Summary: This document is a step-by-step guide to deploying web services over SSL
using Axis2 and to consuming such web services.
Introduction: For secure web service communication, the web service must be
deployed over the HTTPS protocol. HTTPS uses digital certificates for
authentication and to ensure that nobody except the two authenticated parties can
intercept the data. Once both parties have been authenticated, data is exchanged in encrypted
form using public and private keys. This document outlines the basic steps required to
deploy a web service over HTTPS and to write a Java client that accesses
a web service deployed on the secure site. We will use the Axis2 SOAP engine for
web services and Tomcat as the servlet container. It is assumed that you are
familiar with writing web services using Axis2; otherwise, please read the user guide first.
1.0 Configuring Tomcat Server for HTTPS
The first step in deploying web services over HTTPS is configuring
the servlet container. Since we want the server to be authenticated by the client, we need to
generate a digital certificate for the Tomcat server. So let's generate the server's certificate.
1.1 Generate Server Certificate
Java provides a very useful utility, keytool, to generate and manage certificates. We will use
this utility to create a keystore and a self-signed certificate for the server. A keystore is a file
where the information related to the certificate is stored.
[root@suprety program]# $JAVA_HOME/bin/keytool -genkey -alias
tomcatServer -keyalg RSA -keystore tomcatKeyStore
Enter keystore password: changeit
What is your first and last name?
[Unknown]: myName
What is the name of your organizational unit?
[Unknown]: research
What is the name of your organization?
[Unknown]: Free Software
What is the name of your City or Locality?
[Unknown]: Kathmandu
What is the name of your State or Province?
[Unknown]: Nepal
What is the two-letter country code for this unit?
[Unknown]: NP
Is CN=myName, OU=research, O=Free Software, L=Kathmandu, ST=Nepal, C=NP
correct? [no]: yes
*******************************************
*******************************************
The above information tells us that in the keystore named tomcatKeyStore, there is a
single certificate and private key for alias tomcatserver.
1.1.1 Export Server Certificate
We now need to export the server certificate so that it can be used by the client.
The certificate for tomcatserver is now exported to the file tomcatserver.cer. Let's
examine tomcatserver.cer:
[root@suprety program]# cat tomcatserver.cer
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
1.1.2 Import Server Certificate to Client TrustStore
For our web service client to communicate with the server over SSL, it must have a
truststore file. The truststore file should contain the imported certificate of the other
party so that the client can authenticate it. Since we want to authenticate the Tomcat server, we
need to import the server certificate into this truststore. To import the server certificate:
[root@suprety program]# $JAVA_HOME/bin/keytool -import -alias
tomcatCert -file tomcatserver.cer -keystore clientTrustStore
Enter keystore password: changeit
Owner: CN=myName, OU=research, O=Free Software, L=Kathmandu, ST=Nepal, C=NP
Issuer: CN=myName, OU=research, O=Free Software, L=Kathmandu, ST=Nepal, C=NP
Serial number: 4301745e
Valid from: Tue Aug 16 10:51:38 NPT 2005 until: Mon Nov 14 10:51:38 NPT 2005
Certificate fingerprints:
    MD5: 6D:2D:C5:80:3E:1B:1C:56:02:79:F8:60:81:1A:DE:3A
    SHA1: 5F:28:97:25:6A:18:A3:4C:18:C5:FA:7F:AD:0B:72:8B:ED:71:25:99
Trust this certificate? [no]: yes
Certificate was added to keystore
The above command generates a truststore file named clientTrustStore with the
tomcatserver certificate as a trusted certificate.
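An added example, not part of the original guide: before a client relies on clientTrustStore, this Java program lists each trusted certificate with its SHA-256 fingerprint and validity status, then builds an SSLContext that trusts only those entries. The class name TrustStoreCheck is hypothetical; the default file name and password are assumptions taken from the keytool session above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreCheck {
    // Colon-separated SHA-256 fingerprint of the DER-encoded certificate.
    static String sha256(X509Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            sb.append(sb.length() > 0 ? ":" : "").append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: file name and password from the keytool session above.
        String path = args.length > 0 ? args[0] : "clientTrustStore";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass); // fails on a wrong password or a modified file
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue; // trusted-certificate entries only
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + ": " + cert.getSubjectX500Principal().getName());
            System.out.println("  SHA-256 " + sha256(cert));
            try {
                cert.checkValidity(); // expired or not-yet-valid certificates throw
                System.out.println("  valid until " + cert.getNotAfter());
            } catch (CertificateException e) {
                System.out.println("  NOT VALID NOW: " + e.getMessage());
            }
        }
        // Trust only the entries in this file, without touching JVM-wide defaults.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

Compare the printed fingerprint with one obtained from the server administrator over a separate channel, since a self-signed certificate has no issuer to vouch for it.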
<Connector
    className="org.apache.coyote.tomcat4.CoyoteConnector"
    port="8443" minProcessors="5"
    maxProcessors="75"
    enableLookups="true"
    acceptCount="100" debug="0"
    scheme="https" secure="true"
    useURIValidationHack="false" disableUploadTimeout="true">
  <!-- keystoreFile and keystorePass point Tomcat at the server keystore created in step 1.1 -->
  <Factory
      className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
      keystoreFile="/usr/lib/ooo-1.1/program/tomcatKeyStore"
      keystorePass="changeit" />
</Connector>
We added two parameters to the above file. The first is keystoreFile; its value is the
keystore file that we created in the previous step. You need to change the path of the file to
make it work in your environment. The second parameter is keystorePass; its
value should be the same as the password for the keystore.
System.setProperty("javax.net.ssl.trustStorePassword",
"changeit");
....
....
This is all we have to do; now we can call the secure web service without any problem.
The source code of the HTTPS web service client is given below.
//FileName: HttpsWebServiceClient.java
package test;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLOutputFactory;
import javax.xml.stream.XMLStreamWriter;
import org.apache.axis2.AxisFault;
import org.apache.axis2.Constants;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.clientapi.Call;
import org.apache.axis2.om.OMAbstractFactory;
import org.apache.axis2.om.OMElement;
import org.apache.axis2.om.OMFactory;
import org.apache.axis2.om.OMNamespace;
import org.apache.axis2.om.impl.OMOutputImpl;
/**
* @author Shankar Raj Uprety
*/
if(result!=null){
displayResult(result);
}else{
System.out.println("Got Null Result");
}
}
Note:
This client program runs only with the latest release of Axis2 (version 0.91). You will get
a connection reset exception if you try it with older releases.
4.0 Conclusion
Web services over HTTPS, for secure communication between the web service and the
client, can be implemented using the Axis2 SOAP engine by carrying out the steps
outlined above.
5.0 References:
1. JSSE Reference Guide
http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html
2. Setting up Apache Tomcat and a Simple Apache SOAP Client for SSL
Communication
http://ws.apache.org/soap/docs/install/FAQ_Tomcat_SOAP_SSL.html
3. Axis2 User Guide
http://ws.apache.org/axis2/userguide.html