users@jax-rpc.java.net

Re: Mutual SSL authentication with JAX-RPC

From: Jitendra Kotamraju <Jitendra.Kotamraju_at_Sun.COM>
Date: Thu, 18 Nov 2004 18:43:20 -0800

Ryan LeCompte wrote:
> Sharib,
>
> Thank you for your response. I was actually able to get the mutual
> authentication working under Tomcat today. However, I didn't have to set the
> <login-config> and <user-data-constraint> fields as you mentioned. You
> mentioned that this is only for the server side? My client is a standalone
> JAX-RPC client that doesn't run within a web container, so there is no
> web.xml file associated with the standalone JAX-RPC client. However, the
> remote web service implementation that runs within Tomcat has a web.xml
> file. Is that where you want me to specify the settings that you mentioned?
> I haven't set them at this point and I am able to get mutual SSL
> communication to happen without any problems. I have done the correct
> importing of the certificates for the client/server, and also set
> clientAuth=true in Tomcat. I'm now trying to do the same experiment with the
> same web service deployed on the .Net platform in IIS. It seems as though
> the only thing that I really have to set on my JAX-RPC client to get it to
> work with all flavors of SSL (including mutual authentication) is to set the
> following system properties to the correct values:
>
>     System.setProperty("javax.net.ssl.trustStore", trustStorePath);
>     System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
>     System.setProperty("javax.net.ssl.trustStoreType", trustStoreType);
>     System.setProperty("javax.net.ssl.keyStore", keyStorePath);
>     System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
>     System.setProperty("javax.net.ssl.keyStoreType", keyStoreType);
>     System.setProperty("java.protocol.handler.pkgs",
>                        "com.sun.net.ssl.internal.www.protocol");
>     Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
>
> There should be nothing else to set on the JAX-RPC client side to get all
> flavors of SSL to work, correct?

The JAX-RPC client just does a URLConnection to your endpoint. Everything is
handled by the JVM. All these properties are used by the JVM to establish the
HTTPS connection. So check the JVM documentation to see if you require
anything.

Thanks,
Jitu
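
An added example, not part of the original message or of the JAX-RPC project's code: a standalone client that loads the same key store and trust store into an `SSLContext` for a single `HttpsURLConnection` instead of setting JVM-wide system properties, and that checks the key store actually holds a private key before attempting the handshake. The file names, endpoint URL and environment variable names are hypothetical.

```java
import java.io.FileInputStream;
import java.net.URI;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {
    // Load a key store file of the given type ("JKS" or "PKCS12").
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Client authentication needs a private-key entry; a store that holds only
    // certificates cannot answer the server's certificate request.
    static boolean hasPrivateKey(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) return true;
        }
        return false;
    }

    // Context that presents the client key and trusts only the given trust store.
    static SSLContext buildContext(KeyStore keys, char[] keyPass, KeyStore trust) throws Exception {
        if (!hasPrivateKey(keys)) throw new IllegalStateException("key store has no private key entry");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical file names, endpoint and environment variable names.
        char[] keyPass = System.getenv("CLIENT_KEYSTORE_PASSWORD").toCharArray();
        char[] trustPass = System.getenv("CLIENT_TRUSTSTORE_PASSWORD").toCharArray();
        SSLContext ctx = buildContext(load("client-keystore.p12", "PKCS12", keyPass), keyPass,
                load("client-truststore.p12", "PKCS12", trustPass));
        HttpsURLConnection conn = (HttpsURLConnection)
                URI.create("https://service.example.com:8443/ws/endpoint").toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // scoped to this connection, not JVM-wide
        System.out.println("HTTP " + conn.getResponseCode() + " via " + conn.getCipherSuite());
        conn.disconnect();
    }
}
```

Hostname verification is left at the JVM default, so the server certificate must match the host name in the URL.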

>
> Thanks,
> -- Ryan
>
> -----Original Message-----
> From: Sharib Anis [mailto:sharib.anis_at_wilabs.com]
> Sent: Thursday, November 18, 2004 9:12 PM
> To: users_at_jax-rpc.dev.java.net
> Subject: RE: Mutual SSL authentication with JAX-RPC
>
> Hi Ryan,
>
> First you have to decide what kind of authentication you want to use. Three
> types are common:
>
> * HTTP basic authentication--The Web server authenticates a principal using
> the username and password obtained from the Web client. The username and
> password are included in the HTTP headers and are handled at the transport
> layer.
> * Form-based authentication--A developer can customize a form for entering
> username and password information, and then use this form to pass the
> information to the J2EE Web container. This type of authentication, geared
> toward Web page presentation applications, is not used for Web services.
> * HTTPS mutual authentication--Both the client and the server use digital
> certificates to establish their identity, and authentication occurs over a
> channel protected by Secure Sockets Layer.
>
> It seems to me you're trying to use the last one. If yes, then
>
> 1. You do need to set this:
>      <login-config>
>        <auth-method>CLIENT-CERT</auth-method>
>      </login-config>
>    and this:
>      <user-data-constraint>
>        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>      </user-data-constraint>
>    in the <security-constraint/>.
>    These settings are only on the server side.
> 2. Import the server cert into client keystore AND vice versa.
> 3. In Tomcat, you may set the clientAuth="true". It's not a must, you may
>    also set it to "want", if you want Tomcat to request a client Certificate,
>    but not fail if one isn't presented.
>
> Thanks and Regards,
> Sharib Anis
> Senior Research Engineer
> Wireless Intellect Labs Pte Ltd
> A MobileOne Company
> http://www.wilabs.com
> sharib.anis_at_wilabs.com
> DID: +65-6843 8672; Fax: +65-6560-4950 (TZ: +0800 GMT)
>
> There are 10 kinds of people in the world, those who understand binary and
> those who don't.
>
> -----Original Message-----
> From: Ryan LeCompte [mailto:ryan.lecompte_at_pangonetworks.com]
> Sent: 19 November 2004 01:33
> To: users_at_jax-rpc.dev.java.net
> Subject: Mutual SSL authentication with JAX-RPC
>
>
> Hello,
>
> I'm trying to have my static stub JAX-RPC client communicate via SSL with a
> remote web service. I'm setting the two system properties for specifying the
> SSL trust store path and trust store password. The client is able to
> successfully communicate via SSL when the remote web service's web server is
> configured to not require client-side authentication (for example in Tomcat
> the configuration attribute 'clientAuth="false"' would be used). However,
> when I turn on this attribute and require client-side authentication, the
> JAX-RPC client fails to communicate successfully with the web service. Is
> there anything else that must occur on the JAX-RPC client side when the
> remote web server requires a client-side certification authentication? I'm
> still new to SSL, so perhaps I have the basic concept confused. Do I have to
> import another certification in the client-side keystore for this to work? I
> looked in the java web services tutorial and they say that you need to
> specify the following in web.xml:
>
>   <login-config>
>     <auth-method>CLIENT-CERT</auth-method>
>   </login-config>
>
> However, this is a standalone JAX-RPC client that isn't running within a web
> container (thus there is no web.xml).
>
> Am I missing something here? Thank you for any suggestions...
>
> -- Ryan
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_jax-rpc.dev.java.net
> For additional commands, e-mail: users-help_at_jax-rpc.dev.java.net