expand the Camel archive file and extract the contents to a convenient location on your filesystem.
			
Copy the certs directory from CXFInstallDir/samples/wsdl_first_https/ to the EsbInstallDir/etc/ directory. After copying, you should have the following directory structure under EsbInstallDir/etc/:

Where cherry.jks, wibble.jks, and truststore.jks are the keystores that are used in this demonstration.
Warning
These sample keystores, including the private keys inside them, ship publicly with the Apache CXF distribution, so anyone can obtain them. Use them only for this demonstration. For any real deployment, generate your own server key pair, have the certificate issued by a CA that your clients trust, populate the trust store only with the CA certificates you actually want to accept, and protect the keystore files with restrictive filesystem permissions.
Configure Jetty with SSL/TLS
				The Jetty Web server is created by defining a Jetty endpoint at the start of an Apache Camel route. The route is then responsible for processing the incoming HTTP request and generating a reply. The current example simply sends back a small HTML page in the reply. For a more realistic application, you would typically process the incoming message using a bean, which accesses the message through the Java servlet API.
			
				Create the following directory to hold the Spring configuration files:
			
ProjectDir/jetty-security/src/main/resources/META-INF/spring
				In the 
spring directory that you just created, use your favorite text editor to create the file, jetty-spring.xml, containing the following XML configuration:
			
The jetty bean defines a new instance of the Apache Camel Jetty component, overriding the default component defined in the camel-jetty JAR file. This Jetty component is configured with SSL/TLS properties as follows:
-  keystore
- The location of the Java keystore file (in JKS format) containing the Jetty server's own X.509 certificate and private key. This location is specified on the filesystem (not on the classpath), relative to the directory where the OSGi container is started.
-  password
- The keystore password that unlocks the keystore.
-  keyPassword
- The password that decrypts the private key stored in the keystore (usually having the same value as password).
-  truststore
- The location of the Java keystore file containing one or more trusted certificates (that is, the CA certificates that have been used to sign the X.509 certificates of trusted clients). This location is specified on the filesystem (not on the classpath), relative to the directory where the OSGi container is started. Strictly speaking, this property is not needed if clients do not send certificates to the Jetty service. When it is used, keep it limited to the CAs you intend to accept: every certificate chaining to an entry in this file is treated as a trusted client.
-  trustPassword
- The keystore password that unlocks the trust store.
-  needClientAuth
- When true, clients must send an X.509 certificate to the server side or the SSL/TLS handshake will fail (mutual TLS); when false, clients are not required to send an X.509 certificate, but they may do so. Note that with needClientAuth set to false the server still completes the handshake for a client that presents no certificate, so this setting alone does not authenticate clients.
Note
					The preceding configuration shows how to enable SSL/TLS security for all IP port values. To enable SSL/TLS security for specific IP ports only.
				
You must also modify the URI at the start of the route (the uri attribute of the from element). The component prefix of the URI (the part before the first colon) must match the bean ID of the secure Jetty component, jetty, that you have just created, so that Camel resolves the endpoint through your SSL/TLS-configured component rather than the default one. You must also change the protocol scheme inside the URI from http to https.
Note
Always double-check that you have changed the protocol scheme to https! This is such a small change, it is easy to forget, and a jetty:http://... endpoint silently serves plaintext regardless of the SSL/TLS properties on the component.
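The following is an added example of a complete jetty-spring.xml that ties the preceding steps together; it is not the page's own configuration file. It assumes that the keystores were copied to etc/certs/ relative to the container's working directory, that "changeit" is a placeholder for the real keystore and trust store passwords, and that the server binds to all interfaces (0.0.0.0) on port 8282, which is the port used in the test step later in this chapter. The needClientAuth entry is shown in its server-only form with a comment explaining the mutual-TLS variant.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example (not the page's original jetty-spring.xml).
  Assumptions: keystores under etc/certs/ relative to the container's
  working directory; "changeit" stands in for the real passwords;
  the HTTPS listener binds 0.0.0.0:8282.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://camel.apache.org/schema/spring
         http://camel.apache.org/schema/spring/camel-spring.xsd">

  <!-- Replaces the default "jetty" component from the camel-jetty JAR.
       The bean ID is the scheme prefix used by the route's from URI. -->
  <bean id="jetty" class="org.apache.camel.component.jetty.JettyHttpComponent">
    <property name="sslSocketConnectorProperties">
      <map>
        <!-- Server identity: JKS file holding the server certificate
             and its private key. Path is relative to the working dir. -->
        <entry key="keystore"       value="etc/certs/cherry.jks"/>
        <entry key="password"       value="changeit"/>
        <entry key="keyPassword"    value="changeit"/>

        <!-- Trust anchors for client certificates. Only consulted when a
             client presents a certificate; mandatory once needClientAuth
             is true. Keep this file limited to CAs you intend to accept. -->
        <entry key="truststore"     value="etc/certs/truststore.jks"/>
        <entry key="trustPassword"  value="changeit"/>

        <!-- false = server-only TLS (clients are not authenticated here).
             Set to true for mutual TLS: the handshake then fails for any
             client that does not present a certificate chaining to an
             entry in truststore.jks. -->
        <entry key="needClientAuth" value="false"/>
      </map>
    </property>
  </bean>

  <camelContext xmlns="http://camel.apache.org/schema/spring">
    <route>
      <!-- "jetty:" selects the secured component bean defined above;
           "https" inside the URI selects its SSL/TLS connector.
           Using "http" here would serve plaintext despite the settings. -->
      <from uri="jetty:https://0.0.0.0:8282/services"/>
      <transform>
        <constant>Hello from Fuse ESB server</constant>
      </transform>
    </route>
  </camelContext>
</beans>
```

Keep the two password entries out of source control in a real project (for example by externalizing them with a property placeholder) and never reuse the demonstration keystores beyond this tutorial.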
				Build the bundle
				Use Maven to build the bundle. Open a command prompt, switch the current directory to 
ProjectDir/jetty-security, and enter the following command:
mvn install
				This command builds the bundle and installs it in your local Maven repository.
			
Install the camel-jetty feature
				If you have not already done so, start up the Apache ServiceMix console (and container instance) by entering the following command in a new command prompt:
			
servicemix
				The 
camel-jetty feature, which defines the bundles required for the Camel/Jetty component, is not installed by default. To install the camel-jetty feature, enter the following console command:
JBossFuse:karaf@root> features:install camel-jetty
Deploy the bundle
				To deploy and activate the bundle, enter the following console command:
			
JBossFuse:karaf@root> osgi:install -s mvn:org.jbossfuse.example/jetty-security
				The preceding command loads the bundle from your local Maven repository. You might need to configure the Mvn URL handler with the location of your local Maven repository, if the bundle cannot be found (see section "Mvn URL Handler" in "Deploying into the Container").
			
Test the bundle
				To test the Jetty service, open your favorite Web browser and navigate to the following URL:
			
https://localhost:8282/services
Note
Don't forget to use https: instead of http: in the URL!
				
Because the Jetty service presents the sample certificate, which is not issued by any CA your browser trusts, the browser will initially warn you about an untrusted certificate. For example, the Firefox browser displays the following warning screen:
			
Figure 6.1. Untrusted Certificate Warning
				To proceed with contacting the Jetty service, click I Understand the Risks and then click Add Exception, which brings up the Add Security Exception dialog. In the Add Security Exception dialog, make sure that the Permanently store this exception option is unchecked and click Confirm Security Exception.
			
				The browser window should now display the following text:
			
Hello from Fuse ESB server
Uninstall the bundle
To uninstall the jetty-security bundle, you need to know its bundle ID, BundleID (list the installed bundles with osgi:list to find it); you can then uninstall it by entering the following console command:
			
JBossFuse:karaf@root> osgi:uninstall BundleID