rest - Can't get SSL configured for Apache CXF and JAX-RS -

i'm having trouble getting configuration right cxf rest client talk cxf server. dreaded javax.net.ssl.sslhandshakeexception: received fatal alert: handshake_failure. strange thing is, configuration worked when using cxf soap. hints appreciated.

here server-side configuration:

<httpj:engine-factory bus="cxf"> <httpj:engine port="443"> <httpj:tlsserverparameters>     <sec:keymanagers keypassword="password">         <sec:keystore type="jks" password="password" file="cxf.jks"/>     </sec:keymanagers>     <sec:trustmanagers>         <sec:keystore type="jks" password="password" file="cxf.jks"/>     </sec:trustmanagers>     <sec:ciphersuitesfilter>         <sec:include>.*_export_.*</sec:include>         <sec:include>.*_export1024_.*</sec:include>         <sec:include>.*_with_des_.*</sec:include>         <sec:include>.*_with_null_.*</sec:include>         <sec:exclude>.*_dh_anon_.*</sec:exclude>     </sec:ciphersuitesfilter> </httpj:tlsserverparameters> <httpj:sessionsupport>true</httpj:sessionsupport> </httpj:engine> </httpj:engine-factory>   <jaxrs:server id="restcontainer" bus="cxf" address="/" > <jaxrs:servicebeans>     <ref bean="policyservice"/> </jaxrs:servicebeans> </jaxrs:server> 

and here client configuration:

<http:conduit name="*.http-conduit">     <http:tlsclientparameters>         <sec:keymanagers             keypassword="password">             <sec:keystore type="jks"                 password="password"                 file="cxf.jks" />         </sec:keymanagers>         <sec:trustmanagers>             <sec:keystore type="jks"                 password="password"                 file="cxf.jks" />         </sec:trustmanagers>         <sec:ciphersuitesfilter>             <sec:include>.*_export_.*</sec:include>             <sec:include>.*_export1024_.*</sec:include>             <sec:include>.*_with_des_.*</sec:include>             <sec:include>.*_with_null_.*</sec:include>             <sec:exclude>.*_dh_anon_.*</sec:exclude>         </sec:ciphersuitesfilter>     </http:tlsclientparameters>     <http:client autoredirect="true" receivetimeout="0"  connection="keep-alive" /> </http:conduit> 

this flavor of client i'm using:

myrestapi api = jaxrsclientfactory.create(myresturi, myrestapi.class); 

this works fine in clear, it's ssl that's problem.

to make sure have right settings can hardcode (temp.) this:

    system.setproperty("javax.net.ssl.keystore", "/usr/lib/jvm/java-7-oracle/jre/lib/security/cacerts");     system.setproperty("javax.net.ssl.keystorepassword", "changeit");     system.setproperty("javax.net.ssl.truststore", "/usr/lib/jvm/java-7-oracle/jre/lib/security/cacerts");     system.setproperty("javax.net.ssl.truststorepassword", "changeit");     system.setproperty("javax.net.debug", "all"); 

then output check can debug more...