Subra A Narayanan wrote:
> Hey Dumindu,
>
> Just want to make sure I understand this correctly. So if I just want
> to run my axis2 webservices in SSL mode, I don't need rampart. I can
> just use apache for that, right?

YES, Absolutely!

> But when I was reading rampart
> documentation, it talks about soap body encryption using SSL certs.
> How is that different from using apache for SSL?
>

SSL/TLS is only concerned with *transport* security. That is, "Eve" in the middle of the channel cannot eavesdrop on Bob's private conversation with Alice. :) However, if you need more, like message level security, you need WS-Sec. Say you need to store your SOAP message and later consume it. WS-Sec can provide security while it is being stored, whereas SSL/TLS fails to provide that. You can find some more insight into it in the "Alternatives" section of [1].

> My second question is, let's assume I want to use client authentication
> for my webservice. I have to set the following 2 variables in the
> httpd.conf file
>
> SSLVerifyClient require
> SSLVerifyDepth 1
>
> I understand that this will force the client to send a cert with every
> request. But after it receives the client cert, what does it do with it?
> Does it check against a list of certs that's allowed to access the
> service? Is this feature built-in to axis2 or do we have to implement it
> ourselves?

Axis2/C does nothing with the client's certificate at the server side. It is up to the user to configure their Apache2 server to accept/reject the clients based on the certificates provided _if_ they need such functionality. Note that Apache2 works as yet another transport and hence we shouldn't be messing around with the transport implementation details at the Axis2/C module level. If for some reason you need to do it in Axis2 code, my guess is that you need a really ugly hack, making it better left with Apache2 (assuming that you are not considering the situation where you would write the SSL transport support for the server code, i.e., for simple_axis_server).

HTH,
Dumindu.

[1] http://en.wikipedia.org/wiki/Web_Services_Security

--
Dumindu Pallewela
http://blog.dumindu.com
GPG ID: 0x9E131672
WSO2 | http://wso2.com | "Oxygenating the Web Service Platform"
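The accept/reject decision left to Apache2 in the reply above can be expressed with mod_ssl alone. The following is an added example, not part of the original message or of the Axis2/C project's configuration; the file paths, the `/axis2` location and the certificate subject values are constructed placeholders.

```apache
# Added illustration: restrict a mod_axis2 endpoint to specific client
# certificates. All paths and subject values below are placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    "/etc/apache2/ssl/server.crt"
    SSLCertificateKeyFile "/etc/apache2/ssl/server.key"

    # CA certificate(s) the server trusts for verifying client certificates.
    SSLCACertificateFile  "/etc/apache2/ssl/client-ca.crt"

    # The two directives from the question. On their own they only prove
    # that the client holds a certificate signed directly by a CA the
    # server knows (depth 1, no intermediate CAs). Every certificate that
    # CA has issued is accepted; there is no per-client allow list yet.
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Assumed location where the Axis2/C handler is mounted.
    <Location /axis2>
        # Refuse any request that did not arrive over SSL/TLS.
        SSLRequireSSL

        # Allow list on the verified certificate subject: only these
        # organisation / common-name combinations reach the service,
        # everyone else gets 403 Forbidden from Apache before Axis2/C
        # sees the request.
        # (On Apache 2.4 SSLRequire is deprecated in favour of
        # "Require expr" with the same SSL_CLIENT_* variables.)
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Org" \
               and %{SSL_CLIENT_S_DN_CN} in {"billing-client", "reporting-client"}
    </Location>
</VirtualHost>
```

Matching on subject fields is only as strong as the CA's issuance policy, so a private CA that issues certificates solely to authorised clients is the simpler control where that is possible.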
