SSL Security for Web Services

JAX-RPC does not mandate support for HTTPS. However, it is possible to configure Tomcat to accept HTTPS connections in the same way as for a Web application. It is also possible to require client authentication through a client certificate, resulting in mutual authentication. We have already described the required configuration details in Chapter 9 and do not repeat them here. Instead, we go through the steps of configuring and running the previous example to use HTTPS.

Web service client programs can use HTTPS simply by setting the appropriate system properties and using endpoint URLs with the https scheme in place of http. The relevant system properties for Sun's implementation of J2SE v1.4.x are described in Chapter 6, Securing the Wire.

Let us go through the steps of running the example service StringEchoPort1 and its client so that SOAP messages are exchanged over an HTTPS connection with mutual authentication. For this purpose, we create self-signed certificates for both the client program and the Tomcat server. These certificates and the corresponding private keys are stored in their respective keystore files. We then populate the client's truststore with the server's certificate and the server's truststore with the client's certificate. As the main ideas behind these steps have already been covered in previous chapters, we skip the explanations and simply show the steps with the relevant commands and configuration changes.

Step 1.
Create a keystore and truststore for the service and for the client, with self-signed certificates. This step is required only to make the example self-contained. In practice, you would use existing certificates and existing keystore and truststore files.

The commands to create self-signed certificates within a Windows script file are shown below:

set SERVER_DN="CN=localhost, OU=X, O=Y, L=Z, S=XY, C=YZ"
set CLIENT_DN="CN=Client, OU=X, O=Y, L=Z, S=XY, C=YZ"
set KSDEFAULTS=-storepass changeit -storetype JCEKS
set KEYINFO=-keyalg RSA

rem Server key pair (keytool's default alias "mykey") with a self-signed certificate
keytool -genkey -dname %SERVER_DN% %KSDEFAULTS% -keystore server.ks %KEYINFO% -keypass changeit
keytool -export -file temp$.cer %KSDEFAULTS% -keystore server.ks
rem The server certificate goes into the client's truststore
keytool -import -file temp$.cer %KSDEFAULTS% -keystore client.ts -alias serverkey -noprompt

rem Client key pair with a self-signed certificate
keytool -genkey -dname %CLIENT_DN% %KSDEFAULTS% -keystore client.ks %KEYINFO% -keypass changeit
keytool -export -file temp$.cer %KSDEFAULTS% -keystore client.ks
rem The client certificate goes into the server's truststore
keytool -import -file temp$.cer %KSDEFAULTS% -keystore server.ts -alias clientkey -noprompt

The complete script is in the setup.bat file under the src\jsbook\ch11\ex1 directory. After running this script, you have the server private key and certificate in the server's keystore server.ks, the client private key and certificate in the client's keystore client.ks, the server certificate in the client's truststore client.ts, and the client certificate in the server's truststore server.ts.

Note that we have used JCEKS (Java Cryptographic Extension Key Store) as the type of the keystore. This must be specified as the keystore type whenever we access these keystore files.
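Before touching the Tomcat configuration it is worth confirming that the four files really are wired for mutual authentication: client.ts must accept the certificate held in server.ks as a server certificate, and server.ts must accept the certificate held in client.ks as a client certificate. The following program is an added check, not part of the book's example code; it assumes the file names, the password changeit and the JCEKS type from setup.bat, and the class name TrustSetupCheck is ours. It uses the same TrustManagerFactory that JSSE uses at handshake time, so a failure here is the same failure you would otherwise only see as an SSLHandshakeException later.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Checks that the keystore/truststore files produced by setup.bat are wired
 * for mutual authentication. Run from the directory holding the four files:
 *   java TrustSetupCheck
 */
public class TrustSetupCheck {

    // Password and store type used by setup.bat (-storepass changeit -storetype JCEKS)
    private static final char[] STORE_PASS = "changeit".toCharArray();
    private static final String STORE_TYPE = "JCEKS";

    /** Loads a JCEKS keystore or truststore from disk. */
    static KeyStore load(String file) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        FileInputStream in = new FileInputStream(file);
        try {
            ks.load(in, STORE_PASS);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Returns the certificate of the first private-key entry (setup.bat creates exactly one). */
    static X509Certificate keyEntryCert(KeyStore ks) throws Exception {
        for (Enumeration e = ks.aliases(); e.hasMoreElements();) {
            String alias = (String) e.nextElement();
            if (ks.isKeyEntry(alias)) {
                return (X509Certificate) ks.getCertificate(alias);
            }
        }
        throw new IllegalStateException("no private-key entry found");
    }

    /** Builds the X509TrustManager that JSSE would build from this truststore. */
    static X509TrustManager trustManager(KeyStore ts) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        TrustManager[] tms = tmf.getTrustManagers();
        for (int i = 0; i < tms.length; i++) {
            if (tms[i] instanceof X509TrustManager) {
                return (X509TrustManager) tms[i];
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** True if the truststore accepts the certificate as a server (or client) peer certificate. */
    static boolean trusts(KeyStore truststore, X509Certificate cert, boolean asServer) throws Exception {
        X509TrustManager tm = trustManager(truststore);
        X509Certificate[] chain = new X509Certificate[] { cert };   // self-signed: chain of one
        try {
            if (asServer) {
                tm.checkServerTrusted(chain, "RSA");
            } else {
                tm.checkClientTrusted(chain, "RSA");
            }
            return true;
        } catch (CertificateException ex) {
            System.out.println("  rejected: " + ex.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate serverCert = keyEntryCert(load("server.ks"));
        X509Certificate clientCert = keyEntryCert(load("client.ks"));
        System.out.println("server cert: " + serverCert.getSubjectDN());
        System.out.println("client cert: " + clientCert.getSubjectDN());

        // The two checks the handshake will perform
        System.out.println("client.ts trusts server cert: " + trusts(load("client.ts"), serverCert, true));
        System.out.println("server.ts trusts client cert: " + trusts(load("server.ts"), clientCert, false));
        // Negative check: server.ts holds only the client certificate, so it must not
        // accept the server's own certificate as a client certificate.
        System.out.println("server.ts wrongly trusts server cert: " + trusts(load("server.ts"), serverCert, false));
    }
}
```

The first two checks should print true and the negative check false; if the first two print false with a "no trusted certificate found" style message, the import steps in setup.bat did not put the certificates where the truststores are expected to hold them.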

Step 2.
Copy the server keystore and truststore files into the Tomcat home directory. Strictly speaking, the keystores need not be in the Tomcat home directory, but then you must specify their full paths in the configuration described in the next two steps.

Step 3.
Modify the Tomcat configuration file server.xml as shown below. This file can be found in the %TOMCAT_HOME%\conf directory:

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
    port="8443" minProcessors="5" maxProcessors="75"
    enableLookups="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    useURIValidationHack="false" disableUploadTimeout="true">
  <!-- clientAuth="true" makes the server demand a client certificate
       and validate it against the server's truststore server.ts -->
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
      protocol="TLS"
      clientAuth="true"
      keystoreFile="server.ks" keystoreType="JCEKS"
      truststoreFile="server.ts" truststoreType="JCEKS"
      keystorePass="changeit"
  />
</Connector>

Step 4.
Run Tomcat with system properties set for server keystore and truststore. To do this, go to the Tomcat home directory and issue the following commands:

C:...-jdk14>set TS_PROP=-Djavax.net.ssl.trustStore=server.ts
C:...-jdk14>set TSTYPE_PROP=-Djavax.net.ssl.trustStoreType=JCEKS
C:...-jdk14>set CATALINA_OPTS=%TS_PROP% %TSTYPE_PROP%
C:...-jdk14>bin\startup

The prompt has been shortened to fit each command within a line.

Step 5.
Modify the client program EchoClient.java to use an https:// URL and compile it:

String epAddr = "https://localhost:8443/axis/services/StringEchoPort1";
String wsdlAddr = epAddr + "?wsdl";

The modified source code is available in the EchoClient2.java file under the example source directory. Port 8443 is the default port number used by Tomcat for HTTPS connections.

Step 6.
Run the client program. This involves specifying the system properties for SSL-specific parameters:

C:ch11ex1>java -Djavax.net.ssl.keyStore=client.ks -Djavax.net.ssl.keyStoreType=JCEKS -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=client.ts -Djavax.net.ssl.trustStoreType=JCEKS EchoClient
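The -D flags above are ordinary system properties, and the JAX-RPC/Axis client library simply inherits the JSSE configuration they set. The program below is an added example, not the book's EchoClient: it sets the same properties from code and fetches the WSDL of StringEchoPort1 with a plain HttpsURLConnection, which isolates TLS problems (wrong truststore, missing client key, hostname mismatch) from SOAP problems. The endpoint URL, file names and password are those of the example; the class name WsdlOverHttps and the nokey switch are ours.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;

/**
 * Fetches the WSDL of StringEchoPort1 over HTTPS using the same JSSE system
 * properties that Step 6 passes on the command line, but set from code.
 * Usage (from the directory holding client.ks and client.ts):
 *   java WsdlOverHttps          mutual authentication, expect HTTP 200
 *   java WsdlOverHttps nokey    no client key configured, expect a handshake failure
 */
public class WsdlOverHttps {

    static final String WSDL_URL = "https://localhost:8443/axis/services/StringEchoPort1?wsdl";

    /** Equivalent of the -Djavax.net.ssl.* flags; must run before the first SSL connection. */
    static void configureSsl(boolean withClientKey) {
        if (withClientKey) {
            System.setProperty("javax.net.ssl.keyStore", "client.ks");
            System.setProperty("javax.net.ssl.keyStoreType", "JCEKS");
            System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
        }
        System.setProperty("javax.net.ssl.trustStore", "client.ts");
        System.setProperty("javax.net.ssl.trustStoreType", "JCEKS");
    }

    /** Connects, reports the negotiated session and returns the response body. */
    static String fetch(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.connect();   // the TLS handshake happens here, before any HTTP is sent
        System.out.println("cipher suite : " + conn.getCipherSuite());
        Certificate[] peer = conn.getServerCertificates();
        System.out.println("server cert  : " + ((X509Certificate) peer[0]).getSubjectDN());
        System.out.println("HTTP status  : " + conn.getResponseCode());

        BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"));
        StringBuffer body = new StringBuffer();
        try {
            String line;
            while ((line = in.readLine()) != null) {
                body.append(line).append('\n');
            }
        } finally {
            in.close();
        }
        return body.toString();
    }

    public static void main(String[] args) {
        boolean withClientKey = !(args.length > 0 && "nokey".equals(args[0]));
        configureSsl(withClientKey);
        try {
            String wsdl = fetch(WSDL_URL);
            // A WSDL document carries a definitions element; anything else means we
            // reached something other than the service (for example an error page).
            System.out.println(wsdl.indexOf("definitions") >= 0 ? "WSDL received" : "unexpected response");
        } catch (SSLHandshakeException e) {
            // With clientAuth="true" the server aborts the handshake when no acceptable
            // client certificate is presented; the failure surfaces here, not as an HTTP error.
            System.out.println("TLS handshake failed: " + e.getMessage());
        } catch (Exception e) {
            // A server-side fatal alert may also arrive as a plain socket error.
            System.out.println("request failed: " + e);
        }
    }
}
```

Hostname verification is part of what this exercises: the server certificate created in Step 1 has CN=localhost, so the URL must use localhost as well; connecting to the same Tomcat by IP address or machine name fails with a hostname mismatch even though the certificate is trusted.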

A point worth noting is that we changed the URL in the client program itself. For Web applications, one could simply make the appropriate changes in the deployment descriptor file web.xml, and the Web container would redirect requests for SSL-protected URLs to the corresponding HTTPS URLs. One could do this for Web services as well, and the Web container would faithfully issue HTTP redirect messages. However, the HTTP client library of Axis-1.1RC2 is not capable of handling HTTP redirects and fails.

This makes it hard to protect only certain services within a Web container with HTTPS while letting others be accessed over plain HTTP. Either all services deployed within a particular Web container accept HTTPS connections, or none of them do. It is also not possible to have separate server certificates for individual Web services.
