Posted to soap-user@xml.apache.org by "Michael D. Spence" <sp...@panix.com> on 2003/01/03 03:38:42 UTC

Tomcat, Axis and SSL (was: Using SOAP + HTTP as a client within tomcat.)

> -----Original Message-----
> From: Scott Nichol [mailto:snicholnews@scottnichol.com]
> Sent: Thursday, January 02, 2003 12:06 PM
> To: soap-user@xml.apache.org
> Subject: Re: Using SOAP + HTTP as a client within tomcat.
>
>

> Good luck, and when you resolve this, it would be great if you could
> post the resolution to this list so the next poor soul in
> your situation
> can benefit from your pain.
>



I just spent a (painful) day or two getting SSL to work.  Here's what
worked for me.  Remember, this isn't necessarily the appropriate
setup for production use -- I just wanted the SSL stuff to work so
I could proceed with development.  You might want real certificates
issued by a real CA for production.

1) Using keytool, create a self-signed certificate:
keytool -genkey -alias server -keyalg RSA -keystore servercerts.ks
Answer the question appropriately.  (Hint: use the same password
for the key and the keystore.)

2) Copy servercerts.ks (which was generated into your working
directory above) to %CATALINA_HOME%

3) Modify %CATALINA_HOME%\conf\server.xml to enable a secure port.
Locate the Connector element for port 8443 and uncomment it.  Embedded
in the Connector is a <Factory> element.  Add two new attributes:

<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             keystoreFile="servercerts.ks"       <--	(Add this line)
             keystorePass="<password you used>"  <--  (Add this line)
             clientAuth="false" protocol="TLS" />

This will be effective the next time you restart Tomcat.

4) Export the server certificate:

keytool -export -rfc -alias server -keystore servercerts.ks -file server.cert
Enter keystore password:  <your password here>
Certificate stored in file <server.cert>

5) Using any precautions that you think are appropriate, move server.cert
to the system where the client will run (in other words, if you're just
setting this up for development, like I was, then copying it to another
system over your LAN is probably ok.  If, on the other hand, you're really
going to rely on this authentication then you should take steps to make
sure that server.cert isn't compromised or viewed by others.

6) Import the certificate into the client's keystore:
keytool -import -file server.cert -keystore client.ks
Enter keystore password:  <your password here>

keytool will show you the issuer and owner data, and also some hashes.
You could use this opportunity to reach out to the sender over
the phone and compare the hashes to make sure the file wasn't tampered with.
Or not.

keytool can create a keystore if you don't have one.  In your client,
set the following system properties:

System.setProperty("javax.net.ssl.trustStore","<path to your client keystore>");
System.setProperty("javax.net.ssl.trustStorePassword","<your password>");

Set these if you want to have the server authenticate the client.

System.setProperty("javax.net.ssl.keyStore","<path to your client keystore>");
System.setProperty("javax.net.ssl.keyStorePassword","<your password>");

If you do this you'll have to set clientAuth="true" in the <Factory> element
in server.xml.  And you'll also have to export the client's certificate
from the client's keystore and import it into the server's truststore.

Finally, this is useful for debugging, although it can produce a ton of
output:

System.setProperty("javax.net.debug","ssl:handshake");

You can set it on the Tomcat side by using -Djavax.net.debug="ssl:handshake"
on the command line you use to start Tomcat.
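As an added example (not code from the original post), here is the same trust store and optional client key store wired into a per-connection SSLContext instead of the JVM-wide javax.net.ssl system properties; this matters when the SOAP client runs inside Tomcat, where those properties would apply to every HTTPS connection in the server JVM. The file names, the password and the URL are assumptions.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TomcatSslClient {

    // Load a JKS keystore created by keytool (path and password are assumptions).
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Trust only the certificates in the given store (client.ks, where server.cert
    // was imported). When clientKeyStore is non-null the client also presents its
    // own key, which is what clientAuth="true" in the <Factory> element requires.
    static SSLContext buildContext(KeyStore trustStore, KeyStore clientKeyStore,
                                   char[] keyPassword) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        KeyManagerFactory kmf = null;
        if (clientKeyStore != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(clientKeyStore, keyPassword);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray(); // assumption: one password for key and store
        KeyStore trust = loadJks("client.ks", password);
        // Pass null for the client key store when the server runs with clientAuth="false".
        SSLContext ctx = buildContext(trust, null, password);
        // Besides the handshake, HttpsURLConnection's default hostname verifier checks the
        // certificate's CN against the URL host, so the keytool "first and last name"
        // answer for the server certificate must match the host name used here.
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```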
