Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Ws Wiki" for change 
notification.

The following page has been changed by RichardUnger:
http://wiki.apache.org/ws/FrontPage/Axis/DynamicSSLConfig

------------------------------------------------------------------------------
  The following describes a setup for dynamically choosing the client 
certificate used for SSL Authentication from an Axis Client.
  
- This method has been tested using Axis 1.4 and Java 1.5 under Tomcat 5.5.20 
and WebSphere 6.1.
+ This method has been tested using Axis 1.4 and Java 1.5 under Tomcat 5.5.20 
and !WebSphere 6.1.
  
  === The Motivation ===
  
@@ -19, +19 @@

  
  In its current implementation, the SSL Transport for Axis has several 
shortcomings:
  
-  * The base SecureSocketFactory (JSSESocketFactory) cannot be configured 
dynamically. It is configured using environment variables, which is not 
suitable if it is desired to change the client certificate at run-time.
+  * The base !SecureSocketFactory (!JSSESocketFactory) cannot be configured 
dynamically. It is configured using environment variables, which is not 
suitable if it is desired to change the client certificate at run-time.
-  * The SunJSSESocketFactory is more configurable, accepting a keyfile 
parameter from the Axis configuration at run-time. This is the one to use, 
however, by itself it does not do all that we need, so we have provided an 
extension of this class (see below)...
+  * The !SunJSSESocketFactory is more configurable, accepting a keyfile 
parameter from the Axis configuration at run-time. This is the one to use, 
however, by itself it does not do all that we need, so we have provided an 
extension of this class (see below)...
-  * Even the SunJSSESocketFactory does not accept all the configurations we 
need (eg: truststore config)
+  * Even the !SunJSSESocketFactory does not accept all the configurations we 
need (eg: truststore config)
-  * Even were the SocketFactory fully configurable to our desires, dynamic 
configuration at runtime would not be possible. This is beacause Axis caches 
the instantiated SocketFactories, meaning settings are applied only once. 
+  * Even were the !SocketFactory fully configurable to our desires, dynamic 
configuration at runtime would not be possible. This is beacause Axis caches 
the instantiated !SocketFactories, meaning settings are applied only once. 
-  * The cacheing of SocketFactories occurs in a component called 
SocketFactoryFactory, the cache remembers one entry per protocol. So, the 
moment you make the first call over https, a SocketFactory is created for the 
protocol https using the currently configured parameters. After this no new 
SocketFactories are created for https, even if the parameters (eg keystore 
name) change.
+  * The cacheing of !SocketFactories occurs in a component called 
!SocketFactoryFactory, the cache remembers one entry per protocol. So, the 
moment you make the first call over https, a !SocketFactory is created for the 
protocol https using the currently configured parameters. After this no new 
!SocketFactories are created for https, even if the parameters (eg keystore 
name) change.
  
  So, it seems we are in a bind if we want to enable dynamic runtime selection 
of the client certificate.
  
  === The Solution ===
  
  The solution depends on a few modified classes for Apache Axis. In particular 
the solution consists of:
-  * A modified SocketFactoryFactory, which implements a cacheing scheme in 
which the keystore name is considered
+  * A modified !SocketFactoryFactory, which implements a cacheing scheme in 
which the keystore name is considered
-  * An extension to SunJSSESocketFactory which allows more configuration from 
Axis
+  * An extension to !SunJSSESocketFactory which allows more configuration from 
Axis
-  * An Axis EngineConfiguration class, '''SSLClientAxisConfig''', which holds 
the SSL paramters, and sets everything up
+  * An Axis !EngineConfiguration class, '''!SSLClientAxisConfig''', which 
holds the SSL paramters, and sets everything up
  
  Together, use of these components allows the desired dynamic configuration.
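Review bot: the rewritten bullets carry the original spelling errors forward unchanged: "beacause" and "cacheing" in the SocketFactory bullets and "paramters" in the SSLClientAxisConfig item. Since these lines are already being edited to add the `!` escapes, correct them to "because", "caching" and "parameters" in the same change rather than leaving the typos in the new version of the page.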
  
@@ -40, +40 @@

  
  To set up dynamic certificates for your axis client, proceed as follows:
  
-  1. Replace the SocketFactoryFactory class with your new version. This can be 
done in one of three ways (method 1 is safest):
+  1. Replace the !SocketFactoryFactory class with your new version. This can 
be done in one of three ways (method 1 is safest):
     1. Find the original class file within axis.jar (it lives in 
org/apache/axis/components/net) and delete it, replace it with the modified 
class file
     1. Place the modified class file in a new JAR, and make sure this JAR 
loads before axis.jar (eg call it _axis.jar)
     1. For webapps, place the modified class file within your WEB-INF/classes 
folder. It seems tomcat loads these before axis.jar
   1. Add the remaining classes to your application
-  1. Use the SSLClientAxisConfig class to initialize your Axis client before 
making a call (see example below)
+  1. Use the !SSLClientAxisConfig class to initialize your Axis client before 
making a call (see example below)
-  1. When you want to use a different certificate, create a new 
SSLClientAxisConfig, with updated paramters, and use it to create a new Axis 
client. This client will use the new certificate.
+  1. When you want to use a different certificate, create a new 
!SSLClientAxisConfig, with updated paramters, and use it to create a new Axis 
client. This client will use the new certificate.
  
- Example usage of the SSLClientAxisConfig:
+ Example usage of the !SSLClientAxisConfig:
  {{{
  // create config
  boolean logging = false; // no logging
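Review bot: "paramters" in the last numbered step is still misspelled on the + line. Also, method 3 ("It seems tomcat loads these before axis.jar") is phrased as a guess on the one step whose entire purpose is to make sure the replacement SocketFactoryFactory wins over the copy in axis.jar; suggest either stating the loading order definitively or adding a check the reader can run to confirm which copy of the class was actually loaded, because a silently unreplaced factory means the keystore-aware caching never takes effect and the original one-entry-per-protocol behaviour described under Motivation remains in force without any error.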
@@ -79, +79 @@

  
  === Getting the code ===
  
-  * The code can be downloaded in compiled form (Java 1.5, Sun compiler) as a 
JAR archive:
+  * The code can be downloaded in compiled form (Java 1.5, Sun compiler) as a 
JAR archive: attachment:axistools.jar
-  * The source code can be downloaded from the following link, also as a JAR 
archive:
+  * The source code can be downloaded from the following link, also as a JAR 
archive: attachment:axistools-src.jar
  
  Note that both JARs contain all the classes described above, as well as the 
classes needed for the logging features.
  
- Note that the SocketFactoryFactory replacement class is also included in the 
JARs, but may need to be moved elsewhere depending on your setup (see above) to 
ensure it loads before the original class in axis.jar.
+ Note that the !SocketFactoryFactory replacement class is also included in the 
JARs, but may need to be moved elsewhere depending on your setup (see above) to 
ensure it loads before the original class in axis.jar.
  
  === Shortcomings ===
  
-  * Because the SocketFactoryFactory is not a "exchangeable component" of 
Axis, the class from the original Axis distribution must be replaced with the 
new version. This can be inconvenient.
+  * Because the !SocketFactoryFactory is not a "exchangeable component" of 
Axis, the class from the original Axis distribution must be replaced with the 
new version. This can be inconvenient.
-  * Currently there is no limit to the number of SocketFactories cached in the 
SocketFactoryFactory. Thus, for setups running a long time without restarts, 
and using very many different client certificates, out-of-memory related 
problems might occur as the cache grows too large.
+  * Currently there is no limit to the number of !SocketFactories cached in 
the !SocketFactoryFactory. Thus, for setups running a long time without 
restarts, and using very many different client certificates, out-of-memory 
related problems might occur as the cache grows too large.
   * Currently the cacheing is implemented using the keystore name as a key for 
the cache. If you replace the certificate in the keystore, the new certificate 
will not be picked up, as the old cache entry will be used (filename is the 
same).
-  * For the same reason, changeing only the truststore or other parameters of 
the SSL connection will not result in a new SocketFactory being created. New 
SocketFactories are only created in the cache when the keystore name changes.
+  * For the same reason, changeing only the truststore or other parameters of 
the SSL connection will not result in a new !SocketFactory being created. New 
!SocketFactories are only created in the cache when the keystore name changes.
   * The classes more or less assume software certificates, stored in files of 
the usual formats (JKS, PKCS12, etc). Usage of Hardware certificates or other 
advanced JSSE features may require modifications to the code.
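Review bot: "changeing" on the + line and "a "exchangeable component"" (should be "an") are carried over from the old text. More importantly, the two cache-key bullets describe a security-relevant failure mode that the current wording understates: because the cache key is the keystore file name only, a different truststore supplied in a fresh SSLClientAxisConfig is ignored whenever the keystore name is unchanged, so the client keeps using whatever trust settings the first factory was built with. Suggest saying that explicitly next to the truststore bullet, and, for the unbounded-cache bullet, noting how cached entries can be evicted short of a restart, if at all, so that readers deploying this in long-running services know both limits up front.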
  
