Posted to dev@ws.apache.org by Apache Wiki <wi...@apache.org> on 2007/07/10 13:50:07 UTC

[Ws Wiki] Update of "FrontPage/Axis/DynamicSSLConfig" by RichardUnger

The following page has been changed by RichardUnger:
http://wiki.apache.org/ws/FrontPage/Axis/DynamicSSLConfig

New page:

The following describes a setup for dynamically choosing the client certificate used for SSL Authentication from an Axis Client.

This method has been tested using Axis 1.4 and Java 1.5 under Tomcat 5.5.20 and WebSphere 6.1.

=== The Motivation ===

Generally, a client will use one client certificate to identify itself to services it is accessing. Depending on the application, the client certificate will belong to the user of the application, or will be part of the installation of the application client itself.

Sometimes this model is insufficient:

* Perhaps more than one service needs to be accessed by the client, and the client is not free to choose the certificates used for access. In this case the client will need to work with the (multiple) certificates provided.
* In some cases the client will be acting "on behalf" of more than one user, and will want to use each user's own certificate to authenticate against backend systems.

Whatever the reason, sometimes the "one client, one certificate" model is not applicable. In this case, the client has to work, dynamically at run-time, with more than one certificate at a time.

=== The Problem ===

In its current implementation, the SSL Transport for Axis has several shortcomings:

* The base SecureSocketFactory cannot be configured dynamically. It is configured using environment variables, which is unsuitable when the client certificate has to change at run-time.
* The SunJSSESecureSocketFactory is more configurable, accepting a keyfile parameter from the Axis configuration at run-time. However, this 


=== The Solution ===

