axis-java-user mailing list archives

From "KUMAR,PANKAJ (HP-Cupertino,ex1)" <pankaj_ku...@hp.com>
Subject RE: SSL and Axis
Date Mon, 06 May 2002 23:08:37 GMT
Hi Andre,

I think property javax.net.ssl.trustStore is to be set to a local pathname
and not a URL and it is for a good reason -- The owner of the client program
should be able to control which CAs are trusted !! If it would be otherwise,
there is a security hole !!

For applets, the default trust store should be used which happens if you do
not set the property javax.net.ssl.trustStore. If you want a CA that is not
there, you should just import the appropriate certificate chain there.

My 2 cents.

/Pankaj.

-----Original Message-----
From: Andre Piwoni
To: axis-user@xml.apache.org
Sent: 5/6/02 12:24 PM
Subject: SSL and Axis
Importance: High

Instructions for setting up Apache SOAP Client for SSL communication at
http://xml.apache.org/soap/docs/install/FAQ_Tomcat_SOAP_SSL.html are
fine, however, the following line in the SOAP client,
 
System.setProperty("javax.net.ssl.trustStore","C:\\jdk1.3\\bin\\client.keystore")
 
makes it unusable when deployed with Java Web Start or as an applet as
far as I know.
 
One solution, I thought, would be to send client.keystore in .jar file
along with application and to point javax.net.ssl.trustStore to location
in .jar file which I couldn't accomplish successfully. Whatever reads
this property apparently does not know how to read .jar files.
 
Second solution that came to my mind was to load client.keystore into
instance of KeyStore class and initialize SSLContext with it as shown
below:
 
      TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
      tmf.init(keyStore);

      SSLContext context = SSLContext.getInstance("TLS");

      context.init(null, tmf.getTrustManagers(), null);

      HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
 
However, designers of SSLUtilities class that builds SSLSocket in
ApacheSOAP use SSLSocketFactory factory =
(SSLSocketFactory)SSLSocketFactory.getDefault(). This method creates new
SSLContext  which uses default keystore so my second idea didn't work
out.
 
Why are we required to have client authentication in Apache SOAP at
all? Why not allow more control over SSLContext?
 
Any help with getting around any of these limitations is very welcome.
 
Thanks!
 
Andre
apiwoni@acm.org
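The two messages above agree on the security point (the client program, not a remote URL, must decide which CAs it trusts) and disagree only on the mechanism. The following is an added example, not code from this thread or from Apache SOAP, that carries Andre's second approach through: it loads a truststore packaged inside the application jar as a KeyStore, builds an SSLContext from it with no client key (so no client authentication), and installs that context both for HttpsURLConnection and for code that calls SSLSocketFactory.getDefault(), which is the path the thread says Apache SOAP's SSLUtilities takes. The resource path /client.keystore and the password "changeit" are assumptions, and SSLContext.setDefault is a Java 6 API that did not exist on the JDK 1.3 mentioned in the thread.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class JarTrustStore {

    // Assumed: the truststore is packaged at the root of the application jar.
    static final String RESOURCE = "/client.keystore";
    // Assumed: the password the truststore was created with.
    static final char[] PASSWORD = "changeit".toCharArray();

    /** Load the packaged truststore as a KeyStore instead of pointing a file path at it. */
    public static KeyStore loadTrustStore() throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = JarTrustStore.class.getResourceAsStream(RESOURCE)) {
            if (in == null) {
                throw new IOException("truststore resource not found in jar: " + RESOURCE);
            }
            // The password also verifies the JKS integrity hash; a tampered store fails here.
            ks.load(in, PASSWORD);
        }
        // Refuse to run with no trust anchors at all rather than silently trusting nothing.
        if (ks.size() == 0) {
            throw new GeneralSecurityException("truststore " + RESOURCE + " contains no entries");
        }
        return ks;
    }

    /** Aliases of the CA certificates the client will trust, for logging and review. */
    public static List<String> trustedAliases(KeyStore ks) throws GeneralSecurityException {
        List<String> aliases = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                aliases.add(alias);
            }
        }
        Collections.sort(aliases);
        return aliases;
    }

    /** SSLContext whose only trust anchors are the packaged ones; null key managers, so no client auth. */
    public static SSLContext buildContext(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Make the context the default for both code paths discussed in the thread. */
    public static void install(SSLContext ctx) {
        // Path 1: HttpsURLConnection, which is what the original message already covered.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        // Path 2: SSLSocketFactory.getDefault(), which Apache SOAP's SSLUtilities calls.
        // Since Java 6 that method derives its factory from SSLContext.getDefault(),
        // so setting the default context reaches it. Not available on JDK 1.3.
        SSLContext.setDefault(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadTrustStore();
        System.out.println("trust anchors: " + trustedAliases(ks));
        install(buildContext(ks));
        // After install(), this factory validates servers against the packaged anchors only.
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        System.out.println("default factory: " + f.getClass().getName());
    }
}
```

Keeping the truststore inside the signed jar preserves the property Pankaj insists on: the trust anchors travel with, and are controlled by, the client program, and a Web Start or applet deployment no longer depends on a filesystem path such as C:\jdk1.3\bin. Passing null as the key manager array leaves client authentication out entirely, which addresses the question of why Apache SOAP should require it.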