connect to a SOAP webservice using SSL

Yahya Elyasse
Ranch Hand

Joined: Jul 07, 2005
Posts: 510

Hi all,
I'm using a local Apache 2 web server to run SugarCRM Community Edition on a Linux machine. I use a Java client with the SugarCRM SOAP API to authenticate users. This works for HTTP connections. Now I want to be able to authenticate users through secure HTTPS connections.
I know that for this I'll need to tell my web server to enable SSL connections. A probable solution is to modify the .htaccess file in the Sugar system.
In case there is a user who hasn't configured his web server/Sugar system to accept HTTPS connections, can we enable him to connect by using SSL code logic in the client SOAP code? I mean, there are users of my Java application who are complaining that my application couldn't authenticate them through SSL, so I'm looking for a way to support SSL connections through the SugarCRM SOAP API (in Java).
What I need is that even if the user didn't configure his web server/SugarCRM system for SSL connections, my Java client code will enable him to talk to the SugarCRM SOAP service through a secure connection. Is this possible? I mean, can I write Java code on the client side to enforce SSL communication with the SugarCRM SOAP service even if the user didn't enable SSL on the web server?

Any help is much appreciated.
Yahya Elyasse
Ranch Hand

Joined: Jul 07, 2005
Posts: 510

Hello,
I performed the necessary steps to install a self-signed certificate and configure my Apache2 web server to enable SSL.
The configuration is now successful. When I type a URL like 'https://localhost' I get the famous Apache2 message. I'm also able to connect to my Sugar installation through HTTPS from my web browser.

Now the problem:
When I try to connect from my Java application, it throws a bad exception. I suppose this is caused by the key certificates being self-signed and not authenticated by a CA.
I investigated further the exception thrown when using SSL from a Java API with only a self-signed certificate.
This article http://brian.pontarelli.com/2008/07/26/java-ssl-and-self-signed-certificates/ explains a workaround to solve this problem. It suggests that the exception occurs when the certificate is self-signed or signed by an authority that has not been verified by the JDK you are using, so the self-signed certificate has to be added to the JDK's keystore.

My question: if the user of my application didn't add his self-signed certificate to the JDK's keystore, is there a way I can automate this process? Is it possible to connect through SSL using only a self-signed certificate and force the JDK to accept this self-signed certificate?

Thanks.
Rusty Shackleford
Ranch Hand

Joined: Jan 03, 2006
Posts: 490
My question: if the user of my application didn't add his self-signed certificate to the JDK's keystore, is there a way I can automate this process? Is it possible to connect through SSL using only a self-signed certificate and force the JDK to accept this self-signed certificate?


I don't have a lot of experience, but you should be able to create a dialog to let the user choose to accept the certificate and then programmatically call keystore.

Do not accept it behind the scenes, and seriously consider a signed certificate if you are going to offer your program to others. IMO, self-signed certs are acceptable for testing and internal use, like inside a LAN, but nothing else.


"Computer science is no more about computers than astronomy is about telescopes" - Edsger Dijkstra
Yahya Elyasse
Ranch Hand

Joined: Jul 07, 2005
Posts: 510

Rusty Shackleford wrote:
My question: if the user of my application didn't add his self-signed certificate to the JDK's keystore, is there a way I can automate this process? Is it possible to connect through SSL using only a self-signed certificate and force the JDK to accept this self-signed certificate?


I don't have a lot of experience, but you should be able to create a dialog to let the user choose to accept the certificate and then programmatically call keystore.

Do not accept it behind the scenes, and seriously consider a signed certificate if you are going to offer your program to others. IMO, self-signed certs are acceptable for testing and internal use, like inside a LAN, but nothing else.


Thank you,
If the user uses a certificate signed by a CA, will it be automatically verified by the JDK? In this case the user doesn't have to add his CA to the JDK keystore, right?
Rusty Shackleford
Ranch Hand

Joined: Jan 03, 2006
Posts: 490
If the CA is recognized, I believe it should accept it.
Yahya Elyasse
Ranch Hand

Joined: Jul 07, 2005
Posts: 510

Rusty Shackleford wrote:
I don't have a lot of experience, but you should be able to create a dialog to let the user choose to accept the certificate and then programmatically call keystore.

Do not accept it behind the scenes, and seriously consider a signed certificate if you are going to offer your program to others. IMO, self-signed certs are acceptable for testing and internal use, like inside a LAN, but nothing else.


I want to be able to prompt the user to trust the self-signed (unknown) certificate. Then it is the user's responsibility to trust or reject the unknown/self-signed certificate.
Now I need to know which exception I should catch that indicates the certificate was not trusted. Is there an error number or a specific exception that indicates the case of self-signed/untrusted certificates? In other words, I'm looking for a way to detect when the CA is not trusted and then prompt the user whether to trust the certificate or not. I'll also need to get information about the untrusted certificate; how can I get this certificate information to display to the user?

Thanks for your further assistance on this issue.
Rusty Shackleford
Ranch Hand

Joined: Jan 03, 2006
Posts: 490
I believe a KeyStoreException is thrown if there is a certificate problem. Here is more information about handling certificates.

The problem with your viewpoint is that the vast majority of computer users don't have the required knowledge to be able to make an informed decision about self-signed certificates. Many security professionals wouldn't be able to tell if it is valid or not either, unless they had prior knowledge of the certificate and its fingerprints. The difference is security pros would likely not accept it but could at least make an informed decision and your "average" user has been conditioned to blindly accept everything. This is the big flaw of SSL, but nothing better has been developed yet, but at least signed certificates strengthen the system quite a bit. Self-signed certificates are a small step up from transmitting data in the clear.
Yahya Elyasse
Ranch Hand

Joined: Jul 07, 2005
Posts: 510

Rusty Shackleford wrote: I believe a KeyStoreException is thrown if there is a certificate problem. Here is more information about handling certificates.

The problem with your viewpoint is that the vast majority of computer users don't have the required knowledge to be able to make an informed decision about self-signed certificates. Many security professionals wouldn't be able to tell if it is valid or not either, unless they had prior knowledge of the certificate and its fingerprints. The difference is security pros would likely not accept it but could at least make an informed decision and your "average" user has been conditioned to blindly accept everything. This is the big flaw of SSL, but nothing better has been developed yet, but at least signed certificates strengthen the system quite a bit. Self-signed certificates are a small step up from transmitting data in the clear.

Thank you for your reply,
In your opinion, should I try to handle the special case of an untrusted certificate for an SSL connection?
I have the impression I'm trying to make my application too smart. Probably I should only test whether the application can connect through HTTPS to the remote web service with a CA certificate, and if the certificate is not trusted by the server then I should merely display an error message to the user?
I'm trying to make the life of my application's users easy by offering them all possible options to connect to the SOAP service.
In your opinion, what are the best decisions and features I should implement to make the connection to the SOAP service robust and reliable? For example, should I consider proxy connections besides SSL? What are the other authentication options I should tackle besides SSL and plain HTTP connections?

Thanks.
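
Added example, not part of any post in this thread and not SugarCRM code: one way to detect an untrusted server certificate in Java, show its details, and trust only that certificate from an app-private in-memory KeyStore instead of the JDK's keystore. With JSSE the rejection reaches the caller as a javax.net.ssl.SSLHandshakeException; the class name, the alias and the command-line arguments are hypothetical.

```java
import java.net.URL;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;
// Added example, not code from the thread; class name and alias are hypothetical.
public class PinnedTrustDemo {
    // Same verdict as the wrapped trust manager, but keeps the chain it rejected.
    static class Capturing implements X509TrustManager {
        final X509TrustManager delegate; X509Certificate[] rejected;
        Capturing(X509TrustManager d) { delegate = d; }
        public void checkServerTrusted(X509Certificate[] chain, String auth) throws CertificateException {
            try { delegate.checkServerTrusted(chain, auth); }
            catch (CertificateException e) { rejected = chain; throw e; }
        }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // ks == null selects the JDK default trust store
        for (TrustManager tm : tmf.getTrustManagers()) if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }
    static int get(URL url, TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // hostname verification stays at its default
        return conn.getResponseCode();
    }
    static String sha256(X509Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) sb.append(String.format("%02X", b));
        return sb.toString();
    }
    public static void main(String[] args) throws Exception { // args: https URL, [SHA-256 confirmed out of band]
        URL url = new URL(args[0]);
        Capturing capture = new Capturing(trustManagerFor(null));
        try { System.out.println("Trusted by JDK store, HTTP " + get(url, capture)); return; }
        catch (SSLHandshakeException e) { if (capture.rejected == null) throw e; }
        X509Certificate leaf = capture.rejected[0]; // the server's own certificate comes first
        System.out.println("Untrusted: " + leaf.getSubjectX500Principal() + ", issuer " + leaf.getIssuerX500Principal()
            + ", expires " + leaf.getNotAfter() + ", SHA-256 " + sha256(leaf));
        if (args.length < 2 || !args[1].equalsIgnoreCase(sha256(leaf))) return; // no confirmed match: stay rejected
        KeyStore pinned = KeyStore.getInstance(KeyStore.getDefaultType()); // app-private, JDK cacerts untouched
        pinned.load(null, null);
        pinned.setCertificateEntry("pinned-server", leaf);
        System.out.println("Pinned certificate accepted, HTTP " + get(url, trustManagerFor(pinned)));
    }
}
```

The second argument stands in for the dialog discussed above: the certificate is accepted only when its fingerprint matches a value the user obtained from the server's administrator by another channel.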