Using SSL with Axis Client

The out-of-the-box configuration of SSL in the Axis client accepts any SSL certificate issued by 'well known' certification authorities (e.g. Verisign, ...).

This implementation is called JSSESocketFactory and it relies on the Java Secure Socket Extension (JSSE).

If you need to use a 'non-trusted' server certificate (self-signed, ...), you can configure the JSSESocketFactory or use another SSL implementation called SunFakeTrustSocketFactory.

JSSESocketFactory

JSSESocketFactory configuration relies on JSSE configuration. By default, it uses the JDK built-in keystore file <jre-home>/lib/security/cacerts with its default password changeit.

The JSSE configuration parameters are described here. Major properties are javax.net.ssl.keyStore (location of the keystore) and javax.net.ssl.keyStorePassword (password of the keystore).

To import a server certificate into your keystore, use the JDK's built-in keytool as described here or use a WYSIWYG tool like KeyMan.

SunJSSESocketFactory

Using the SunJSSESocketFactory allows more flexible configuration from Axis. Use this when using client certificates for authentication.

To use multiple different client certificates within the same client, some trickery is necessary. See FrontPage/Axis/DynamicSSLConfig for more information on how to set this up.

SunFakeTrustSocketFactory

The SunFakeTrustSocketFactory is intended for development environments and will accept any SSL certificate. To use it, you just have to create in your classpath, under META-INF/services/, a file called org.apache.axis.components.net.SecureSocketFactory (download here) with the content:

org.apache.axis.components.net.SunFakeTrustSocketFactory

Note: this mechanism for selecting the SecureSocketFactory implementation relies on the Axis pluggable API described here.
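
Because the selection is made by a file on the classpath, a development jar or directory that still carries it switches certificate acceptance to "any" without a code change. The following startup guard is an added example, not part of the original page or of Axis: it scans the classpath for the service file and reports every copy that names SunFakeTrustSocketFactory. The class name FakeTrustCheck and the treatment of '#' as a comment marker are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

public class FakeTrustCheck {
    static final String SERVICE =
        "META-INF/services/org.apache.axis.components.net.SecureSocketFactory";
    static final String FAKE = "org.apache.axis.components.net.SunFakeTrustSocketFactory";

    // Returns every copy of the service file visible to cl that names the accept-all factory.
    static List<URL> findFakeTrust(ClassLoader cl) throws IOException {
        List<URL> hits = new ArrayList<>();
        Enumeration<URL> files = cl.getResources(SERVICE);
        while (files.hasMoreElements()) {
            URL url = files.nextElement();
            try (BufferedReader r = new BufferedReader(
                    new InputStreamReader(url.openStream(), StandardCharsets.UTF_8))) {
                for (String line; (line = r.readLine()) != null; ) {
                    int hash = line.indexOf('#'); // assumption: '#' starts a comment
                    if (hash >= 0) line = line.substring(0, hash);
                    if (line.trim().equals(FAKE)) { hits.add(url); break; }
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temporary classpath root holding the file from this page.
        Path root = Files.createTempDirectory("axis-cp");
        Path file = root.resolve(SERVICE);
        Files.createDirectories(file.getParent());
        Files.write(file, (FAKE + "\n").getBytes(StandardCharsets.UTF_8));
        try (URLClassLoader sample = new URLClassLoader(new URL[] { root.toUri().toURL() }, null)) {
            System.out.println("sample classpath hits: " + findFakeTrust(sample));
        }
        // Real check: fail at startup if this application's classpath selects the factory.
        List<URL> hits = findFakeTrust(FakeTrustCheck.class.getClassLoader());
        if (!hits.isEmpty()) throw new IllegalStateException("accept-all SSL factory: " + hits);
    }
}
```

Calling findFakeTrust from the application's own startup code, outside development builds, reports the exact jar or directory that contributed the file.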

Notes and Resources

FrontPage/Axis/AxisClientConfiguration/Ssl (last edited 2009-09-20 22:49:08 by localhost)