In one of my recent interviews, I was asked how to secure web services using SSL. I answered that a certificate needs to be registered in the certificate keystore (cacerts) using the keytool utility and that, instead of HTTP, we need to use HTTPS. Apparently my answer was not satisfactory for them, and they wanted more explanation on that.
Is my answer not adequate, or did I miss any important point? Please advise.
I do not know what additional information the interviewer wanted to derive from me.
Apart from what I answered, are there any additional changes needed from the client perspective?
Jimmy Clark
I do not know what additional information the interviewer wanted to derive from me.
Interesting. How do you know that the interviewer was not satisfied with your answer? What did they want more explanation on?
In regards to client HTML browsers, there are many security settings related to SSL processing behavior. I doubt that the interviewer was expecting exact details on these settings, or at least he/she should not have been... unless your responses to other questions created doubt about your experience.
SSL is not a good way to secure web services anyway, so you are most likely better off that they did not like your response.
Hi!
I don't know if this is what they were after, but there is also the option to have mutual authentication with SSL.
On the client side, you need:
- The client key.
- The server certificate from the server's keystore.
The above are to go in a keystore and a certificates file for the client.
...and on the server side, you need:
- The server's key.
- The certificate from the client's keystore.
Again, the above are to go in a keystore and a certificates file for the server.
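The keystore and certificates file described in the post above map onto a Java `KeyManagerFactory` and `TrustManagerFactory`. The following is an added example, not code from the thread; the file names, port 8443 and the `STORE_PASS` environment variable are assumptions, and the stores are expected to have been created beforehand with keytool.

```java
import javax.net.ssl.*;
import java.nio.file.*;
import java.security.KeyStore;

public class MutualTlsDemo {

    // keyStore holds this side's private key; trustStore holds the peer's certificate.
    static SSLContext build(Path keyStore, Path trustStore, char[] pw) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // KeyStore.getInstance(File, char[]) (Java 9+) detects JKS or PKCS12 itself.
        kmf.init(KeyStore.getInstance(keyStore.toFile(), pw), pw);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(KeyStore.getInstance(trustStore.toFile(), pw));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: both stores share one password taken from the environment.
        char[] pw = System.getenv("STORE_PASS").toCharArray();
        if (args.length > 0 && args[0].equals("server")) {
            SSLContext ctx = build(Paths.get("server-keystore.p12"),
                                   Paths.get("server-truststore.p12"), pw);
            try (SSLServerSocket ss = (SSLServerSocket)
                     ctx.getServerSocketFactory().createServerSocket(8443)) {
                // Without this the server never asks for a client certificate
                // and the connection is ordinary one-way SSL.
                ss.setNeedClientAuth(true);
                try (SSLSocket s = (SSLSocket) ss.accept()) {
                    s.startHandshake(); // fails if the client cert is not trusted
                    System.out.println("client: " + s.getSession().getPeerPrincipal());
                }
            }
        } else {
            SSLContext ctx = build(Paths.get("client-keystore.p12"),
                                   Paths.get("client-truststore.p12"), pw);
            // A raw SSLSocket does no hostname check; trust rests on the truststore.
            try (SSLSocket s = (SSLSocket)
                     ctx.getSocketFactory().createSocket("localhost", 8443)) {
                s.startHandshake(); // fails if the server cert is not trusted
                System.out.println("server: " + s.getSession().getPeerPrincipal());
            }
        }
    }
}
```

Run one instance with the argument `server` and a second without arguments; removing the client's certificate from the server truststore makes the handshake fail on both sides.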
Kumar Raja wrote: Hi All,
In one of my recent interviews, I was asked how to secure web services using SSL
What about the login/authentication part? Did they ask you specifically about a certain web server? Tomcat requires some minor changes to server.xml. Maybe they were looking for that? Or maybe they wanted you to say something about having the certificate signed by a Certificate Authority? The keytool generates self-signed certificates and your users would have to trust your certificate prior to installing it. Some people are just vague though and don't know what they want to ask.