Thanks for the help, I appreciate.
I am actually not strongly attached to TLS vs SSL (I put TLS in my example as I extracted most of it from the JSSE reference help). I guess I need to get back to the JSSE documentation to understand how to configure my JVM to use my TrustManager. Worst case, if I do not find a way to do it, I can probably do what you suggest which does not seem too bad.
Thanks again.
Thomas
-----Original Message-----
From: Richard Sitze [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 07, 2002 6:02 PM
To: [EMAIL PROTECTED]
Subject: Re: Specific TrustManager for Axis client over SSL
Don't worry so much about the AXIS SocketFactory classes, they don't map
to what you think they map to... they are purely internal.
The DEFAULT behavior in AXIS is to use JSSE directly, which allows you to
configure your security as-per the Java security model - see the JSSE
documentation on how to register and install for your JVM. If you can
configure the JVM to use your TrustManager, you will not have anything
more to do on the AXIS end of things. Unfortunately, not everything can
be done via Java security settings/configuration. For example, you can
only use SSL. If you want to use TLS (transport layer security) instead,
you must write your own code to register/configure the security system...
and that is exactly what the SunJSSESocketFactory code does (ignore the
class comment that says SSL). It demonstrates how YOU can override the
JVM configuration.
Now, I'm not an expert in this area, so I cannot say if your code is
correct or not... but assuming that it is (you want TLS instead of SSL,
and that you cannot otherwise configure the TrustManager), then: 1. copy SunJSSESocketFactory to MyJSSESocketFactory 2. have MyJSSESocketFactory implement SecureSocketFactory (that's a bug
in JSSESocketFactory & SunJSSESocketFactory).
3. modify the MyJSSESocketFactory.getContext() method to use your trust
manager & return the context... (let Axis handle the SocketFactory):
....
TrustManager[] myTM = new TrustManager [] { new MyTrustManager() };
SSLContext ctx = SSLContext.getInstance ("TLS");
ctx.init (null, myTM, null);
return ctx;
Then, create a jar file containing:
my/package/MyJSSESocketFactory.class
META-INF/services/org.apache.axis.components.net.SecureSocketFactory
This last file must contain a single line of text that directs Axis to
your implementation. In this case, put in
my/package/MyJSSESocketFactory
Finally, drop your Jar file into the CLASSPATH where Axis will be able to
locate the service declaration and your implementation.
Happy Trails, <ras>
*******************************************
Richard A. Sitze
IBM WebSphere WebServices Development
[EMAIL PROTECTED]
11/07/2002 03:17 PM
Please respond to axis-dev
To: [EMAIL PROTECTED]
cc:
Subject: Specific TrustManager for Axis client over SSL
I wanted to define my own TrustManager to define customized actions when
web service server is not trusted.
It seems that the way to do it is to use the axis.socketSecureFactory
property to define your own socket factory.
But it also seem that the axis SocketFactory interface to implement is a
proprietary one (org/apache/axis/components/net/SocketFactory.java).
The problem in my case is that I do not want to create a new SocketFactory
class, I'd like to reuse the default one provided by JSSE.
I guess I can write a wrapper on top of the default JSSE one, but it does
not seem trivial to do so.
According to what I understood form the JSSE documentation, I need to do
something like that:
TrustManager[] myTM = new TrustManager [] { new MyTrustManager() };
SSLContext ctx = SSLContext.getInstance ("TLS");
ctx.init (null, myTM, null);
SocketFactory socketFactory = ctx.getSocketFactory();
And I do not have to write my own SocketFactory in order to do that.
Am I missing something or the only way is to write my own socket factory?
Thanks.
Thomas
