Using SSL with Axis Client
The out-of-the-box configuration of SSL in the Axis client accepts any SSL certificate issued by 'well known' certification authorities (e.g. Verisign, ...).
This implementation is called JSSESocketFactory and it relies on Java Secure Socket Extension (aka JSSE).
If you need to use a 'non-trusted' server certificate (self-signed, ...), you can configure the JSSESocketFactory or use another SSL implementation called SunFakeTrustSocketFactory.
JSSESocketFactory
JSSESocketFactory configuration relies on JSSE configuration. By default, it uses the JDK built-in keystore file <jre-home>/lib/security/cacerts with its default password changeit.
The JSSE configuration parameters are described here. Major properties are javax.net.ssl.keyStore (location of the keystore) and javax.net.ssl.keyStorePassword (password of the keystore).
To import a server certificate into your keystore, use the JDK's built-in keytool as described here or use a WYSIWYG tool like KeyMan.
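The import step above can also be done programmatically. The following is an added example, not code from Axis or from this page: it builds a dedicated truststore holding only the server's certificate, prints the certificate's fingerprint so it can be checked against a value obtained from the server's administrator, and points JSSE at the new store. The properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword are standard JSSE properties that this page does not name; the class name, the alias axis-server and the environment variable TRUSTSTORE_PASS are assumptions.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example, not Axis code: trust one server certificate via a dedicated JSSE truststore.
public class AxisTrustStoreSetup {

    // Loads the X.509 certificate (PEM or DER) exported from the server.
    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // SHA-256 fingerprint, to compare with the value given by the server's administrator.
    static String fingerprint(X509Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    // Writes a JKS store that contains only this certificate as a trusted entry.
    static void writeTrustStore(X509Certificate cert, String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, pw);                           // start from an empty store
        ks.setCertificateEntry("axis-server", cert); // alias is an assumed name
        try (OutputStream out = new FileOutputStream(path)) {
            ks.store(out, pw);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: AxisTrustStoreSetup <server-cert-file> <truststore-file>");
            System.exit(2);
        }
        String pw = System.getenv("TRUSTSTORE_PASS"); // assumed variable name
        if (pw == null) throw new IllegalStateException("TRUSTSTORE_PASS is not set");
        X509Certificate cert = loadCert(args[0]);
        cert.checkValidity();                        // reject an expired or not-yet-valid certificate
        System.out.println("SHA-256 fingerprint: " + fingerprint(cert));
        writeTrustStore(cert, args[1], pw.toCharArray());
        // Must be set before the JVM's first SSL connection, i.e. before any Axis call.
        System.setProperty("javax.net.ssl.trustStore", args[1]);
        System.setProperty("javax.net.ssl.trustStorePassword", pw);
    }
}
```

In a real client the two System.setProperty calls belong in the client's own startup code (or as -D options on its command line), since they only affect the JVM in which they are set.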
SunJSSESocketFactory
Using the SunJSSESocketFactory allows more flexible configuration from Axis. Use this when using client certificates for authentication.
To use multiple different client certificates within the same client, some trickery is necessary. See FrontPage/Axis/DynamicSSLConfig for more information on how to set this up.
SunFakeTrustSocketFactory
The SunFakeTrustSocketFactory is intended for development environments and will accept any SSL certificate, so the server's identity is not verified. To use it, you just have to create in your classpath, under META-INF/services/, a file called org.apache.axis.components.net.SecureSocketFactory (download here) with the content:
org.apache.axis.components.net.SunFakeTrustSocketFactory
This mechanism for selecting the SecureSocketFactory implementation relies on the Axis pluggable API described here.
Notes and Resources
Related wiki page: FrontPage/Axis/SslUnsignedCertificate
JSSE has been bundled in JVMs since JDK 1.4. For older JVMs, JSSE is downloadable at http://java.sun.com/products/jsse/downloads/index.html
JSSE Reference : http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html
If you get an exception message "SunCertPathBuilderException: unable to find valid certification path to requested target", it means that the server's certificate is not trusted. To fix this, you need to import the server's certificate into the client's keystore (see JSSE guide: http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#CreateKeystore ).
KeyMan is a nice WYSIWYG alternative to keytool for managing certificates and keystores.
Interesting tutorial "How to use webservices with SSL?" : http://www.artima.com/forums/flat.jsp?forum=46&thread=106915