SOAP over HTTPS / SSL

Ramamurthy Sudhi
Greenhorn

Joined: Aug 01, 2006
Posts: 6
Hello everyone,

need help -

My project requires making a SOAP call to access a web service over HTTPS. We are using WSAD 5.0 server with IIS web server. I am very new to this. Could anyone sort of guide me?
I have the WSDL file and I generated Java proxy clients using WSDL2Client. How do I go about ensuring that the SOAP goes over SSL/HTTPS? Are there any security changes required at the app server level? Should I have made any changes to the WSDL document itself, as it has http:// references in the SOAP binding?
The service provider uses real certificates (VeriSign). How do I handle the exchange of certificates?

Any help is greatly appreciated. Thanks in advance.
Watsh Rajneesh
Ranch Hand

Joined: Apr 17, 2006
Posts: 110
You can export a VeriSign certificate from IE (Tools->Internet Options->Content->Certificates...->Trusted Root Certificates (tab)): pick the one which shows Server Authentication in the description and export it as DER encoding (a .cer file). Say you save this in a file named verisign.cer.

Then use keytool.exe to import this certificate into the trusted root certificate store:
keytool -import -trustcacerts -alias verisign -file verisign.cer -keystore %JAVA_HOME%/lib/security/cacerts -storepass changeit -storetype JKS

You may also store it in another keystore file than the default cacerts. The password "changeit" is the default password for the cacerts keystore.

The client uses the imported certificate to trust the server that owns that certificate. When a client establishes a session, the server sends a server certificate to the client. If the certificate is a member of the certificates included in the client keystore, the client trusts the server and so proceeds with the session.

For the client, you must set up Java system properties that are required when invoking SSL. These are:
  • the keystore type (storetype),
  • keystore filename (keystore), and
  • keystore password (storepass)

Here's how you do this in your client code:


Note: If your WSDL does not specify the service endpoint location with an https:// URL then your service does not require SSL. Also, before you change the WSDL's service endpoint location to an https:// URL you will first need to check if that's a valid URL (usually the service location URL appended with ?WSDL should show the WSDL file for the service).


SCJP 5.0 (90%), SCDJWS 1.4 (88%), SCWCD 1.4 (82%), SCBCD 1.3 (85%)
Watsh Rajneesh
Ranch Hand

Joined: Apr 17, 2006
Posts: 110
A correction:

To add the VeriSign certificate (or any new certificate) as a trusted root certificate to the cacerts file, use the following command:


It will prompt for the password for the cacerts keystore, which is "changeit" by default. It will also ask if you want to trust this certificate ... answer yes. keytool -list will list the certificate details:
    C:\>keytool -list
    Enter keystore password: changeit

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 1 entry

    verisign_new, Aug 3, 2006, trustedCertEntry,
    Certificate fingerprint (MD5): 26:XXXX60

To check if the certificate was installed:

where verisign_new is the alias we used when adding the certificate to the keystore.

Even though the default cacerts should include the VeriSign class 2 CA certificate (as documented by the JDK tools doc for keytool), it does not list it, and so I think it's better to install a VeriSign cert manually in the client-side JVM keystore as shown above.
Ramamurthy Sudhi
Greenhorn

Joined: Aug 01, 2006
Posts: 6
Thanks a lot.
Our Web Admin helped us to import the certificate into the cacerts file. Should I still set the truststore and keystore properties in the code? Wouldn't the WebSphere server know where to find the certificate/public key information?

Thanks
Watsh Rajneesh
Ranch Hand

Joined: Apr 17, 2006
Posts: 110
You will need to set the system properties to let the JVM know which keystore to look into for trusted CA certificates when a server tries to authenticate itself with your client (running in the context of your JVM process), and also the password for the keystore, to allow the JVM to access the trusted CA certs stored in the keystore. WebSphere is just an application which runs in the context of the JVM and in turn manages the lifecycle of your client app.
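The client-side code that both of the replies above describe (set the trust-store system properties, then make sure the endpoint really answers over https://), as an added example that is not code from this thread or from any of its posters. The class name, the placeholder service URL and the use of the JRE's default cacerts with its default password "changeit" are assumptions; the properties themselves are the standard javax.net.ssl ones.

```java
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;

/**
 * Added example: point the JVM at the trust store that the CA certificate was
 * imported into, then fetch the WSDL over https:// so the TLS handshake proves
 * the server certificate chains to a CA in that store.
 */
public class HttpsWsdlCheck {

    // Assumed values: the running JRE's default cacerts and its default password.
    static final String TRUST_STORE =
            System.getProperty("java.home") + "/lib/security/cacerts";
    static final String TRUST_STORE_PASSWORD = "changeit";

    /** Must run before the first SSL connection; the default SSLContext reads these only once. */
    static void configureTrustStore() {
        System.setProperty("javax.net.ssl.trustStore", TRUST_STORE);
        System.setProperty("javax.net.ssl.trustStorePassword", TRUST_STORE_PASSWORD);
        System.setProperty("javax.net.ssl.trustStoreType", "JKS");
    }

    /**
     * Connects to an https:// URL and returns the certificate chain the server
     * presented. The JSSE trust manager validates that chain against the trust
     * store during connect(); an untrusted chain ends in SSLHandshakeException.
     */
    static Certificate[] checkEndpoint(String wsdlUrl) throws Exception {
        URL url = new URL(wsdlUrl);
        if (!"https".equals(url.getProtocol())) {
            throw new IllegalArgumentException(
                    "WSDL location is not https://, so the service is not behind SSL: " + wsdlUrl);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        try {
            conn.setRequestMethod("GET");
            conn.connect();                       // TLS handshake and chain validation happen here
            int status = conn.getResponseCode();  // the ?WSDL check from the post: expect 200 and the WSDL body
            System.out.println("GET " + wsdlUrl + " -> HTTP " + status);
            return conn.getServerCertificates();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        configureTrustStore();
        // Placeholder endpoint; pass the real service location (with ?WSDL) as the first argument.
        String wsdlUrl = args.length > 0 ? args[0] : "https://service.example.com/MyService?WSDL";
        try {
            for (Certificate c : checkEndpoint(wsdlUrl)) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject: " + x.getSubjectX500Principal());
                System.out.println("  issuer:  " + x.getIssuerX500Principal());
                System.out.println("  expires: " + x.getNotAfter());
            }
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed, server chain is not trusted by "
                    + TRUST_STORE + ": " + e.getMessage());
        }
    }
}
```

Run it as `java HttpsWsdlCheck https://host/Service?WSDL` from the same JVM installation the generated proxy will use. If the handshake fails here, the proxy client will fail the same way, and the fix is in the trust store (import the issuing CA under a known alias), not in the WSDL.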
bharath chary
Greenhorn

Joined: Mar 16, 2012
Posts: 2
This thread helped me a lot. In addition, I would like to add the issues I faced in the process of applying these changes.

I have imported the key as mentioned in the thread, but in spite of setting the correct password of cacerts.jks, it throws me an error something like as shown below:

    Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
    at java.security.KeyStore.load(KeyStore.java:1185)
    at com.sun.net.ssl.internal.ssl.TrustManagerFactoryImpl.getCacertsKeyStore(TrustManagerFactoryImpl.java:202)
    at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.getDefaultTrustManager(DefaultSSLContextImpl.java:70)
    at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.<init>(DefaultSSLContextImpl.java:40)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at java.security.Provider$Service.newInstance(Provider.java:1221)
    ... 54 more
    Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
    ... 66 more

....

I have used keytool in cmd (command prompt) to set the password and I was trying to change it using the -newpasswd flag, but still I used to get the same error.

After so much googling I found a software tool which maintains these sorts of SSL certificates; the tool name is KeyStore Explorer, home page link is http://www.lazgosoftware.com/kse/index.html.
Using this tool I have exported the keystore and changed the default password to some 'abc123', and it worked for me. I have modified the code snippet as well; below is my updated code snippet to set the Java environment.

String keystore = "C:\\Program Files\\Java\\jre1.6.0_06\\lib\\security\\cacerts.jks";
String keystorepass = "abc123";      // the password set with KeyStore Explorer
String storetype = "JKS";
String truststorepass = "abc123";

// property name / value pairs read by the JSSE default SSLContext
String[][] props = {
    { "javax.net.ssl.trustStore", keystore },
    { "javax.net.ssl.trustStorePassword", truststorepass },
    { "javax.net.ssl.keyStore", keystore },
    { "javax.net.ssl.keyStorePassword", keystorepass },
    { "javax.net.ssl.keyStoreType", storetype },
};
// apply them before the first SSL connection is opened
for (String[] p : props) {
    System.setProperty(p[0], p[1]);
}

Hope this will help someone.

Thanks for the thread, hats off to CodeRanch .........!!!
Happy coding.
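The "Keystore was tampered with, or password was incorrect" failure in the post above can be pinned down before touching the system properties by opening the file directly with java.security.KeyStore. The following is an added example, not code from this thread or any poster; the class name, the default path, password and alias in main() are assumptions and should be replaced with the values used in the keytool -import step. It relies on one JKS property: loading with a null password skips the integrity check, so the entries can still be listed when the password is rejected.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Added example: tell apart "wrong password", "wrong file" and "alias not a
 * trustedCertEntry" for a JKS trust store, using the same error that the
 * stack trace in the thread shows.
 */
public class TrustStoreDiagnose {

    enum Result { OK, WRONG_PASSWORD, ALIAS_MISSING, NOT_A_TRUSTED_CERT, EXPIRED }

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);   // non-null password: JKS verifies the integrity hash
        }
        return ks;
    }

    static Result diagnose(String path, String password, String alias) throws Exception {
        KeyStore ks;
        try {
            ks = load(path, password.toCharArray());
        } catch (IOException e) {
            if (!(e.getCause() instanceof UnrecoverableKeyException)) {
                throw e;   // unreadable file, wrong format, etc.: not a password problem
            }
            // Same failure as the trace in the thread: the integrity check did not pass.
            // Re-open with a null password (no check) to show what the file really contains.
            ks = load(path, null);
            System.out.println("Password rejected for " + path
                    + "; entries present: " + Collections.list(ks.aliases()));
            return Result.WRONG_PASSWORD;
        }
        if (!ks.containsAlias(alias)) {
            System.out.println("Alias '" + alias + "' not found in " + path
                    + "; entries: " + Collections.list(ks.aliases()));
            return Result.ALIAS_MISSING;
        }
        if (!ks.isCertificateEntry(alias)) {
            return Result.NOT_A_TRUSTED_CERT;   // a key entry, not a trustedCertEntry
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        System.out.println(alias + ": " + cert.getSubjectX500Principal()
                + ", valid until " + cert.getNotAfter());
        try {
            cert.checkValidity();
        } catch (CertificateException e) {
            return Result.EXPIRED;
        }
        return Result.OK;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: pass the real path, password and alias from the keytool -import step.
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        String password = args.length > 1 ? args[1] : "changeit";
        String alias = args.length > 2 ? args[2] : "verisign_new";
        System.out.println(diagnose(path, password, alias));
    }
}
```

A WRONG_PASSWORD result with the expected alias in the printed entry list means the store is the right one and only javax.net.ssl.trustStorePassword is off; an ALIAS_MISSING result means the import went into a different file than the one the property points at, which is the more common cause when a JDK and a JRE are both installed.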

Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
This won't help you with your current problem, but a much better way to achieve encrypted SOAP communication is to use the WS-Security standard that is supported by all major SOAP implementations.