When doing normal SSL communications, without authorization, i.e.
you have a webserver with SSL turned on and it has the /bla/bla/rpcrouter
servlet there, and you want to allow anyone to send it messages, then the
situation is like this:

1. The webserver has a digital certificate, a private key and public
key pair, and that cert was signed by someone. The someone that signed
it was probably Verisign if you bought the cert from them.

2. The Java program client, when it starts doing the SSL handshake,
which happens before it actually sends any XML POST to the rpcrouter servlet,
will get the webserver's public key credentials and ONLY believe them
if it has the same trusted public key in its TRUSTSTORE as the guy who
signed the website's cert. So if you bought the cert from Verisign
for your webserver, then you would have to get from Verisign their root
CA (certificate authority)'s public key and put it in your truststore.
HOWEVER, there already are a bunch of these in the default truststore in
JSSE. So if you don't set any properties relating to TrustStore, then
the default will be used, and if your website has a normal purchased-from-someone-like-Verisign
SSL certificate, then you're fine.

3. In this case, you don't even need the keystore settings, because
that is for YOUR certificate that identifies you to a webserver.
If your webserver is letting anyone talk to it, you don't need one.

In my code, I am issuing my own certificates using iPlanet's Certificate
Management System (which is great, btw).
So my JSSE doesn't already have a root CA for the signer of my webserver's
certificate, because it's from ME, not Verisign. So I have to take
that root CA and specifically put it into a truststore (which I did using
keytool into $HOME/.keystore and then renamed .keystore to the truststore
file). It only has this one root CA in it.
And I AM doing client authentication, i.e. my webserver wouldn't
let you send it a message; you'd have to have a certificate issued by MY CA installed
in your keystore.
I don't know how close my situation is to yours, but that's all I know
about what I am doing... :)
D
pop m wrote:
First of all, I would like to thank you for your answer. I've
tried to configure my SOAP client as you have written in your
example, as you see below:

......
// settings for client-authentication via certificates.
// for trustStore we need client.keystore ??? I think
// (backslashes inside a Java string literal have to be doubled)
System.setProperty("javax.net.ssl.trustStore", "C:\\java_sources\\jsse\\key\\client.keystore");
System.setProperty("javax.net.ssl.trustStorePassword", "XXXXXXXX");
// Keystore
// I don't understand what I need to put here. My server.keystore? It
// is implemented in my Orion app.
// server,
//System.setProperty("javax.net.ssl.keyStore", "/home/atrieger/workspaces/xmlclient4.p12");
//System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
//System.setProperty("javax.net.ssl.keyStorePassword", "XXXXXXXX");
System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
m_https = "https://" + m_host + ":" + m_port + "/regens_app/servlet/rpcrouter";
URL url = new URL(m_https);
......

but I haven't succeeded; I always get an exception:
Caught SOAPException (SOAP-ENV:Client): Error opening socket: null
Any ideas?
Regards,
Pop Marius L.
----- Original Message -----
Sent: Friday, April 19, 2002 2:16 PM
Subject: Re: SOAP and SSL HELP
I did this:

import java.net.URL;
import java.util.Hashtable;
import org.apache.soap.SOAPException;
import org.apache.soap.rpc.Call;
import org.apache.soap.rpc.Response;

public class SoapSslClient {

    // class/method wrapper and local declarations added so the fragment compiles;
    // host, port and the prepared Call come from the caller.
    public void authenticate(String host, int port, Call call) {
        URL soapRouterURL = null;
        Response resp = null;
        String answer = null;
        Hashtable h = null;

        // settings for client-auth via certs.
        // Truststore
        System.setProperty("javax.net.ssl.trustStore", "/home/atrieger/workspaces/trieger_rootca_truststore.jks");
        // missing type-setting here because default type is jks
        System.setProperty("javax.net.ssl.trustStorePassword", "XXXXXXXXX");
        // Keystore
        System.setProperty("javax.net.ssl.keyStore", "/home/atrieger/workspaces/xmlclient4.p12");
        System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
        System.setProperty("javax.net.ssl.keyStorePassword", "XXXXXXXXXX");
        // use Sun's reference implementation of a URL handler for the "https" URL protocol type.
        // debugtrieger, note this is what the jsse docs say to do either here or command line
        // when this is run with -Dblablabla=this.thing.below
        //System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
        // dynamically register sun's ssl provider
        // debugtrieger, also note: just like above, this can also be done in the
        // security/java.policy or something file according to jsse install docs.
        //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
        try {
            soapRouterURL = new URL("https://" + host + ":" + port + "/soap/servlet/rpcrouter");
            resp = call.invoke(soapRouterURL, "");
            if (resp.generatedFault() == false) {
                System.out.println("no faults generated.");
                // check the runtime type before casting (the bare cast was flagged as dangerous)
                Object value = resp.getReturnValue().getValue();
                if (value instanceof String) {
                    answer = (String) value;
                }
                //h = (Hashtable) (resp.getReturnValue().getValue());
            } else {
                // there was a fault.
                System.out.println("A fault was generated: " + resp.getFault().toString());
            }
        } catch (SOAPException e) {
            System.out.println("Soap Exception raised in authenticate: [" + e.getMessage() + "]");
        } catch (java.net.MalformedURLException e) {
            System.out.println("Malformed URL exception caught in authenticate: " + e.getMessage());
        }
        System.out.println("answer is: " + answer);
        System.out.println("hashtable is: " + h);
        //return auth;
    }
}
Which is a SOAP RPC-style client that not only talks over SSL to the SOAP
server, but also has a local certificate that authenticates itself; the
server requires clients to prove their identity with certificates. (It's
an iPlanet 6.0 server.)
I had a hard time getting this to work, but finally realized that my
truststore should have the trusted root CA in it, and I was having problems
with my Java $HOME/.keystore file with keys made using keytool, so I finally
had a browser with a key in it that was the identity I wanted to use; I
exported that key into a PKCS12 file and I use that file as my keystore,
referenced in the code above.
The basic idea here is that because the URL is "https..." instead of
http, it will use the providers associated with https set in the System
properties above it. You don't need the truststore/keystore jazz if
you're not doing client authentication and are just talking to some SSL server.
Hope this helps...
Drew
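The truststore/keystore distinction Drew explains in this message (and again in his later reply at the top of the thread), as an added example that is not code from the thread: it loads the private-root-CA truststore and the PKCS12 client identity into an explicit SSLContext and attaches it to a single HttpsURLConnection to the rpcrouter, instead of setting JVM-wide System properties. The file paths, passwords and host name are placeholders, the raw HTTP POST stands in for Apache SOAP's Call.invoke, and on JDK 1.4 and later JSSE is built in, so the com.sun.net.ssl.internal provider and protocol-handler registration from the thread are not needed.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;

public class RpcRouterTlsClient {

    // Truststore = who the client believes (the root CA that signed the server cert).
    // Keystore   = who the client is; pass null when the server does not demand client
    //              certs, which is the "just talking to some SSL server" case from the thread.
    static SSLSocketFactory socketFactory(String trustStorePath, char[] trustPw,
                                          String keyStorePath, char[] keyPw) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");          // JKS is JSSE's default type
        try (InputStream in = new FileInputStream(trustStorePath)) { trust.load(in, trustPw); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        KeyManager[] identity = null;
        if (keyStorePath != null) {
            KeyStore ks = KeyStore.getInstance("PKCS12");      // browser-exported key + cert, as in the thread
            try (InputStream in = new FileInputStream(keyStorePath)) { ks.load(in, keyPw); }
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyPw);
            identity = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(identity, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths, passwords and host; /soap/servlet/rpcrouter is the path used in the thread.
        SSLSocketFactory sf = socketFactory("/path/to/rootca_truststore.jks", "changeit".toCharArray(),
                                            "/path/to/client_identity.p12", "changeit".toCharArray());
        URL url = new URL("https://soap.example.invalid/soap/servlet/rpcrouter");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(sf);      // scoped to this connection, not the whole JVM
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        conn.setRequestProperty("SOAPAction", "\"\"");
        conn.getOutputStream().write("<!-- SOAP envelope goes here -->".getBytes(StandardCharsets.UTF_8));
        // An untrusted server cert, or a missing client cert when the server requires one,
        // fails here with an SSLHandshakeException before any SOAP data is sent.
        System.out.println("HTTP status: " + conn.getResponseCode());
    }
}
```

Hostname verification against the server certificate is performed by HttpsURLConnection by default; keep it that way rather than installing a permissive HostnameVerifier when the handshake fails.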
pop m wrote:
Hi! I have the client.keystore and server.keystore files. Can anyone send me
part of a SOAP client code example where SSL is integrated with the
code? My SOAP client looks like:

......
try {
    Call call = new Call();
    call.setTargetObjectURI("urn:" + m_service);
    call.setMethodName("select_vegreh");
    call.setEncodingStyleURI(Constants.NS_URI_SOAP_ENC);
    // where should I implement SSL, and how can I test whether the data is indeed encoded?
    URL url = new URL(m_http);
......

Regards,
Pop Marius L.