Maria,

On 3/18/14, 5:58 PM, Maria Cristina Siena wrote:
> Hi,
> 
> I developed a web service using jax-ws and configured Tomcat to
> support SSL connection. Here are my steps:
> 
> ****** Step 1 - Generate a self-signed server certificate
> 
> Use JDK 1.7 keytool:
> 
> keytool -genkey -alias trackerdev -keypass changeit -storepass
> changeit -keystore D:\Tomcat7\htdkeystore\trackerdev.ks -ext
> san=ip:xx.x.x.xxx
> 
> Is CN=xx.x.x.xxx, OU=it, O=companynamehere, L=citynamehere, 
> ST=provincenamehere, C=ca correct? [no]:  yes
> 
> ****** Step 2 – Configure Tomcat to support SSL connection
> 
> On the dev server:
> 
> Modify TOMCAT_HOME\conf\server.xml by adding the following block
> where keystoreFile and keystorePass are set to values from the
> previous step:
> 
> <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true" 
> maxThreads="150" scheme="https" secure="true" clientAuth="false" 
> sslProtocol="TLS" keystoreFile="htdkeystore/trackerdev.ks" 
> keystorePass="changeit" />
> 
> ****** Step 3 - Export the generated server certificate to a
> certificate file
> 
> On the dev server:
> 
> keytool -export -alias trackerdev -storepass changeit -file
> D:\Tomcat7\htdkeystore\serverdev.cer -keystore
> D:\Tomcat7\htdkeystore\trackerdev.ks
> 
> ****** Step 4 - Import the server certificate into the truststore
> file (Open an administrator cmd window and hit Shift, Ctrl, Enter)
> 
> Copy serverdev.cer from the dev server and on the local machine:
> 
> keytool -import -v -trustcacerts -alias trackerdev -file
> C:\fromdevserver\serverdev.cer -keystore "C:\Program
> Files\Java\jdk1.7.0_51\jre\lib\security\cacerts" -keypass changeit
> -storepass changeit
> 
> Trust this certificate? [no]:  yes
> 
> ****** Step 5 – Modify the webapp's web.xml
> 
> Add the following:
> 
> <listener>
>   <listener-class>com.sun.xml.ws.transport.http.servlet.WSServletContextListener</listener-class>
> </listener>
> <servlet>
>   <servlet-name>tracker</servlet-name>
>   <servlet-class>com.sun.xml.ws.transport.http.servlet.WSServlet</servlet-class>
> </servlet>
> <servlet-mapping>
>   <servlet-name>tracker</servlet-name>
>   <url-pattern>/tracker</url-pattern>
> </servlet-mapping>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>securedapp</web-resource-name>
>     <url-pattern>/tracker</url-pattern>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> 
> ****** MY QUESTION IS THIS:
> 
> I tested the web service using https and it worked for me. I
> provided another team with my server certificate so that they could
> add it to their truststore file but I have no idea if they did or
> not. All I know is that they got an error loading the wsdl. The
> exception they got was:
> 
> Error loading [https://xx.x.x.xxx:8444/appname/tracker?wsdl] 
> org.apache.xmlbeans.XmlException:
> javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> 
> They claim that the certificate is not properly signed. Well, I
> don't know. It is a self-signed certificate.

Self-signed certificates are almost never trusted by outsiders. Why
not go ahead and get a trusted cert? You can get them for free at
StartSSL.com. Note that Java does not ship with a StartSSL CA
root-level certificate, so you still have to import the CA's root key
into the client's key store.

If your client is willing to import /your/ self-signed CA's
certificate (that is, your own certificate) into their trust store,
then just send them your CA cert. They may not know how to configure
that correctly -- it's not exactly the easiest thing in the world for
a Java client.

-chris
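An added example, not from the thread or from either poster, of what the reply's last paragraph asks of the client side: a Java client that trusts the exported server certificate from its own truststore file rather than from whatever happens to be in the JRE's cacerts. The truststore path, its password and the WSDL URL are assumptions (the URL reuses the placeholder host from the question); the truststore is assumed to hold serverdev.cer imported with keytool as in step 4, just into a separate file instead of the JDK's cacerts.

```java
// Added example (not code from the original thread): fetch a WSDL over HTTPS
// while trusting only the certificates in a client-side truststore file.
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustedWsdlFetch {

    // Builds an SSLContext whose trust anchors come only from the given
    // truststore. The PKIX trust manager built here is the same code path
    // that raised "unable to find valid certification path" for the other
    // team; the difference is that the self-signed server cert is now among
    // the anchors it searches.
    static SSLContext sslContextFromTrustStore(String path, char[] password)
            throws Exception {
        // keytool on JDK 7 writes JKS files, so that type is used explicitly.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm()); // "PKIX"
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        // null key managers: the server has clientAuth="false", so the client
        // presents no certificate of its own.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical values: a truststore file created by importing the
        // server's serverdev.cer, and the WSDL URL from the question.
        String trustStorePath = args.length > 0
                ? args[0] : "C:\\fromdevserver\\client-truststore.jks";
        char[] trustStorePass = "changeit".toCharArray();
        URL wsdl = new URL("https://xx.x.x.xxx:8444/appname/tracker?wsdl");

        SSLContext ctx = sslContextFromTrustStore(trustStorePath, trustStorePass);
        HttpsURLConnection conn = (HttpsURLConnection) wsdl.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification is left at the default: the certificate's
        // SAN (ip:xx.x.x.xxx from step 1) has to match the host in the URL,
        // otherwise the connection is refused even though the cert is trusted.
        System.out.println("HTTP " + conn.getResponseCode() + " from " + wsdl);
    }
}
```

Two practical notes on this. A JAX-WS proxy generated from the WSDL does not hand you the HttpsURLConnection, so for that path the equivalent is to point the default SSLContext at the same file with the standard system properties `-Djavax.net.ssl.trustStore=<file>` and `-Djavax.net.ssl.trustStorePassword=<password>`. And importing the cert into the JDK's own cacerts, as step 4 does, only affects clients that run on that exact JRE on that machine; a truststore shipped with the client is what survives a JDK upgrade or a move to another host.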
