Posted to java-user@axis.apache.org by StrongSteve <st...@starkeweb.org> on 2008/08/27 14:38:32 UTC

Axis 2 - SSL with Client Authentication

Hi Everybody!

I am really stuck with the problem below, and I hope that someone can help
me! ;)
(Or at least give me a useful hint on where to search for more
information...)

Basically I have a running webservice based on AXIS 2. 

Now I have to make it secure. By secure I mean the following two things:
   - Transport via SSL (Https)
   - Client Authentication using a Client Certificate

Basically all messages have to be transferred over https, and only "trusted"
clients - whose certificates reside in the server's .truststore - shall be
worked with.

After one and a half days of browsing the internet, I have not really come
across a solution.

What I did till now is the following:
   - Enable https in Tomcat 6 after generating a server key
   - If I import this server key into the client's .truststore I can call my
webservice by passing an https URL in the existing endpoint reference

The problem I am really stuck with is the part with the client certificates
and I have nearly no clue on which steps are to be performed... :(

I already tried uncommenting the following block in the axis2.xml, as I
think that this is the part that I need, but it just results in a
NullPointerException when starting my Tomcat.

    <!-- the non blocking https transport based on HttpCore + SSL-NIO extensions -->
    <!--<transportReceiver name="https"
                           class="org.apache.axis2.transport.nhttp.HttpCoreNIOSSLListener">
        <parameter name="port" locked="false">9002</parameter>
        <parameter name="non-blocking" locked="false">true</parameter>
        <parameter name="keystore" locked="false">
            <KeyStore>
                <Location>D:/Apache Tomcat 6.0.18/.keystore</Location>
                <Type>JKS</Type>
                <Password>password</Password>
                <KeyPassword>password</KeyPassword>
            </KeyStore>
        </parameter>
        <parameter name="truststore" locked="false">
            <TrustStore>
                <Location>trust.jks</Location>
                <Type>JKS</Type>
                <Password>password</Password>
            </TrustStore>
        </parameter>-->
        <!-- <parameter name="SSLVerifyClient">require</parameter> -->
        <!-- supports optional|require or defaults to none -->
    <!--</transportReceiver> -->

[INFO]
java.lang.NullPointerException
        at org.apache.axis2.transport.nhttp.HttpCoreNIOSSLListener.getSSLContext(HttpCoreNIOSSLListener.java:96)
        at org.apache.axis2.transport.nhttp.HttpCoreNIOListener.init(HttpCoreNIOListener.java:151)
        at org.apache.axis2.engine.ListenerManager.start(ListenerManager.java:125)
        at org.apache.axis2.transport.http.AxisServlet.init(AxisServlet.java:442)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1172)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:992)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4058)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4371)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:926)
        at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:889)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:492)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1149)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
        at org.apache.catalina.core.StandardService.start(StandardService.java:516)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)

Thanks in Advance for both your time and your knowledge!

Greetings
Stefan
-- 
View this message in context: http://www.nabble.com/Axis-2---SSL-with-Client-Authentication-tp19180080p19180080.html
Sent from the Axis - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org


Re: Axis 2 - SSL with Client Authentication

Posted by StrongSteve <st...@starkeweb.org>.
SSL is set up correctly, but it is also set up to "clientAuth=true".
Therefore I need to import my client certificate in the browser, in order to
be able to complete the SSL Handshake with the Server.

Any ideas on how to do this?

Thanks!
Stefan



-- 
View this message in context: http://www.nabble.com/Axis-2---SSL-with-Client-Authentication-tp19180080p19194607.html
Sent from the Axis - User mailing list archive at Nabble.com.




Re: Axis 2 - SSL with Client Authentication

Posted by SG...@intellicare.com.
StrongSteve <st...@starkeweb.org> wrote on 08/27/2008 10:06:57 AM:
>
> 1.) When browsing to the WSDL-File with Firefox, I can not see anything, as
> I do not have a valid client certificate. I tried to import a certificate,
> that I exported with the keytool from the client's .keystore, but it is
> rejected as it is not a valid PK-12. Any hints?

If SSL is set up correctly, then browsing to the WSDL should prompt you to
trust the SSL cert the first time you go to that server.
I have only worked with JKS stores, but I don't think the type of store
would affect this behavior.

______________________________________________
Steve Gruverman, Programmer
IntelliCare, Inc. | A Medco Health Solutions Company

500 Southborough Drive | South Portland ME 04106







Re: Axis 2 - SSL with Client Authentication

Posted by StrongSteve <st...@starkeweb.org>.
I kinda seem to have solved problem 2.) by removing the part
<transport>http</transport> from the services.xml.

Is this the right way to do it?




-- 
View this message in context: http://www.nabble.com/Axis-2---SSL-with-Client-Authentication-tp19180080p19182082.html
Sent from the Axis - User mailing list archive at Nabble.com.




Re: Axis 2 - SSL with Client Authentication

Posted by StrongSteve <st...@starkeweb.org>.
Hi Everyone!

First of all, thanks for the quick answers.

I think now I am a step further, but I haven't quite reached the goal.

Thanks for the introduction on the client side, this is exactly what I am
doing! ;)

On the server side I have two files:

   - The .keystore contains my server certificate (key)
   - The .truststore contains the certificate (key) [This key comes from the
client's .keystore]

I was missing the entry "clientAuth=true" in the Tomcat's server.xml. Thanks
for the tip!

After changing this and restarting the Tomcat I have come across two
problems:

1.) When browsing to the WSDL-File with Firefox, I can not see anything, as
I do not have a valid client certificate. I tried to import a certificate,
that I exported with the keytool from the client's .keystore, but it is
rejected as it is not a valid PK-12. Any hints?

2.) My client can connect to the server, and I think that everything is
working - at least from the view of SSL. But the problem is that I get the
following error message: "Exception in thread "main"
org.apache.axis2.AxisFault: The service cannot be found for the endpoint
reference (EPR) https://XXXX:8443/axis2/services/RepositoryService"

How can I configure this EPR in the services.xml?

Thanks in Advance!
Stefan



-- 
View this message in context: http://www.nabble.com/Axis-2---SSL-with-Client-Authentication-tp19180080p19181697.html
Sent from the Axis - User mailing list archive at Nabble.com.




Re: Axis 2 - SSL with Client Authentication

Posted by SG...@intellicare.com.
First, I haven't used any of the Axis2 HTTPS support you mentioned. I don't
know if this is typical of Axis2 web services, but most references I've
seen to SSL use the facilities of the app server and javax.net.

Couple of questions to get started:
   Is the "standard" SSL working (other than the client authentication)?
   Does your Tomcat config include clientAuth="true"?
   Does your Tomcat config include settings for keystoreFile and
   keystorePass as well as truststoreFile and truststorePass?
   On the server, the keystore contains the SSL certificate and the
   truststore contains the certificate *of the Certificate Authority that
   signed the certificate that the client is using for client
   authentication.*
   (I find this confusing - to keep it simple, I use the same keystore for
   both. Not a "best practice", I think).

   Does your client System.setProperty() for javax.net.ssl.trustStore,
   trustStorePassword, keyStore and keyStorePassword?
   Here, the keystore contains the SSL client authentication certificate
   and the truststore contains the certificate *of the Certificate
   Authority that signed the server SSL certificate*.

Another useful property to set is javax.net.debug - set it to "ssl" to get
a bunch of SSL diagnostics.

I'm still pretty new to this stuff, so I'm not certain of this information
(but it seems to work for us). Please jump in and correct me if I'm wrong!

Anyway, I hope this helps.

- Steve

______________________________________________
Steve Gruverman, Programmer
IntelliCare, Inc. | A Medco Health Solutions Company

500 Southborough Drive | South Portland ME 04106



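Once Tomcat terminates TLS with clientAuth="true" and the keystoreFile/keystorePass and truststoreFile/truststorePass attributes on the HTTPS Connector, the container has already rejected any client whose certificate does not chain to the truststore before the service sees the request. What the service itself never learns from that is whether the request really arrived over HTTPS (relevant once the <transport> restriction is removed from services.xml, as mentioned earlier in this thread) and which of the trusted clients is calling. The Axis2 handler below is an added example, not code from this thread or from Axis2 itself: it reads the validated certificate chain that the Servlet API exposes under the "javax.servlet.request.X509Certificate" attribute, refuses anonymous or plain-HTTP calls, and checks the client's subject DN against an allow-list. The allow-list entry, the property name "example.client.subject" and the wiring of the handler into a module's InFlow are assumptions for the example; HTTPConstants.MC_HTTP_SERVLETREQUEST is the real Axis2 property under which the servlet transport stores the request.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.axis2.transport.http.HTTPConstants;

/**
 * Axis2 in-flow handler that enforces, per request, what Tomcat's
 * clientAuth="true" negotiates at the TLS layer: the call arrived over
 * HTTPS, the container validated a client certificate against its
 * truststore, and the certificate's subject is one this service accepts.
 *
 * Example code; the allow-list below and the module.xml wiring that puts
 * this handler into the InFlow of an engaged module are assumptions.
 */
public class ClientCertHandler extends AbstractHandler {

    /** Servlet-spec attribute under which the container exposes the validated chain. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Assumed property name; the service can read it to learn who called. */
    public static final String CLIENT_SUBJECT = "example.client.subject";

    /** Assumed: RFC 2253 subject DNs of the certificates allowed to call this service. */
    private static final Set<String> ALLOWED_SUBJECTS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList(
                    "CN=repository-client,OU=Integration,O=Example,C=AT")));

    public InvocationResponse invoke(MessageContext msgCtx) throws AxisFault {
        HttpServletRequest req = (HttpServletRequest)
                msgCtx.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        if (req == null) {
            // Not the servlet transport (e.g. the nhttp listener): fail closed.
            throw new AxisFault("client certificate check requires the servlet transport");
        }
        // A services.xml without a <transport> restriction is reachable over
        // plain HTTP as well; refuse that here instead of relying on the port.
        if (!req.isSecure()) {
            throw new AxisFault("this service is only available over HTTPS");
        }
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // clientAuth="want" (or a misconfigured connector) lets anonymous
            // clients through at the TLS layer; this handler does not.
            throw new AxisFault("client certificate required");
        }
        String subject = authorise(chain);
        msgCtx.setProperty(CLIENT_SUBJECT, subject);
        return InvocationResponse.CONTINUE;
    }

    /** Returns the accepted subject DN, or throws if the end-entity certificate is not on the list. */
    static String authorise(X509Certificate[] chain) throws AxisFault {
        X509Certificate leaf = chain[0];   // chain[0] is the client's own certificate
        try {
            leaf.checkValidity();          // the container already did this; cheap to repeat
        } catch (CertificateException e) {
            throw new AxisFault("client certificate expired or not yet valid", e);
        }
        String subject = leaf.getSubjectX500Principal().getName();   // RFC 2253 form
        if (!ALLOWED_SUBJECTS.contains(subject)) {
            throw new AxisFault("client certificate not authorised: " + subject);
        }
        return subject;
    }
}
```

The allow-list compares the full RFC 2253 subject string, so the entry must match exactly what getName() produces for the client certificate; printing that value once from a known-good client is the easiest way to obtain it. Trust (does the certificate chain to the truststore?) stays with the container; this handler only adds the authorisation decision on top of it.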

Re: Axis 2 - SSL with Client Authentication

Posted by Fernando Cesar Silva <fs...@synchro.com.br>.
Hi Stefan,

I will assume that your server configuration is OK (that I don't know very
well) and I will focus on the client part.

Here, I had to call a secure webservice from the Brazilian government that
requires client authentication.

Before I call the secure webservice, I only set in my client the system
properties that JSSE consults when doing the SSL handshake.

import java.util.Properties;

// Set the JSSE system properties before the first SSL connection is opened;
// the default SSLContext reads them once, when it is created.
final Properties props = System.getProperties();

// Truststore: the server certificate (or the CA that issued it).
props.setProperty("javax.net.ssl.trustStore", "C:/Certificados/sefazrssef.jks");
props.setProperty("javax.net.ssl.trustStorePassword", "xxxxxxx");
props.setProperty("javax.net.ssl.trustStoreType", "JKS");

// Keystore: the client's own private key and certificate for client authentication.
props.setProperty("javax.net.ssl.keyStore", "C:/Certificados/transpamericana.jks");
props.setProperty("javax.net.ssl.keyStorePassword", "xxxxxxx");
props.setProperty("javax.net.ssl.keyStoreType", "JKS");

System.setProperties(props);

Your truststore has to contain the server certificate (public key) and its
certificate chain.

Your keystore has to contain the client private key (issued by a trusted
CA).

You can work with other keystore and truststore types as well, by changing
"JKS" to another type (e.g. "PKCS12").

You can turn on the SSL debug output by setting the property:
props.setProperty("javax.net.debug", "ssl");

For more information take a look at:
http://wiki.apache.org/ws/FrontPage/Axis/AxisClientConfiguration/Ssl

http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html#Customization

Hope this helps.

Fernando Cesar
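
The javax.net.ssl.* properties above, like the ones in Steve Gruverman's reply, configure the JVM-wide default SSLContext, so every HTTPS connection in the process presents the same client certificate and trusts the same servers. The following client is an added example (not code from this thread, from Axis2 or from JSSE's documentation) that builds the same two stores into an explicit SSLContext and applies it to a single HttpsURLConnection fetching the service's WSDL, which is the connection that fails with the "service cannot be found" / handshake problems described earlier. File names, passwords, the endpoint URL and the Java 7 try-with-resources syntax are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Mutual-TLS client setup without the global javax.net.ssl.* system
 * properties: one SSLContext built from an explicit keystore (the client's
 * own key + certificate) and truststore (the server certificate, or the CA
 * that issued it), used for a single HttpsURLConnection.
 *
 * Example code; paths, passwords and the endpoint URL are assumptions.
 */
public class MutualTlsClient {

    /** Load a keystore file; storeType is "JKS" or "PKCS12". */
    static KeyStore loadStore(String path, String storeType, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(storeType);
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /**
     * keyStore   : the client's private key and certificate, presented when the
     *              server asks for client authentication (clientAuth="true").
     * trustStore : the server certificate or its issuing CA; only servers whose
     *              chain ends in one of these entries are accepted.
     */
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        // null SecureRandom = platform default. Never substitute an accept-all
        // TrustManager here; that silently disables server authentication.
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed file names: client.jks holds the client key pair,
        // client-truststore.jks holds the server's exported certificate.
        KeyStore ks = loadStore("client.jks", "JKS", "changeit".toCharArray());
        KeyStore ts = loadStore("client-truststore.jks", "JKS", "changeit".toCharArray());
        SSLContext ctx = buildContext(ks, "changeit".toCharArray(), ts);

        // Scope the context to this one connection. To make every HTTPS
        // connection in the JVM use it (what the system properties achieve), call
        // HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory()).
        URL wsdl = new URL("https://localhost:8443/axis2/services/RepositoryService?wsdl");
        HttpsURLConnection conn = (HttpsURLConnection) wsdl.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default hostname verifier stays in place: the server certificate
        // must match "localhost". Do not replace it with an accept-all verifier.

        int status = conn.getResponseCode();             // forces the TLS handshake
        Certificate[] serverChain = conn.getServerCertificates();
        System.out.println("HTTP " + status + " via " + conn.getCipherSuite());
        System.out.println("server certificate: "
                + ((X509Certificate) serverChain[0]).getSubjectX500Principal());
        conn.disconnect();
    }
}
```

If the server has clientAuth="true" and the key in client.jks does not chain to the server's truststore, getResponseCode() fails with an SSLHandshakeException; running with -Djavax.net.debug=ssl shows which side aborted. For the browser test mentioned earlier in the thread, keytool -export writes only the public certificate, which is why Firefox rejects it; a browser needs a PKCS#12 bundle that also carries the private key, which keytool can produce from Java 6 on with: keytool -importkeystore -srckeystore client.jks -srcstoretype JKS -destkeystore client.p12 -deststoretype PKCS12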

