The following describes a setup for dynamically choosing the client certificate used for SSL Authentication from an Axis Client.

This method has been tested using Axis 1.4 and Java 1.5 under Tomcat 5.5.20 and WebSphere 6.1.

The Motivation

Generally, a client will use one client certificate to identify itself to services it is accessing. Depending on the application, the client certificate will belong to the user of the application, or will be part of the installation of the application client itself.

Sometimes this model is insufficient:

Whatever the reason, sometimes the "one client, one certificate" model is not applicable. In this case, the client has to work, dynamically at run-time, with more than one certificate at a time.

The Problem

In its current implementation, the SSL Transport for Axis has several shortcomings:

So, it seems we are in a bind if we want to enable dynamic runtime selection of the client certificate.

The Solution

The solution depends on a few modified classes for Apache Axis. In particular the solution consists of:

Together, use of these components allows the desired dynamic configuration.

Usage / Configuration

To set up dynamic certificates for your axis client, proceed as follows:

  1. Replace the SocketFactoryFactory class with your new version. This can be done in one of three ways (method 1 is safest):

    1. Find the original class file within axis.jar (it lives in org/apache/axis/components/net) and delete it, replace it with the modified class file
    2. Place the modified class file in a new JAR, and make sure this JAR loads before axis.jar (eg call it _axis.jar)
    3. For webapps, place the modified class file within your WEB-INF/classes folder. It seems tomcat loads these before axis.jar
  2. Add the remaining classes to your application
  3. Use the SSL!ClientAxisConfig class to initialize your Axis client before making a call (see example below)

  4. When you want to use a different certificate, create a new SSL!ClientAxisConfig, with updated paramters, and use it to create a new Axis client. This client will use the new certificate.

Example usage of the SSL!ClientAxisConfig:

   1 // create config
   2 boolean logging = false; // no logging
   3 SSLClientAxisEngineConfig axisConfig = new SSLClientAxisEngineConfig();
   4 axisConfig.setKeystore("/path/to/clientkey.p12");
   5 axisConfig.setKeystoreType("PKCS12");
   6 axisConfig.setKeystorePassword("changeit");
   7 axisConfig.setTruststore("/path/to/truststore.jks");
   8 axisConfig.setTruststoreType("JKS");
   9 axisConfig.setTruststorePassword("changeit");
  10 if (logging)
  11     axisConfig.setDebugBaseDir("/path/to/logs");
  12 axisConfig.initialize(logging);
  13 // initialize service
  14 URL soapURL = new URL("https://myserver.com/myapp/services/mywebserviceport");
  15 MyWebServiceServiceLocator locator = new MyServiceLocator(axisConfig);
  16 MyWebServicePort port = locator.getMyWebServicePort(soapURL);
  17 MyWebServiceBindingStub stub = (MyWebServiceBindingStub) port;
  18 // make a call to the webservice (assume no params for this operation)
  19 MyResultType result = stub.myoperation1();

Note: In the example above it is assumed that you have created the client stubs for the web service "MyWebService" using the Axis WSD!L2Java tool.

Note: For an explanation of the logging features, please see FrontPage/Axis/Logging/Logging_with_SSL and FrontPage/Axis/Logging/In_Memory_Logging

/!\ Note: Don't use the logging features in production setups, they are aides for development, and not implemented in sufficient quality to use in production.

Getting the code

Note that both JARs contain all the classes described above, as well as the classes needed for the logging features.

Note that the SocketFactoryFactory replacement class is also included in the JARs, but may need to be moved elsewhere depending on your setup (see above) to ensure it loads before the original class in axis.jar.

Shortcomings

Comments, Feedback, Support

This code is supplied back to the apache foundation, without any support or warranty. Use at your own risk. The author and his employer assume no responsibility for damages resulting in the use of this code or these instructions.

Feel free to use the code in any way you want but do not expect support.

Should you have questions about the code, please feel free to contact me (the Author) at: runger --AT-- aon.at

FrontPage/Axis/DynamicSSLConfig (last edited 2012-03-13 11:46:12 by Mike Murphy)