Posted to java-user@axis.apache.org by "Ockleford Paul (NHS CONNECTING FOR HEALTH)" <pa...@nhs.net> on 2012/12/21 18:28:06 UTC

Mutual SSL with Axis2

Hi,

I have one-way SSL working fine, as I have my web services exposed over https and I am able to consume them with a client built from the WSDL using wsdl2java. I would now like to set up mutual SSL so that I can allow only clients I choose to connect to my service.

I have tried getting this set up by creating a self-signed certificate at my client and then exporting the public portion, which I have added to cacerts on my server. I then amended the Tomcat config for the URL /applications so that it requires a client certificate. This means when I now browse to the WSDL address with my browser I get the following error: The request sent by the client was syntactically incorrect (No client certificate chain in this request).

I then made a slight change to my client code:

SecureProtocolSocketFactory spsf = new AuthSSLProtocolSocketFactory(
        new File("N:/Workspaces/Webservices/HelloWorld/client-keystore").toURI().toURL(), "changeit",
        new File("N:/Workspaces/Webservices/HelloWorld/client-keystore").toURI().toURL(), "changeit");
Protocol authhttps = new Protocol("https", spsf, 443);
Protocol.registerProtocol("https", authhttps);

I then assumed that when making a call from my client everything would work, but it seems like my client also gets the same HTML page returned from Tomcat now saying that there is no client certificate chain in the request.

Is there something else that I need to do?

Again any help is appreciated.

********************************************************************************************************************

This message may contain confidential information. If you are not the intended recipient please inform the
sender that you have received the message in error before deleting it.
Please do not disclose, copy or distribute information in this e-mail or take any action in reliance on its contents:
to do so is strictly prohibited and may be unlawful.

Thank you for your co-operation.

NHSmail is the secure email and directory service available for all NHS staff in England and Scotland
NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and GSi recipients
NHSmail provides an email address for your career in the NHS and can be accessed anywhere

********************************************************************************************************************

RE: Mutual SSL with Axis2

Posted by Martin Gainty <mg...@hotmail.com>.
Rampart has a slightly different implementation for Mutual Authentication. pom.xml has maven-antrun-plugin copy a prebuilt services-14.xml to META-INF/services.xml and a prebuilt SecureService14.aar.
pom.xml:
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-antrun-plugin</artifactId>
                <version>1.1</version>
                <executions>
                    <execution>
                        <configuration>
                            <tasks>
                                <!-- generate the service skeleton from the WSDL -->
                                <java classname="org.apache.axis2.wsdl.WSDL2Java" fork="true">
                                    <arg line="-uri src/main/resources/ping/ping.wsdl -ss -o target/generated-code -p org.apache.axis2.oasis.ping -d xmlbeans -g"/>
                                    <classpath refid="maven.dependency.classpath"/>
                                    <classpath refid="maven.compile.classpath"/>
                                    <classpath refid="maven.runtime.classpath"/>
                                </java>
                                <!-- install the prebuilt services-14.xml as META-INF/services.xml and package the .aar -->
                                <copy overwrite="yes"
                                      file="src/test/resources/rampart/services-14.xml"
                                      tofile="target/temp-ramp/META-INF/services.xml"/>
                                <jar jarfile="target/test-resources/rampart_service_repo/services/SecureService14.aar"
                                     basedir="target/temp-ramp"/>
                            </tasks>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
Mutual authentication is enforced in the policy as defined by services-14.xml. Contents of services-14.xml:

<service name="SecureService14">
 <module ref="addressing"/>
 <module ref="rampart"/>
 <parameter locked="false" name="ServiceClass">org.apache.rampart.Service</parameter>
 <operation name="echo">
  <messageReceiver class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
  <actionMapping>urn:echo</actionMapping>
 </operation>
 <wsp:Policy wsu:Id="MutualCertificate11Sign_IPingService_policy"
             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
             xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
             xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
     <wsp:ExactlyOne>
         <wsp:All>
                 <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                     <wsp:Policy>
                         <sp:ProtectionToken>
                             <wsp:Policy>
                                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                     <wsp:Policy>
                                         <sp:RequireThumbprintReference/> 
                                         <sp:WssX509V3Token10/>
                                     </wsp:Policy>
                                 </sp:X509Token>
                             </wsp:Policy>
                         </sp:ProtectionToken>
                         <sp:AlgorithmSuite>
                             <wsp:Policy>
                                 <sp:Basic256/>
                             </wsp:Policy>
                         </sp:AlgorithmSuite>
                         <sp:Layout>
                             <wsp:Policy>
                                 <sp:Strict/>
                             </wsp:Policy>
                         </sp:Layout>
                         <sp:IncludeTimestamp/>
                         <sp:OnlySignEntireHeadersAndBody/>
                     </wsp:Policy>
                 </sp:SymmetricBinding>
                 <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                     <wsp:Policy>
                         <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                             <wsp:Policy>
                                 <sp:RequireThumbprintReference/>
                                 <sp:WssX509V3Token10/>
                             </wsp:Policy>
                         </sp:X509Token>
                     </wsp:Policy>
                 </sp:EndorsingSupportingTokens>
                 <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                     <sp:Body/>
                     <sp:Header Name="To" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
                     <sp:Header Name="From" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
                     <sp:Header Name="FaultTo" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
                     <sp:Header Name="ReplyTo" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
                     <sp:Header Name="MessageID" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
                     <sp:Header Name="RelatesTo" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
                     <sp:Header Name="Action" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
                 </sp:SignedParts>
                <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                     <wsp:Policy>
                         <sp:MustSupportRefKeyIdentifier/>
                         <sp:MustSupportRefIssuerSerial/>
                         <sp:MustSupportRefThumbprint/>
                         <sp:MustSupportRefEncryptedKey/>
                         <sp:RequireSignatureConfirmation/>
                     </wsp:Policy>
                 </sp:Wss11> 
                 <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                     <wsp:Policy>
                         <sp:MustSupportIssuedTokens/>
                         <sp:RequireClientEntropy/>
                         <sp:RequireServerEntropy/>
                     </wsp:Policy>
                 </sp:Trust10>
     <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy"> 
      <ramp:user>alice</ramp:user>
      <ramp:encryptionUser>bob</ramp:encryptionUser>
      <ramp:passwordCallbackClass>org.apache.rampart.PWCallback</ramp:passwordCallbackClass>
      
      <ramp:signatureCrypto>
       <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
       </ramp:crypto>
      </ramp:signatureCrypto>
      <ramp:encryptionCrypto>
       <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
       </ramp:crypto>
      </ramp:encryptionCrypto>
     </ramp:RampartConfig>
         </wsp:All>
     </wsp:ExactlyOne>
 </wsp:Policy>
</service>
Martin 
______________________________________________ 
Disclaimer and confidentiality note

This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorised forwarding or copying is not permitted. This message serves only to exchange information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept liability for their content.


RE: Mutual SSL with Axis2

Posted by "Okken,Brett" <BO...@CERNER.COM>.
I have done the following:

            if (sslProtocol != null && "https".equals(endPoint.getProtocol()))
            {
                serviceClient.getOptions().setProperty(HTTPConstants.CUSTOM_PROTOCOL_HANDLER, sslProtocol);

                //if the endpoint is https, the port is 443 by default
                final int urlPort = endPoint.getPort();
                final int port = urlPort == -1 ? 443 : urlPort;
                httpClient.getHostConfiguration().setHost(endPoint.getHost(), port, sslProtocol);
            }

            serviceClient.getOptions().setSoapVersionURI(SOAP12Constants.SOAP_ENVELOPE_NAMESPACE_URI);

            serviceClient.getOptions().setProperty(HTTPConstants.REUSE_HTTP_CLIENT, Boolean.TRUE);
            serviceClient.getOptions().setProperty(HTTPConstants.CACHED_HTTP_CLIENT, httpClient);

Where sslProtocol is a org.apache.commons.httpclient.protocol.Protocol instance that I only create if I have a custom SSLSocketFactory (for use with mutual TLS).
httpClient is a org.apache.commons.httpclient.HttpClient instance I create with a MultiThreadedHttpConnectionManager with some custom configuration of the connection properties (number of connections, timeouts, etc.).

Brett Okken | CAMM Platform Services | Lead Architect | 816.201.6112 | www.cerner.com | bokken@cerner.com
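One way to wire a client certificate into an Axis2 ServiceClient along the lines Brett describes, as an added example that is not code from this thread or from Axis2 itself. It assumes commons-httpclient 3 with the contrib AuthSSLProtocolSocketFactory, a client keystore kept separate from the truststore, and a hypothetical endpoint URL and file names.

```java
import java.io.File;
import java.net.URL;

import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
import org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.Protocol;

/**
 * Added example (not from the thread): builds an Axis2 ServiceClient whose https
 * connections present a client certificate. The Protocol is handed to Axis2 through
 * its options rather than relying only on the global Protocol.registerProtocol() registry.
 */
public final class MutualTlsAxis2Client {

    public static ServiceClient build(URL endpoint,
                                      File clientKeystore, String keystorePassword,
                                      File truststore, String truststorePassword) throws Exception {
        if (!"https".equals(endpoint.getProtocol())) {
            throw new IllegalArgumentException("mutual TLS needs an https endpoint: " + endpoint);
        }
        // Keystore: the client's private key and certificate, sent when Tomcat asks for a client cert.
        // Truststore: the CA or server certificate the client accepts; kept separate from the keystore.
        // This contrib factory validates the server chain against the truststore but performs no
        // hostname verification of its own, so the truststore should hold only the intended issuer.
        AuthSSLProtocolSocketFactory factory = new AuthSSLProtocolSocketFactory(
                clientKeystore.toURI().toURL(), keystorePassword,
                truststore.toURI().toURL(), truststorePassword);

        // https with no explicit port in the URL means 443
        int port = endpoint.getPort() == -1 ? 443 : endpoint.getPort();
        Protocol mutualHttps = new Protocol("https", factory, port);

        // A pooled HttpClient pinned to the endpoint host and the mutual-TLS protocol
        HttpClient httpClient = new HttpClient(new MultiThreadedHttpConnectionManager());
        httpClient.getHostConfiguration().setHost(endpoint.getHost(), port, mutualHttps);

        ServiceClient client = new ServiceClient();
        Options options = client.getOptions();
        options.setTo(new EndpointReference(endpoint.toString()));
        options.setProperty(HTTPConstants.CUSTOM_PROTOCOL_HANDLER, mutualHttps);
        options.setProperty(HTTPConstants.REUSE_HTTP_CLIENT, Boolean.TRUE);
        options.setProperty(HTTPConstants.CACHED_HTTP_CLIENT, httpClient);
        return client;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical endpoint and file names; replace with your own.
        ServiceClient client = build(new URL("https://service.example/applications/HelloWorld"),
                new File("client-keystore.jks"), "changeit",
                new File("client-truststore.jks"), "changeit");
        System.out.println("configured " + client.getOptions().getTo().getAddress());
    }
}
```

For a wsdl2java-generated stub, apply the same options through stub._getServiceClient().getOptions() before calling the operation.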


CONFIDENTIALITY NOTICE This message and any included attachments are from Cerner Corporation and are intended only for the addressee. The information contained in this message is confidential and may constitute inside or non-public information under international, federal, or state securities laws. Unauthorized forwarding, printing, copying, distribution, or use of such information is strictly prohibited and may be unlawful. If you are not the addressee, please promptly delete this message and notify the sender of the delivery error by e-mail or you may call Cerner's corporate offices in Kansas City, Missouri, U.S.A at (+1) (816)221-1024.