Fuse 6 is no longer supported
As of February 2025, Red Hat Fuse 6 is no longer supported. If you are using Fuse 6, please upgrade to Red Hat build of Apache Camel.
Chapter 1. Security for HTTP-Compatible Bindings
Abstract
					This chapter describes the security features supported by the Apache CXF HTTP transport. These security features are available to any Apache CXF binding that can be layered on top of the HTTP transport.
				
Overview
			This section describes how to configure the HTTP transport to use SSL/TLS security, a combination usually referred to as HTTPS. In Apache CXF, HTTPS security is configured by specifying settings in XML configuration files.
		
Warning
				If you are using SSL/TLS security, you must ensure that you have applied the latest security patches for JBoss Fuse, in order to disable the SSLv3 protocol (see Poodle vulnerability (CVE-2014-3566)). For more details, see Disabling SSLv3 in JBoss Fuse 6.x and JBoss A-MQ 6.x.
			
			The following topics are discussed in this chapter:

- Generating X.509 certificates
- Certificate format
- Enabling HTTPS
- HTTPS client with no certificate
- HTTPS client with certificate
- HTTPS server configuration
Generating X.509 certificates
			A basic prerequisite for using SSL/TLS security is to have a collection of X.509 certificates available to identify your server applications and, optionally, to identify your client applications. You can generate X.509 certificates in one of the following ways:
		
- Use a commercial third-party tool to generate and manage your X.509 certificates.
- Use the free openssl utility (which can be downloaded from http://www.openssl.org) and the Java keystore utility to generate certificates (see Section 2.5.3, “Use the CA to Create Signed Certificates in a Java Keystore”).
Note
				The HTTPS protocol mandates a URL integrity check, which requires a certificate’s identity to match the hostname on which the server is deployed. See Section 2.4, “Special Requirements on HTTPS Certificates” for details.
			
Certificate format
			In the Java runtime, you must deploy X.509 certificate chains and trusted CA certificates in the form of Java keystores. See Chapter 3, Configuring HTTPS for details.
		
Enabling HTTPS
			A prerequisite for enabling HTTPS on a WSDL endpoint is that the endpoint address must be specified as an HTTPS URL. There are two different locations where the endpoint address is set, and both must be modified to use an HTTPS URL:
		
- HTTPS specified in the WSDL contract—you must specify the endpoint address in the WSDL contract to be a URL with the https: prefix, as shown in Example 1.1, “Specifying HTTPS in the WSDL”.

  Example 1.1. Specifying HTTPS in the WSDL

  Where the location attribute of the soap:address element is configured to use an HTTPS URL. For bindings other than SOAP, you edit the URL appearing in the location attribute of the http:address element.
- HTTPS specified in the server code—you must ensure that the URL published in the server code by calling Endpoint.publish() is defined with an https: prefix, as shown in Example 1.2, “Specifying HTTPS in the Server Code”.

  Example 1.2. Specifying HTTPS in the Server Code
HTTPS client with no certificate
			For example, consider the configuration for a secure HTTPS client with no certificate, as shown in Example 1.3, “Sample HTTPS Client with No Certificate”.
		
Example 1.3. Sample HTTPS Client with No Certificate
			The preceding client configuration is described as follows:
		
1. The TLS security settings are defined on a specific WSDL port. In this example, the WSDL port being configured has the QName, {http://apache.org/hello_world_soap_http}SoapPort.
2. The http:tlsClientParameters element contains all of the client’s TLS configuration details.
3. The sec:trustManagers element is used to specify a list of trusted CA certificates (the client uses this list to decide whether or not to trust certificates received from the server side).

   The file attribute of the sec:keyStore element specifies a Java keystore file, truststore.jks, containing one or more trusted CA certificates. The password attribute specifies the password required to access the keystore, truststore.jks. See Section 3.2.2, “Specifying Trusted CA Certificates for HTTPS”.

   Note
   Instead of the file attribute, you can specify the location of the keystore using either the resource attribute (where the keystore file is provided on the classpath) or the url attribute. In particular, the resource attribute must be used with applications that are deployed into an OSGi container. You must be extremely careful not to load the truststore from an untrustworthy source.
4. The sec:cipherSuitesFilter element can be used to narrow the choice of cipher suites that the client is willing to use for a TLS connection. See Chapter 4, Configuring HTTPS Cipher Suites for details.
HTTPS client with certificate
			Consider a secure HTTPS client that is configured to have its own certificate. Example 1.4, “Sample HTTPS Client with Certificate” shows how to configure such a sample client.
		
Example 1.4. Sample HTTPS Client with Certificate
			The preceding client configuration is described as follows:
		
1. The sec:keyManagers element is used to attach an X.509 certificate and a private key to the client. The password specified by the keyPassword attribute is used to decrypt the certificate’s private key.
2. The sec:keyStore element is used to specify an X.509 certificate and a private key that are stored in a Java keystore. This sample declares that the keystore is in Java Keystore format (JKS).

   The file attribute specifies the location of the keystore file, wibble.jks, that contains the client’s X.509 certificate chain and private key in a key entry. The password attribute specifies the keystore password, which is required to access the contents of the keystore.

   It is expected that the keystore file contains just one key entry, so it is not necessary to specify a key alias to identify the entry. If you are deploying a keystore file with multiple key entries, however, it is possible to specify the key in this case by adding the sec:certAlias element as a child of the http:tlsClientParameters element, as follows:

       <http:tlsClientParameters>
         ...
         <sec:certAlias>CertAlias</sec:certAlias>
         ...
       </http:tlsClientParameters>

   For details of how to create a keystore file, see Section 2.5.3, “Use the CA to Create Signed Certificates in a Java Keystore”.

   Note
   Instead of the file attribute, you can specify the location of the keystore using either the resource attribute (where the keystore file is provided on the classpath) or the url attribute. In particular, the resource attribute must be used with applications that are deployed into an OSGi container. You must be extremely careful not to load the truststore from an untrustworthy source.
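The following CXF Spring configuration is an added example, not the page's own Example 1.3 or 1.4: it covers both client cases in one conduit. With the sec:keyManagers element present it matches the client-with-certificate callouts above; remove that element and it becomes the client with no certificate. The conduit name assumes the SoapPort QName from Example 1.3; keystore paths, passwords and cipher-suite patterns are constructed placeholders.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- The conduit name is {WSDL namespace}PortName.http-conduit; the QName below is the
       SoapPort from Example 1.3, assumed here for illustration -->
  <http:conduit name="{http://apache.org/hello_world_soap_http}SoapPort.http-conduit">
    <http:tlsClientParameters>
      <!-- Client identity: omit this whole element for a client with no certificate.
           keyPassword unlocks the private key; password unlocks the keystore.
           Both values are constructed placeholders. -->
      <sec:keyManagers keyPassword="ckpass">
        <sec:keyStore type="JKS" password="cspass" file="certs/wibble.jks"/>
      </sec:keyManagers>
      <!-- CA certificates the client trusts when validating the server certificate.
           In an OSGi container use resource="..." (classpath) instead of file="...". -->
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="tspass" file="certs/truststore.jks"/>
      </sec:trustManagers>
      <!-- Constructed filter: keep AES suites, drop NULL-encryption and anonymous suites -->
      <sec:cipherSuitesFilter>
        <sec:include>.*_WITH_AES_.*</sec:include>
        <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
        <sec:exclude>.*_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
      <!-- Only needed when wibble.jks holds more than one key entry -->
      <sec:certAlias>CertAlias</sec:certAlias>
    </http:tlsClientParameters>
  </http:conduit>
</beans>
```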
HTTPS server configuration
			Consider a secure HTTPS server that requires clients to present an X.509 certificate. Example 1.5, “Sample HTTPS Server Configuration” shows how to configure such a server.
		
Example 1.5. Sample HTTPS Server Configuration
			The preceding server configuration is described as follows:
		
1. The bus attribute references the relevant CXF Bus instance. By default, a CXF Bus instance with the ID, cxf, is automatically created by the Apache CXF runtime.
2. On the server side, TLS is not configured for each WSDL port. Instead of configuring each WSDL port, the TLS security settings are applied to a specific IP port, which is 9001 in this example. All of the WSDL ports that share this IP port are therefore configured with the same TLS security settings.
3. The http:tlsServerParameters element contains all of the server’s TLS configuration details.

   Important
   To protect against the Poodle vulnerability (CVE-2014-3566), you must have the latest security patches installed (JBoss Fuse 6.1 Rollup 1 Patch 2, or later). Setting secureSocketProtocol to TLSv1 on the server side does not prevent the server from using the SSLv3 protocol: it merely sets the server's preferred protocol.
4. The sec:keyManagers element is used to attach an X.509 certificate and a private key to the server. The password specified by the keyPassword attribute is used to decrypt the certificate’s private key.
5. The sec:keyStore element is used to specify an X.509 certificate and a private key that are stored in a Java keystore. This sample declares that the keystore is in Java Keystore format (JKS).

   The file attribute specifies the location of the keystore file, cherry.jks, that contains the client’s X.509 certificate chain and private key in a key entry. The password attribute specifies the keystore password, which is needed to access the contents of the keystore.

   It is expected that the keystore file contains just one key entry, so it is not necessary to specify a key alias to identify the entry. If you are deploying a keystore file with multiple key entries, however, it is possible to specify the key in this case by adding the sec:certAlias element as a child of the http:tlsClientParameters element, as follows:

       <http:tlsClientParameters>
         ...
         <sec:certAlias>CertAlias</sec:certAlias>
         ...
       </http:tlsClientParameters>

   Note
   Instead of the file attribute, you can specify the location of the keystore using either the resource attribute or the url attribute. You must be extremely careful not to load the truststore from an untrustworthy source.

   For details of how to create such a keystore file, see Section 2.5.3, “Use the CA to Create Signed Certificates in a Java Keystore”.
6. The sec:trustManagers element is used to specify a list of trusted CA certificates (the server uses this list to decide whether or not to trust certificates presented by clients).

   The file attribute of the sec:keyStore element specifies a Java keystore file, truststore.jks, containing one or more trusted CA certificates. The password attribute specifies the password required to access the keystore, truststore.jks. See Section 3.2.2, “Specifying Trusted CA Certificates for HTTPS”.

   Note
   Instead of the file attribute, you can specify the location of the keystore using either the resource attribute or the url attribute.
7. The sec:cipherSuitesFilter element can be used to narrow the choice of cipher suites that the server is willing to use for a TLS connection. See Chapter 4, Configuring HTTPS Cipher Suites for details.
8. The sec:clientAuthentication element determines the server’s disposition towards the presentation of client certificates. The element has the following attributes:
   - want attribute—If true (the default), the server requests the client to present an X.509 certificate during the TLS handshake; if false, the server does not request the client to present an X.509 certificate.
   - required attribute—If true, the server raises an exception if a client fails to present an X.509 certificate during the TLS handshake; if false (the default), the server does not raise an exception if the client fails to present an X.509 certificate.
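The following Jetty engine-factory configuration is an added example, not the page's Example 1.5. It applies the eight callouts above to IP port 9001 using the http-jetty namespace (prefix httpj) and, because the Important note explains that secureSocketProtocol only sets a preference, it additionally lists SSLv3 in sec:excludeProtocols, a CXF setting not shown on this page and assumed to be available on the patched runtime. Keystore paths, passwords and cipher-suite patterns are constructed placeholders.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
         http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- Callout 1: bound to the default bus, whose ID is cxf -->
  <httpj:engine-factory bus="cxf">
    <!-- Callout 2: settings apply to IP port 9001 and so to every WSDL port served on it -->
    <httpj:engine port="9001">
      <!-- Callout 3: secureSocketProtocol only sets the preferred protocol -->
      <httpj:tlsServerParameters secureSocketProtocol="TLSv1">
        <!-- Callouts 4 and 5: server identity; cherry.jks is assumed to hold one key entry.
             Passwords are constructed placeholders. -->
        <sec:keyManagers keyPassword="skpass">
          <sec:keyStore type="JKS" password="sspass" file="certs/cherry.jks"/>
        </sec:keyManagers>
        <!-- Callout 6: CA certificates trusted when validating client certificates -->
        <sec:trustManagers>
          <sec:keyStore type="JKS" password="tspass" file="certs/truststore.jks"/>
        </sec:trustManagers>
        <!-- Callout 7: constructed filter keeping AES suites, dropping NULL and anonymous ones -->
        <sec:cipherSuitesFilter>
          <sec:include>.*_WITH_AES_.*</sec:include>
          <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
          <sec:exclude>.*_anon_.*</sec:exclude>
        </sec:cipherSuitesFilter>
        <!-- Assumed available on the patched runtime: reject SSLv3 outright instead of
             merely preferring TLSv1, which is the gap the Important note describes -->
        <sec:excludeProtocols>
          <sec:excludeProtocol>SSLv3</sec:excludeProtocol>
        </sec:excludeProtocols>
        <!-- Callout 8: request a client certificate and fail the handshake if none is presented -->
        <sec:clientAuthentication want="true" required="true"/>
      </httpj:tlsServerParameters>
    </httpj:engine>
  </httpj:engine-factory>
</beans>
```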