Consuming Webservice over HTTPS
We have a webservice that we are consuming from our end.
Webservice can run both on HTTP and HTTPS protocol.
With HTTP no issues, but how to access with HTTPS.
Can anybody tell me the java code for the same. I need to do this at the application level.
Keystores and truststores will be required but how to use in java code and and trust them.
Any help will be appreciated.
The server authentication part should be easy. Just stick the required cert(s) in the provided cacerts truststore.. see this documentation for some info on using keytool to work with the cacerts truststore.
As far as the client authentication part, I'd look at some other questions here on Stack Overflow for your answer or at least some code to get you started. Here are some questions you should look at:
Creating SSL Client with Axis2/JAVa, and
Choosing SSL client certificate in Java should be a couple for you to look at.
Last, I'm going to submit another edit to add the 'axis2' tag to your question. That should get some more people looking at this that have the appropriate experience.
Related
Since I am new to this SSL I am asking this question. I googled and got this below mentioned HTTPS server python script. May I please know if its one way SSL or Two way SSL? And also how do I take dump to see the communication between client and server?
My requirement is to have one way SSL.
import BaseHTTPServer, SimpleHTTPServer
import ssl
httpd = BaseHTTPServer.HTTPServer(('localhost', 4443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='path/to/localhost.pem', server_side=True)
httpd.serve_forever()
May I please know if its one way SSL or Two way SSL
This is one-way, i.e. the server is sending its certificate but not requesting a certificate from the client. The server could request a client certificate by adding cert_reqs=ssl.CERT_REQUIRED to the call of ssl_wrap.
And also how do I take dump to see the communication between client and server?
Use the packet capture tool of your choice and which is supported on your unknown platform. wireshark is a good choice and you will find plenty of documentation about how to use it.
I have written web service and hosted project on server with SSL certificate.If I want to call HTTPS url, I need to import certificate in JVM manually or through program on client side.
I can't ask any client to do extra work on his side before calling my https url, I would loose my credibility.
If any one knows how to deal with this, please help me on this.
Ideally, you should pay for a real SSL certificate (trusted by one of the common root certificate authorities), rather than getting a self-signed one. Then there won't be any need to important any certificates.
The point about losing credibility with your client is an important one, because that's precisely why you need to buy an SSL certificate - it establishes that an element (however weak) of authenticity... you might still be serving up malware or whatever, but there's still a paper trail back from the site serving the content to whoever paid for the SSL certificate.
I am writing a Java proxy which communicates to other servers using SSL.
It all works well using ServerSocketFactory along with keystore and trustore which is populated with the server cert.
I wonder, is there a way in Java 7 to disable the certification and trust all servers? (and yes I know this is risky - bu the proxy is for internal use only)
I have seen some examples of implementing TrustManager using X509TrustManager implementation, although apparently Java 7 does not support these contracts and X509TrustManager itself has been deprecated.
Appreciate your advise and any code sample on Java 7 that works.
MITM proxy servers (i.e. servers capable of looking into SSL/TLS traffic) normally use their own CA to generate fake certificates for the requested site.
Install this CA certificate in your client's trust store instead of tweaking the code. This is a much cleaner solution, and in the long run, it's easier to deploy.
(For a more direct answer to your question, the countless example of trust managers that do nothing still work fine in Java 7.)
What I did was implementing a java.security.Provider using the code mentioned in this post
https://code.google.com/p/misc-utils/wiki/JavaHttpsUrl
Note: it is the second solution offered.
This post does not mention that you should also add a keystore in-order to make things work.
So, these VM argument should be set as well (Unless so you will get an error message of "no cipher suites in common"):
-Djavax.net.ssl.keyStore=KEYSTORE LOCATION
-Djavax.net.ssl.keyStorePassword=YOUR PASS
I hope this will help you, since in all the places I looked at this part was not mentioned.
Don't be surprised but my question is not about something not working: why the .Net WebClient is able to use HTTPS out-of-the-box without any configuration?
I wouldn't ask if I had not some serious reasons to think it should not be the case: indeed I've used the Apache HttpClient to do the exact same operation, a POST through HTTPS, but it complained.
What bothered the HttpClient was the fact the server TLS certificate was not known.
It's a legitimate complaint so I've added the certificate to the JRE certificates store I was using and after that all worked as expected.
First could you remove an horrible doubt: WebClient is correctly using HTTPS and if I try to connect to "https://downloadspywaresandmalwares.com" it should reject me with something like "are you crazy dude, this is not a trusted location!"?
So I guess this has to do with the diverging security policies of .Net and Java: maybe Java is bundled with its own set of certificates and authorities whereas .Net is more integrated with the OS which may have a bigger set of trusted certificates.
So how could I check all these assumptions?
If it can have any importance: I've used the web-site from Chrome but never from IE so WebClient is not using IE configuration.
Thanks for any input. :)
Ok I think I've finally got it:
as I suspected .Net does not have its own certificates store but uses the OS store
I've managed to find and delete the certificate but this is not easy because Windows is fighting to maintain some certificates in its store
once deleted, as expected, the WebClient is broken and complains because it "Could not establish trust relationship for the SSL/TLS secure channel"
so yes the WebClient uses correctly SSL, that's a relief :)
Hopefully this information will be useful for somebody else...
I have a requirement to use client/server architecture and with Open SSL authentication.
Here, how server to know the connect client using their OPen SSL certificate?
Anyone knows the link, sample then please reply me.We have to develop it in Java.
OpenSSL is not Java, so your solution cannot be both - but I think I know what is intended.
Normally OpenSSL is used as part of Apache http as part of mod_ssl. This in turn uses a "connector" to send the requests to an application server, e.g. Apache Tomcat. You can configure this connector to also send the SSL certificates to tomcat if that is required, but normally the authentication/verification is handled within the deamon.
All this is pretty easy to Google, although you should factor in some time to fully understand the connectors. You've the keywords, now use them :)