change soap:address location from http to https - java

Yes, my application server runs on https. The client is asking to change the soap address from http to https.
The client is asking that whenever he wants to see the wsdl through a browser, the soap address should come as https.
I already added this in axis2.xml...
<transportReceiver name="https" class="org.apache.axis2.transport.http.SimpleHTTPServer">
<parameter name="port">8443</parameter>
</transportReceiver>
I added the below in service.xml
<transports> <transport>HTTPS</transport> </transports>
after the closing tag, but it gives me the exception below:
org.apache.axis2.deployment.DeploymentException: Service [ RTAPDevService] is trying to expose in a transport : <transports> <transport>HTTPS</transport> </transports> and which is not available in Axis2

There is a typo in service.xml. It should be:
<transports><transport>https</transport></transports>
not HTTPS.
Your wsdl will look like this:
<wsdl:service name="SampleService">
<wsdl:port name="SampleServiceHttpsSoap11Endpoint" binding="ns:SampleServiceSoap11Binding">
<soap:address location="https://localhost:8443/Axis2HttpsProject/services/SampleService.SampleServiceHttpsSoap11Endpoint/"/>
</wsdl:port>
<wsdl:port name="SampleServiceHttpsSoap12Endpoint" binding="ns:SampleServiceSoap12Binding">
<soap12:address location="https://localhost:8443/Axis2HttpsProject/services/SampleService.SampleServiceHttpsSoap12Endpoint/"/>
</wsdl:port>
<wsdl:port name="SampleServiceHttpsEndpoint" binding="ns:SampleServiceHttpBinding">
<http:address location="https://localhost:8443/Axis2HttpsProject/services/SampleService.SampleServiceHttpsEndpoint/"/>
</wsdl:port>
</wsdl:service>
And one more thing: make sure you have added the http-core jar.
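As an added example (not part of the answer above and not Axis2 code), here is a small Python check that parses a served WSDL and lists every port whose address is not https, which is the check to run on the WSDL the browser shows after the transports change. The sample WSDL is constructed for this example and deliberately leaves one port on http; the service and binding names are taken from the answer's WSDL.

```python
"""List every WSDL port whose soap/soap12/http address is not https.

Added example, not code from the question, the answer or Axis2.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The three address element types Axis2 emits for a service.
ADDRESS_TAGS = {
    "{http://schemas.xmlsoap.org/wsdl/soap/}address",
    "{http://schemas.xmlsoap.org/wsdl/soap12/}address",
    "{http://schemas.xmlsoap.org/wsdl/http/}address",
}
WSDL_PORT = "{http://schemas.xmlsoap.org/wsdl/}port"


def find_non_https_endpoints(wsdl_text):
    """Return (port name, location) for each advertised address that is not https."""
    root = ET.fromstring(wsdl_text)
    offenders = []
    for port in root.iter(WSDL_PORT):
        for child in port:
            if child.tag in ADDRESS_TAGS:
                location = child.get("location", "")
                if urlsplit(location).scheme.lower() != "https":
                    offenders.append((port.get("name"), location))
    return offenders


# Constructed sample WSDL: two https endpoints and one still on http.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
    xmlns:ns="http://example.invalid/sample">
  <wsdl:service name="SampleService">
    <wsdl:port name="SampleServiceHttpsSoap11Endpoint" binding="ns:SampleServiceSoap11Binding">
      <soap:address location="https://localhost:8443/Axis2HttpsProject/services/SampleService.SampleServiceHttpsSoap11Endpoint/"/>
    </wsdl:port>
    <wsdl:port name="SampleServiceHttpsSoap12Endpoint" binding="ns:SampleServiceSoap12Binding">
      <soap12:address location="https://localhost:8443/Axis2HttpsProject/services/SampleService.SampleServiceHttpsSoap12Endpoint/"/>
    </wsdl:port>
    <wsdl:port name="SampleServiceHttpEndpoint" binding="ns:SampleServiceHttpBinding">
      <http:address location="http://localhost:8080/Axis2HttpsProject/services/SampleService.SampleServiceHttpEndpoint/"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
"""

if __name__ == "__main__":
    for name, location in find_non_https_endpoints(SAMPLE_WSDL):
        print(f"port {name} still advertises {location}")
```

Run it against the WSDL fetched over https from the server; an empty result means every advertised endpoint already points at the https transport.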

This is what I did:
Create a certificate
keytool -genkey -alias localhost -keypass password -keystore /choose/a/path/localhost.bin -storepass password -keyalg RSA
Enabling SSL on the server side for AXIS2 in Tomcat
Add the following in server.xml of Tomcat:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/choose/a/path/localhost.bin"
keystorePass="password" keyAlias="localhost"/>
Change axis2.xml
(You can use both: http and https)
<transportReceiver name="http"
class="org.apache.axis2.transport.http.AxisServletListener">
<parameter name="port">8080</parameter>
</transportReceiver>
<transportReceiver name="https"
class="org.apache.axis2.transport.http.AxisServletListener">
<parameter name="port">8443</parameter>
</transportReceiver>
Hope it helps.

In the standalone.xml I made these changes:
<subsystem xmlns="urn:jboss:domain:webservices:1.2">
<modify-wsdl-address>true</modify-wsdl-address>
<wsdl-host>jbossws.undefined.host</wsdl-host>
<wsdl-port>443</wsdl-port>
<endpoint-config name="Standard-Endpoint-Config"/>
</subsystem>

Related

Not able to redirect http to https

Please look into my server.xml:
I am not able to redirect port 8019 to https (port 443). I tried various examples on the web but I still cannot get it working. Could anyone help me with what is wrong with my server.xml?
<Connector port="8019" protocol="HTTP/1.1"
connectionTimeout="100000"
redirectPort="443" />
<Connector port="443" maxHttpHeaderSize="8192" SSLEnabled="true"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true" clientAuth="false"
keystoreFile="C:\zenfortecertificate\3_zensar_com.pfx" keystorePass="[my password]" keystoreType="PKCS12"
sslEnabledProtocols="TLSv1.2"
ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"/>
<Connector port="8019" protocol="AJP/1.3" redirectPort="443" />
<Engine name="Catalina" defaultHost="zenforte-stg.zensar.com">
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
[...]
</Host>
<Host name="zenforte-stg.zensar.com" appBase="zen_webapps"
unpackWARs="true" autoDeploy="true"/>
</Engine>
There are a few problems with your server.xml. Some of them have to do with your actual question, others are just things you might want to think about.
First, you have two <Connector> elements on the same port (8019):
<Connector port="8019" protocol="HTTP/1.1" connectionTimeout="100000" redirectPort="443" />
and
<Connector port="8019" protocol="AJP/1.3" redirectPort="443" />
So the first thing to do is to pick a connector and remove the other one. If you want to use the AJP protocol with your reverse-proxy or load balancer, then keep the AJP one. Otherwise, use the HTTP one.
The key to redirecting HTTP -> HTTPS is the redirectPort in your non-secure <Connector> (on port 8019, whichever one AJP/HTTP you choose). But the redirect doesn't happen unless your application asks for it. In order to do that, you need this in your application's WEB-INF/web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Everything</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
This tells the container (Tomcat) that the application expects "confidential" communication and it will automatically redirect any non-confidential (i.e. insecure) requests to the confidential (i.e. encrypted) protocol on the other port (https/443).
Some other considerations:
Your connectionTimeout of 100 seconds is a long time. You probably want that to be much lower otherwise clients can tie-up your server without accomplishing any work.
Your <Connector> contains all of your secure configuration. Modern Tomcats use a <SSLHostConfig> for all that configuration. This suggests an old configuration with a new server or, worse, an old server. You should try to upgrade to the latest server and use the latest configuration style. The newer configuration style gives you greater control over the configuration and makes it clearer what is happening. (For example, if you want to use RSA + ECDSA, the configuration is more explicit using <SSLHostConfig> + <Certificate> than just specifying the keystore and hoping for the best.)
If you aren't using the "localhost" <Host> in your configuration, remove it. Even better, if you don't have any other <Host>s defined, just allow the "localhost" one to cover everything. This makes your configuration less customized from the default, and therefore you have fewer changes to maintain from the stock server.xml.
Specifying disableUploadTimeout="true" doesn't have any effect unless you also specify connectionUploadTimeout.
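As an added example (not from the question, the answer, or Tomcat), here is a Python lint that turns the points above into mechanical checks over a server.xml and a web.xml: duplicate connector ports, a non-secure connector whose redirectPort is missing or does not name an SSLEnabled connector, legacy per-Connector SSL attributes where <SSLHostConfig> is expected, a long connectionTimeout, disableUploadTimeout without connectionUploadTimeout, and a web.xml without a CONFIDENTIAL constraint on /*. The same web.xml check covers the security-constraint used in the later "http to https redirect (tomcat/jboss)" question. The 30 s connectionTimeout limit is an assumption made for this example, and both sample documents are constructed (the server.xml is cut down from the question's, with the keystore path and password replaced by placeholders).

```python
"""Lint a Tomcat server.xml and web.xml for HTTP -> HTTPS redirect problems.

Added example, not code from the question, the answer or Tomcat.
"""
import xml.etree.ElementTree as ET

# Per-Connector SSL attributes that newer Tomcats expect inside <SSLHostConfig>.
LEGACY_SSL_ATTRS = ("keystoreFile", "keystorePass", "keystoreType", "sslProtocol",
                    "sslEnabledProtocols", "ciphers", "clientAuth")
MAX_CONNECTION_TIMEOUT_MS = 30000  # assumed limit for this example, not a Tomcat default


def lint_server_xml(text):
    """Return human-readable findings for the <Connector> elements in server.xml."""
    connectors = list(ET.fromstring(text).iter("Connector"))
    findings = []
    seen = {}
    for c in connectors:  # two connectors on one port cannot both bind
        port = c.get("port")
        if port in seen:
            findings.append(f"duplicate connector on port {port} "
                            f"({seen[port]} and {c.get('protocol')})")
        seen.setdefault(port, c.get("protocol"))
    secure_ports = {c.get("port") for c in connectors
                    if c.get("SSLEnabled", "false").lower() == "true"}
    for c in connectors:
        port = c.get("port")
        if port in secure_ports:
            legacy = [a for a in LEGACY_SSL_ATTRS if a in c.attrib]
            if legacy and c.find("SSLHostConfig") is None:
                findings.append(f"port {port}: legacy SSL attributes {legacy}; "
                                "move them to <SSLHostConfig>/<Certificate>")
        else:  # a plain connector must point its redirect at a real TLS connector
            target = c.get("redirectPort")
            if target is None:
                findings.append(f"port {port}: no redirectPort, so no HTTP -> HTTPS redirect")
            elif target not in secure_ports:
                findings.append(f"port {port}: redirectPort {target} is not an SSLEnabled connector")
        timeout = c.get("connectionTimeout")
        if timeout and int(timeout) > MAX_CONNECTION_TIMEOUT_MS:
            findings.append(f"port {port}: connectionTimeout {timeout} ms is long")
        if (c.get("disableUploadTimeout", "").lower() == "true"
                and "connectionUploadTimeout" not in c.attrib):
            findings.append(f"port {port}: disableUploadTimeout has no effect "
                            "without connectionUploadTimeout")
    return findings


def _local(tag):
    """Strip the namespace so web.xml parses the same with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def has_confidential_constraint(text, pattern="/*"):
    """True if a security-constraint covers `pattern` with transport-guarantee CONFIDENTIAL."""
    for sc in ET.fromstring(text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = {e.text.strip() for e in sc.iter()
                    if _local(e.tag) == "url-pattern" and e.text}
        guarantees = {e.text.strip() for e in sc.iter()
                      if _local(e.tag) == "transport-guarantee" and e.text}
        if pattern in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False


# Constructed sample, cut down from the question's server.xml (placeholders for secrets).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8019" protocol="HTTP/1.1" connectionTimeout="100000" redirectPort="443" />
<Connector port="443" SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
 disableUploadTimeout="true" keystoreFile="/path/to/keystore.pfx" keystorePass="REPLACE_ME"
 keystoreType="PKCS12" sslEnabledProtocols="TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
<Connector port="8019" protocol="AJP/1.3" redirectPort="443" />
</Service></Server>"""

# Constructed sample web.xml carrying the constraint from the answer.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
<security-constraint>
<web-resource-collection>
<web-resource-name>Everything</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
</web-app>"""

if __name__ == "__main__":
    for finding in lint_server_xml(SAMPLE_SERVER_XML):
        print(finding)
    print("web.xml asks for CONFIDENTIAL on /*:", has_confidential_constraint(SAMPLE_WEB_XML))
```

On the sample it reports the duplicate 8019 connector, the 100 s timeout, the legacy SSL attributes on 443 and the ineffective disableUploadTimeout, and confirms the web.xml constraint; once the AJP connector is removed the duplicate finding disappears.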

SSL enabled connector keeps appearing in server.xml

Whenever I try to run my web application, which was running fine before, I keep getting the error
java.lang.IllegalArgumentException: C:\Users\user\.IntelliJIdea2019.2\system\tomcat\projectName\conf\localhost-rsa.jks (The system cannot find the file specified)
So I dug into the problem and found my server.xml:
<Server port="8090" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
</SSLHostConfig>
</Connector>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" />
</Realm>
<Host name="localhost" appBase="C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps" unpackWARs="true" autoDeploy="true" deployOnStartup="false" deployIgnore="^(?!(manager)|(tomee)$).*">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
</Engine>
</Service>
</Server>
Here I think the problem is that there is a connector element with port 8443 which refers to the certificate. As I do not need https, I removed the connector and restarted the server from IntelliJ, but the connector reappears, and I haven't specified any https port in the run configuration either.
What am I doing wrong? How could I fix this?
Remove redirectPort="8443"; redirectPort is used for handling https.
<Connector port="8009" protocol="AJP/1.3" />
The redirect port comes into the picture when an SSL request comes to the server; since the http connector port cannot handle SSL requests, it will redirect to the port defined.
Check your project's application server settings.
Create a new application server and use that for running the app.
https://www.jetbrains.com/help/idea/configuring-and-managing-application-server-integration.html
I think you got code from somewhere which has settings for httpd and you can't figure out how to remove it.
Check for the JKS file or create a new one.
JKS stands for Java KeyStore. It is a repository of certificates (signed public keys) and [private] keys. You can export a certificate stored in a JKS file into a separate file. You can use the "keytool" utility found in Java distributions to maintain your JKS trust and key repositories. Like other types of key repositories (e.g., PKCS12, CMS), a JKS repository is protected by a password because it may contain private keys, which must be protected because they are used to decrypt information encrypted by public keys. [Private] keys in repositories are also protected by a "key password," which may be the same as the key repository's password (not a good practice).
The following command would export the certificate associated with the alias/label "mycert" in the JKS file "mykeys.jks". The output file "mycert.cer" would contain the certificate (i.e., the signed public key) only.
keytool -exportcert -rfc -alias mycert -file mycert.cer -keystore mykeys.jks -storepass passw0rd

Low WSO2ESB https proxy service performance

I am creating some proxy services to a Web-Services which have the restriction that all connection must be secured (over https).
After making some configuration changes on the WSO2 server I could finally create those proxy services successfully. The connection between the client and the final Web-Service through WSO2ESB is OK, but the connection is very slow.
To discard network problems we allowed requests over http, with very good performance. To sum up, the same client request over http takes less than 1 second, and over https it takes 20 seconds, more or less.
Another test done to try to understand where the problem is: I made requests over https directly to the end Web Service without passing through WSO2ESB. In this case the https performance is very good too (quite similar to the request done over http).
So the problem could be in some part of the WSO2ESB server configuration. The first https request always takes the same (20 seconds), and if I do more than one, the following ones take less than 1.5 seconds. So the problem could be some kind of timeout doing something related to the SSL connection.
More useful information:
wso2server version: 4.8.1
Java versions tested: 1.7.0_45 and 1.8.0_60
Added parameter in CARBON_HOME/bin/wso2server.sh: -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
Tomcat connector configuration from CARBON_HOME/repository/conf/tomcat/catalina-server.xml:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8888"
bindOnInit="false"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
maxHttpHeaderSize="8192"
acceptorThreadCount="2"
maxThreads="250"
minSpareThreads="50"
disableUploadTimeout="false"
enableLookups="false"
connectionUploadTimeout="120000"
maxKeepAliveRequests="200"
acceptCount="200"
server="WSO2 Carbon Server"
clientAuth="false"
compression="on"
scheme="https"
secure="true"
SSLEnabled="true"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="..."
URIEncoding="UTF-8" />
Maybe I missed something in the axis2.xml configuration file ($CARBON_HOME/repository/conf/axis2/axis2.xml)? Here is the part related to it:
TransportReceiver (https part):
<transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
<parameter name="port" locked="false">8443</parameter>
<parameter name="non-blocking" locked="false">true</parameter>
<parameter name="bind-address" locked="false">XXX.XXX.XXX.XXX</parameter>
<parameter name="WSDLEPRPrefix" locked="false">https://XXX.XXX.XXX.XXX:8443</parameter>
<parameter name="httpGetProcessor" locked="false">org.wso2.carbon.transport.nhttp.api.PassThroughNHttpGetProcessor</parameter>
<parameter name="SSLProtocol">TLSv1.2</parameter>
<parameter name="keystore" locked="false">
<KeyStore>
<Location>repository/resources/security/wso2carbon.jks</Location>
<Type>JKS</Type>
<Password>XXX</Password>
<KeyPassword>XXX</KeyPassword>
</KeyStore>
</parameter>
<parameter name="truststore" locked="false">
<TrustStore>
<Location>repository/resources/security/client-truststore.jks</Location>
<Type>JKS</Type>
<Password>XXX</Password>
</TrustStore>
</parameter>
</transportReceiver>
TransportSender (https part):
<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
<parameter name="non-blocking" locked="false">true</parameter>
<parameter name="SSLProtocol">TLSv1.2</parameter>
<parameter name="keystore" locked="false">
<KeyStore>
<Location>repository/resources/security/wso2carbon.jks</Location>
<Type>JKS</Type>
<Password>XXXX</Password>
<KeyPassword>XXXX</KeyPassword>
</KeyStore>
</parameter>
<parameter name="truststore" locked="false">
<TrustStore>
<Location>repository/resources/security/client-truststore.jks</Location>
<Type>JKS</Type>
<Password>XXXXX</Password>
</TrustStore>
</parameter>
<parameter name="HostnameVerifier">AllowAll</parameter>
</transportSender>
PROBLEM SOLVED.
The low performance SSL problem was caused by a restriction in the network firewall. The firewall was blocking the connections to the DNS server, so WSO2ESB couldn't validate properly the client certificate and the client hostname.
After having added a new rule in the firewall the SSL performance of the WSO2ESB is quite good.
Thank you.

one way ssl over jboss-as-7.1.1.Final

I am trying to configure one-way SSL with a self-signed certificate on jboss-as-7.1.1.Final.
I have created a keystore using the Java keytool.
The following is the command I used to generate the keystore:
keytool -genkey -alias foo -keyalg RSA -keystore foo.keystore -validity 10950
The keystore was generated. I have also modified the standalone.xml file:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="8443"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="foo-ssl" key-alias="foo" password="password" certificate-key-file="D:\Projects\Fiserv\certificate\self signed\foo.keystore" protocol="TLSv1" verify-client="true"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
http works fine, but when I use https, I get the below error:
Certificate-based authentication failed
This server requires a certificate for authentication, and didn't accept the one sent by the browser. Your certificate may have expired, or the server may not trust its issuer. You can try again with a different certificate, if you have one, or you may have to obtain a valid certificate from elsewhere.
Error code: ERR_BAD_SSL_CLIENT_AUTH_CERT
You need to set verify-client="true" to false. You have now specified that the client must also present a certificate (i.e. mutual authentication). That's also what the error code says: ERR_BAD_SSL_CLIENT_AUTH_CERT.

http to https redirect (tomcat/jboss)

We want to redirect all traffic that comes to the http URL of our application to https. In order to do that we set the following values in the web.xml in the deploy/jboss-web.deployer/conf directory:
<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
This does successfully redirect the user to the https location; HOWEVER, it uses a different port from what was configured in the server.xml in the deploy/jboss-web.deployer path:
<Connector port="8381" address="${jboss.bind.address}"
maxThreads="350" maxHttpHeaderSize="8192"
emptySessionPath="true" protocol="HTTP/1.1"
enableLookups="false" redirectPort="8543" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" compression="on" />
<!-- Define a SSL HTTP/1.1 Connector on port 8643
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<!---->
<Connector port="8543" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="${jboss.server.home.dir}/conf/localhost.keystore"
keystorePass="changeit"
/>
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="${jboss.bind.address}" protocol="AJP/1.3"
emptySessionPath="true" enableLookups="false" redirectPort="8543" />
<Engine name="jboss.web" defaultHost="localhost" jvmRoute="data1">
We had the https port set to 8543, which did then work; however, the https port that the user was redirected to when going to the http URL was 8744 (when we set 8744 in the server.xml it worked successfully). We could not find where the 8744 port was taken from. Does anyone know how to configure which port the first code block placed in the web.xml redirects to?
Another query is that when we put this configuration into production the https port will be "443"; we need to know where to set 443 for the "security-constraint" entry to redirect to. Accessing http://www.data.com will have to redirect to https://www.data.com then.
Regards,
Milinda
Well, the good news is that in production it will work fine. The security constraint is doing its job, but it is designed to work only between http (80) and https (443).
Pay attention that 8744 - 8381 = 363 = 443 - 80
I am using JBoss-4.2.3.GA and have observed the same behavior, not sure if it is still doing this on Wildfly.
