Re: Trouble calling a secure Web Service requiring client certificate
Frank,

On 6/22/2009 4:37 PM, frank.bowar wrote:
> I used WSDL2Java to create stubs for the Web Service I am connecting to.
> Here is my code that wraps around the generated stubs:

[snip]

I didn't see any SSL or cert stuff in there.

> The only method in the stubs that I modified was sendData() to include the
> username/password in the soap header. Here is that code:

[snip]

Nor here.

>> Your code may have to become a lot more complicated in order
>> to make a connection using a client certificate while running
>> within Tomcat.
>
> I hope not ... it seems like I'm so close.

Where do you choose the client certificate that the server expects to receive?

>> Or, you may have to override the keystore on
>> Tomcat's command-line so that these system properties are set
>> /before/ Tomcat tried to load anything itself.
>
> I added the following to the Tomcat startup command:
>
> -Djavax.net.ssl.trustStore="C:/certs/datahub.keystore"
> -Djavax.net.ssl.trustStorePassword="wintwins"
> -Djavax.net.ssl.keyStore="C:/certs/SDXWebservice.pfx"
> -Djavax.net.ssl.keyStorePassword="137246?82"
> -Djavax.net.ssl.keyStoreType="PKCS12"
>
> with no difference in the way things are running. I think my truststore
> file is being used because if I don't define the truststore, the
> communication process traps out much sooner.

Apparently, choosing only the keystore is not sufficient. I must admit I don't have really any experience with client certificates and don't understand the whole SSL handshake process that would end up selecting a certificate.

When you say that it "doesn't work", what /does/ happen when you try to run this code?

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Trouble calling a secure Web Service requiring client certificate
Hi Chris -

> Can you post the relevant parts of your code?

I used WSDL2Java to create stubs for the Web Service I am connecting to. Here is my code that wraps around the generated stubs:

    try
    {
        writer = new BufferedWriter(new FileWriter(outFile));
        loc = new SDXWSLocator(xmlns, serviceProvider, soapAddress, username, password);
        soap = loc.getSDXWSSoap();
        MISO2007-10-152007-10-16Daily");
        ioBuff = soap.sendData("MISO");
        MISO2007-10-151");
        //Log.log("ioBuff="+ioBuff);
        if(StringTools.isStringNull(ioBuff) == false)
            writer.write(ioBuff);
        writer.close();
    }
    catch(IOException ioe)
    ...

The only method in the stubs that I modified was sendData() to include the username/password in the soap header. Here is that code:

    public java.lang.String sendData(java.lang.String szXMLRequest) throws java.rmi.RemoteException
    {
        if (super.cachedEndpoint == null)
        {
            throw new org.apache.axis.NoEndPointException();
        }
        org.apache.axis.client.Call _call = createCall();
        _call.setOperation(_operations[1]);
        _call.setUseSOAPAction(true);
        _call.setSOAPActionURI("SDX:SendData");
        _call.setEncodingStyle(null);
        _call.setProperty(org.apache.axis.client.Call.SEND_TYPE_ATTR, Boolean.FALSE);
        _call.setProperty(org.apache.axis.AxisEngine.PROP_DOMULTIREFS, Boolean.FALSE);
        _call.setSOAPVersion(org.apache.axis.soap.SOAPConstants.SOAP12_CONSTANTS);
        _call.setOperationName(new javax.xml.namespace.QName("http://ws.sdx.net", "SendData"));

        /*
         * Add the authentication information to the Header.
         *
         * Added manually by FLB.
         */
        SOAPHeaderElement header = new SOAPHeaderElement(sXmlns, "AuthenticationXML");
        SOAPElement node;
        try
        {
            node = header.addChildElement("User");
            node.addTextNode(sUser);
            node = header.addChildElement("Password");
            node.addTextNode(sPassword);
        }
        catch (SOAPException ex)
        {
            ex.printStackTrace();
        }
        _call.addHeader(header);

        setRequestHeaders(_call);
        setAttachments(_call);
        try
        {
            log("szXMLRequest.size="+szXMLRequest.length()+" "+szXMLRequest);
            java.lang.Object _resp = _call.invoke(new java.lang.Object[] {szXMLRequest});

            if (_resp instanceof java.rmi.RemoteException)
            {
                throw (java.rmi.RemoteException)_resp;
            }
            else
            {
                extractAttachments(_call);
                try
                {
                    return (java.lang.String) _resp;
                }
                catch (java.lang.Exception _exception)
                {
                    return (java.lang.String) org.apache.axis.utils.JavaUtils.convert(_resp, java.lang.String.class);
                }
            }
        }
        catch (org.apache.axis.AxisFault axisFaultException)
        {
            throw axisFaultException;
        }
    }

> Your code may have to become a lot more complicated in order
> to make a connection using a client certificate while running
> within Tomcat.

I hope not ... it seems like I'm so close.

> Or, you may have to override the keystore on
> Tomcat's command-line so that these system properties are set
> /before/ Tomcat tried to load anything itself.

I added the following to the Tomcat startup command:

    -Djavax.net.ssl.trustStore="C:/certs/datahub.keystore"
    -Djavax.net.ssl.trustStorePassword="wintwins"
    -Djavax.net.ssl.keyStore="C:/certs/SDXWebservice.pfx"
    -Djavax.net.ssl.keyStorePassword="137246?82"
    -Djavax.net.ssl.keyStoreType="PKCS12"

with no difference in the way things are running. I think my truststore file is being used because if I don't define the truststore, the communication process traps out much sooner.

I hope this helps you help me!

- Frank.

> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Monday, June 22, 2009 3:03 PM
> To: Tomcat Users List
> Subject: Re: Trouble calling a secure Web Service requiring client certificate
>
> Frank,
>
> On 6/22/2009 3:53 PM, frank.bowar wrote:
> > I've got a TOMCAT application that pulls data from a Web Service and
> > just recently the Web Service was hardened to require client certificates.
> >
> > I debugged all my certificate issues and got my Java class that talks
> > to the Web Service working just fine as a stand-alone app. However,
> > I'm having trouble getting it to work within Tomcat. My certificate
> > is not being sent to the Web Service.
>
> Can you post the relevant parts of your code?
>
> > This is how I initialize my keystore and truststore:
> >
> > System.setProperty("javax.net.ssl.trustStore
Re: Trouble calling a secure Web Service requiring client certificate
Frank,

On 6/22/2009 3:53 PM, frank.bowar wrote:
> I've got a TOMCAT application that pulls data from a Web Service and just
> recently the Web Service was hardened to require client certificates.
>
> I debugged all my certificate issues and got my Java class that talks to the
> Web Service working just fine as a stand-alone app. However, I'm having
> trouble getting it to work within Tomcat. My certificate is not being sent
> to the Web Service.

Can you post the relevant parts of your code?

> This is how I initialize my keystore and truststore:
>
> System.setProperty("javax.net.ssl.trustStore", "c:\\certs\\datahub.keystore");
> System.setProperty("javax.net.ssl.trustStorePassword","turstpass");
> System.setProperty("javax.net.ssl.keyStore", "c:\\certs\\SDXWebservice.pfx");
> System.setProperty("javax.net.ssl.keyStorePassword","keypass");
> System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");

Depending on what else your code does, you may have to set these values on a KeyStore object and load it yourself. It's possible that Tomcat has already loaded the system-wide keystore from somewhere else by the time the above code runs, and thus does not affect anything.

Your code may have to become a lot more complicated in order to make a connection using a client certificate while running within Tomcat. Or, you may have to override the keystore on Tomcat's command-line so that these system properties are set /before/ Tomcat tried to load anything itself.

-chris
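
Added example, not part of the original thread or of anyone's posted code: one way to do what the reply above suggests, loading the key and trust stores into KeyStore objects and building a dedicated SSLContext so the result does not depend on when the javax.net.ssl.* system properties were read. The class name ClientCertContext and the JKS type for the truststore are assumptions, the store paths and passwords are passed as arguments, and wiring the resulting SSLSocketFactory into the generated Axis stubs is not shown.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class ClientCertContext {

    // Load a keystore from disk. Type is "PKCS12" for the .pfx file;
    // "JKS" for the truststore is an assumption about how it was created.
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    // Build a socket factory that carries its own key and trust material.
    static SSLSocketFactory build(KeyStore keys, char[] keyPassword, KeyStore trust) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // args: <pfx path> <pfx password> <truststore path> <truststore password>
    public static void main(String[] args) throws Exception {
        KeyStore keys = load(args[0], "PKCS12", args[1].toCharArray());
        KeyStore trust = load(args[2], "JKS", args[3].toCharArray());
        // Only entries that hold a private key can be offered as a client certificate.
        for (String alias : Collections.list(keys.aliases())) {
            if (!keys.isKeyEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) keys.getCertificate(alias);
            System.out.println(alias + " subject=" + cert.getSubjectX500Principal()
                    + " issuer=" + cert.getIssuerX500Principal());
        }
        SSLSocketFactory factory = build(keys, args[1].toCharArray(), trust);
        System.out.println("socket factory ready: " + factory.getClass().getName());
    }
}
```

The issuer printed for each key entry is what the default JSSE key manager compares against the issuers the server lists in its certificate request. Starting the JVM with -Djavax.net.debug=ssl,handshake shows that request and whether a client certificate was sent.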
Trouble calling a secure Web Service requiring client certificate
I've got a TOMCAT application that pulls data from a Web Service and just recently the Web Service was hardened to require client certificates.

I debugged all my certificate issues and got my Java class that talks to the Web Service working just fine as a stand-alone app. However, I'm having trouble getting it to work within Tomcat. My certificate is not being sent to the Web Service.

This is how I initialize my keystore and truststore:

    System.setProperty("javax.net.ssl.trustStore", "c:\\certs\\datahub.keystore");
    System.setProperty("javax.net.ssl.trustStorePassword","turstpass");
    System.setProperty("javax.net.ssl.keyStore", "c:\\certs\\SDXWebservice.pfx");
    System.setProperty("javax.net.ssl.keyStorePassword","keypass");
    System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");

I'm using Tomcat 6 and JRE 1.6. My web app is not secure and I had been using the out-of-the-box server.xml file, but I've been playing with an SSL connector on 8443, but I still can't get it to work and am not sure if I need to add this connector or not.

I'm not a security expert at all and have really been struggling with this for far too long! Any and all help is appreciated.

Thanks in advance.

- Frank.