Posted to dev@ws.apache.org by Apache Wiki <wi...@apache.org> on 2006/01/03 18:14:36 UTC

[Ws Wiki] Update of "FrontPage/Axis/AxisClientConfiguration/Ssl" by CyrilleLeClerc

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Ws Wiki" for change notification.

The following page has been changed by CyrilleLeClerc:
http://wiki.apache.org/ws/FrontPage/Axis/AxisClientConfiguration/Ssl

New page:
'''Using SSL with Axis Client'''

The out-of-the-box SSL configuration of the Axis client accepts any SSL certificate issued by a 'well known' certification authority (e.g. Verisign, ...).

This implementation is called {{{JSSESocketFactory}}} and it relies on Java Secure Socket Extension (aka JSSE).

If you need to use a 'non-trusted' server certificate (self-signed, ...), you can either configure the {{{JSSESocketFactory}}} or use another SSL implementation called {{{SunFakeTrustSocketFactory}}}.

'''JSSE``Socket``Factory'''

{{{JSSESocketFactory}}} configuration relies on JSSE configuration. By default, it uses the JDK built-in keystore file {{{<jre-home>/lib/security/cacerts}}} with its default password {{{changeit}}}.

The JSSE configuration parameters are described [http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#InstallationAndCustomization here]. The major properties are {{{javax.net.ssl.keyStore}}} (location of the keystore) and {{{javax.net.ssl.keyStorePassword}}} (password of the keystore).

To import a server certificate into your keystore, use the JDK's built-in keytool as described [http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html#importCmd here] or use a WYSIWYG tool like [http://alphaworks.ibm.com/tech/keyman KeyMan].

'''Sun``Fake``Trust``Socket``Factory'''

The {{{SunFakeTrustSocketFactory}}} is intended for development environments and will accept any SSL certificate, so the server's certificate is not validated at all. To use it, create in your classpath, under {{{META-INF/services/}}}, a file called {{{org.apache.axis.components.net.SecureSocketFactory}}} (download [attachment:org.apache.axis.components.net.SecureSocketFactory here]) with the content:
{{{
org.apache.axis.components.net.SunFakeTrustSocketFactory
}}} 

(!) This mechanism to select the {{{SecureSocketFactory}}} implementation relies on the Axis pluggable API described [http://ws.apache.org/axis/java/integration-guide.html#Components here]


'''Notes and Resources'''

 * Related wiki page : FrontPage/Axis/SslUnsignedCertificate

 * JSSE has been bundled in JVMs since JDK 1.4. For older JVMs, JSSE is downloadable at http://java.sun.com/products/jsse/downloads/index.html

 * JSSE Reference : http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html

 * If you get an exception message "SunCertPathBuilderException: unable to find valid certification path to requested target", it means that the server's certificate is not trusted. To fix this, you need to import the server's certificate into the client's keystore (see JSSE guide: http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#CreateKeystore ).

 * [http://alphaworks.ibm.com/tech/keyman KeyMan] is a nice WYSIWYG alternative to [http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html keytool] to manage certificates and keystores 

 * Interesting tutorial "How to use webservices with SSL?" : http://www.artima.com/forums/flat.jsp?forum=46&thread=106915