Differences between revisions 5 and 6
Revision 5 as of 2007-07-10 14:49:18
Size: 3380
Editor: RichardUnger
Comment:
Revision 6 as of 2009-09-20 22:49:08
Size: 3393
Editor: localhost
Comment: converted to 1.6 markup
Line 13: Line 13:
The JSSE configuration parameters are described [http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#InstallationAndCustomization here]. Major properties are {{{javax.net.ssl.keyStore}}} (location of the keystore) and {{{javax.net.ssl.keyStorePassword}}} (password of the keystore). The JSSE configuration parameters are described [[http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#InstallationAndCustomization|here]]. Major properties are {{{javax.net.ssl.keyStore}}} (location of the keystore) and {{{javax.net.ssl.keyStorePassword}}} (password of the keystore).
Line 15: Line 15:
To import a server certificate in your keystore, use jdk's built-in keytool as described [http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html#importCmd here] or use a WYSIWYG tool like [http://alphaworks.ibm.com/tech/keyman KeyMan]. To import a server certificate in your keystore, use jdk's built-in keytool as described [[http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html#importCmd|here]] or use a WYSIWYG tool like [[http://alphaworks.ibm.com/tech/keyman|KeyMan]].
Line 21: Line 21:
To use multiple different client certificates within the same client, some trickery is necessary. See ["FrontPage/Axis/DynamicSSLConfig"] for more information on how to set this up. To use multiple different client certificates within the same client, some trickery is necessary. See [[FrontPage/Axis/DynamicSSLConfig]] for more information on how to set this up.
Line 25: Line 25:
The {{{SunFakeTrustSocketFactory}}} is intended for development environements and will accept any ssl certificate. To use it, you just have to create in your classpath, under {{{META-INF/services/}}} a file called {{{org.apache.axis.components.net.SecureSocketFactory}}} (download [attachment:org.apache.axis.components.net.SecureSocketFactory here]) with the content : The {{{SunFakeTrustSocketFactory}}} is intended for development environements and will accept any ssl certificate. To use it, you just have to create in your classpath, under {{{META-INF/services/}}} a file called {{{org.apache.axis.components.net.SecureSocketFactory}}} (download [[attachment:org.apache.axis.components.net.SecureSocketFactory|here]]) with the content :
Line 30: Line 30:
(!) This mechanism to select the {{{SecureSocketFactory}}} implementation relies on the Axis pluggable API described [http://ws.apache.org/axis/java/integration-guide.html#Components here] (!) This mechanism to select the {{{SecureSocketFactory}}} implementation relies on the Axis pluggable API described [[http://ws.apache.org/axis/java/integration-guide.html#Components|here]]
Line 35: Line 35:
 * Related wiki page : Self:FrontPage/Axis/SslUnsignedCertificate  * Related wiki page : [[FrontPage/Axis/SslUnsignedCertificate]]
Line 43: Line 43:
 * [http://alphaworks.ibm.com/tech/keyman KeyMan] is a nice WYSIWYG alternative to [http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html keytool] to manage certificates and keystores  * [[http://alphaworks.ibm.com/tech/keyman|KeyMan]] is a nice WYSIWYG alternative to [[http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html|keytool]] to manage certificates and keystores
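Review bot: In the "Line 25" change, the SunFakeTrustSocketFactory paragraph is carried over with only its link syntax converted, so it still limits itself to "intended for development environements" while describing a factory that "will accept any ssl certificate" and is switched on by a file under META-INF/services/. Since the line is being touched anyway, it should say explicitly that this service file must not be packaged into anything deployed outside development, and "environements" should be corrected to "environments". The same spelling fix applies to the rendered page text.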

Using SSL with Axis Client

The out-of-the-box SSL configuration of the Axis client accepts any SSL certificate issued by a 'well known' certification authority (e.g. Verisign, ...).

This implementation is called JSSESocketFactory and it relies on Java Secure Socket Extension (aka JSSE).

If you need to use a 'non-trusted' server certificate (self-signed, ...), you can configure the JSSESocketFactory or use another SSL implementation called SunFakeTrustSocketFactory.

JSSESocketFactory

JSSESocketFactory configuration relies on JSSE configuration. By default, it uses the JDK built-in keystore file <jre-home>/lib/security/cacerts with its default password changeit.

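The JSSE configuration parameters are described at http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#InstallationAndCustomization. Major properties are javax.net.ssl.keyStore (location of the keystore) and javax.net.ssl.keyStorePassword (password of the keystore).

To import a server certificate into your keystore, use the JDK's built-in keytool as described at http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html#importCmd or use a WYSIWYG tool like KeyMan (http://alphaworks.ibm.com/tech/keyman).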
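After an import, it is worth confirming what the client will actually trust. The following is an added example, not part of the original wiki page or of Axis: it lists the certificate entries of the store JSSE uses for server trust, falling back to the cacerts path and changeit password given above. It reads javax.net.ssl.trustStore and its companion properties, which are the JSSE properties for trusted server certificates (javax.net.ssl.keyStore holds the client's own keys); the class name TrustStoreAudit is made up for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class name): audit the JSSE trust store an Axis client will use.
public class TrustStoreAudit {
    public static void main(String[] args) throws Exception {
        // Defaults are the ones stated on this page: <jre-home>/lib/security/cacerts, "changeit".
        String defaultPath = System.getProperty("java.home") + "/lib/security/cacerts";
        String path = System.getProperty("javax.net.ssl.trustStore", defaultPath);
        String pass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray());
        }
        System.out.println("Trust store: " + path + " (" + ks.size() + " entries)");

        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;   // skip private-key entries
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            // A self-issued entry that is not a public CA root is typically one you imported.
            boolean selfIssued = x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
            System.out.printf("%s%n  subject=%s%n  sha256=%s%n  notAfter=%s selfIssued=%b%n",
                alias, x.getSubjectX500Principal().getName(), sha256(x.getEncoded()),
                x.getNotAfter(), selfIssued);
        }
    }

    // Hex SHA-256 fingerprint of the DER-encoded certificate, for comparison with the server's.
    static String sha256(byte[] der) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }
}
```

Compare the printed fingerprint of the imported entry with the one obtained from the server operator out of band before relying on it.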

SunJSSESocketFactory

Using the SunJSSESocketFactory allows more flexible configuration from Axis. Use this when using client certificates for authentication.

To use multiple different client certificates within the same client, some trickery is necessary. See FrontPage/Axis/DynamicSSLConfig for more information on how to set this up.

SunFakeTrustSocketFactory

The SunFakeTrustSocketFactory is intended for development environments and will accept any SSL certificate. To use it, create a file called org.apache.axis.components.net.SecureSocketFactory under META-INF/services/ in your classpath (download here) with the content:

org.apache.axis.components.net.SunFakeTrustSocketFactory

Note: This mechanism to select the SecureSocketFactory implementation relies on the Axis pluggable API described at http://ws.apache.org/axis/java/integration-guide.html#Components.
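Because a single classpath file is enough to turn off certificate validation, a client can check for it at startup. The following is an added example, not code from Axis or from the original page: it scans the classpath for the service file named above and refuses to run when it selects SunFakeTrustSocketFactory outside development. The class name FakeTrustGuard and the app.env property are hypothetical, and '#' comments are tolerated on the assumption that the file follows the usual META-INF/services format.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example (hypothetical class): detect classpath entries that select SunFakeTrustSocketFactory.
public class FakeTrustGuard {
    static final String SERVICE_FILE =
        "META-INF/services/org.apache.axis.components.net.SecureSocketFactory";
    static final String FAKE_TRUST =
        "org.apache.axis.components.net.SunFakeTrustSocketFactory";

    // Returns the URL of every service file on the classpath that names the fake-trust factory.
    static List<URL> findFakeTrustConfig(ClassLoader cl) throws Exception {
        List<URL> hits = new ArrayList<>();
        for (URL url : Collections.list(cl.getResources(SERVICE_FILE))) {
            try (BufferedReader r = new BufferedReader(
                    new InputStreamReader(url.openStream(), StandardCharsets.UTF_8))) {
                String line;
                while ((line = r.readLine()) != null) {
                    int hash = line.indexOf('#');            // assumed comment syntax
                    if (hash >= 0) line = line.substring(0, hash);
                    if (line.trim().equals(FAKE_TRUST)) { hits.add(url); break; }
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        List<URL> hits = findFakeTrustConfig(Thread.currentThread().getContextClassLoader());
        for (URL u : hits) {
            System.err.println("Certificate validation disabled by: " + u);
        }
        // "app.env" is a hypothetical property; use whatever marks a development run in your build.
        boolean dev = "dev".equals(System.getProperty("app.env"));
        if (!hits.isEmpty() && !dev) {
            throw new IllegalStateException("SunFakeTrustSocketFactory configured outside development");
        }
        System.out.println("Service files selecting fake trust: " + hits.size());
    }
}
```

The printed URL identifies the jar or directory that carries the file, which is usually the quickest way to find the dependency or build step that introduced it.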

Notes and Resources

FrontPage/Axis/AxisClientConfiguration/Ssl (last edited 2009-09-20 22:49:08 by localhost)