SSL and Web Service - Need a bit of help

Hi,

I have a simple web service that I deployed to my websphere application server and I have a quick question regarding SSL. My WAS instance has what is called a default "SSL configuration repertoire".

What do I need to add to my web service to force it be used over an SSL connection? I deployed the web service, but I am a little bit confused over how to get it to run with SSL. Also, what role does the <web-resource-name> play in the web.xml? Is it supposed to match up with anything?

Here is my web.xml for the web service:
<?xml version="1.0" encoding="UTF-8"?> <web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"> <display-name> CustInfoWS</display-name> <servlet> <servlet-name>ws_GetCust</servlet-name> <servlet-class> ws.GetCust</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <welcome-file-list> <welcome-file>index.html</welcome-file> </welcome-file-list> <security-constraint> <display-name>Constraint1</display-name> <web-resource-collection> <web-resource-name> ws_GetCust </web-resource-name> <description/> <url-pattern>/*</url-pattern> <http-method>POST</http-method> </web-resource-collection> <user-data-constraint> <description/> <transport-guarantee> CONFIDENTIAL </transport-guarantee> </user-data-constraint> </security-constraint> </web-app>


Any help would be much appreciated.

Thanks.

"web-resource-name" doesn't need to match anything - it's just informational.

If SSL is all set up for that server (certificate installed, port configured etc.), you could simply try to have the WS client use an "https:" URL instead of an "http:" (assuming that the default SSL port -443- is what you have SSL set up for).

Cheers Ulf. Is there anything else that needs to be added to the web service?

Also, am I correct in thinking that SSL and WS-Security are two different things altogether? I am a little unclear on the latter since I thought it was something that had to be hand coded into the web service? Or does WAS take care of that for me?

Thanks again.

Is there anything else that needs to be added to the web service?

No, SSL should work transparently to the WS.

am I correct in thinking that SSL and WS-Security are two different things altogether?

Yes. WS-Security provides authentication, encryption and signature services, but not based on HTTP approaches like Basic Authentication and SSL. If at all feasible I'd prefer WS-Security over the older approaches these days (and it should be feasible, as WS-Security is supported by all major SOAP stacks).

I am a little unclear on the latter since I thought it was something that had to be hand coded into the web service? Or does WAS take care of that for me?

WS-Security is generally configured (either using config files or through a GUI), not coded. How exactly depends on the SOAP stack you're using. I'm not sure what WAS can do in that area, but given that it costs serious bucks, I'd assume that it has a GUI for this.

Thanks Ulf. Off to do a bit of reading. One last question. Do I need to update the wsdl:address portion of my WSDL to point to HTTPS port 443?

<wsdl:service name="GetCustService"> <wsdl:port binding="impl:GetCustSoapBinding" name="GetCust"> <wsdlsoap:address location="http://servername/CustInfoWS/services/GetCust"/> </wsdl:port> </wsdl:service>

It shouldn't be necessary. Just changing "http" to "https" should be sufficient.