axis-c-user mailing list archives

From Dumindu Pallewela <dumi...@wso2.com>
Subject Re: [Axis2] SSL and certificate support
Date Tue, 20 Nov 2007 01:47:49 GMT
Subra A Narayanan wrote:
> Hey Dumindu,
> 
> Just want to make sure I understand this correctly. So if I just want
> to run my axis2 webservices in SSL mode, I don't need rampart. I can
> just use apache for that, right?

YES, Absolutely!

> But when I was reading rampart
> documentation, it talks about soap body encryption using SSL certs.
> How is that different from using apache for SSL?
> 

SSL/TLS is only concerned with *transport* security. That is "Eve"
in the middle of the channel cannot eavesdrop Bob's private
conversation with Alice. :) However if you need more, like message
level security, you need WS-Sec. Say you need to store your SOAP
message and later consume it. WS-Sec can provide security while it
is being stored, whereas SSL/TLS fails to provide that.

You can find some more insight into it from the "Alternatives" section of [1].

> My second question is, let's assume I want to use client authentication
> for my webservice. I have to set the following 2 variables in the
> httpd.conf file
> 
> SSLVerifyClient require
> SSLVerifyDepth 1
> 
> I understand that this will force the client to send a cert with every
> request. But after it receives the client cert, what does it do with it?
> Does it check against a list of certs that are allowed to access the
> service? Is this feature built-in to axis2 or do we have to implement it
> ourselves?

Axis2/C does nothing with the client's certificate at the server
side. It is up to the user to configure their Apache2 server to
accept/reject the clients based on the certificates provided _if_
they need such functionality. Note that Apache2 works as yet another
transport and hence we shouldn't be messing around with the
transport implementation details at the Axis2/C module level.

If for some reason you need to do it in Axis2 code, my guess is that
you need a really ugly hack, making it better left with Apache2
(Assuming that you are not considering the situation where you would
write the SSL transport support for the server code, i.e., for
simple_axis_server).

HTH,
Dumindu.

[1] http://en.wikipedia.org/wiki/Web_Services_Security

-- 
Dumindu Pallewela
http://blog.dumindu.com
GPG ID: 0x9E131672

WSO2 | http://wso2.com | "Oxygenating the Web Service Platform"
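
The accept/reject decision the reply leaves to Apache2, written out as an added mod_ssl configuration that is not part of the original message or of Axis2/C. All file paths, the CA file, the two client CN values and the `/axis2` location with `SetHandler axis2_module` are assumptions chosen for illustration.

```apache
# Added example. Every path and name below is a placeholder.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Only client certificates issued by a CA in this file pass
    # chain validation. Use a dedicated client CA here, not a
    # public CA bundle.
    SSLCACertificateFile  /path/to/client-ca.crt

    # Assumed location where the Axis2/C Apache module is mounted.
    <Location /axis2>
        SetHandler axis2_module

        # The two directives from the question: a certificate is
        # mandatory, and it must be signed directly by a CA above.
        SSLVerifyClient require
        SSLVerifyDepth  1

        # Chain validation alone admits every certificate that CA
        # has ever issued. This is the "list of certs allowed to
        # access the service": requests whose subject CN is not
        # listed are rejected with 403 before reaching Axis2/C.
        SSLRequire %{SSL_CLIENT_S_DN_CN} in {"client-a.example", "client-b.example"}
    </Location>
</VirtualHost>
```

Without the `SSLRequire` line, the server answers "yes" to any holder of a certificate from the configured CA, so the allow-list is what turns client authentication into authorization. On Apache 2.4, `SSLRequire` is deprecated and the same condition is written with `Require expr`.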