I am new to web services. I have been given a task to write client code which will call an authentication web service that is exposed over HTTPS. I need to pass a username and password from the client code to check for a valid user. I also have keystore and truststore files. I don't know how to use these files. Can anyone please guide me and provide sample client code?
I am using Axis to generate client stub from wsdl.
Regards,
Vishal
When you say Webservice and Axis, I think you are talking about SOAP. You may want to check Java webservice (soap) client - use certificates.
SOAP is a protocol over HTTP. If you want it to be over SSL it would be on HTTPS.
If you are working on RESTful implementations of JSR-311 like CXF, jersey etc, you will find examples in their websites.
If you can access the URL then you need to add the certificate:
1. Access the URL and click on the lock icon to view the certificate.
2. Go to the details tab of the certificate and save the certificate in Base64 .cer format.
3. Install the certificate by executing the following command:
$ keytool -import -noprompt -trustcacerts -alias ALIASNAME -file FILENAME_OF_THE_INSTALLED_CERTIFICATE -keystore PATH_TO_CACERTS_FILE -storepass PASSWORD
Reference: http://docs.oracle.com/javase/tutorial/security/toolsign/rstep2.html
Axis1 or Axis2?
Anyway, if it's just HTTPS, you need to import the certificate, and depending on the policy of the server you are calling you might have to present yourself with a certificate too.
Look here https://axis.apache.org/axis2/java/rampart/samples.html for information and an example on basic auth.
As for adding a certificate to the outgoing request you need to do something along these lines:
System.setProperty("javax.net.ssl.trustStoreType", "JKS");
System.setProperty("javax.net.ssl.trustStore", "keystore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "password");
System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
System.setProperty("javax.net.ssl.keyStore", "client.p12");
System.setProperty("javax.net.ssl.keyStorePassword", "password");
Take additional care if your communication is going through a proxy.
I was given a SOAP WS to work with.
They gave me the wsdl file from which I was able to create client stub (I've used wsdl2java utility within cxf).
With that wsdl I was also given a .keystore file, and the thing is I do not know how to add it to my keytool (if that is even the right way of putting it).
I've built a junit test that I run to test my client but I constantly get
HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Where can I find an easy guide on what to do with this .keystore file?
Thanks
The error means that the server certificate could not be found in your truststore. Check the contents of the .keystore file to see whether it contains the server certificate (listed as a trustedCertEntry in your truststore). If yes, set the following system properties (either using a -D JVM parameter or System.setProperty()):
javax.net.ssl.trustStore=<<your .keystore>>
javax.net.ssl.trustStorePassword=<<keystore password>>
If these properties are not set, the defaults will be picked up from the default location ($JAVA_HOME/lib/security/jssecacerts or $JAVA_HOME/lib/security/cacerts).
To view the contents of keystore file, use
keytool -list -v -keystore file.keystore -storepass mypassword
To debug the ssl handshake process and view the certificates, set the VM parameter -Djavax.net.debug=all
If the web service requires 2-way SSL, the client needs to send its identity (picked up from your keystore). In this case, your .keystore will contain a PrivateKeyEntry which will be sent to the server during the handshake process. To configure this, set the JVM properties javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword to point to your keystore.
The following works for me:
Application server configuration. Apache Tomcat/7.0.52. server.xml: set clientAuth="true" in the HTTPS connector.
Application server configuration. Apache Tomcat/7.0.52. tomcat-users.xml: create a user with the DN of the user as it appears in your certificate (subject).
Web service: JAX-WS web service Eclipse tutorial. Thanks Arpit! Add a security constraint to it in the deployment descriptor (web.xml).
Client. Generated with apache-cxf maven plugin.
Main class:
HelloWorldImplService helloWorldImplService = new HelloWorldImplService();
HelloWorld helloWorld = helloWorldImplService.getHelloWorldImplPort();
SayHelloWorld parameters = new SayHelloWorld();
parameters.setArg0("World");
SayHelloWorldResponse helloWorldResponse = helloWorld.sayHelloWorld(parameters);
System.out.println(helloWorldResponse.getReturn());
Client JVM options:
-Djavax.net.ssl.trustStore=/xxxx/cacerts.jks -Djavax.net.ssl.trustStorePassword=xxxx -Djavax.net.ssl.keyStore=/xxx/user.jks -Djavax.net.ssl.keyStorePassword=xxxx
You can take a look here: Java SOAP client with certificate authentication
An excellent blog to help you understand the keystores and certificates imports required for HTTPS SSL handshake:
http://ruchirawageesha.blogspot.in/2010/07/how-to-create-clientserver-keystores.html
Hope it helps you to set up your client keystore correctly in order to call the web services.
Good Luck!
I am obtaining this exception (client certificate not found) when trying to connect to a secure Web Service that requires a client certificate. I am using a web service client automatically generated by Axis2, using the Eclipse wizard.
This is the calling code, which causes the exception in the last line:
System.setProperty("javax.net.ssl.trustStore","C:\\Archivos de programa\\Java\\jre7\\lib\\security\\cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
System.setProperty("javax.net.ssl.keyStore","D:\\Perfil Usuario\\internet\\Escritorio\\workspace\\certificados\\clientes.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
ServicioBoletinStub lala = new ServicioBoletinStub();
ConsultaDeCatalogo cons = new ConsultaDeCatalogo();
cons.setArgs0("SECCIONES");
ConsultaDeCatalogoResponse conResp = lala.consultaDeCatalogo(cons);
The client certificate is imported in the "clientes.jks" keystore, and all the other required certificates for the authentication path are in "cacerts".
The only weird thing I had to do was to convert the client certificate from .p12 to .cer, because keytool was complaining that the .p12 file was not an X.509 certificate. The .p12 file was encrypted with a password, but the .cer file is not, so I am afraid that something was missing during the conversion. I am very new to handling certificates so I do not know what I am missing.
I also used SSLPoke to test the connection, and no errors were given.
Thank you very much.
Ok, the problem was in the import process of the client certificate, as suspected. Keytool was not importing the private key into the "clientes.jks" keystore.
I deleted everything from this keystore and followed this post (http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.html) to import the client certificate plus the private key.
Anyway, I think Axis2 should have specified that the exception message was taken from the SOAP response message: I thought it was generating it by itself.
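An added diagnostic for the situation in this thread and for the earlier answer about trustedCertEntry versus PrivateKeyEntry (example code, not from any of the posts): it loads a keystore and reports whether each alias is a trusted certificate or a private key with its chain, so a store that lost its private key in a .p12 to .cer conversion is caught before the handshake fails. The file path, store type and password are assumed to be given on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example, not from the original posts. Assumes the keystore path,
// its type ("JKS" or "PKCS12") and its password are given on the command line.
public class KeyStoreInspector {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: KeyStoreInspector <file> <JKS|PKCS12> <password>");
            System.exit(1);
        }
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[2].toCharArray());
        }
        int privateKeys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                // PrivateKeyEntry: the identity a client presents for 2-way SSL
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain != null && chain.length > 0) {
                    privateKeys++;
                    System.out.println(alias + ": PrivateKeyEntry, chain length " + chain.length);
                    describe(chain[0]);
                }
            } else if (ks.isCertificateEntry(alias)) {
                // trustedCertEntry: a CA or server certificate the client will trust
                System.out.println(alias + ": trustedCertEntry");
                describe(ks.getCertificate(alias));
            }
        }
        if (privateKeys == 0) {
            System.out.println("No private key entry: usable as a truststore only, not as a "
                    + "client keystore (import the .p12 with keytool -importkeystore instead).");
        }
    }

    private static void describe(Certificate cert) {
        if (cert instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) cert;
            System.out.println("  subject=" + x.getSubjectX500Principal()
                    + " issuer=" + x.getIssuerX500Principal() + " expires=" + x.getNotAfter());
        }
    }
}
```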
I need to send a POST request to a server that uses some levels of security. Unfortunately I don't know much about self signed certificates, I never used or studied it.
In the developer guide of the service it says that the server uses a "public 1024-bit self signed certificate".
What does it mean? Do I have to create a certificate or do I have to ask for it?
If I have to create a certificate, then how should I use it?
I'm implementing the client in Java.
You need to download the certificate e.g. with your internet browser. Click through the security information and export the certificate.
Then you need to import it into your local java keystore so that the JVM can find it. For import use the keytool which you find in your jre/bin directory. Documentation for the keytool: http://docs.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html
The default keystore is jre/lib/security/cacerts.
Then you can import the downloaded certificate:
jre/bin/keytool -import -keystore jre/lib/security/cacerts -alias mycertificate -file downloads/mycertificate.cer
Hope this helps.
P.S. Whether it is self-signed or verified is not important at this point. You (your client) just have to trust it.
I am building a Java web service client in which I connect to a service.
This service has SSL certificate verification.
How do I call this service using SSL certificate verification?
I am using a JAX-RPC implementation in a client built using Eclipse.
An example would be appreciated.
I am able to do the web service connection.
I added the certificate to the truststore using the command:
keytool -import -trustcacerts -file <file path/filename.cer> -alias <aliasName> -keystore <JAVA_HOME/jre/lib/security/cacerts>
gave the password as "changeit" and added the certificate to the keystore.
Now in code I added two lines:
System.setProperty("javax.net.ssl.trustStore", "<JAVA_HOME>/jre/lib/security/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
and also added
_call.setUsername("username");
_call.setPassword("password");
where _call is the call object of the Call class.
And it worked!
All you need to do is inject the server root certificate into your JDK/JRE environment by using the following command line:
keytool -importcerts -trustcacerts -file <path_to_root_cer_file> -alias <the_server_alias> -keystore <your_keystore>
The default [your_keystore] is
1. <JDK_HOME>/jre/lib/security/cacerts
2. <JRE_HOME>/lib/security/cacerts
The default password is changeit.
When you call the web service, just mention the
"https://<host>:<SSL_port>/Path/To/Services"
I hope this may help to achieve your requirement.
Regards,
Charlee Ch.
You mean your web service is protected with a "client certificate"? If yes, get the certificate in either .p12 (PFX) or keystore format from the service provider and use the following system properties to set it before your call:
javax.net.ssl.keyStore - Path to the keystore on your server
javax.net.ssl.keyStorePassword - passphrase for that keystore
javax.net.ssl.keyStoreType - Set it to "pkcs12" if the client certificate provided to you is a .p12
If your application is a client to only one web service provider, set these properties as VM arguments; if not, you may need to create a specific SSLConnectionFactory for each secured endpoint. Refer to my response on this post for details on creating custom SSL socket factories.
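Added example (not code from any of the answers) covering both the javax.net.ssl.* system-property approach shown earlier and the per-endpoint socket factory this answer mentions: it builds an SSLSocketFactory from an explicit JKS truststore and a PKCS12 client keystore and applies it to a single HttpsURLConnection, so other connections in the same JVM keep the default stores. File names, passwords and the host example.invalid are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Added example, not from the original answers. Store paths, passwords and the
// host example.invalid are placeholders; the truststore is JKS, the client store PKCS12.
public class EndpointSslFactory {
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Truststore: who we trust (server CA). Keystore: who we are (client cert + private key).
    static SSLSocketFactory build(String trustStore, char[] trustPass,
                                  String keyStore, char[] keyPass) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStore, "JKS", trustPass));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStore, "PKCS12", keyPass), keyPass); // for a .p12 the key password is usually the store password
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory sf = build("cacerts.jks", "changeit".toCharArray(),
                                    "client.p12", "changeit".toCharArray());
        String envelope = "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                + "<soap:Body/></soap:Envelope>";
        HttpsURLConnection conn = (HttpsURLConnection)
                new URL("https://example.invalid:8443/Path/To/Services").openConnection();
        conn.setSSLSocketFactory(sf); // only this connection uses our stores; JVM defaults are untouched
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        conn.setDoOutput(true);
        conn.getOutputStream().write(envelope.getBytes(StandardCharsets.UTF_8));
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```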
I want the last of these lines in a standalone application to pass with no exceptions thrown:
Properties props = new Properties();
props.setProperty("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");
props.setProperty("java.naming.provider.url", "t3s://localhost:9002");
props.setProperty("java.naming.security.principal", "<username>");
props.setProperty("java.naming.security.credentials", "<password>");
Context ctx = new InitialContext(props);
...but I get this information in an exception:
Warning Security BEA-090542 Certificate chain received from localhost - 127.0.0.1 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.
So, I created a keystore for the ca using this command:
keytool -keystore client.jks -importcert -file cacert.pem
...and referred to it using the property weblogic.security.TrustKeyStore=client.jks
This still doesn't work, most likely because I haven't supplied a password to the keystore. What have I missed? How can I supply this password? (or, how do I create the keystore without setting a password for it?)
Almost two months later, I returned to this issue. After finding this link, I found out that this works:
System.setProperty("weblogic.security.SSL.ignoreHostnameVerification","true");
System.setProperty("java.protocol.handler.pkgs", "weblogic.net");
System.setProperty("weblogic.security.TrustKeyStore","CustomTrust");
System.setProperty("weblogic.security.CustomTrustKeyStoreFileName", "<keystorelocation>");
System.setProperty("weblogic.security.CustomTrustKeyStorePassPhrase","<keystorepassword>");
System.setProperty("weblogic.security.CustomTrustKeyStoreType","JKS");
I only got it working using system properties.