Re: Trouble calling a secure Web Service requiring client certificate

2009-06-23 Thread Christopher Schultz
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank,

On 6/22/2009 4:37 PM, frank.bowar wrote:
> I used WSDL2Java to create stubs for the Web Service I am connecting to.
> Here is my code that wraps around the generated stubs:

[snip]

I didn't see any SSL or cert stuff in there.

> The only method in the stubs that I modified was sendData() to include the
> username/password in the soap header.  Here is that code:

[snip]

Nor here.

>> Your code may have to become a lot more complicated in order 
>> to make a connecting using a client certificate while running 
>> within Tomcat.
> 
> I hope not ... it seems like I'm so close.

Where do you choose the client certificate that the server expects to
receive?

>> Or, you may have to override the keystore on 
>> Tomcat's command-line so that these system properties are set 
>> /before/ Tomcat tried to load anything itself.
> 
> I added the following to the Tomcat startup command:
> 
> -Djavax.net.ssl.trustStore="C:/certs/datahub.keystore"
> -Djavax.net.ssl.trustStorePassword="wintwins"
> -Djavax.net.ssl.keyStore="C:/certs/SDXWebservice.pfx"
> -Djavax.net.ssl.keyStorePassword="137246?82"
> -Djavax.net.ssl.keyStoreType="PKCS12"
> 
> with no difference in the way things are running.  I think my truststore
> file is being used because if I don't define the truststore, the
> communication process traps out much sooner.

Apparently, choosing only the keystore is not sufficient. I must admit I
don't have really any experience with client certificates and don't
understand the whole SSL handshake process that would end up selecting a
certificate.

When you say that it "doesn't work", what /does/ happen when you try to
run this code?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkpBPeMACgkQ9CaO5/Lv0PAgKwCeJ1BG4CU1658AIFJn38OeuqtF
L4kAn2qXGsB+MN2BAcSxNiTqgrRr05dl
=lQQ5
-----END PGP SIGNATURE-----

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Trouble calling a secure Web Service requiring client certificate

2009-06-22 Thread frank.bowar
 Hi Chris -

> Can you post the relevant parts of your code?

I used WSDL2Java to create stubs for the Web Service I am connecting to.
Here is my code that wraps around the generated stubs:

try
{
  writer = new BufferedWriter(new FileWriter(outFile));

  loc = new SDXWSLocator(xmlns, serviceProvider, soapAddress, username,
                         password);
  soap = loc.getSDXWSSoap();
  // The XML request literal passed here lost its element tags in the list
  // archive; the surviving text reads "MISO2007-10-152007-10-16Daily" and
  // "MISO2007-10-151".
  ioBuff = soap.sendData("MISO");
  //Log.log("ioBuff="+ioBuff);
  if(StringTools.isStringNull(ioBuff) == false)
    writer.write(ioBuff);

  writer.close();
}
catch(IOException ioe)
...

The only method in the stubs that I modified was sendData() to include the
username/password in the soap header.  Here is that code:

  public java.lang.String sendData(java.lang.String szXMLRequest) throws
    java.rmi.RemoteException
  {
    if (super.cachedEndpoint == null)
    {
      throw new org.apache.axis.NoEndPointException();
    }
    org.apache.axis.client.Call _call = createCall();
    _call.setOperation(_operations[1]);
    _call.setUseSOAPAction(true);
    _call.setSOAPActionURI("SDX:SendData");
    _call.setEncodingStyle(null);
    _call.setProperty(org.apache.axis.client.Call.SEND_TYPE_ATTR,
      Boolean.FALSE);
    _call.setProperty(org.apache.axis.AxisEngine.PROP_DOMULTIREFS,
      Boolean.FALSE);
    _call.setSOAPVersion(org.apache.axis.soap.SOAPConstants.SOAP12_CONSTANTS);
    _call.setOperationName(new
      javax.xml.namespace.QName("http://ws.sdx.net", "SendData"));

    /*
     * Add the authentication information to the Header.
     *
     * Added manually by FLB.
     */
    SOAPHeaderElement header = new SOAPHeaderElement(sXmlns,
      "AuthenticationXML");
    SOAPElement node;
    try
    {
      node = header.addChildElement("User");
      node.addTextNode(sUser);
      node = header.addChildElement("Password");
      node.addTextNode(sPassword);
    }
    catch (SOAPException ex)
    {
      ex.printStackTrace();
    }
    _call.addHeader(header);

    setRequestHeaders(_call);
    setAttachments(_call);
    try
    {
      log("szXMLRequest.size="+szXMLRequest.length()+" "+szXMLRequest);
      java.lang.Object _resp = _call.invoke(new java.lang.Object[]
        {szXMLRequest});

      if (_resp instanceof java.rmi.RemoteException)
      {
        throw (java.rmi.RemoteException)_resp;
      }
      else
      {
        extractAttachments(_call);
        try
        {
          return (java.lang.String) _resp;
        }
        catch (java.lang.Exception _exception)
        {
          return (java.lang.String)
            org.apache.axis.utils.JavaUtils.convert(_resp, java.lang.String.class);
        }
      }
    }
    catch (org.apache.axis.AxisFault axisFaultException)
    {
      throw axisFaultException;
    }
  }

> Your code may have to become a lot more complicated in order 
> to make a connecting using a client certificate while running 
> within Tomcat.

I hope not ... it seems like I'm so close.

> Or, you may have to override the keystore on 
> Tomcat's command-line so that these system properties are set 
> /before/ Tomcat tried to load anything itself.

I added the following to the Tomcat startup command:

-Djavax.net.ssl.trustStore="C:/certs/datahub.keystore"
-Djavax.net.ssl.trustStorePassword="wintwins"
-Djavax.net.ssl.keyStore="C:/certs/SDXWebservice.pfx"
-Djavax.net.ssl.keyStorePassword="137246?82"
-Djavax.net.ssl.keyStoreType="PKCS12"

with no difference in the way things are running.  I think my truststore
file is being used because if I don't define the truststore, the
communication process traps out much sooner.

I hope this helps you help me!

- Frank.


Re: Trouble calling a secure Web Service requiring client certificate

2009-06-22 Thread Christopher Schultz
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank,

On 6/22/2009 3:53 PM, frank.bowar wrote:
> I've got a TOMCAT application that pulls data from a Web Service and just
> recently the Web Service was hardened to require client certificates.
>  
> I debugged all my certificate issues and got my Java class that talks to the
> Web Service working just fine as a stand-alone app.  However, I'm having
> trouble getting it to work within Tomcat.  My certificate is not being sent
> to the Web Service.

Can you post the relevant parts of your code?

> This is how I initialize my keystore and truststore:
>  
> System.setProperty("javax.net.ssl.trustStore",
> "c:\\certs\\datahub.keystore");
> System.setProperty("javax.net.ssl.trustStorePassword","turstpass");
> System.setProperty("javax.net.ssl.keyStore",
> "c:\\certs\\SDXWebservice.pfx");
> System.setProperty("javax.net.ssl.keyStorePassword","keypass");
> System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");

Depending on what else your code does, you may have to set these values
on a KeyStore object and load it yourself. It's possible that Tomcat has
already loaded the system-wide keystore from somewhere else by the time
the above code runs, and thus does not affect anything.

Your code may have to become a lot more complicated in order to make a
connecting using a client certificate while running within Tomcat. Or,
you may have to override the keystore on Tomcat's command-line so that
these system properties are set /before/ Tomcat tried to load anything
itself.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAko/44UACgkQ9CaO5/Lv0PANYQCeM9FdzgCvPBZyIOZWzK2+fn/h
w9oAn3NPslY7Bl9gnUHUSclR6s9B+MxX
=poak
-----END PGP SIGNATURE-----


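Chris's suggestion above (set the values on a KeyStore object and load it yourself, so the result no longer depends on whether Tomcat initialised the default SSL context before your code ran) and his later question about where the client certificate gets chosen both come down to the same JSSE plumbing. The following is an added example, not code from this thread or from the Axis stubs: it builds an SSLContext from an explicit PKCS12 client keystore and a JKS truststore, wraps the default X509KeyManager so that one named alias is always offered to the server during the handshake, and installs the context on an HttpsURLConnection. The keystore paths are the ones from the thread; the passwords and the key alias are placeholders the caller must supply, and the use of HttpsURLConnection rather than the Axis transport is an assumption made to keep the example self-contained.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Builds an SSLContext from explicit key and trust stores instead of the
 * javax.net.ssl.* system properties, so it works no matter what the
 * container loaded earlier. Written for JRE 1.6 (no try-with-resources).
 */
public final class ClientCertContext {

    /** X509KeyManager wrapper that always presents one configured alias. */
    static final class FixedAliasKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;
        private final String alias;

        FixedAliasKeyManager(X509KeyManager delegate, String alias) {
            // Fail early if the alias has no private key: a client cert
            // without its key can never satisfy a CertificateRequest.
            if (delegate.getPrivateKey(alias) == null) {
                throw new IllegalArgumentException("no private key under alias " + alias);
            }
            this.delegate = delegate;
            this.alias = alias;
        }

        // This is the call JSSE makes when the server asks for a client cert.
        public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            return alias;
        }
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            return delegate.chooseServerAlias(keyType, issuers, socket);
        }
        public String[] getClientAliases(String keyType, Principal[] issuers) {
            return new String[] { alias };
        }
        public String[] getServerAliases(String keyType, Principal[] issuers) {
            return delegate.getServerAliases(keyType, issuers);
        }
        public X509Certificate[] getCertificateChain(String a) {
            return delegate.getCertificateChain(a);
        }
        public PrivateKey getPrivateKey(String a) {
            return delegate.getPrivateKey(a);
        }
    }

    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Aliases that carry a private key; use this to find the alias to pin. */
    static List<String> keyAliases(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            if (ks.isKeyEntry(a)) {
                out.add(a);
            }
        }
        return out;
    }

    public static SSLContext build(String keyStorePath, char[] keyStorePassword, String alias,
                                   String trustStorePath, char[] trustStorePassword) throws Exception {
        KeyStore clientKeys = load(keyStorePath, "PKCS12", keyStorePassword);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, keyStorePassword);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) {
                kms[i] = new FixedAliasKeyManager((X509KeyManager) kms[i], alias);
            }
        }

        KeyStore trusted = load(trustStorePath, "JKS", trustStorePassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: supply the real passwords and the alias printed by keyAliases().
        char[] keyPass = "<keystore-password>".toCharArray();
        char[] trustPass = "<truststore-password>".toCharArray();
        System.out.println("key aliases: " + keyAliases(load("C:/certs/SDXWebservice.pfx", "PKCS12", keyPass)));
        SSLContext ctx = build("C:/certs/SDXWebservice.pfx", keyPass, "<client-alias>",
                               "C:/certs/datahub.keystore", trustPass);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Two points worth knowing when applying this inside Tomcat. First, the SSL Connector on 8443 in server.xml only configures inbound connections to Tomcat; it has no effect on the outbound handshake the web app performs, so adding or removing it will not change whether the client certificate is sent. Second, Axis 1.x opens its own sockets through the factory named by the axis.socketSecureFactory property rather than through HttpsURLConnection, so an SSLContext built as above has to be handed to a custom SecureSocketFactory for the generated stubs to use it. To see what actually happens in the handshake, start the JVM with -Djavax.net.debug=ssl,handshake and check whether the server sends a CertificateRequest and whether the client answers with a Certificate message or an empty one.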


Trouble calling a secure Web Service requiring client certificate

2009-06-22 Thread frank.bowar
I've got a TOMCAT application that pulls data from a Web Service and just
recently the Web Service was hardened to require client certificates.
 
I debugged all my certificate issues and got my Java class that talks to the
Web Service working just fine as a stand-alone app.  However, I'm having
trouble getting it to work within Tomcat.  My certificate is not being sent
to the Web Service.
 
This is how I initialize my keystore and truststore:
 
System.setProperty("javax.net.ssl.trustStore",
"c:\\certs\\datahub.keystore");
System.setProperty("javax.net.ssl.trustStorePassword","turstpass");
System.setProperty("javax.net.ssl.keyStore",
"c:\\certs\\SDXWebservice.pfx");
System.setProperty("javax.net.ssl.keyStorePassword","keypass");
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");

 
I'm using Tomcat 6 and JRE 1.6.
 
My web app is not secure and I had been using the out-of-the-box server.xml
file, but I've been playing with an SSL connector on 8443, but I still can't
get it to work and am not sure if I need to add this connector or not.
 
I'm not a security expert at all and have really been struggling with this
for far too long!  
 
Any and all help is appreciated.
 
Thanks in advance.
 
- Frank.