my project requires making a SOAP call to access a web service over HTTPS. We are using WSAD 5.0 server with IIS web server. I am very new to this. Could anyone sort of guide me? I have the WSDL file & I generated Java Proxy clients using WSDL2Client. How do I go about ensuring that the SOAP goes over SSL/HTTPS? Are there any security changes required at the app server level? Should I have made any changes to WSDL document itself as it has http:// references in the soap binding. The service provider uses real certificates (veriSign). How do I handle exchange of certificates?
Any help is greatly appreciated. Thanks in advance.
posted 12 years ago
You can export a verisign certificate from IE (Tools->Internet Options->Content->Certificates...->Trusted Root Certificates (tab)) and export the one which shows Server Authentication in the description and export as DER encoding (a .cer file). Say you save this in a file named verisign.cer.
Then use keytool.exe to import this certificate as trusted root certificate store: keytool -import -trustcacerts -alias verisign -file verisign.cer –keystore %JAVA_HOME%/lib/security/cacerts -storepass changeit -storetype JKS
You may also store it in another keysotre file than the default cacerts. The password "changeit" is default password for cacerts keystore.
The client uses the imported certificate to trust the server that owns that certificate. When a client establishes a session, the server sends a server certificate to the client. If the certificate is a member of the certificates included in the client keystore, the client trusts the server and so proceeds to the session.
For the client, you must set up Java system properties that are required when invoking SSL. These are:
the keystore type (storetype),
keystore filename (keystore), and
keystore password (storepass)
Here's how you do this in your client code:
Note: If your wsdl does not specify the service endpoint location with https:// url then your service does not require ssl. Also, before you change the wsdl's service endpoint location to an https:// url you will first need to check if thats valid url (usually the service location url appended with ?WSDL should show the WSDL file for the service).
To add the verisign certificate (or any new certificate) as trusted root certificate to cacerts file, use the following command:
It will prompt for the password for the cacerts keystore which is "changeit" by default. It will also prompt if you want to trust this certificate .. answer yes. The keytool -list will list this certificate details: C:\>keytool -list Enter keystore password: changeit
Keystore type: jks Keystore provider: SUN
Your keystore contains 1 entry
verisign_new, Aug 3, 2006, trustedCertEntry, Certificate fingerprint (MD5): 26:XXXX60
To check if the certificate was installed:
where, verisign_new is the alias we used which added the certificate to keystore.
Even though the default cacerts should include the verisign class 2 ca certificate (as documented by JDK tools doc for keytool), it does not list it and so i think its better to install a verisign cert manually in the client side JVM keystore as shown above.
Thanks a lot. Our Web Admin helped us to import the certificate in cacert file. Should I still set the trustore, keystore properties in the code? Wouldn't webSphere server know where to find the certificate/public key information?
posted 12 years ago
You will need to set the system properties to let the JVM know which keystore to look into for trusted ca certificates when a server tries to authenticate itself with your client (running in the context of your JVM process). And also the password for the keystore to allow the JVM to be able to access the trusted ca certs stored in the keystore. Websphere is just an application which runs in the context of JVM and in turn manages the lifecycle of your client app.
This thread helped me a lot, in addition to I would like to add my issues faced, in process of applying these changes,
I have imported the Key as mentioned in the thread, but inspite of setting the correct password of cacerts.jks ,it throws me a error some thing like as shown below
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
... 54 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
... 66 more
I have used keytool in cmd(command promt) to set the password and I was trying to change it using -newpasswd flag, but still I used to get the same error,
After so much of googleing I found a software tool, which maintains these sort of SSL certificates, tool name is Keystore Explorer, home page link is http://www.lazgosoftware.com/kse/index.html,
Using this tool I have exported the keystore, and changed the default password to some 'abc123' and its worked for me, I have modified the code snippet as well, below is my updated code snippet to set the JAVA environment.