Hi Andre,

I think property javax.net.ssl.trustStore is to be set to a local pathname and not a URL and it is for a good reason -- the owner of the client program should be able to control which CAs are trusted!! If it would be otherwise, there is a security hole!!

For applets, the default trust store should be used, which happens if you do not set the property javax.net.ssl.trustStore. If you want a CA that is not there, you should just import the appropriate certificate chain there.

My 2 cents.

/Pankaj.

-----Original Message-----
From: Andre Piwoni
To: [EMAIL PROTECTED]
Sent: 5/6/02 12:24 PM
Subject: SSL and Axis
Importance: High

Instructions for setting up Apache SOAP Client for SSL communication at http://xml.apache.org/soap/docs/install/FAQ_Tomcat_SOAP_SSL.html are fine, however, the following line in the SOAP client,

    System.setProperty("javax.net.ssl.trustStore","C:\\jdk1.3\\bin\\client.keystore")

makes it unusable when deployed with Java Web Start or as an applet as far as I know.

One solution, I thought, would be to send client.keystore in a .jar file along with the application and to point javax.net.ssl.trustStore to a location in the .jar file, which I couldn't accomplish successfully. Whatever reads this property apparently does not know how to read .jar files.

The second solution that came to my mind was to load client.keystore into an instance of the KeyStore class and initialize SSLContext with it as shown below:

    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
    tmf.init(keyStore);
    SSLContext context = SSLContext.getInstance("TLS");
    context.init(null, tmf.getTrustManagers(), null);
    HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());

However, designers of the SSLUtilities class that builds SSLSocket in Apache SOAP use

    SSLSocketFactory factory = (SSLSocketFactory)SSLSocketFactory.getDefault()

This method creates a new SSLContext which uses the default keystore, so my second idea didn't work out.

Why are we required to have client authentication in Apache SOAP at all? Why not allow more control over SSLContext?

Any help with getting around any of these limitations is very welcome.

Thanks!

Andre
[EMAIL PROTECTED]
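Added example, not part of either message and not Apache SOAP or Axis code: one way to load a trust store shipped inside the application .jar and make it the process-wide default, so that code calling SSLSocketFactory.getDefault() also uses it. It relies on SSLContext.setDefault(), which exists in Java 6 and later (newer than the JDK 1.3 in the thread) and takes effect for getDefault() unless the ssl.SocketFactory.provider security property is set. The class name, the resource path /client.keystore, the JKS type and the password are assumptions.

```java
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class BundledTrustStore {

    // Assumptions: keystore packaged at the root of the application .jar, JKS format.
    private static final String RESOURCE = "/client.keystore";
    private static final char[] PASSWORD = "changeit".toCharArray(); // placeholder

    /** Builds an SSLContext that trusts only the CAs in the bundled keystore. */
    static SSLContext fromClasspath(String resource, char[] password) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (InputStream in = BundledTrustStore.class.getResourceAsStream(resource)) {
            if (in == null) {
                // Fail closed: never continue with an empty or unintended trust store.
                throw new IllegalStateException("trust store not on classpath: " + resource);
            }
            // A non-null password makes load() verify the keystore's integrity check.
            keyStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);

        SSLContext context = SSLContext.getInstance("TLS");
        // No KeyManagers: the client presents no certificate; default SecureRandom.
        context.init(null, tmf.getTrustManagers(), null);
        return context;
    }

    public static void main(String[] args) throws Exception {
        SSLContext context = fromClasspath(RESOURCE, PASSWORD);
        // Replaces (does not extend) the JRE's default CA set for this JVM.
        // Call at startup, before any TLS connection is opened.
        SSLContext.setDefault(context);
        HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
    }
}
```

Because the bundled store becomes the only source of trusted CAs, the .jar carrying it should be signed so the store cannot be swapped in transit.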
