Title: Message
Just to follow-up on the issue.
I managed to have my own TrustManagerFactory being used, so my own X509TrustManager is used and trusts any https server (no need to play with the keystore or anything like that anymore; I can call "as is" any web services over https).
The only way I found through the JSSE and JCA APIs is by writing my own Provider (java.security.Provider), which looks something like this:
 
package mypackage;

import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.Security;

public final class MyProvider extends java.security.Provider {
    // Optional programmatic registration (the java.security entry below does the same statically)
    public static synchronized void install() {
        if (Security.getProvider("WSJSSE") == null) {
            Security.addProvider(new MyProvider());
        }
    }

    // Constructor name must match the class name
    public MyProvider()
    {
        super("WSJSSE", 1.0, "Automatic HTTPS server trust");
        AccessController.doPrivileged(new PrivilegedAction() {
            public Object run()
            {
                // "TrustManagerFactory" is the JCA engine name, "WSX509" the algorithm name;
                // the value is the class that extends javax.net.ssl.TrustManagerFactorySpi
                put("TrustManagerFactory.WSX509", "mypackage.MyTrustManagerFactoryImpl");
                return null;
            }
        });
    }
}
I also had to add a line in the jre/lib/security/java.security to declare this provider:
 
security.provider.X=mypackage.MyProvider
 
And finally, I had to setup a security variable to specify that my TrustManagerFactory is the one to use:
 
java.security.Security.setProperty("ssl.TrustManagerFactory.algorithm", "WSX509");
 
I wanted to give those details for two reasons:
 
- The property suffix TrustManagerFactory used in the Provider class (put("TrustManagerFactory.WSX509", ...)) was not very easy to find. Maybe it is just coming from the fact that I am not 100% familiar with the JSSE/JCA APIs, but I do not find it very clear from the documentation. The JSSE documentation provides examples of code when you are in control of the creation of the SSLContext, but in my case, using Axis, I am not. If anyone has any pointers to help me validate the way I am doing this, I will appreciate it.
 
- Even if at the end it is not a lot of code (I did not provide the details of MyTrustManagerFactoryImpl and MyX509TrustManager, but they are quite small), it seems quite a lot to do just to be able to hook your own TrustManager, but I did not find any other way. Is it supposed to be THE way?
 
Thanks.
 
Thomas
 
PS: agreed, those are more JSSE/JCA questions than Axis ones, but, at least, I wanted to update the mailing list with what I found.
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 07, 2002 11:19 PM
To: [EMAIL PROTECTED]
Subject: RE: Specific TrustManager for Axis client over SSL

Thanks for the help, I appreciate.

I am actually not strongly attached to TLS vs SSL (I put TLS in my example as I extracted most of it from the JSSE reference help). I guess I need to get back to the JSSE documentation to understand how to configure my JVM to use my TrustManager. Worst case, if I do not find a way to do it, I can probably do what you suggest which does not seem too bad.

Thanks again.

Thomas


-----Original Message-----
From: Richard Sitze [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 07, 2002 6:02 PM
To: [EMAIL PROTECTED]
Subject: Re: Specific TrustManager for Axis client over SSL


Don't worry so much about the AXIS SocketFactory classes, they don't map
to what you think they map to...  they are purely internal.

The DEFAULT behavior in AXIS is to use JSSE directly, which allows you to
configure your security as-per the Java security model - see the JSSE
documentation on how to register and install for your JVM.  If you can
configure the JVM to use your TrustManager, you will not have anything
more to do on the AXIS end of things.  Unfortunately, not everything can
be done via Java security settings/configuration.  For example, you can
only use SSL.  If you want to use TLS (transport layer security) instead,
you must write your own code to register/configure the security system...
and that is exactly what the SunJSSESocketFactory code does (ignore the
class comment that says SSL).  It demonstrates how YOU can override the
JVM configuration.

Now, I'm not an expert in this area, so I cannot say if your code is
correct or not... but assuming that it is (you want TLS instead of SSL,
and that you cannot otherwise configure the TrustManager), then:

1.  copy SunJSSESocketFactory to MyJSSESocketFactory
2.  have MyJSSESocketFactory implement SecureSocketFactory (that's a bug
    in JSSESocketFactory & SunJSSESocketFactory).
3.  modify the MyJSSESocketFactory.getContext() method to use your trust
    manager & return the context... (let Axis handle the SocketFactory):

     ....
     TrustManager[] myTM = new TrustManager [] { new MyTrustManager() };
     SSLContext ctx = SSLContext.getInstance ("TLS");
     ctx.init (null, myTM, null);
     return ctx;


Then, create a jar file containing:
          my/package/MyJSSESocketFactory.class
          META-INF/services/org.apache.axis.components.net.SecureSocketFactory

This last file must contain a single line of text that directs Axis to
your implementation.  In this case, put in
          my/package/MyJSSESocketFactory

Finally, drop your Jar file into the CLASSPATH where Axis will be able to
locate the service declaration and your implementation.

Happy Trails, <ras>

*******************************************
Richard A. Sitze
IBM WebSphere WebServices Development




[EMAIL PROTECTED]
11/07/2002 03:17 PM
Please respond to axis-dev
 
        To:     [EMAIL PROTECTED]
        cc:
        Subject:        Specific TrustManager for Axis client over SSL



I wanted to define my own TrustManager to define customized actions when
web service server is not trusted.
It seems that the way to do it is to use the axis.socketSecureFactory
property to define your own socket factory.
But it also seems that the axis SocketFactory interface to implement is a
proprietary one (org/apache/axis/components/net/SocketFactory.java).
The problem in my case is that I do not want to create a new SocketFactory
class, I'd like to reuse the default one provided by JSSE.
I guess I can write a wrapper on top of the default JSSE one, but it does
not seem trivial to do so.
According to what I understood from the JSSE documentation, I need to do
something like this:
TrustManager[] myTM = new TrustManager [] { new MyTrustManager() };
SSLContext ctx = SSLContext.getInstance ("TLS");
ctx.init (null, myTM, null);
SocketFactory socketFactory = ctx.getSocketFactory();
And I do not have to write my own SocketFactory in order to do that.
Am I missing something, or is the only way to write my own socket factory?
Thanks.
Thomas
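Added example, not code from this thread: it puts together the two pieces the thread discusses, the Provider entry "TrustManagerFactory.WSX509" from the top message and the SSLContext construction from the getContext() snippets below it, and shows what a provider-registered TrustManagerFactory has to look like. The "TrustManagerFactory." prefix is the JCA engine name and the class it points at must extend javax.net.ssl.TrustManagerFactorySpi; "ssl.TrustManagerFactory.algorithm" is the security property the default SSLContext consults. Unlike a trust manager that accepts every server (which removes the server authentication TLS is supposed to provide), the trust manager here delegates to the platform PKIX factory, records a rejected chain as the "customized action" on an untrusted server, and rethrows. The class names AuditingTrustProvider, FactorySpi, AuditingTrustManager and buildContext are hypothetical; the provider and algorithm names "WSJSSE"/"WSX509" are taken from the thread, and the code assumes a JSSE that ships a "PKIX" TrustManagerFactory and a platform trust store.

```java
package mypackage;

import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.TrustManagerFactorySpi;
import javax.net.ssl.X509TrustManager;

/** Hypothetical provider: "TrustManagerFactory.WSX509" is JCA's "<engine>.<algorithm>" key,
 *  its value the TrustManagerFactorySpi subclass (public no-arg constructor required). */
public final class AuditingTrustProvider extends Provider {

    public AuditingTrustProvider() {
        super("WSJSSE", 1.0, "Auditing HTTPS server trust, delegating to PKIX");
        put("TrustManagerFactory.WSX509", "mypackage.AuditingTrustProvider$FactorySpi");
    }

    /** Programmatic alternative to editing jre/lib/security/java.security. */
    public static synchronized void install() {
        if (Security.getProvider("WSJSSE") == null) {
            Security.addProvider(new AuditingTrustProvider());
        }
        // The default SSLContext / SSLSocketFactory initialisation reads this property
        Security.setProperty("ssl.TrustManagerFactory.algorithm", "WSX509");
    }

    /** What a SecureSocketFactory.getContext() would return when built on these trust managers. */
    public static SSLContext buildContext() throws Exception {
        install();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("WSX509");
        tmf.init((KeyStore) null);                 // null = platform trust store (cacerts)
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** The SPI the provider entry points at: wraps the platform PKIX factory. */
    public static final class FactorySpi extends TrustManagerFactorySpi {
        private final TrustManagerFactory pkix;

        public FactorySpi() throws NoSuchAlgorithmException {
            pkix = TrustManagerFactory.getInstance("PKIX");
        }

        protected void engineInit(KeyStore ks) throws KeyStoreException {
            pkix.init(ks);
        }

        protected void engineInit(ManagerFactoryParameters spec)
                throws InvalidAlgorithmParameterException {
            pkix.init(spec);
        }

        protected TrustManager[] engineGetTrustManagers() {
            TrustManager[] tms = pkix.getTrustManagers();
            TrustManager[] wrapped = new TrustManager[tms.length];
            for (int i = 0; i < tms.length; i++) {
                wrapped[i] = tms[i] instanceof X509TrustManager
                        ? new AuditingTrustManager((X509TrustManager) tms[i]) : tms[i];
            }
            return wrapped;
        }
    }

    /** "Customized action" on an untrusted server: record the rejected chain, then fail closed. */
    public static final class AuditingTrustManager implements X509TrustManager {
        private final X509TrustManager pkix;

        AuditingTrustManager(X509TrustManager pkix) { this.pkix = pkix; }

        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            try {
                pkix.checkServerTrusted(chain, authType);
            } catch (CertificateException e) {
                String subject = (chain != null && chain.length > 0)
                        ? String.valueOf(chain[0].getSubjectX500Principal()) : "<empty chain>";
                System.err.println("HTTPS server rejected: " + subject + " (" + e.getMessage() + ")");
                throw e;   // swallowing this is what would turn the connection into an unauthenticated one
            }
        }

        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            pkix.checkClientTrusted(chain, authType);
        }

        public X509Certificate[] getAcceptedIssuers() {
            return pkix.getAcceptedIssuers();
        }
    }
}
```

Calling AuditingTrustProvider.install() once at startup has the same effect as the security.provider.X line plus the Security.setProperty call in the top message, so code that never sees the SSLContext (Axis with the default JSSE socket factory) still picks up the wrapped trust managers; buildContext() is the form to use when a SecureSocketFactory.getContext() is under your control.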
