I'd like to test whether my Geneva-based federated security services can be consumed with NetBeans/WSIT. Is there something like a step-by-step guide? The server side uses the 'message credentials over HTTPS' security mode, while all the examples I've seen rely on message-level encryption and focus on consuming a .NET STS from a Java RP service.
Here are some links.
mszCool: Identity Interoperability - Geneva Beta 1 STS with .NET Client and Netbeans 6.5 / Metro 1.3 / WSIT / Java client working.
The WSIT Tutorial.
WSIT Documentation: Security Mechanisms:
However, the message security mechanisms require a newer version of certificates than is available with GlassFish. You can download valid keystore and truststore files for the client and server as described in To Manually Update GlassFish Certificates.
To use this mechanism, follow the steps in Configuring SSL For Your Applications.
See Also: Example: Transport Security (SSL).
In my current project, I have an Oracle Database 11g. Java 1.6 is installed on the database.
My task is to connect over HTTPS to a web service provider from a database procedure (PL/SQL). For this task I have used a Java stored procedure (rather than the UTL_HTTP PL/SQL package) because I also need to sign the XML with a certificate before sending. The whole process worked well until now (picture A).
Nowadays the web service provider has disabled TLS 1.0 and only TLS 1.1 and TLS 1.2 are supported. This brings me problems because Java 1.6 does not support TLS 1.1 and TLS 1.2, and it's impossible to upgrade Java on the database side.
The idea is to write some kind of web service proxy (picture B).
My idea is to make some kind of web service proxy (web-service to web-service communication over SSL), but I don't know if this is the right approach to take. Another question is what is the best (simple) way to do that? For web service deployment I have Oracle WebLogic or a Tomcat container.
Thank you for any info. I can't get any support from Oracle about this scenario (consuming a web service from Oracle 11g over TLS 1.1/TLS 1.2).
You could use Bouncy Castle as a JCE provider, if it is possible to load additional libs into the JVM.
Then you would have to use Bouncy Castle in your SSL connection as described here.
Otherwise you could upgrade your database if you can somehow sign your XML in PL/SQL.
Else you can also go for the other alternative you mentioned; as long as it is in a secured environment it should not be a problem. Maybe this can also simplify your setup, since you do not have to sign your XML in the database but can rather do it in the Oracle/Tomcat container.
Solved with:
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
SSLContext sslcontext = SSLContext.getInstance("TLS", new BouncyCastleJsseProvider());
Now I have to upload the libraries to the Oracle database with loadjava.
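The one-liner above only creates the context. The following is an added example, not code from the thread, showing the full client side a practitioner would want before loading anything into the database: a Bouncy Castle JSSE context with its own PKIX trust manager, the socket pinned to TLS 1.2/1.1, and a check of the protocol that was actually negotiated. Assumed: the jdk15on builds of bcprov and bctls (which Bouncy Castle publishes for Java 5 and later) are on the classpath or loaded with loadjava, the trust store is a JKS file holding the provider's CA, and the host/port are passed on the command line.

```java
// Added example (not from the original post): force TLS 1.2 on a Java 6 JVM
// by using Bouncy Castle's JSSE provider (bctls) together with the BC JCE
// provider (bcprov). Assumptions: bcprov-jdk15on and bctls-jdk15on are on the
// classpath (or loaded with loadjava), and the target host presents a
// certificate that chains to a CA in the supplied trust store.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

public class BcTls12Client {

    /** Build an SSLSocketFactory backed by BC JSSE instead of the JRE's SunJSSE. */
    static SSLSocketFactory buildFactory(KeyStore trustStore) throws Exception {
        BouncyCastleProvider bc = new BouncyCastleProvider();            // crypto primitives
        BouncyCastleJsseProvider jsse = new BouncyCastleJsseProvider(bc); // TLS 1.1/1.2 engine

        // Take the trust manager from the BC JSSE provider as well, so both the
        // handshake and the certificate path validation run inside BC.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", jsse);
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS", jsse);
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /** Open a socket restricted to TLS 1.2/1.1 and return the negotiated protocol. */
    static String handshake(SSLSocketFactory factory, String host, int port) throws Exception {
        SSLSocket sock = (SSLSocket) factory.createSocket(host, port);
        try {
            sock.setEnabledProtocols(new String[] { "TLSv1.2", "TLSv1.1" });
            sock.startHandshake(); // SSLHandshakeException if the peer or its chain is rejected
            return sock.getSession().getProtocol();
        } finally {
            sock.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // args: host port /path/to/truststore.jks password  (all assumed inputs)
        KeyStore ts = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(args[2]);
        try { ts.load(in, args[3].toCharArray()); } finally { in.close(); }

        String proto = handshake(buildFactory(ts), args[0], Integer.parseInt(args[1]));
        System.out.println("negotiated " + proto);
        if (!Arrays.asList("TLSv1.2", "TLSv1.1").contains(proto)) {
            throw new IllegalStateException("unexpected protocol " + proto);
        }
    }
}
```

Two caveats worth keeping in mind: a raw SSLSocket verifies the certificate chain but not that the certificate matches the host name, so for the real call hand the factory to HttpsURLConnection.setSSLSocketFactory(), whose default HostnameVerifier performs that check; and the BC providers are passed explicitly rather than registered with Security.addProvider(), so the rest of the database JVM keeps using the stock providers.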
Here is the basic architecture I currently use to deliver access to web application (AngularJS on the front-end - JEE-JAX-RS for the back-end REST API):
Client -> Apache -> Application server (Java container - ex. tomcat)
The client browser connects to the application through HTTPS (handled by Apache) and Apache forwards the connection to the Java container (I'm using Oracle WebLogic).
Everything works fine. But now I'd like to use HTTP/2.
Apparently, HTTP/2 will be available only in JEE8 (Servlet v4), which means it will not be available in solutions like WebLogic for a long time.
Actually I have two questions:
1. Can I just activate Apache mod_http2 and configure my front-end (AngularJS) to communicate in HTTP/2, or is it also necessary for my application server to be able to handle HTTP/2?
2. If Apache receives a connection in HTTP/2 and forwards it to the Java container through HTTP/1.1 or AJP, will I still benefit from all the HTTP/2 advantages, even if part of the connection is not in HTTP/2?
Apache (and Nginx) do not currently have the capability to work in reverse-proxy mode and communicate to the backend using HTTP/2.
When you have such "mixed" communication (browser to Apache in HTTP/2 and Apache to backend in HTTP/1.1 or AJP) you are losing a number of optimizations that HTTP/2 brings, in particular multiplexing and HTTP/2 push, not to mention the overhead due to translating the request from HTTP/2 to HTTP/1.1 and vice versa.
HTTP/2 is already available in the Java world: Jetty (I am the Jetty HTTP/2 lead), Undertow and Netty already provide transparent HTTP/2 support so that you just deploy your JEE application, enable HTTP/2 and it's done.
Because of these limitations of Apache and Nginx, we currently recommend to use HAProxy in front of Jetty (as explained in details here).
This configuration will give you the maximum benefit for HTTP/2: fast TLS offloading performed by HAProxy, powerful load balancing, very efficient communication with the backend (no translation to HTTP/1.1), with HTTP/2 everywhere and therefore all its benefits.
Jetty also offers an automatic HTTP/2 push mechanism, which is not available, to my knowledge, in Apache or Nginx.
Specifically for your questions:
You can activate mod_http2 so that browser and Apache will communicate via HTTP/2, but you may lose HTTP/2 Push. Communication with the backend will use HTTP/1.1, however. This will work, but it's not an optimal HTTP/2 deployment.
You will not benefit from any HTTP/2 advantage in the communication between the client and the backend if part of the communication is not in HTTP/2.
Yes, you can activate mod_http2 in the httpd.conf file in the Apache24/conf folder. You also need to enable the following modules:
1. mod_log_config
2. mod_setenvif
3. mod_ssl
4. socache_shmcb_module
You have to include the httpd-ssl.conf file in your httpd.conf file by uncommenting the line -- include /extra/httpd-ssl.conf
Put the certificate and key in the conf folder and set their paths in the httpd-ssl.conf file.
The above steps will enable HTTP/2 in Apache 2.4
You can enable HTTP/2.0 for your Java Application hosted on Tomcat by installing Tomcat-9. Tomcat-9 supports HTTP/2.0 and server push services.
You can redirect your requests from Apache 2.4 to Tomcat 9 using the instructions in the link below:
https://www3.ntu.edu.sg/home/ehchua/programming/howto/ApachePlusTomcat_HowTo.html
Using these steps you can enable HTTP/2.0 to work between the client browser, Apache and your Java application. You will get the full benefits of HTTP/2.0 in this way.
I have already implemented all the above steps in my Project and getting full rewards of high performance in communication.
If you have any doubts you can leave your comments here.
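The answer above lists the modules but not the directives. As an added example (not part of any answer in this thread), here is a minimal httpd 2.4 configuration that terminates HTTP/2 over TLS and proxies to a Java container over HTTP/1.1, which is the "mixed" setup the earlier answer describes. Module paths, the server name, certificate file names and the backend port 8080 are assumptions; adjust them to your layout.

```apache
# Added example, not taken from the thread: httpd 2.4 terminating h2 and
# proxying to a Java container over HTTP/1.1. Paths, host and port are assumed.
LoadModule log_config_module     modules/mod_log_config.so
LoadModule setenvif_module       modules/mod_setenvif.so
LoadModule ssl_module            modules/mod_ssl.so
LoadModule socache_shmcb_module  modules/mod_socache_shmcb.so
LoadModule http2_module          modules/mod_http2.so
LoadModule proxy_module          modules/mod_proxy.so
LoadModule proxy_http_module     modules/mod_proxy_http.so
# mod_http2 does not run under mpm_prefork (dropped in 2.4.27); use mpm_event.
LoadModule mpm_event_module      modules/mod_mpm_event.so

SSLSessionCache "shmcb:logs/ssl_scache(512000)"

Listen 443
<VirtualHost *:443>
    ServerName app.example.com

    # h2 is negotiated through ALPN, so it is only offered on the TLS vhost.
    Protocols h2 http/1.1
    H2Push on

    SSLEngine on
    SSLCertificateFile    conf/app.example.com.crt
    SSLCertificateKeyFile conf/app.example.com.key
    # RFC 7540 requires TLS 1.2 and rejects the legacy CBC / RSA-key-exchange
    # suites; with them enabled browsers close h2 connections with
    # INADEQUATE_SECURITY, so keep the list to ECDHE + AEAD suites.
    SSLProtocol         -all +TLSv1.2
    SSLHonorCipherOrder on
    SSLCipherSuite      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

    # The backend hop is plain HTTP/1.1: keep it on loopback or a private network.
    ProxyPreserveHost on
    ProxyPass        "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
</VirtualHost>
```

To confirm the front hop really is HTTP/2, run `apachectl -M | grep http2` to see that the module loaded, then `curl -sI --http2 https://app.example.com/ | head -1`, which should print an `HTTP/2` status line; the container behind it will still log HTTP/1.1 requests.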
HTTP/2 is also available in Tomcat 8.5
We have Oracle Hyperion Master Data Management (aka Data Relationship Management) installed along with its Web Service API, which is essentially an EAR file deployed on WebLogic. A built-in server-side security policy has been attached to this web service. We have a .NET client which needs to speak to this web service endpoint, but we are not really sure how to set the client-side security policy as defined by Oracle.
Versions used - DRM: 11.1.2.1; WebLogic: 10.3.4
I'm looking for pointers (& sample code if possible) on how we can achieve this.
Thanks.
I got the solution for this from http://download.oracle.com/docs/cd/E17904_01/web.1111/e16098.pdf. Section 5 in that document speaks of how to export the certificate from WLS and import the same into the .NET client app along w/ other config as specified in the document. Hope this helps.
I am looking for a Java-based REST server which supports the following authentication mechanisms. Also, please let me know the best resources for REST-based authentication.
Token
Certificate
Kerberos
Oauth
Open Id
I am an architect from WSO2... so my reply could be biased...
You can use the open source WSO2 Application Server to deploy your RESTful services, and WSO2 Identity Server has support for 2-legged OAuth...
Thanks...
Partial answer for method 2) Certificate:
If you're planning on using certificates for authentication, I must assume that the API will be consumed by a limited number of trusted client applications. I've recently developed and deployed a REST API for internal use within an organization, and we use server-client certificates for authentication. This solution delivers a really high level of security, but is very impractical to use in an externally exposed API. This post gives some information: Java HTTPS client certificate authentication.
Any Java container should support these with either:
Apache / IIS as a reverse proxy deployed for SSO (Single Sign On)
Authentication plugins
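For the "Certificate" option discussed in the partial answer above, the part the container does not do for you is deciding which of the certificates it accepted may call the API. The following is an added example, not code from any answer here: a JAX-RS 2.0 request filter that reads the client certificate chain the Servlet container verified during the TLS handshake, rejects requests that arrived without one, and maps an allow-listed subject to a SecurityContext. Assumed: a Servlet container whose HTTPS connector requires client certificates (for Tomcat, `clientAuth="true"` plus a `truststoreFile` on the Connector), and the two subject DNs in the allow-list, which are invented.

```java
// Added example (not from the thread): JAX-RS 2.0 filter authenticating callers
// by the client certificate the container already validated. Assumptions: the
// HTTPS connector is configured to require client certs, and the DNs below
// are placeholder identities.
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.annotation.Priority;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

@Provider
@Priority(Priorities.AUTHENTICATION)
public class ClientCertAuthFilter implements ContainerRequestFilter {

    // Servlet-spec request attribute under which the container exposes the chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Trusted client identities by subject DN (RFC 2253 form); assumed values.
    private static final Set<String> ALLOWED = new HashSet<String>(Arrays.asList(
            "CN=batch-importer,OU=Integration,O=Example Corp",
            "CN=reporting-svc,OU=Integration,O=Example Corp"));

    @Context
    private HttpServletRequest request;

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        final X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        // No chain means the connector did not demand a client cert (or the request
        // came over plain HTTP): fail closed rather than fall through as anonymous.
        if (chain == null || chain.length == 0) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        // chain[0] is the leaf. The container has already validated the path to a
        // trusted CA, so the remaining decision is whether this subject is known.
        String subject = chain[0].getSubjectX500Principal().getName();
        if (!ALLOWED.contains(subject)) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            return;
        }
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return chain[0].getSubjectX500Principal(); }
            public boolean isUserInRole(String role) { return "client".equals(role); }
            public boolean isSecure() { return true; }
            public String getAuthenticationScheme() { return SecurityContext.CLIENT_CERT_AUTH; }
        });
    }
}
```

Matching on the DN string works because getName() returns the canonical RFC 2253 form, but it still ties trust to whoever can obtain a certificate with that subject from any CA in the trust store; if the trust store holds more than your own issuing CA, compare issuer and serial number, or a SHA-256 hash of the certificate, instead of the subject alone.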
I developed an application that uses the Apache XML Security library for XML encryption and signing. It runs on Sun's JDK without any problems; however, the IBM JDK gives me tons of problems.
It doesn't sign right (validation fails), and the PKCS#11 provider fails to encrypt.
It seems that the problem is that IBM provides its own security providers.
I tried to comment out those providers (namely FIPS), and I almost managed to get the same behaviour as on Sun's JDK, except for the PKCS#11 provider, which always fails.
Any suggestions?
Does this thread help - http://www.ibm.com/developerworks/forums/message.jspa?messageID=1315965?
I had trouble in the past with an SSL enabled web application in Apache Tomcat because Tomcat defaults to using algorithm=SunX509 when you define a secure Connector. When using the IBM JDK, you must override by explicitly using algorithm=Ibmx509.
I'm guessing there's a similar issue at the root of your problem.
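The Tomcat symptom in the last answer (a hard-coded `SunX509` that does not exist on the IBM JDK) generalises to any code that names a provider or algorithm explicitly. As an added example, not from this thread, the probe below lists what the running JVM actually registers for the JCA/JSSE service types involved (key/trust manager factories, signatures, key stores) and prints the defaults the stock APIs would pick, so the connector and the XML Security configuration can be made provider-neutral instead of guessed per JDK. The service type names are the standard JCA ones; no IBM-specific names are assumed beyond the `IbmX509` the answer above mentions.

```java
// Added example (not from the thread): enumerate the providers and algorithms
// the running JVM registers, so configuration can use names that exist on
// this JDK (Sun or IBM) instead of hard-coded SunX509 / SunPKCS11 strings.
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

public class ProviderProbe {

    /** "provider:algorithm" for every installed implementation of one service type. */
    static List<String> algorithms(String serviceType) {
        List<String> out = new ArrayList<String>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if (serviceType.equals(s.getType())) {
                    out.add(p.getName() + ":" + s.getAlgorithm());
                }
            }
        }
        return out;
    }

    /** Entries from algorithms(serviceType) whose algorithm name contains needle. */
    static List<String> matching(String serviceType, String needle) {
        List<String> out = new ArrayList<String>();
        for (String entry : algorithms(serviceType)) {
            if (entry.toUpperCase().contains(needle.toUpperCase())) {
                out.add(entry);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // These defaults are what a Tomcat Connector "algorithm" attribute should
        // match: SunX509/PKIX on SunJSSE, IbmX509 on the IBM JDK. Using them in
        // code (KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()))
        // avoids the mismatch described in the thread.
        System.out.println("KeyManagerFactory default:   " + KeyManagerFactory.getDefaultAlgorithm());
        System.out.println("TrustManagerFactory default: " + TrustManagerFactory.getDefaultAlgorithm());

        for (String type : new String[] { "KeyManagerFactory", "TrustManagerFactory", "Signature", "KeyStore" }) {
            System.out.println(type + " -> " + algorithms(type));
        }
        // Whichever provider registers a PKCS11 KeyStore is the one the XML
        // Security code must load the signing key from on this JDK.
        System.out.println("PKCS#11 key stores -> " + matching("KeyStore", "PKCS11"));
    }
}
```

Run it once under each JDK and diff the output: an algorithm or provider name that appears on one side only is a candidate for the failure the question describes, and the `matching("KeyStore", "PKCS11")` line shows directly whether a PKCS#11 key store is registered at all after the FIPS providers were commented out.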