SOAP over HTTPS / SSL

 
Greenhorn
Posts: 6
Hello everyone,

need help -

My project requires making a SOAP call to access a web service over HTTPS. We are using WSAD 5.0 server with IIS web server. I am very new to this. Could anyone sort of guide me?
I have the WSDL file & I generated Java proxy clients using WSDL2Client. How do I go about ensuring that the SOAP goes over SSL/HTTPS? Are there any security changes required at the app server level? Should I have made any changes to the WSDL document itself, as it has http:// references in the SOAP binding?
The service provider uses real certificates (VeriSign). How do I handle the exchange of certificates?

Any help is greatly appreciated. Thanks in advance.
 
Ranch Hand
Posts: 111
You can export a VeriSign certificate from IE (Tools->Internet Options->Content->Certificates...->Trusted Root Certificates tab): pick the one whose description shows Server Authentication and export it with DER encoding (a .cer file). Say you save this in a file named verisign.cer.

Then use keytool.exe to import this certificate into the trusted root certificate store:
keytool -import -trustcacerts -alias verisign -file verisign.cer -keystore %JAVA_HOME%/lib/security/cacerts -storepass changeit -storetype JKS

You may also store it in a keystore file other than the default cacerts. The password "changeit" is the default password for the cacerts keystore.

The client uses the imported certificate to trust the server that owns that certificate. When a client establishes a session, the server sends a server certificate to the client. If the certificate is a member of the certificates included in the client keystore, the client trusts the server and so proceeds to the session.

For the client, you must set up Java system properties that are required when invoking SSL. These are:
  • the keystore type (storetype),
  • keystore filename (keystore), and
  • keystore password (storepass)

Here's how you do this in your client code:


    Note: If your WSDL does not specify the service endpoint location with an https:// URL then your service does not require SSL. Also, before you change the WSDL's service endpoint location to an https:// URL you will first need to check that it is a valid URL (usually the service location URL with ?WSDL appended should show the WSDL file for the service).
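    As an added example (not code from this thread or from WSAD), here is a client-side check that does what the system properties above do, but explicitly: it loads the trust store the certificate was imported into, builds an SSLContext from it with no client key (one-way TLS, server authentication only), opens the service's WSDL URL over HTTPS and prints the certificate chain the server presented. The trust store path, password and WSDL URL are assumptions; replace them with your own. It uses plain try/finally so it compiles on the Java 5-era JDKs discussed in the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not from the thread: trust the server through an explicit
 * JKS trust store and confirm the WSDL endpoint handshakes over HTTPS.
 */
public class SoapTlsTrustCheck {

    // Assumed values for illustration; point them at your own trust store and service.
    static final String TRUST_STORE = "C:/Program Files/Java/jre/lib/security/cacerts";
    static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();
    static final String WSDL_URL = "https://service.example.com/Service?WSDL";

    /** Load the JKS trust store and wrap it in an SSLContext that trusts only the CAs inside it. */
    static SSLContext sslContextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            trustStore.load(in, password); // throws IOException if the password is wrong
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // null KeyManagers: no client certificate
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = sslContextFromTrustStore(TRUST_STORE, TRUST_STORE_PASSWORD);
        // Make every HttpsURLConnection in this JVM use the trust store; generated
        // proxies that go through HttpsURLConnection pick this up automatically.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

        HttpsURLConnection conn = (HttpsURLConnection) new URL(WSDL_URL).openConnection();
        conn.setRequestMethod("GET");
        // The TLS handshake happens here; an untrusted chain surfaces as SSLHandshakeException.
        int status = conn.getResponseCode();
        System.out.println("HTTP " + status + " from " + WSDL_URL);

        // Print the chain the server sent; its root must be the certificate keytool imported.
        Certificate[] chain = conn.getServerCertificates();
        for (int i = 0; i < chain.length; i++) {
            X509Certificate x = (X509Certificate) chain[i];
            System.out.println("  [" + i + "] subject=" + x.getSubjectX500Principal()
                + " issuer=" + x.getIssuerX500Principal()
                + " notAfter=" + x.getNotAfter());
        }
        conn.disconnect();
    }
}
```

    If the generated proxy does not route through HttpsURLConnection, the javax.net.ssl.trustStore / javax.net.ssl.trustStorePassword system properties described in the thread remain the portable way to point the JVM at the same trust store. Hostname verification stays at its default here; a handshake failure means the chain or the host name does not match, which is the check you want, not something to switch off.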
     
    Watsh Rajneesh
    Ranch Hand
    Posts: 111
    A correction:

    To add the verisign certificate (or any new certificate) as trusted root certificate to cacerts file, use the following command:


    It will prompt for the password for the cacerts keystore, which is "changeit" by default. It will also prompt whether you want to trust this certificate; answer yes. keytool -list will then show the certificate's details:
    C:\>keytool -list
    Enter keystore password: changeit

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 1 entry

    verisign_new, Aug 3, 2006, trustedCertEntry,
    Certificate fingerprint (MD5): 26:XXXX60

    To check if the certificate was installed:

    where verisign_new is the alias we used when adding the certificate to the keystore.

    Even though the default cacerts should include the VeriSign class 2 CA certificate (as documented by the JDK tools doc for keytool), it does not list it, and so I think it's better to install a VeriSign cert manually in the client-side JVM keystore as shown above.
     
    Ramamurthy Sudhi
    Greenhorn
    Posts: 6
    Thanks a lot.
    Our web admin helped us to import the certificate into the cacerts file. Should I still set the truststore and keystore properties in the code? Wouldn't the WebSphere server know where to find the certificate/public key information?

    Thanks
     
    Watsh Rajneesh
    Ranch Hand
    Posts: 111
    You will need to set the system properties to let the JVM know which keystore to look into for trusted CA certificates when a server tries to authenticate itself with your client (running in the context of your JVM process), and also the password for the keystore, to allow the JVM to access the trusted CA certs stored in it. WebSphere is just an application which runs in the context of the JVM and in turn manages the lifecycle of your client app.
     
    Greenhorn
    Posts: 2
    This thread helped me a lot; in addition I would like to add the issues I faced in the process of applying these changes.

    I have imported the key as mentioned in the thread, but in spite of setting the correct password of cacerts.jks, it throws me an error something like the one shown below:

    Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
    at java.security.KeyStore.load(KeyStore.java:1185)
    at com.sun.net.ssl.internal.ssl.TrustManagerFactoryImpl.getCacertsKeyStore(TrustManagerFactoryImpl.java:202)
    at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.getDefaultTrustManager(DefaultSSLContextImpl.java:70)
    at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.<init>(DefaultSSLContextImpl.java:40)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at java.security.Provider$Service.newInstance(Provider.java:1221)
    ... 54 more
    Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
    ... 66 more

    ....

    I have used keytool in cmd (command prompt) to set the password and I was trying to change it using the -newpasswd flag, but I still used to get the same error.

    After so much googling I found a software tool which maintains these sorts of SSL certificates; the tool name is Keystore Explorer, home page link is http://www.lazgosoftware.com/kse/index.html.
    Using this tool I have exported the keystore and changed the default password to 'abc123', and it worked for me. I have modified the code snippet as well; below is my updated code snippet to set the Java environment.

    // JAVA_HOME is an environment variable, not a JVM system property
    String javaHomePath = System.getenv("JAVA_HOME");
    String keystore = "C:\\Program Files\\Java\\jre1.6.0_06\\lib\\security\\cacerts.jks";
    String keystorepass= "abc123";
    String storetype= "JKS";
    String truststorepass = "abc123";

    // property name / value pairs the JSSE default SSLContext reads at first use
    String[][] props = {
    { "javax.net.ssl.trustStore", keystore, },
    { "javax.net.ssl.trustStorePassword", truststorepass, },
    { "javax.net.ssl.keyStore", keystore, },
    { "javax.net.ssl.keyStorePassword", keystorepass, },
    { "javax.net.ssl.keyStoreType", storetype, },
    };

    // must run before the first HTTPS connection is opened in this JVM
    for (String[] p : props) {
        System.setProperty(p[0], p[1]);
    }

    Hope this will help some one.

    Thanks for the thread, Handsof to coderanch .........!!!
    Happy coding.
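    As an added example (not code from the thread or from any of the tools mentioned), the following utility covers both of the checks the thread leaves to keytool: it opens a JKS trust store with the password you intend to configure, separates the "Keystore was tampered with, or password was incorrect" case (an IOException whose cause is UnrecoverableKeyException, exactly as in the stack trace above) from a truncated or non-JKS file, lists the trusted certificate entries, and confirms that the expected alias is present as a trusted certificate rather than a private key. The store path, password and alias verisign_new are assumptions taken from the thread's own examples; substitute your own.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added example, not from the thread: verify a JKS trust store's password and
 * contents before wiring it into javax.net.ssl.* properties.
 */
public class TrustStoreInspector {

    // Assumed values for illustration.
    static final String STORE_PATH = "C:/Program Files/Java/jre/lib/security/cacerts";
    static final char[] STORE_PASSWORD = "changeit".toCharArray();
    static final String EXPECTED_ALIAS = "verisign_new";

    /** Returns the loaded store, or null (with a diagnosis printed) when the password is wrong. */
    static KeyStore openTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password); // passing null would skip the integrity check entirely
        } catch (IOException e) {
            // JKS reports a bad password as IOException caused by UnrecoverableKeyException.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                System.out.println("Wrong password for " + path + ": " + e.getCause().getMessage());
                return null;
            }
            throw e; // anything else: truncated file, wrong store type, unreadable path
        } finally {
            in.close();
        }
        return ks;
    }

    /** True only if the alias exists and is a trusted certificate entry, not a key entry. */
    static boolean hasTrustedCert(KeyStore ks, String alias) throws Exception {
        return ks.containsAlias(alias) && ks.isCertificateEntry(alias);
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = openTrustStore(STORE_PATH, STORE_PASSWORD);
        if (ks == null) {
            return;
        }
        System.out.println("Entries in " + STORE_PATH + ": " + ks.size());
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isCertificateEntry(alias)) {
                continue; // skip private-key entries; a trust store should not hold any
            }
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.println("  " + alias + ": " + c.getSubjectX500Principal()
                + " expires " + c.getNotAfter());
        }
        if (hasTrustedCert(ks, EXPECTED_ALIAS)) {
            System.out.println("OK: " + EXPECTED_ALIAS
                + " is a trustedCertEntry; javax.net.ssl.trustStore can point at this file");
        } else {
            System.out.println("MISSING: import the CA certificate under alias "
                + EXPECTED_ALIAS + " before configuring the client");
        }
    }
}
```

    For server authentication only, which is what a SOAP call to a VeriSign-certified endpoint needs, the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties are sufficient; javax.net.ssl.keyStore and its password are consulted only when the server requests a client certificate. Running this inspector with the same path and password you put in those properties tells you, before any SOAP traffic, whether the "tampered with, or password was incorrect" error will recur.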

     
    Saloon Keeper
    Posts: 7645
    This won't help you with your current problem, but a much better way to achieve encrypted SOAP communication is to use the WS-Security standard that is supported by all major SOAP implementations.