axis-java-user mailing list archives
From "Nandana Mihindukulasooriya" <nandana....@gmail.com>
Subject Re: [Axis2] SSL server certificate
Date Wed, 05 Mar 2008 13:47:50 GMT
Hi Joe,

> Thanks for your comments. I'm wondering whether we should import
> certificates to the default Java trusted store
> (jre/lib/security/cacertificates) or to have a separate trusted key store
> file for our application and import certificate to it? Which one is a better
> solution from the security point of view?

I think if we maintain a key store for an application rather than
adding to the default Java trust store, it will be easy to manage.
For example, if you have multiple applications with different trust
relationships then we will have to maintain a key store for
each application anyway.

> The other question how can we show certificate to the user and then import
> it programmatically the same way web-browsers do?

Right now, Axis2 + Rampart doesn't show certificate information in the
WSDL. At the moment, clients have to have the server's certificate and
they can use the Java keytool to import it to a key store. But we can use
XKMS to do the key management programmatically. But right now Rampart
doesn't support XKMS either. Take a look at the XKMS sample - [1]
which comes with the WSO2 WSAS distribution.

thanks,
/nandana

[1] - http://www.ibm.com/developerworks/xml/library/x-seclay3/
[2] - http://wso2.org/project/wsas/java/2.2.1/docs/xkms_sample_guide.html

> Joe
>
>
>
> On Mon, Mar 3, 2008 at 10:09 AM, Nandana Mihindukulasooriya
> <nandana.cse@gmail.com> wrote:
> >
> >
> >
> > Hi Nuria,
> >       yes, you need to set a system property in the client side to
> > add that key store containing that cert as a trusted key store. This
> > can be simply done using
> >
> >        System.setProperty("javax.net.ssl.trustStore",
> "path/to/keystore.jks");
> >        System.setProperty("javax.net.ssl.trustStorePassword", "password");
> >
> > in the client side.
> >
> > thanks,
> > nandana
> >
> > On Mon, Mar 3, 2008 at 8:14 PM, Nuria Rodríguez García
> >
> > <nuria.rg1@gmail.com> wrote:
> > >
> > >
> >
> >
> >
> > > Hello:
> > >
> > >
> > >
> > > I'm using Axis2 and I need to use SSL to connect to a WS.
> > >
> > > In server side I do the following:
> > >
> > >
> > >
> > >             I configure the server.xml file in tomcat. I have:
> > >
> > >                         <Connector port="8443"
> > >
> > >                maxThreads="150" minSpareThreads="25"
> maxSpareThreads="75"
> > >
> > >                enableLookups="false" disableUploadTimeout="true"
> > >
> > >                acceptCount="100" debug="0" scheme="https" secure="true"
> > >
> > >                clientAuth="false" sslProtocol="TLS" />
> > >
> > >
> > >
> > >             Then I generate a server certificate doing the following:
> > >
> > >                         keytool -genkey -alias tomcat -keyalg RSA
> > >
> > >                         keytool -export -alias tomcat -storepass
> changeit
> > > -file server.cer
> > >
> > >                         keytool -import -v -trustcacerts -alias tomcat
> -file
> > > server.cer -keystore %JAVA_HOME%/jre/lib/security/cacerts -keypass
> changeit
> > > -storepass changeit
> > >
> > >
> > >
> > >             I start-up tomcat and when I call the service using the EPR
> > > "https://mymachine:8443/ ...." I receive the following exception:
> > >
> > >
> > >
> > >                         I/O exception (org.apache.axis2.AxisFault)
> caught
> > > when processing request: sun.security.validator.ValidatorException: PKIX
> > > path building failed:
> > > sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find
> > > valid certification path to requested target
> > >
> > >
> > >
> > > I don't know if I need to indicate something from the client side.
> > >
> > >
> > >
> > > Thanks,
> > >
> > > Nuria
> >
> > http://nandana83.blogspot.com/
> > http://nandanasm.wordpress.com/
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
> > For additional commands, e-mail: axis-user-help@ws.apache.org
> >
> >
>
>
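The thread recommends a per-application trust store over the JVM-wide cacerts file, and asks how to show the server certificate to a user before trusting it. The following is an added example, not code from the thread or from Axis2/Rampart: it loads an application-specific JKS trust store, prints each trusted certificate's subject, validity and SHA-256 fingerprint so an operator can compare it against the value obtained out of band, and builds an SSLContext from that store. Unlike the javax.net.ssl.trustStore system property shown above, which changes trust for the whole JVM, an SSLContext built this way is scoped to the connections that use it. The path "path/to/keystore.jks" and the password are placeholders, and the code assumes Java 7 or later for try-with-resources.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class AppTrustStore {

    // Hex-encode the SHA-256 digest of the DER encoding, the value an
    // operator compares against the fingerprint the server admin published.
    static String sha256Fingerprint(Certificate cert) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // Load the application's own trust store and show what it trusts.
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        Enumeration<String> aliases = ts.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate c = ts.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("alias:   " + alias);
                System.out.println("subject: " + x.getSubjectX500Principal());
                System.out.println("issuer:  " + x.getIssuerX500Principal());
                System.out.println("expires: " + x.getNotAfter());
                System.out.println("sha256:  " + sha256Fingerprint(x));
                // Fail early on an expired trust anchor instead of at connect time.
                x.checkValidity();
            }
        }
        return ts;
    }

    // Build an SSLContext whose trust decisions come only from this store,
    // leaving the JVM default trust (cacerts) untouched.
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and password; replace with the application's own.
        KeyStore ts = loadTrustStore("path/to/keystore.jks", "password".toCharArray());
        SSLContext ctx = contextFor(ts);
        // Apply to HttpsURLConnection clients created by this process only;
        // an Axis2 transport can be handed ctx.getSocketFactory() the same way.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("trust store loaded with " + ts.size() + " entries");
    }
}
```

Run it once against the store produced by the keytool -import step in the thread; a PKIX "unable to find valid certification path" error at connect time then means the server's chain does not lead to one of the printed anchors, which is what the fingerprint listing lets you confirm before touching cacerts.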
