I am new to JAX-WS SOAP Web Service, Can any one help me how to consume soap web service over https.
Publisher has shared a ssl certificate(.cer) with me, imported this in a TrustStore using a keytool command.
Now to call saop webservice over a https secure layer I need the .jks file to set it as System Environment Variable.
I followed many resources How can i create keystore from an existing certificate (abc.crt) and abc.key files?
but it is expecting serverprivatekey.key file.
I do not have private key with me, please help how to proceed.
am I on the right way? or Something wrong in my approach?
You do not need the private key of the server. You only need to import the public key certificate.cer in a truststore. (Really you only need the root certificate). If you have already done on a JKS, configure to use it through
System.setProperty("javax.net.ssl.trustStore",path/to/your/truststore);
System.setProperty("javax.net.ssl.trustStorePassword",password;
Note: The trustmanager of the HTTPS connection will verify the identity of the server during the handshake checking that the signature perfomed by server corresponds to the public key. So the private key must be private and you should not access to it.
Related
I've got an Apache server set up with 2-way SSL, and I am trying to access it via a Java application using Apache HttpClient. I was given a certificate to install in the Java keystore (crt file) which is signed by a CA trusted by the server.
My question is: Isn't the private key (the .key file) also needed in order for this to work? If the client and server are both authenticating each other, and both give the other the public key when asked, don't both send each other an encrypted message using the other's public key before the connection is established? Or am I missing something?
I built a Web-Service application in Jdeveloper 11.1.1.7 and deployed it on weblogic 10.3.6 with all Key-store and SSL configuration.
SSl Configuration:
Use Server Certs : Checked
Two Way Client Cert Behavior: Client Certs Not Requested. [That is means it is one-way ssl.
Correct me if that wrong]
SSL Listen Port Enabled: Checked
Key-store Configuration:
Custom Identity and Custom Trust. The file path has been specified for those custom key store
A sample client application has been created and everything seems to be fine; I mean the client can not access the server application without specifying the trust store file location where the server certificate is stored and it is trusted at the client end.
By the server certificate I mean the same certificate that has been configured in server Key-store Configuration
for your information the client application referring to trust store as follow:
System.setProperty("javax.net.ssl.trustStore",[Trust-store location goes here]);
System.setProperty("javax.net.ssl.trustStorePassword", [password goes here]);
Till now nothing wrong. Next is the problem details:
For the purpose of testing I tried to access the deployed web-service application using the SoapUI (open source software). What is confusing is the request has been sent, accepted at the server and proceed without specifying any thing for server certificate nor trust store location in SoapUI project configuration !!
Why the SOAP request has been accepted from SoapUI without referring to server certificate? The request should be rejected in this case.
My experience with SoapUI is that it is quite lenient. For example, if it doesn't check if the CN of server certificate matches the fully qualified domain name in the URL. In your case, your server most likely uses a CA signed certificate. Most of the root and intermediate certificates of well known CA's (e.g. VeriSign/Symantec) are already included in the default truststores for most systems. If your server had used a self-signed certificate, then SoapUI would have incurred SSL error unless you import the self-signed certificates into the truststore of the host where SoapUI is running.
There is a wsdl which I wanted to access, the point here is I cannot access this WSDL as it is giving SSL Error. I wanted to know what all is needed here?
What I have done from my side :
Lets say Server A wants to access a WSDL which is implemented in Server B, now there has to be exchange of certificates between these two servers right? What all exchanges it should happen?
I have created a certificate request using "Create certificate Request" from IIS and shared this certificate request with Server B, from Server B We have got a p7b file. Now what exactly we have to do from here? Is the approach what we followed correct or we are deviating from the actual problem?
I got the clarification finally. Thanks for the support whatever you have given.
As conveyed above here was the problem,
Server A wants to access WSDL from Server B, and We are created a "Certificate request File" (P10b) file and shared with Server B, Now they have provided us with (P7b) file. Here was my doubt as to how to proceed.
Explanation :
P10b : "Certificate request" created by Server A in this case. This is a certificate request which means "This is my domain and I wanted to open a request for secured access" . Now this is what we share with Server B (Where wsdl is being implemented). Now since we want to access something from Server B over secured layer, Server B has to sign this request (signing here means approving any request which comes from Server A since this request holds the server name from where it is originating), Now this signing will be done by Server B which is when the certificate will be transformed from p10b to p7b which is what Server B will do and it will send this information to Server A.
Now at Server A we have this certificate called p7b, Server A will now have to convert this P7b to p12b which is the final version of the certificate. This conversion is a kind of decrypting technique which will be done by only the private key of Server A (which means only Server A can decrypt this) Once Server A converts this p7b to p12b which is the final version of certificate, now the server A can have access to the secured resources of Server B by using this certificate. If Server A want's to access WSDL from browser then the browser should have this certificate imported which can be done from the settings on the browser. If the wsdl has to be accessed from a soap UI then this can be done by SSL settings on SOAP UI.
I hope I have made clear. Please let me know if it's not clear anywhere.
I had faced the same issue with my remote spring service when I had converted it from normal http to https.All you need to do is generated certificate for requested application your application and register it with trust store of ServerB from where you want to access application. You can check following links to achieve that
Digital Certificate: How to import .cer file in to .truststore file using?
How to import a jks certificate in java trust store
http://singztechmusings.wordpress.com/2011/05/08/https-communication-how-it-works/
Hope this will give you very good insight.
I am attempting to construct a Glassfish hosted web service that impersonates (for development testing) a WCF hosted web service. I have the WSDL from the WCF hosted service, and I can construct the Java service and Java client from the WCF-hosted WSDL with no issues. The WSDL uses Mutual Certificate Security for data exchange.
The WSDL has an embedded X509 certificate that matches the WCF server's host certificate.
When I try to connect my Java client to the Glassfish-hosted Java service I get - of course - certificate errors.
So what steps do I take to get this to work? I am assuming that:
A) I need to replace the X509 certificate string in the WSDL with the contents of the self-signed Glassfish certificate 's1as' created when I installed Glassfish.
B) Set the Glassfish server SSL parameters for the server Network config to use the default cacerts.jks and keystore.jks certificate stores supplied with the Glassfish installation. Even though I am not using SSL here, I am assuming the server needs to know where its truststore and keystore is to perform mutual certificate security across HTTP.
C) Add the 's1as' server certificate to the truststore for the Java client.
D) Add whatever certificate I was previously using for the original WCF connecting client to the keystore for the Glassfish server. (I am not sure on this one?)
Is there something I am missing here? Any assistance would be much appreciated.
Apparently, you're using message layer security, not SSL. So the communication layer is not encrypted, just the messages themselves.
This is done in Glassfish using the WSIT features. I suggest looking at the Mutual Certificate Security example in the WSIT Tutorial: http://docs.oracle.com/cd/E19316-01/820-1072/ahiem/index.html.
Basically, WSIT uses the keystores in as-install/domains/domain1/config, and you need to specify them by alias name in your WSIT descriptor.
Greets, Geert.
I am implementing a VB.NET desktop application which consumes a web service.
The web service implemented in Java and I currently using Tomcat on my localhost to host the web service.
The web service requires secure communication with the client and so I have followed instructions that outlined how to use Java's keytool.exe to create two .jks keystores (one for the client and one for the server) and then create two .cer certificates (one for the client and one for the server)
I have placed the keystores and certificates generate into the directory where the web service is expecting them (according to the instructions)
I have installed the certificates into TrustedPeople and have attempted to use the certificate by setting the ClientCredentials.ClientCertificates property like this:
myServiceProxy.ClientCredentials.ClientCertificate.SetCertificate(storeLocation.CurrentUser, StoreName.TrustedPeople, X509FindType.FindByIssuerName, "name")
I keep getting the following error message when I try to call any method:
An error was discovered processing the <wsse:Security> header
My problem is that I don't know how to use this in the VB.NET client application that is consuming the web service. I could be doing this completely wrong. Any guidance on this topic would be greatly appreciated.
Thank you,
-Frinny
While I haven't coded VB for 10 years, this should get you started: http://www.example-code.com/vbdotnet/ssl_client_certificate.asp
especially this looks like it is loading the file containing the certificate:
certStore.LoadPfxFile("chilkat_secret.pfx","secret")
and this extracts the certificate and uses it for the connection:
Dim cert As Chilkat.Cert
cert = certStore.FindCertBySubjectCN("Chilkat Software, Inc.")
If (cert Is Nothing ) Then
MsgBox(certStore.LastErrorText)
Exit Sub
End If
socket.SetSslClientCert(cert)
When I had to work with certificates and WS, I had lots of issues with the them too. Use the certificates MMC and verify:
That you placed the certificate in the correct place. Note that there is a CurrentUser store, Machine Store etc. Make sure you put the certificate in the correct one according to your code.
Which user is running your application? Is the certificate located in it's store? The certificate must be visible to the user.
Open the certificate and make sure it is trusted (you will see a warning if not). You may need to put your CA's certificate in Trusted Certification Authorities store.
Make sure that the algorithms you use on each side are supported by the other side.
Note that you are looking for the certificate by issuer name X509FindType.FindByIssuerName, "name" open the certificate, make sure the issuer name matches (I guess not since it seems like copy&paste from example).
If all of this fails, try to experiment with the certificate location (I vaguely remember some issue with being able to use certificates from one location and not the other), and with the property you use to search for the certificates.
Plus, since you asked about certificates I answered about certificates. It's a good idea to check if there's an inner exception and see - it may be another problem.