I am attempting to construct a Glassfish hosted web service that impersonates (for development testing) a WCF hosted web service. I have the WSDL from the WCF hosted service, and I can construct the Java service and Java client from the WCF-hosted WSDL with no issues. The WSDL uses Mutual Certificate Security for data exchange.
The WSDL has an embedded X509 certificate that matches the WCF server's host certificate.
When I try to connect my Java client to the Glassfish-hosted Java service I get - of course - certificate errors.
So what steps do I take to get this to work? I am assuming that:
A) I need to replace the X509 certificate string in the WSDL with the contents of the self-signed Glassfish certificate 's1as' created when I installed Glassfish.
B) Set the Glassfish server SSL parameters for the server Network config to use the default cacerts.jks and keystore.jks certificate stores supplied with the Glassfish installation. Even though I am not using SSL here, I am assuming the server needs to know where its truststore and keystore is to perform mutual certificate security across HTTP.
C) Add the 's1as' server certificate to the truststore for the Java client.
D) Add whatever certificate I was previously using for the original WCF connecting client to the keystore for the Glassfish server. (I am not sure on this one?)
Is there something I am missing here? Any assistance would be much appreciated.
Apparently, you're using message layer security, not SSL. So the communication layer is not encrypted, just the messages themselves.
This is done in Glassfish using the WSIT features. I suggest looking at the Mutual Certificate Security example in the WSIT Tutorial: http://docs.oracle.com/cd/E19316-01/820-1072/ahiem/index.html.
Basically, WSIT uses the keystores in as-install/domains/domain1/config, and you need to specify them by alias name in your WSIT descriptor.
Greets, Geert.
Related
I am a newbie when it comes to SSL. So I could use some expertise here regarding my situation.
I have a Java based web app that makes SSL API calls. The API and web app, both are hosted in the same server (myserver), and web app makes API calls. Now for testing purpose, we created a self signed certificate with the local domain name and server name (myserver.mydomain.local) and added to the cacerts. SSL handlshake works as desired.
But now, our client is using a CA certificate which they imported to cacerts. And during the SSL handshake, the web app client complains that the certificate issued by the
CN=abc-dns.com,OU=Root Certificate, OU=WASFarmLLLCell01, OU=WASFarmLLLCellManager01, O=IBM, C=US is not trusted; where abc-dns.com is the server name where the API is hosted through Web Sphere.
Do they need to add a self signed certificate in the trust store with the server name abc-dns.com in it to resolve the SSL handshake? Any tips will be greatly appreciated.
The public key from abc-dns.com needs to be added to the truststore of the server that is throwing the handshake exception. There are multiple ways of doing that, here's one:
https://www.ibm.com/support/knowledgecenter/SSEQTP_9.0.5/com.ibm.websphere.base.doc/ae/usec_sslretrievesignercert.html
I am new to JAX-WS SOAP Web Service, Can any one help me how to consume soap web service over https.
Publisher has shared a ssl certificate(.cer) with me, imported this in a TrustStore using a keytool command.
Now to call saop webservice over a https secure layer I need the .jks file to set it as System Environment Variable.
I followed many resources How can i create keystore from an existing certificate (abc.crt) and abc.key files?
but it is expecting serverprivatekey.key file.
I do not have private key with me, please help how to proceed.
am I on the right way? or Something wrong in my approach?
You do not need the private key of the server. You only need to import the public key certificate.cer in a truststore. (Really you only need the root certificate). If you have already done on a JKS, configure to use it through
System.setProperty("javax.net.ssl.trustStore",path/to/your/truststore);
System.setProperty("javax.net.ssl.trustStorePassword",password;
Note: The trustmanager of the HTTPS connection will verify the identity of the server during the handshake checking that the signature perfomed by server corresponds to the public key. So the private key must be private and you should not access to it.
How to configure TOMCAT to make the browser show the installed certificates (A3; token USB) when a URL (servlet) is called?
I will retriev the X509 certificate on the servlet request parameter.
Your question is a bit difficult to understand, but I'm guessing that you want tomcat to request a certificate from a client.
If this is the case, then you will want to enable what is called mutual authentication in tomcat.
You will have to set the clientAuth attribute of your tomcat ssl connector to either want or true. The ssl connector will be found in your tomcat server.xml file.
'want' asks the client to send a certificate if it has one, but the request will go though if the client doesn't have a certificate and 'true' means the client is required to send a certificate and the request will fail if the client does not provide a certificate.
More information can be found on the tomcat website:
SSL/TLS Configuration HOW-TO
I built a Web-Service application in Jdeveloper 11.1.1.7 and deployed it on weblogic 10.3.6 with all Key-store and SSL configuration.
SSl Configuration:
Use Server Certs : Checked
Two Way Client Cert Behavior: Client Certs Not Requested. [That is means it is one-way ssl.
Correct me if that wrong]
SSL Listen Port Enabled: Checked
Key-store Configuration:
Custom Identity and Custom Trust. The file path has been specified for those custom key store
A sample client application has been created and everything seems to be fine; I mean the client can not access the server application without specifying the trust store file location where the server certificate is stored and it is trusted at the client end.
By the server certificate I mean the same certificate that has been configured in server Key-store Configuration
for your information the client application referring to trust store as follow:
System.setProperty("javax.net.ssl.trustStore",[Trust-store location goes here]);
System.setProperty("javax.net.ssl.trustStorePassword", [password goes here]);
Till now nothing wrong. Next is the problem details:
For the purpose of testing I tried to access the deployed web-service application using the SoapUI (open source software). What is confusing is the request has been sent, accepted at the server and proceed without specifying any thing for server certificate nor trust store location in SoapUI project configuration !!
Why the SOAP request has been accepted from SoapUI without referring to server certificate? The request should be rejected in this case.
My experience with SoapUI is that it is quite lenient. For example, if it doesn't check if the CN of server certificate matches the fully qualified domain name in the URL. In your case, your server most likely uses a CA signed certificate. Most of the root and intermediate certificates of well known CA's (e.g. VeriSign/Symantec) are already included in the default truststores for most systems. If your server had used a self-signed certificate, then SoapUI would have incurred SSL error unless you import the self-signed certificates into the truststore of the host where SoapUI is running.
In my project,I have integrated Spring Security with CAS server authentication. Now my project is an http application where as the CAS server is an Https application. I was getting following exception after Spring Security and CAS integration: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
In order to solve this error ,I replaced CAS server usr\java\jre\lib\security\cacerts file with my local usr\java\jre\lib\security\cacerts file. After this step the error was gone.
Now I want to deploy my application to some other server. In this new server some other applications are also deployed which may be using different CAS authentication. I cannot directly replace my CAS server cacerts file with this new server cacerts file as in that other application deployed may fail.Right? Can anyone suggest what should I do so that cacerts can be merged,or what should be done? i got to know a command called as keytool but unable to understand how it could be used to merge cacerts file. I dont know how to get my CAS server .cer file,I got to know this could be used in merging,please suggest solution
There is a missunderstanding here.
cacerts is Java's default truststore containing all the trusted certificates for known CA's (Verisign etc). So java can by default trust these certificates same way that your browser does.
This truststore should be used when you want to connect to servers that are signed by these CAs.
In all other cases you are expected to use your own custom truststore so that you can trust specific servers.Actually this is the norm.
So what you should be doing is to load in your code your own truststore and provide that to Java's JSSE to use for authentication during handshake