This section explains how to enable SSL/TLS security on the Fuse Mediation Router Jetty component, which is used to create a HTTPS Web server. The key step is to customize the Jetty component by setting the sslSocketConnectorProperties property, which configures SSL/TLS. You must also change the protocol scheme on the Jetty URI from http to https.
To configure SSL/TLS security for a Camel Jetty endpoint deployed in the OSGi container, perform the following steps:
The maven-archetype-quickstart archetype creates a generic Maven project, which you can then customize for whatever purpose you like. To generate a Maven project with the coordinates org.fusesource.example:jetty-security, enter the following command:
mvn archetype:create -DarchetypeArtifactId=maven-archetype-quickstart -DgroupId=org.fusesource.example -DartifactId=jetty-security
The result of this command is a directory, ProjectDir/jetty-security, containing the files for the generated project.
Note: Be careful not to choose a group ID for your artifact that clashes with the group ID of an existing product! This could lead to clashes between your project's packages and the packages from the existing product (because the group ID is typically used as the root of a project's Java package names).
You must customize the POM file in order to generate an OSGi bundle. Follow the POM customization steps described in Modifying an Existing Maven Project in Deploying into the OSGi Container.
The certificates used in this demonstration are taken from a sample in the Fuse Service Framework 2.4.2-fuse-00-08 product. If you download and install the standalone version of Fuse Service Framework, you will find the sample certificates in the CXFInstallDir/samples/wsdl_first_https/certs directory.
Copy the certs directory from CXFInstallDir/samples/wsdl_first_https/ to the EsbInstallDir/etc/ directory. After copying, you should have the following directory structure under EsbInstallDir/etc/:

```
EsbInstallDir/etc/
|
\--certs/
   |
   \--cherry.jks
      wibble.jks
      truststore.jks
      ...
```

Where cherry.jks, wibble.jks, and truststore.jks are the keystores that are used in this demonstration.
Warning: The demonstration key store and trust store are provided for testing purposes only. Do not deploy these certificates in a production system. To set up a genuinely secure SSL/TLS system, you must generate custom certificates, as described in Managing Certificates in Fuse Message Broker Security Guide.
The Jetty Web server is created by defining a Jetty endpoint at the start of a Fuse Mediation Router route. The route is then responsible for processing the incoming HTTP request and generating a reply. The current example simply sends back a small HTML page in the reply. For a more realistic application, you would typically process the incoming message using a bean, which accesses the message through the Java servlet API.
Create the following directory to hold the Spring configuration files:
ProjectDir/jetty-security/src/main/resources/META-INF/spring
In the spring directory that you just created, use your favorite text editor to create the file jetty-spring.xml, containing the following XML configuration:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://activemq.apache.org/schema/core
         http://activemq.apache.org/schema/core/activemq-core-5.4.0.xsd
         http://camel.apache.org/schema/spring
         http://camel.apache.org/schema/spring/camel-spring.xsd">

  <!-- Secure Jetty component: replaces the default 'jetty' component with one that has SSL/TLS configured -->
  <bean id="jetty" class="org.apache.camel.component.jetty.JettyHttpComponent">
    <property name="sslSocketConnectorProperties">
      <map>
        <entry key="password" value="password"/>
        <entry key="keyPassword" value="password"/>
        <entry key="keystore" value="etc/certs/cherry.jks"/>
        <entry key="truststore" value="etc/certs/truststore.jks"/>
        <entry key="trustPassword" value="password"/>
        <entry key="needClientAuth" value="false"/>
      </map>
    </property>
  </bean>

  <camelContext trace="true" xmlns="http://camel.apache.org/schema/spring">
    <route>
      <!-- The URI scheme must be https, and the 'jetty:' prefix must match the bean ID above -->
      <from uri="jetty:https://0.0.0.0:8282/services?matchOnUriPrefix=true"/>
      <transform>
        <!-- The HTML reply is escaped so that it is treated as text rather than as XML elements -->
        <constant>&lt;html&gt;&lt;body&gt;Hello from Fuse ESB server&lt;/body&gt;&lt;/html&gt;</constant>
      </transform>
    </route>
  </camelContext>

</beans>
```
The jetty bean defines a new instance of the Fuse Mediation Router Jetty component, overriding the default component defined in the camel-jetty JAR file. This Jetty component is configured with SSL/TLS properties as follows:

keystore
The location of the Java keystore file (in JKS format) containing the Jetty server's own X.509 certificate and private key. This location is specified on the filesystem (not on the classpath), relative to the directory where the OSGi container is started.

password
The keystore password that unlocks the keystore.

keyPassword
The password that decrypts the private key stored in the keystore (usually having the same value as password).

truststore
The location of the Java keystore file containing one or more trusted certificates (that is, the CA certificates that have been used to sign X.509 certificates from trusted clients). This location is specified on the filesystem (not on the classpath), relative to the directory where the OSGi container is started. Strictly speaking, this property is not needed if clients do not send certificates to the Jetty service.

trustPassword
The keystore password that unlocks the trust store.

needClientAuth
When true, clients must send an X.509 certificate to the server side or the SSL/TLS handshake will fail; when false, clients are not required to send an X.509 certificate, but they may do so.
Note: The preceding configuration shows how to enable SSL/TLS security for all IP port values. To enable SSL/TLS security for specific IP ports only, see SSL Support (HTTPS) in EIP Component Reference.
You must also modify the URI at the start of the route (the uri attribute of the from element). Make sure that the component scheme of the URI, jetty, matches the ID of the secure Jetty component bean that you have just created; otherwise the route binds to the default, unsecured Jetty component. You must also change the protocol scheme from http to https.
Tip: Always double-check you have changed the protocol scheme to
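The following script is an added example, not part of the original documentation and not Fuse or Camel code. It audits a jetty-spring.xml of the kind shown above for the points made in this section: that the JettyHttpComponent bean carries the keystore and password properties, that needClientAuth=true is paired with a truststore, that the route's component prefix (jetty:) resolves to that bean rather than to the default unsecured component, and that the route scheme is https. It also flags the demonstration keystore names and the password value "password", which the warning above says must not reach production. Both XML samples are constructed inline (the page's configuration reduced to the elements the audit reads, and a deliberately misconfigured variant); the WEAK_PASSWORDS list, the severity levels, and the function names are this example's own choices.

```python
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

BEANS_NS = "http://www.springframework.org/schema/beans"
CAMEL_NS = "http://camel.apache.org/schema/spring"
JETTY_CLASS = "org.apache.camel.component.jetty.JettyHttpComponent"

# Keystore file names from the demonstration on this page; flagged because the
# page warns they are for testing only.
DEMO_KEYSTORES = {"cherry.jks", "wibble.jks", "truststore.jks"}
# Assumed list of default passwords that must not survive into production.
WEAK_PASSWORDS = {"", "password", "changeit"}

# Constructed sample: the page's jetty-spring.xml, reduced to the elements the
# audit reads (schemaLocation and the <transform> step are omitted).
SECURE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="jetty" class="org.apache.camel.component.jetty.JettyHttpComponent">
    <property name="sslSocketConnectorProperties">
      <map>
        <entry key="password" value="password"/>
        <entry key="keyPassword" value="password"/>
        <entry key="keystore" value="etc/certs/cherry.jks"/>
        <entry key="truststore" value="etc/certs/truststore.jks"/>
        <entry key="trustPassword" value="password"/>
        <entry key="needClientAuth" value="false"/>
      </map>
    </property>
  </bean>
  <camelContext xmlns="http://camel.apache.org/schema/spring">
    <route>
      <from uri="jetty:https://0.0.0.0:8282/services?matchOnUriPrefix=true"/>
    </route>
  </camelContext>
</beans>"""

# Constructed sample of the mistakes this section warns about: the route still
# says http, and its "jetty:" prefix does not match the bean id "jettySecure",
# so Camel would fall back to the default (plain HTTP) component.
INSECURE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="jettySecure" class="org.apache.camel.component.jetty.JettyHttpComponent">
    <property name="sslSocketConnectorProperties">
      <map>
        <entry key="password" value="password"/>
        <entry key="keystore" value="etc/certs/cherry.jks"/>
        <entry key="needClientAuth" value="true"/>
      </map>
    </property>
  </bean>
  <camelContext xmlns="http://camel.apache.org/schema/spring">
    <route>
      <from uri="jetty:http://0.0.0.0:8282/services"/>
    </route>
  </camelContext>
</beans>"""


def ssl_properties(root):
    """Map each JettyHttpComponent bean id to its sslSocketConnectorProperties entries."""
    beans = {}
    for bean in root.iter(f"{{{BEANS_NS}}}bean"):
        if bean.get("class") != JETTY_CLASS:
            continue
        props = {}
        for prop in bean.findall(f"{{{BEANS_NS}}}property"):
            if prop.get("name") == "sslSocketConnectorProperties":
                for entry in prop.iter(f"{{{BEANS_NS}}}entry"):
                    props[entry.get("key")] = entry.get("value", "")
        beans[bean.get("id")] = props
    return beans


def audit(xml_text):
    """Return (level, message) findings; any WARN finding should block deployment."""
    root = ET.fromstring(xml_text)
    beans = ssl_properties(root)
    findings = []
    for bean_id, props in beans.items():
        for key in ("keystore", "password", "keyPassword"):
            if key not in props:
                findings.append(("WARN", f"bean '{bean_id}': missing '{key}'"))
        if props.get("needClientAuth", "false").lower() == "true":
            if "truststore" not in props:
                findings.append(("WARN", f"bean '{bean_id}': needClientAuth=true but no truststore"))
        else:
            findings.append(("INFO", f"bean '{bean_id}': needClientAuth=false, clients are not authenticated"))
        for key in ("password", "keyPassword", "trustPassword"):
            if key in props and props[key] in WEAK_PASSWORDS:
                findings.append(("WARN", f"bean '{bean_id}': '{key}' is a well-known default"))
        for key in ("keystore", "truststore"):
            if os.path.basename(props.get(key, "")) in DEMO_KEYSTORES:
                findings.append(("WARN", f"bean '{bean_id}': '{key}' is a demonstration keystore"))
    # Every <from> that names a Jetty component must resolve to an SSL-configured
    # bean and must use the https scheme; other components (timer:, direct:) are skipped.
    for elem in root.iter(f"{{{CAMEL_NS}}}from"):
        uri = elem.get("uri", "")
        component, _, rest = uri.partition(":")
        if component != "jetty" and component not in beans:
            continue
        if component not in beans:
            findings.append(("WARN", f"route '{uri}': no SSL-configured bean with id '{component}'"))
        scheme = urlparse(rest).scheme
        if scheme != "https":
            findings.append(("WARN", f"route '{uri}': scheme is '{scheme}', not https"))
    return findings


def deployable(xml_text):
    """True only when the audit raises no WARN findings."""
    return not any(level == "WARN" for level, _ in audit(xml_text))
```

Run audit() on the contents of your own jetty-spring.xml before building the bundle. Note that the page's own configuration is reported as not deployable: the route and component checks pass, but the demonstration keystores and the "password" values are flagged, which is exactly what the warning earlier in this section says about using them outside a test environment.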
Use Maven to build the bundle. Open a command prompt, switch the current directory to ProjectDir/jetty-security, and enter the following command:
mvn install
This command builds the bundle and installs it in your local Maven repository.
If you have not already done so, start up the Apache ServiceMix console (and container instance) by entering the following command in a new command prompt:
servicemix
The camel-jetty feature, which defines the bundles required for the Camel/Jetty component, is not installed by default. To install the camel-jetty feature, enter the following console command:
karaf@root> features:install camel-jetty
To deploy and activate the bundle, enter the following console command:
karaf@root> osgi:install -s mvn:org.fusesource.example/jetty-security
The preceding command loads the bundle from your local Maven repository. You might need to configure the Mvn URL handler with the location of your local Maven repository, if the bundle cannot be found (see Mvn URL Handler in Deploying into the OSGi Container).
To test the Jetty service, open your favorite Web browser and navigate to the following URL:
https://localhost:8282/services
Tip: Don't forget to use
Because the Jetty service uses an untrusted certificate, your browser will initially present you with a warning about the untrusted certificate. For example, the Firefox browser displays the following warning screen:
To proceed with contacting the Jetty service, click I Understand the Risks and then click Add Exception, which brings up the Add Security Exception dialog. In the Add Security Exception dialog, make sure that the Permanently store this exception option is unchecked and click Confirm Security Exception.
The browser window should now display the following text:
Hello from Fuse ESB server