Deprecate the keystore and trustore client options in favor of tls-co…

…nfiguration-name

docs/modules/ROOT/examples/ws-security-policy/application.properties

@@ -130,14 +130,16 @@ quarkus.cxf.endpoint."/helloSaml2".security.saml-callback-handler = #saml2Callba
 # Clients
 
 # tag::client-trust-store[]
-# Client side SSL
+# Define a TLS configuration with name "hello-tls" <1>
+quarkus.tls.hello-tls.trust-store.p12.path = client-truststore.pkcs12
+quarkus.tls.hello-tls.trust-store.p12.password = client-truststore-password
+
+# Basic client settings
 quarkus.cxf.client.hello.client-endpoint-url = https://localhost:${quarkus.http.test-ssl-port}/services/hello
 quarkus.cxf.client.hello.service-interface = io.quarkiverse.cxf.it.security.policy.HelloService
-# <1>
-quarkus.cxf.client.hello.trust-store-type = pkcs12
-# <2>
-quarkus.cxf.client.hello.trust-store = client-truststore.pkcs12
-quarkus.cxf.client.hello.trust-store-password = client-truststore-password
+
+# Use "hello-tls" defined above for this client
+quarkus.cxf.client.hello.tls-configuration-name = hello-tls
 # end::client-trust-store[]
 
 quarkus.cxf.client.helloAllowAll.client-endpoint-url = https://127.0.0.1:${quarkus.http.test-ssl-port}/services/hello

docs/modules/ROOT/pages/reference/extensions/quarkus-cxf.adoc

@@ -1893,7 +1893,7 @@ underlying HTTP client.
 .<| 
 
 3+a|The name of the TLS configuration to use for setting up trust store and keystore for this SOAP client.
-<p>
+
 If not set and `.trust-store` or `.key-store` is configured then that the configuration from `.trust-store*`
 and `.key-store*` family of options will be used.
 If a name is configured, it uses the configuration from `quarkus.tls.<name>.*`
@@ -1903,66 +1903,94 @@ Setting `.tls-configuration-name` and any of `.trust-store` or `.key-store` lead
 *Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENT_NAME__TLS_CONFIGURATION_NAME+++` +
 *Since Quarkus CXF*: 3.15.0
 
-.<| [[quarkus-cxf_quarkus-cxf-client-client-name-key-store]]`link:#quarkus-cxf_quarkus-cxf-client-client-name-key-store[quarkus.cxf.client."client-name".key-store]`
+.<| [[quarkus-cxf_quarkus-cxf-client-client-name-key-store]][line-through]##`link:#quarkus-cxf_quarkus-cxf-client-client-name-key-store[quarkus.cxf.client."client-name".key-store]`##
 .<| `string`
 .<| 
 
 3+a|The key store location for this client. The resource is first looked up in the classpath, then in the file system.
 
+*Deprecated* - use
+`xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-tls-configuration-name[quarkus.cxf.client."client-name".tls-configuration-name]`
+instead.
+
 *Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENT_NAME__KEY_STORE+++` +
 *Since Quarkus CXF*: 3.8.1
 
-.<| [[quarkus-cxf_quarkus-cxf-client-client-name-key-store-password]]`link:#quarkus-cxf_quarkus-cxf-client-client-name-key-store-password[quarkus.cxf.client."client-name".key-store-password]`
+.<| [[quarkus-cxf_quarkus-cxf-client-client-name-key-store-password]][line-through]##`link:#quarkus-cxf_quarkus-cxf-client-client-name-key-store-password[quarkus.cxf.client."client-name".key-store-password]`##
 .<| `string`
 .<| 
 
-3+a|The key store password
+3+a|The key store password.
+
+*Deprecated* - use
+`xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-tls-configuration-name[quarkus.cxf.client."client-name".tls-configuration-name]`
+instead.
 
 *Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENT_NAME__KEY_STORE_PASSWORD+++` +
 *Since Quarkus CXF*: 3.8.1
 
-.<| [[quarkus-cxf_quarkus-cxf-client-client-name-key-store-type]]`link:#quarkus-cxf_quarkus-cxf-client-client-name-key-store-type[quarkus.cxf.client."client-name".key-store-type]`
+.<| [[quarkus-cxf_quarkus-cxf-client-client-name-key-store-type]][line-through]##`link:#quarkus-cxf_quarkus-cxf-client-client-name-key-store-type[quarkus.cxf.client."client-name".key-store-type]`##
 .<| `string`
 .<| `JKS`
 
 3+a|The type of the key store.
 
+*Deprecated* - use
+`xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-tls-configuration-name[quarkus.cxf.client."client-name".tls-configuration-name]`
+instead.
+
 *Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENT_NAME__KEY_STORE_TYPE+++` +
 *Since Quarkus CXF*: 3.8.1
 
-.<| [[quarkus-cxf_quarkus-cxf-client-client-name-key-password]]`link:#quarkus-cxf_quarkus-cxf-client-client-name-key-password[quarkus.cxf.client."client-name".key-password]`
+.<| [[quarkus-cxf_quarkus-cxf-client-client-name-key-password]][line-through]##`link:#quarkus-cxf_quarkus-cxf-client-client-name-key-password[quarkus.cxf.client."client-name".key-password]`##
 .<| `string`
 .<| 
 
 3+a|The key password.
 
+*Deprecated* - use
+`xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-tls-configuration-name[quarkus.cxf.client."client-name".tls-configuration-name]`
+instead.
+
 *Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENT_NAME__KEY_PASSWORD+++` +
 *Since Quarkus CXF*: 3.8.1
 
-.<| [[quarkus-cxf_quarkus-cxf-client-client-name-trust-store]]`link:#quarkus-cxf_quarkus-cxf-client-client-name-trust-store[quarkus.cxf.client."client-name".trust-store]`
+.<| [[quarkus-cxf_quarkus-cxf-client-client-name-trust-store]][line-through]##`link:#quarkus-cxf_quarkus-cxf-client-client-name-trust-store[quarkus.cxf.client."client-name".trust-store]`##
 .<| `string`
 .<| 
 
 3+a|The trust store location for this client. The resource is first looked up in the classpath, then in the file system.
 
+*Deprecated* - use
+`xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-tls-configuration-name[quarkus.cxf.client."client-name".tls-configuration-name]`
+instead.
+
 *Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENT_NAME__TRUST_STORE+++` +
 *Since Quarkus CXF*: 2.5.0
 
-.<| [[quarkus-cxf_quarkus-cxf-client-client-name-trust-store-password]]`link:#quarkus-cxf_quarkus-cxf-client-client-name-trust-store-password[quarkus.cxf.client."client-name".trust-store-password]`
+.<| [[quarkus-cxf_quarkus-cxf-client-client-name-trust-store-password]][line-through]##`link:#quarkus-cxf_quarkus-cxf-client-client-name-trust-store-password[quarkus.cxf.client."client-name".trust-store-password]`##
 .<| `string`
 .<| 
 
 3+a|The trust store password.
 
+*Deprecated* - use
+`xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-tls-configuration-name[quarkus.cxf.client."client-name".tls-configuration-name]`
+instead.
+
 *Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENT_NAME__TRUST_STORE_PASSWORD+++` +
 *Since Quarkus CXF*: 2.5.0
 
-.<| [[quarkus-cxf_quarkus-cxf-client-client-name-trust-store-type]]`link:#quarkus-cxf_quarkus-cxf-client-client-name-trust-store-type[quarkus.cxf.client."client-name".trust-store-type]`
+.<| [[quarkus-cxf_quarkus-cxf-client-client-name-trust-store-type]][line-through]##`link:#quarkus-cxf_quarkus-cxf-client-client-name-trust-store-type[quarkus.cxf.client."client-name".trust-store-type]`##
 .<| `string`
 .<| `JKS`
 
 3+a|The type of the trust store.
 
+*Deprecated* - use
+`xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-tls-configuration-name[quarkus.cxf.client."client-name".tls-configuration-name]`
+instead.
+
 *Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENT_NAME__TRUST_STORE_TYPE+++` +
 *Since Quarkus CXF*: 2.5.0
 

docs/modules/ROOT/pages/user-guide/ssl.adoc

@@ -20,19 +20,24 @@ Tools like `openssl` or Java `keytool` are commonly used for creating and mainta
 
 We have examples for both tools in the {quarkus-cxf-project-name} source tree:
 
-* {link-quarkus-cxf-source-tree-base}/integration-tests/ws-security-policy/pom.xml#L185-L520[Create truststore with Java 'keytool' (wrapped by a Maven plugin)]
-* {link-quarkus-cxf-source-tree-base}/integration-tests/ws-security-policy/generate-certs.sh[Create truststore with `openssl`]
+* https:/quarkiverse/quarkus-cxf/blob/3.15/integration-tests/ws-security-policy/pom.xml#L185-L520[Create truststore with Java 'keytool' (wrapped by a Maven plugin)]
+* https:/quarkiverse/quarkus-cxf/blob/3.15/integration-tests/ws-security-policy/generate-certs.sh[Create truststore with `openssl`]
 
 Once you have prepared the trust store, you need to configure your client to use it.
 
 === Set the client trust store in `application.properties`
 
 This is the easiest way to set the client trust store.
-The key role is played by the following properties:
+The key role is played by named TLS configurations delivered by {link-quarkus-docs-base}/tls-registry-reference[Quarkus TLS registry]
+an by the `xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-tls-configuration-name[quarkus.cxf.client."client-name".tls-configuration-name]` property.
 
-* `xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-trust-store[quarkus.cxf.client."client-name".trust-store]`
-* `xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-trust-store-type[quarkus.cxf.client."client-name".trust-store-type]`
-* `xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-trust-store-password[quarkus.cxf.client."client-name".trust-store-password]`
+[NOTE]
+====
+{link-quarkus-docs-base}/tls-registry-reference[Quarkus TLS registry] is an extension that centralizes TLS configuration,
+making it easier to manage and maintain secure connections across your application.
+`io.quarkus:quarkus-tls-registry` is a transitive dependency of `io.quarkiverse.cxf:quarkus-cxf` since {quarkus-cxf-project-name} 3.15.0,
+so you do not have to add it manually.
+====
 
 Here is an example:
 
@@ -42,18 +47,29 @@ Here is an example:
 include::example$ws-security-policy/application.properties[tag=client-trust-store]
 ----
 
-<1> `pkcs12` and `jks` are two commonly used keystore formats.
- PKCS12 is the https://openjdk.org/jeps/229[default Java keystore format] since Java 9.
- We recommend using PKCS12 rather than JKS, because it offers stronger cryptographic algorithms,
- it is extensible, standardized, language-neutral and widely supported.
-<2> The referenced `client-truststore.pkcs12` file has to be available either in the classpath
+<1> The referenced `client-truststore.pkcs12` file has to be available either in the classpath
  or in the file system.
 
+[NOTE]
+====
+The xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-trust-store[older way] of configuring the client trust store is still supported, but deprecated since {quarkus-cxf-project-name} 3.16.0:
+
+.application.properties
+[source,properties]
+----
+# Deprecated way of setting the client trust store
+quarkus.cxf.client.hello.trust-store-type = pkcs12
+quarkus.cxf.client.hello.trust-store = client-truststore.pkcs12
+quarkus.cxf.client.hello.trust-store-password = client-truststore-password
+----
+====
+
 == Server SSL configuration
 
 To make your services available over the HTTPS protocol, you need to set up server keystore in the first place.
 The server SSL configuration is driven by Vert.x, the HTTP layer of Quarkus.
-{link-quarkus-docs-base}/http-reference#ssl[Quarkus HTTP guide] provides the information about the configuration options.
+{link-quarkus-docs-base}/http-reference#ssl[Quarkus HTTP guide] and {link-quarkus-docs-base}/tls-registry-reference[Quarkus TLS registry reference]
+provide the information about the configuration options.
 
 Here is a basic example:
 
@@ -82,9 +98,9 @@ and the configuration properties to use are pretty much analogous to the ones us
 The {link-quarkus-cxf-source-tree-base}/integration-tests/mtls[mTLS integration test]
 in the {quarkus-cxf-project-name} source tree can serve as a good starting point.
 
-The keystores and truststores are created with
-`{link-quarkus-cxf-source-tree-base}/integration-tests/mtls/generate-certs.sh[openssl]`
-(or alternatively with Java {link-quarkus-cxf-source-tree-base}/integration-tests/mtls/pom.xml#L140-L408[Java `keytool`])
+The keystores and truststores can be created with
+`https:/quarkiverse/quarkus-cxf/blob/3.15/integration-tests/ws-security-policy/generate-certs.sh[openssl]`
+(or alternatively with Java https:/quarkiverse/quarkus-cxf/blob/3.15/integration-tests/ws-security-policy/pom.xml#L185-L520[Java `keytool`])
 
 Here is the `application.properties` file:
 

extensions/core/runtime/src/main/java/io/quarkiverse/cxf/CxfClientConfig.java

@@ -415,7 +415,7 @@ public interface CxfClientConfig {
 
  /**
  * The name of the TLS configuration to use for setting up trust store and keystore for this SOAP client.
- * <p>
+ *
  * If not set and `.trust-store` or `.key-store` is configured then that the configuration from `.trust-store*`
  * and `.key-store*` family of options will be used.
  * If a name is configured, it uses the configuration from `quarkus.tls.<name>.*`
@@ -430,59 +430,101 @@ public interface CxfClientConfig {
  /**
  * The key store location for this client. The resource is first looked up in the classpath, then in the file system.
  *
+ * *Deprecated* - use
+ * `xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-tls-configuration-name[quarkus.cxf.client."client-name".tls-configuration-name]`
+ * instead.
+ *
  * @asciidoclet
  * @since 3.8.1
+ * @deprecated Use {@link #tlsConfigurationName()}
  */
+ @Deprecated
  public Optional<String> keyStore();
 
  /**
- * The key store password
+ * The key store password.
+ *
+ * *Deprecated* - use
+ * `xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-tls-configuration-name[quarkus.cxf.client."client-name".tls-configuration-name]`
+ * instead.
  *
  * @asciidoclet
  * @since 3.8.1
+ * @deprecated Use {@link #tlsConfigurationName()}
  */
+ @Deprecated
  public Optional<String> keyStorePassword();
 
  /**
  * The type of the key store.
  *
+ * *Deprecated* - use
+ * `xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-tls-configuration-name[quarkus.cxf.client."client-name".tls-configuration-name]`
+ * instead.
+ *
  * @asciidoclet
  * @since 3.8.1
+ * @deprecated Use {@link #tlsConfigurationName()}
  */
  @WithDefault("JKS")
+ @Deprecated
  public String keyStoreType();
 
  /**
  * The key password.
  *
+ * *Deprecated* - use
+ * `xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-tls-configuration-name[quarkus.cxf.client."client-name".tls-configuration-name]`
+ * instead.
+ *
  * @asciidoclet
  * @since 3.8.1
+ * @deprecated Use {@link #tlsConfigurationName()}
  */
+ @Deprecated
  public Optional<String> keyPassword();
 
  /**
  * The trust store location for this client. The resource is first looked up in the classpath, then in the file system.
  *
+ * *Deprecated* - use
+ * `xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-tls-configuration-name[quarkus.cxf.client."client-name".tls-configuration-name]`
+ * instead.
+ *
  * @asciidoclet
  * @since 2.5.0
+ * @deprecated Use {@link #tlsConfigurationName()}
  */
+ @Deprecated
  public Optional<String> trustStore();
 
  /**
  * The trust store password.
  *
+ * *Deprecated* - use
+ * `xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-tls-configuration-name[quarkus.cxf.client."client-name".tls-configuration-name]`
+ * instead.
+ *
  * @asciidoclet
  * @since 2.5.0
+ * @deprecated Use {@link #tlsConfigurationName()}
  */
+ @Deprecated
  public Optional<String> trustStorePassword();
 
  /**
  * The type of the trust store.
  *
+ * *Deprecated* - use
+ * `xref:reference/extensions/quarkus-cxf.adoc#quarkus-cxf_quarkus-cxf-client-client-name-tls-configuration-name[quarkus.cxf.client."client-name".tls-configuration-name]`
+ * instead.
+ *
  * @asciidoclet
  * @since 2.5.0
+ * @deprecated Use {@link #tlsConfigurationName()}
  */
  @WithDefault("JKS")
+ @Deprecated
  public String trustStoreType();
 
  /**

integration-tests/ws-security-policy/src/main/resources/application.properties

@@ -130,14 +130,16 @@ quarkus.cxf.endpoint."/helloSaml2".security.saml-callback-handler = #saml2Callba
 # Clients
 
 # tag::client-trust-store[]
-# Client side SSL
+# Define a TLS configuration with name "hello-tls" <1>
+quarkus.tls.hello-tls.trust-store.${keystore.type.short}.path = client-truststore.${keystore.type}
+quarkus.tls.hello-tls.trust-store.${keystore.type.short}.password = client-truststore-password
+
+# Basic client settings
 quarkus.cxf.client.hello.client-endpoint-url = https://localhost:${quarkus.http.test-ssl-port}/services/hello
 quarkus.cxf.client.hello.service-interface = io.quarkiverse.cxf.it.security.policy.HelloService
-# <1>
-quarkus.cxf.client.hello.trust-store-type = ${keystore.type}
-# <2>
-quarkus.cxf.client.hello.trust-store = client-truststore.${keystore.type}
-quarkus.cxf.client.hello.trust-store-password = client-truststore-password
+
+# Use "hello-tls" defined above for this client
+quarkus.cxf.client.hello.tls-configuration-name = hello-tls
 # end::client-trust-store[]
 
 quarkus.cxf.client.helloAllowAll.client-endpoint-url = https://127.0.0.1:${quarkus.http.test-ssl-port}/services/hello

pom.xml

@@ -76,7 +76,7 @@
 
  <supported-maven.versions>[3.6.2,)</supported-maven.versions>
 
- <cq-maven-plugin.version>4.12.0</cq-maven-plugin.version>
+ <cq-maven-plugin.version>4.13.0</cq-maven-plugin.version>
  <exec-maven-plugin.version>3.4.1</exec-maven-plugin.version>
  <groovy-maven-plugin.version>2.1.1</groovy-maven-plugin.version>
  <groovy.version>3.0.22</groovy.version>

src/build/doc-templates/extension-doc-page.adoc

@@ -82,7 +82,7 @@ icon:lock[title=Fixed at build time] Configuration property fixed at build time.
 
 [#list configOptions as configDocItem][#assign anchor = toAnchor(configDocItem.key)]
 
-.<|[=configDocItem.illustration] [[quarkus-cxf_[=anchor]]]`link:#quarkus-cxf_[=anchor][[=configDocItem.key]]`
+.<|[=configDocItem.illustration] [[quarkus-cxf_[=anchor]]][#if configDocItem.deprecated][line-through]##[/#if]`link:#quarkus-cxf_[=anchor][[=configDocItem.key]]`[#if configDocItem.deprecated]##[/#if]
 .<| [=configDocItem.type]
 .<| [#if configDocItem.defaultValue?has_content]`[=(configDocItem.defaultValue?starts_with("http:") || configDocItem.defaultValue?starts_with("https:"))?then("\\", "")][=configDocItem.defaultValue]`[#elseif ! configDocItem.optional ]required icon:exclamation-circle[title=Configuration property is required][/#if]