
Mutual authentication in Web Services

 
Sabya Sachi
Greenhorn
Hi,

I have already built my webservice and it is ready for use...

But I want to implement security into my service using SSL.

Let me first tell you I have used jwsdp-1.3 and Tomcat 5.0 as the web container to build my JAX-RPC service.

I have followed the mutual authentication example provided in the jwstutorial, but that does not seem to be too useful to me... because it does not clearly describe how the authentication has to be done from the various client sides.


I want to have a third party as the certifying authority for both the server as well as the client.

Kindly guide me how do I go about setting the properties in the server side as well as in the client-side....

I am now trying out my luck with SAML (Security Assertion Markup Language)... I have got certain pieces of code related to SAML, but SAML web service integration is not described. Those just show how SAML works... Please help me out. It is very urgent for me.
Thanks in advance

Sabyasachi
 
William Brogden
Author and all-around good cowpoke
Rancher
I have just gone through the exercise of setting up SSL connections with client authentication in Tomcat 5 and it was quite a pain. I found that not only do you have to configure a port in server.xml - something like this (with obvious obfuscation of my real path):


BUT you also have to start Tomcat with system properties that match the parameter in server.xml AND also define the trustStore location and password that match the client keys in the catalina.bat startup batch file (that took a while to discover!!) (again obfuscated)


I actually used the same keystore and pass for both client and server.
On the client side, I ended up defining System parameters when the app starts by means of a properties file. This code gets called very early in startup.

where the properties file has

Again, both pointed to the same keystore (selfsigned in my case)

This may in fact be more complicated than it needs to be, but it seems to be working. I never found a resource that covered all these points.
Bill
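Bill's own server.xml, catalina.bat and properties-file snippets did not survive on this page. The following is an added example, not his code, of the client-side half he describes: a properties file read at startup whose entries are copied into the javax.net.ssl.* system properties before the first HTTPS connection is opened. The class name, the file name client-ssl.properties, the keys inside it, the placeholder password and the URL are all assumptions made for the example; the javax.net.ssl.* property names themselves are the standard JSSE ones.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.cert.X509Certificate;
import java.util.Properties;
import javax.net.ssl.HttpsURLConnection;

/**
 * Client-side bootstrap for a mutually authenticated HTTPS call (example code).
 *
 * Assumed properties file "client-ssl.properties" (placeholder values):
 *
 *   # the client's own private key and certificate (presented to the server)
 *   keyStore=/path/to/client.jks
 *   keyStorePassword=changeit
 *   # the server certificate, or the CA certificate that signed it
 *   trustStore=/path/to/client-trust.jks
 *   trustStorePassword=changeit
 *
 * JSSE reads the javax.net.ssl.* system properties once, when the default
 * SSLContext is first built, so configure() has to run before the first
 * HTTPS connection; that is the "very early in startup" requirement.
 */
public final class ClientSslBootstrap {

    /** { key in the properties file, JSSE system property it feeds }. */
    private static final String[][] PROPERTY_MAP = {
        { "keyStore",           "javax.net.ssl.keyStore" },
        { "keyStorePassword",   "javax.net.ssl.keyStorePassword" },
        { "trustStore",         "javax.net.ssl.trustStore" },
        { "trustStorePassword", "javax.net.ssl.trustStorePassword" },
    };

    public static void configure(String propertiesFile) throws IOException {
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(propertiesFile)) {
            p.load(in);
        }
        for (String[] pair : PROPERTY_MAP) {
            String value = p.getProperty(pair[0]);
            // Fail fast: with no key store JSSE still connects, but one-sided,
            // and a clientAuth="true" server then drops the handshake.
            if (value == null || value.trim().isEmpty()) {
                throw new IllegalStateException("missing '" + pair[0] + "' in " + propertiesFile);
            }
            System.setProperty(pair[1], value.trim());
        }
    }

    /** Performs a GET over mutual TLS and returns the HTTP status code. */
    public static int probe(String serviceUrl) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(serviceUrl).openConnection();
        conn.setRequestMethod("GET");
        int status = conn.getResponseCode();   // the TLS handshake happens here
        // The handshake already validated the server chain against the trust
        // store; logging the subject makes a misdirected call visible.
        X509Certificate server = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("server cert subject: " + server.getSubjectX500Principal());
        conn.disconnect();
        return status;
    }

    public static void main(String[] args) throws IOException {
        String props = args.length > 0 ? args[0] : "client-ssl.properties";
        String url   = args.length > 1 ? args[1] : "https://localhost:8443/";  // placeholder
        configure(props);
        System.out.println("HTTP " + probe(url));
    }
}
```

Two practical points. Using one keystore for both sides, as Bill did for his test, means the server's private key is shipped to every client; separate key stores (each side's own key) and trust stores (the other side's certificate or CA) avoid that. And whatever file carries keyStorePassword needs filesystem permissions that match the private key it unlocks; passing it as a -D option on the command line instead exposes it to anyone who can list processes.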
 
Sabya Sachi
Greenhorn
Hi,

I had already done all the settings in server.xml earlier. But I am not getting one thing... how do you go about setting the client stores for various clients? The server needs to have the public keys of all the various clients. How does the server maintain this?

I am still in doubt...

Anyway, your piece of information helped me to a certain extent...

Sabyasachi
 
William Brogden
Author and all-around good cowpoke
Rancher
I "cheated" by using the same certificate everywhere. With separate client certificates, I think you would have to import them into your "truststore" using the Java keytool.
Although I was able to get clientAuth="true" working between my local machines, when my customer tried it from elsewhere on the net, the connection was never created. No error message that we could find, it just didn't connect - very frustrating.
Bill
 
Sabya Sachi
Greenhorn
Hi

I have solved the mutual authentication problem. Now I can handle various clients and can maintain their list on the server side.

The settings actually were quite simple... I found the solution in the jws 1.0 doc.


For mutual authentication I had to follow these steps.



I created a keystore for the server side using keytool with the server details. Then I exported the contents into a file which acted as the public key certificate for the server. I gave the path of the keystore file in the SSL connector tag in server.xml.
Client also generates a certificate from his/her side and exports the contents into a file which acts as the public key holder for the client.

The server certificate is passed to the client which client imports into his/her keystore.

Same happens at the server side.
The server imports the client certificate into his/her keystore.

The client just needs to set his/her keystore location and the password to it.

That's it and bingo.......

Cheers.....

Sabyasachi
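The server-side step of the procedure above, "the server imports the client certificate into its keystore", is also where the list of clients that Sabyasachi asked about lives. As an added example (not code from this thread), the class below maintains that trust store with the java.security.KeyStore API rather than keytool, so that each import can be gated on the two checks a practitioner wants before trusting a client: the certificate is currently valid, and it was actually issued by the agreed third-party CA. The equivalent keytool command is given in a comment. The class name, the file names server-trust.jks and ca.pem, the JKS format and the password "changeit" are assumptions made for the example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Server-side trust store of client certificates (example code).
 *
 * Assumed files: server-trust.jks (created if absent), ca.pem (the third-party
 * CA certificate) and client certificates as DER or PEM files.
 */
public final class ClientTrustStore {

    private final KeyStore store;
    private final char[] password;
    private final File file;

    public ClientTrustStore(File file, char[] password) throws Exception {
        this.file = file;
        this.password = password;
        this.store = KeyStore.getInstance("JKS");
        if (file.exists()) {
            try (InputStream in = new FileInputStream(file)) { store.load(in, password); }
        } else {
            store.load(null, null);   // new, empty trust store
        }
    }

    /** Reads a single X.509 certificate from a PEM or DER file. */
    public static X509Certificate readCert(File f) throws Exception {
        try (InputStream in = new FileInputStream(f)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /**
     * Adds one client certificate under its own alias. keytool equivalent,
     * which performs neither check:
     *   keytool -import -alias <alias> -file client.cer -keystore server-trust.jks
     */
    public void addClient(String alias, X509Certificate clientCert, X509Certificate ca) throws Exception {
        clientCert.checkValidity();             // CertificateExpired / NotYetValid
        clientCert.verify(ca.getPublicKey());   // SignatureException unless issued by ca
        if (store.containsAlias(alias)) {
            throw new IllegalStateException("alias already present: " + alias);
        }
        store.setCertificateEntry(alias, clientCert);
    }

    /** Deleting the entry is the only "revocation" a plain trust store offers. */
    public void removeClient(String alias) throws Exception {
        store.deleteEntry(alias);
    }

    /** The list the server maintains: alias, subject and expiry of every trusted client. */
    public List<String> listClients() throws Exception {
        List<String> out = new ArrayList<>();
        for (Enumeration<String> e = store.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate c = (X509Certificate) store.getCertificate(alias);
            out.add(alias + " -> " + c.getSubjectX500Principal() + " (expires " + c.getNotAfter() + ")");
        }
        return out;
    }

    public void save() throws Exception {
        try (OutputStream out = new FileOutputStream(file)) { store.store(out, password); }
    }

    /** usage: add <alias> <client.cer> | remove <alias> | list */
    public static void main(String[] args) throws Exception {
        ClientTrustStore ts = new ClientTrustStore(new File("server-trust.jks"), "changeit".toCharArray());
        switch (args.length > 0 ? args[0] : "list") {
            case "add":
                ts.addClient(args[1], readCert(new File(args[2])), readCert(new File("ca.pem")));
                ts.save();
                break;
            case "remove":
                ts.removeClient(args[1]);
                ts.save();
                break;
            default:
                for (String line : ts.listClients()) System.out.println(line);
        }
    }
}
```

Point the server's javax.net.ssl.trustStore (the startup property Bill mentions) at this file and keep clientAuth="true" on the connector, which is what actually demands a client certificate. Do not import the CA certificate itself into this store: once the CA is a trust anchor, every certificate it ever issues passes the handshake and the per-client entries stop being an allow list. Note also that Tomcat reads the trust store when the connector starts, so removing a client takes effect only after a restart, and that the client's own private key never needs to leave the client; only its certificate is exchanged.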
 