Chapter 6.  Configuring Transport Security for Camel Components

Abstract

Camel provides the Java Secure Socket Extension (JSSE) Utility API as a common way to configure Camel components to use Transport Layer Security (TLS). The main JSSE utility class is org.apache.util.jsse.SSLContextParameters. To configure TLS settings, you pass an instance of this class to a Camel component. You can configure an SSLContextParameters object by using pure Java or by using Spring or Blueprint XML.
The following code is an example of using Spring XML to configure an SSLContextParameters object:
<sslContextParameters id="sslContextParameters" xmlns="http://camel.apache.org/schema/spring">
   <keyManagers keyPassword="secret1">
      <keyStore resource="./my_keystore.jks" password="secret2" />
   </keyManagers>
   <trustManagers>
      <keyStore resource="./my_truststore.jks" password="secret2" />
   </trustManagers>
</sslContextParameters>
This shows the toplevel sslContextParameters element with keyManagers and trustManagers child elements. The keyManagers element configures the key store while the trustManagers element configures the trust store. For details about key stores and trust stores, see the Apache Camel documentation for the JSSE utility.
With this in place, you can reference the sslContextParameters bean in your endpoint URI. The following route runs a netty4 HTTPS endpoint. The ssl option is required. For example:
<route>
   <from uri="netty4:https://localhost:8080/early?sslContextParametersRef=#sslContextParameters&ssl=true"/>
   <transform>
      <constant>Hi</constant>
   </transform>
</route>
The following code provides an example of how to configure transport security in Java:
@Override
protected JndiRegistry createRegistry() throws Exception {
   KeyStoreParameters ksp = new KeyStoreParameters();
      ksp.setResource("./my_keystore.jks");
      ksp.setPassword("secret1");
   KeyManagersParameters kmp = new KeyManagersParameters();
      kmp.setKeyPassword("secret2");
      kmp.setKeyStore(ksp);
   KeyStoreParameters tsp = new KeyStoreParameters();
      tsp.setResource("./my_truststore.jks");
      tsp.setPassword("secret2");
   TrustManagersParameters tmp = new TrustManagersParameters();
      tmp.setKeyStore(tsp);
   SSLContextParameters sslContextParameters = new SSLContextParameters();
   sslContextParameters.setKeyManagers(kmp);
   sslContextParameters.setTrustManagers(tmp);
   JndiRegistry registry = super.createRegistry();
   registry.bind("sslContextParameters", sslContextParameters);

   return registry;
}
The Java route for a netty4 HTTPS endpoint looks like the following. The ssl option is required.
from("netty4:https://localhost:8080/early?sslContextParametersRef=
   #sslContextParameters&ssl=true").transform().constant("Hi");
In Camel, to call these HTTPS endpoints, also provide the sslContextParameters object that contains a trusted certificate. The following example reuses the server sslContextParameters object. In this example, the URI syntax is the same for the producer. For example:
String reply =       
      template.requestBody(
         "netty4:https://localhost:8080/early?ssl=true&sslContextParametersRef=
            sslContextParameters", "Hi Camel!", String.class);
If you do not provide an sslContextParameters object that contains a valid trust store then the server does not allow a connection and Camel throws an execution exception - CamelExecutionException.