We are developing an application which acts as both a service and a client. As a service, multiple clients interact with our system, and as a client we need to call many web services. It is an intranet application between multiple parties, using transport-level security, i.e., HTTP over SSL. My web service receives the request and forwards it to the other party. In this scenario, if I need to pass the request to many clients (web services), do I need to have all the clients' certificates within my server? As I am new to SSL/HTTPS, please guide me as to whether I need to store any particular information regarding the clients apart from the details of the WSDL. I am using the WAS 6.0 app server.
When you use HTTPS for web services, to establish a secure connection we are usually concerned about three things: 1) server authentication, 2) client authentication, 3) encryption of the SSL connection.
For server authentication, you will anyway have a certificate generated for the server's authentication, which can be shared with clients.
For client authentication, most of the time certificates are not required. It's an optional thing. Usually client authentication is not required for web services, except in some critical cases where the server wants to exchange financial documents with the client and needs to validate it. In your case, if you think the client also needs authentication, you will have to generate certificates for the clients and store them in the server.
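The split the answer above draws between server authentication and client authentication maps directly onto which keystores each side has to hold. The following is an added example (not code from the poster, from the answer, or from WebSphere itself) using the plain JSSE API rather than the WAS admin console: a client only needs a truststore with the remote server's certificate (or its issuing CA); a server only needs the clients' certificates (or their CA) in its truststore if it actually turns client authentication on. The file names `own-identity.jks` and `trusted-parties.jks`, the password `changeit`, the port and the URL `https://partner.example/ws` are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public class TlsAuthExample {

    // Load a JKS keystore from disk (path and password are assumptions for this example).
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    // Client side: the truststore holds the remote server's certificate (or its CA) and is
    // what gives you server authentication. A keystore with this side's own certificate and
    // private key is only needed when the remote server demands client authentication;
    // pass null to skip it, which is the common case for web services.
    static SSLContext clientContext(KeyStore trustStore, KeyStore keyStore, char[] keyPassword)
            throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        KeyManager[] keyManagers = null;
        if (keyStore != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, keyPassword);
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Server side: the keystore holds the server's own certificate and private key. The
    // truststore (the clients' certificates or the CA that issued them) is consulted only
    // when requireClientAuth is true; with it false the server never asks a client for a
    // certificate, so nothing about the clients has to be stored on the server.
    static SSLServerSocket serverSocket(KeyStore keyStore, char[] keyPassword, KeyStore trustStore,
                                        boolean requireClientAuth, int port) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);

        TrustManager[] trustManagers = null; // null falls back to the JVM default trust store
        if (requireClientAuth) {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustStore);
            trustManagers = tmf.getTrustManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), trustManagers, null);
        SSLServerSocket socket = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        // Reject any client that cannot present a certificate we trust.
        socket.setNeedClientAuth(requireClientAuth);
        return socket;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();                        // assumption: demo password
        KeyStore ownKeys = loadKeyStore("own-identity.jks", pw);      // assumed path
        KeyStore trusted = loadKeyStore("trusted-parties.jks", pw);   // assumed path

        // Calling a partner service with server authentication only: we verify them,
        // they do not verify us at the TLS layer.
        SSLContext ctx = clientContext(trusted, null, null);
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://partner.example/ws").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // hostname check stays on by default
        System.out.println("HTTP " + conn.getResponseCode());

        // Exposing our own service with client authentication switched off; flip the
        // boolean to true and the clients' certificates in 'trusted' become mandatory.
        SSLServerSocket server = serverSocket(ownKeys, pw, trusted, false, 8443);
        System.out.println("listening on " + server.getLocalPort());
    }
}
```

The practical consequence for the question asked: as a caller you need the partner servers' certificates (or a common CA) in your truststore regardless; the clients' own certificates only have to live on your server if you set `setNeedClientAuth(true)` (or the equivalent option in the WAS SSL configuration), and even then a shared CA certificate is usually stored rather than one certificate per client.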
As mentioned before, client certificates are rarely used for WS. Usually, HTTP basic authentication or WS-Security authentication (both of which support username and password) are used. I wrote a JavaRanch Journal article that describes how to use both kinds of authentication with WS, with various code examples.