Configuring an Apache CXF client for HTTPS

Anonymous technical user   2021-1-6 19:28

Every sample configuration I could find online, including the one on the CXF website, configures the CA certificate through a keyStore in JKS or PKCS12 format. A keystore can hold private-key entries as well as trusted-certificate entries, so if that file was produced by exporting the CA's key pair (rather than by importing only the CA certificate), the client is shipped the CA's private key. Anyone who can read the client's configuration can then issue certificates that the client trusts, which defeats the point of HTTPS.

The fix is embarrassingly simple (ignoring a night spent trying to strip the private key out of the keyStore): when configuring the trustManagers element (the CA element), do not use a keyStore; use a certStore instead. certStore points at a plain file of X.509 certificates, which can only ever carry the CA's public certificate, so no CA private key is ever deployed to the client.

The complete cxf client configuration follows:


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://cxf.apache.org/configuration/security"
    xmlns:http="http://cxf.apache.org/transports/http/configuration"
    xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
    xsi:schemaLocation="
      http://cxf.apache.org/configuration/security
      http://cxf.apache.org/schemas/configuration/security.xsd
      http://cxf.apache.org/transports/http/configuration
      http://cxf.apache.org/schemas/configuration/http-conf.xsd
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

    <http:conduit name="*.http-conduit">

        <http:tlsClientParameters>
            <sec:keyManagers>
                <sec:keyStore type="PKCS12" password="" file="/my/certs/path/client.p12" />
            </sec:keyManagers>
            <sec:trustManagers>
                <!-- 
                <sec:keyStore type="PKCS12" password="" file="/my/certs/path/ca.p12" />
                     -->
                <sec:certStore file="/my/certs/path/ca.cer" />
            </sec:trustManagers>
            <sec:cipherSuitesFilter>
                <!-- The filter in the CXF documentation example that this configuration was
                     copied from admits export-grade, DES and even NULL-encryption suites.
                     A client should only offer AEAD suites (AES-GCM, and the TLS 1.3 suites)
                     and explicitly exclude null, export, DES and anonymous Diffie-Hellman
                     suites, which offer no confidentiality or no server authentication. -->
                <sec:include>.*_WITH_AES_.*_GCM_.*</sec:include>
                <sec:include>TLS_AES_.*</sec:include>
                <sec:include>TLS_CHACHA20_.*</sec:include>
                <sec:exclude>.*_NULL_.*</sec:exclude>
                <sec:exclude>.*_EXPORT.*</sec:exclude>
                <sec:exclude>.*_DES_.*</sec:exclude>
                <sec:exclude>.*_anon_.*</sec:exclude>
            </sec:cipherSuitesFilter>
        </http:tlsClientParameters>
        <!-- 
        <http:authorization>
            <sec:UserName>Betty</sec:UserName>
            <sec:Password>password</sec:Password>
        </http:authorization>
         -->
         <!-- 
        <http:client AutoRedirect="true" Connection="Keep-Alive" />
         -->

    </http:conduit>

</beans>

Addendum:

When I recently set up HTTPS mutual authentication on Tomcat, I found that the JKS format supports adding only a CA certificate (a PKCS12 keystore containing only a CA certificate was not supported), so the trustManagers configuration above can also use a keyStore in JKS format that contains nothing but the CA certificate, for example:

<sec:trustManagers>
    <sec:keyStore type="JKS" password="defaultpwd" file="/my/certs/path/ca_only.jks" />
</sec:trustManagers>

How to convert ca.crt into a JKS truststore (the -keypass option plays no role for a trusted-certificate entry, and an explicit -alias avoids the default alias "mykey"):

keytool -import -v -trustcacerts -alias ca -storepass defaultpwd -file ca.crt -keystore ca_only.jks
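The same client setup done programmatically, as an added example that is not part of the original post or of the CXF project. It covers both points above: it refuses to use a truststore file that carries any key entry (the mistake behind the ca.p12 problem), and it builds the trust managers from a certificate-only file exactly as the certStore element does, with the hardened cipher filter. The `port` argument is assumed to be a JAX-WS client proxy created elsewhere; the file paths and the TLSv1.2 minimum are placeholders for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.security.FiltersType;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public class CxfTlsClientSetup {

    /** Fail fast if a file meant to be a truststore carries a private key (e.g. an exported CA key pair). */
    static void assertCertificatesOnly(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                throw new IllegalStateException(path + ": entry '" + alias
                        + "' is a key entry; a truststore must contain trusted certificates only");
            }
        }
    }

    /** Equivalent of <sec:certStore file="..."/>: trust managers from a PEM or DER certificate file. */
    static TrustManager[] trustManagersFromCertFile(String certPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs;
        try (InputStream in = new FileInputStream(certPath)) {
            certs = cf.generateCertificates(in);
        }
        // In-memory truststore: no password, no keys, only trusted-certificate entries.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        int i = 0;
        for (Certificate c : certs) {
            trust.setCertificateEntry("ca-" + (i++), c);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        return tmf.getTrustManagers();
    }

    /** Equivalent of <sec:keyManagers><sec:keyStore type="PKCS12" .../>: the client's own key pair. */
    static KeyManager[] keyManagersFromPkcs12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        return kmf.getKeyManagers();
    }

    /** Only AEAD suites; NULL, export, DES and anonymous DH are excluded explicitly. */
    static FiltersType strongCipherFilter() {
        FiltersType f = new FiltersType();
        f.getInclude().add(".*_WITH_AES_.*_GCM_.*");
        f.getInclude().add("TLS_AES_.*");        // TLS 1.3 suites
        f.getInclude().add("TLS_CHACHA20_.*");
        f.getExclude().add(".*_NULL_.*");
        f.getExclude().add(".*_EXPORT.*");
        f.getExclude().add(".*_DES_.*");
        f.getExclude().add(".*_anon_.*");
        return f;
    }

    /** Apply the TLS settings to the HTTP conduit behind a JAX-WS proxy (port is a hypothetical client proxy). */
    static void configure(Object port, String clientP12, char[] clientP12Password, String caCertFile)
            throws Exception {
        HTTPConduit conduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
        TLSClientParameters tls = new TLSClientParameters();
        tls.setSecureSocketProtocol("TLSv1.2");          // assumption: the server speaks TLS 1.2 or later
        tls.setKeyManagers(keyManagersFromPkcs12(clientP12, clientP12Password));
        tls.setTrustManagers(trustManagersFromCertFile(caCertFile));
        tls.setCipherSuitesFilter(strongCipherFilter());
        conduit.setTlsClientParameters(tls);
    }
}
```

Run assertCertificatesOnly against a ca_only.jks (type "JKS") or a ca.p12 (type "PKCS12") before deploying it as a truststore; a file exported with the CA's key pair fails the check, while one built with the keytool -import command above passes.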

