Gary, thanks for offering to help.  Let me try to clarify my problem.

As I understand it, Axis will create HTTPS (SSL) connections transparently,
using the underlying JSSE.  When the client connects to the server, the SSL
connection will receive the server's certificate, which must be trusted in
order for the connection to succeed.  That means I must have the
server-cert's CA in my 'trustStore' (not surprising there).  The trustStore
is by default the "cacerts" file in $JAVA_HOME/jre/lib/security.  If I want
to use a different Trust Store, I can set the 'javax.net.ssl.trustStore'
System property (and corresponding 'javax.net.ssl.trustStorePassword') in
order for JSSE to use the proper store.  This is a system-wide setting
(per-VM), and hence not changeable for each client within a VM making SSL
connections.

Furthermore, if the server challenges me for a client-certificate, JSSE will
look for an <<appropriate>> (I am unsure how a cert is selected if there is
more than 1) certificate in the default 'keyStore'.  Similarly, I can
override the default KeyStore with the 'javax.net.ssl.keyStore' (and
'javax.net.ssl.keyStorePassword') System properties.  I believe that the
key/cert in the store must either have the same password as the KeyStore, or
else none (if not, how do I pass it in?).

Since I don't want keys/certs with no password in my KeyStore, and I don't
want them all to have the same password as the KeyStore itself... I _could_
also create the KeyStore (and TrustStore) dynamically, the following way:

SSLContext.getInstance("SSL").init(keyManagers, trustManagers,
secureRandom);

...and hence build a 1-key keyManager and 1 CA trustManager to use,
on-demand.  Using Axis's generated Java stubs (wsdl2java) I don't have
access to the SSL context of the specific connection (and I'm not even sure
if I can alter the SSL properties of a single SSL connection), and I don't
want to alter the global SSLContext as it will affect other connections
which occur simultaneously.

If I could override the SecureSocketFactory inside JSSE (which JDK1.4 does
not let you do), I could write a factory which is pre-configured to use
specific client key/certs and CA certs for specific URLs or hostnames.
Example:

https://soapserver1.com/ key1 CAx
https://soapserver2.net key2 CAy
etc...

Since I cannot, my only option _seems_ to be putting all keys in one
KeyStore, putting all CA certs in one TrustStore (naturally, this I can live
with), and making all keys have the same password, which is that of the
KeyStore itself.  Then, the SSL connection will figure out which
client-certificate to use to establish the session (I don't know how this
works, but I suppose a combination of algorithm support and/or Issuer DN??,
but there could be more than one acceptable client cert to use).  

I didn't know about the 'axis.secureSocketFactory' property (I'm quite new
to Axis), but I figured since JSSE won't let me plug in my own, then Axis
cannot either.  Perhaps this property was used only for people running
JDK1.3 + JSSE extension?  There is of course the SunJSSESocketFactory
provided with Axis, which gives me some customization, though I have no idea
if I can use it, nor how to instantiate it with the 'attributes' Hashtable
it takes which can hold 'keyStore', 'keyStorePass', etc.  Is this coming
from AxisClientEngine??

In summary, I need to have each Axis client connection provide its own
client-cert that it will present to the server, if/when prompted.  Is this
possible in some (nice, configurable) way?  If there is a way, does using
generated Stubs leave me with fewer options, without having to edit their
source?

Many thanks in advance for any light you can shed on this.

Kind regards,
Stuart
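As an added example (not from this thread or from Axis), the JSSE side of the per-client idea above: an SSLContext built from one key entry, read with its own password, plus one CA, so neither the javax.net.ssl.* System properties nor a shared key password is needed. Paths, the alias and passwords are assumed placeholders, the code uses Java 7 try-with-resources although the JSSE calls exist since JDK 1.4, and wiring the context into an Axis stub is not shown.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** One SSLContext per client identity, built from one key entry and one CA (no javax.net.ssl.* System properties). */
public final class PerClientSslContext {
    public static SSLContext build(String keyStorePath, char[] storePass, String alias, char[] keyPass,
                                   String caCertPath) throws Exception {
        // Open the shared keystore, but pull out only the one entry this client should present.
        // getKey() takes the entry's own password, so keys need not share the store password.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keyStorePath)) { ks.load(in, storePass); }
        Key key = ks.getKey(alias, keyPass);
        Certificate[] chain = ks.getCertificateChain(alias);
        if (key == null || chain == null) throw new IllegalArgumentException("no key entry for alias " + alias);
        // Copy that single entry into an in-memory keystore: with one entry the KeyManager
        // has nothing ambiguous to choose between when the server asks for a client cert.
        KeyStore one = KeyStore.getInstance("JKS");
        one.load(null, null);
        one.setKeyEntry(alias, key, keyPass, chain);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(one, keyPass);
        // Trust store holding exactly the CA this server's certificate must chain to.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (FileInputStream in = new FileInputStream(caCertPath)) { ca = (X509Certificate) cf.generateCertificate(in); }
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);
        ts.setCertificateEntry("ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        // "TLS" rather than the thread's "SSL"; a null SecureRandom means the provider default.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Applies a context to one connection only, leaving the VM-wide default context untouched. */
    public static HttpsURLConnection open(java.net.URL url, SSLContext ctx) throws java.io.IOException {
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        return c;
    }
}
```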

-----Original Message-----
From: Gary L Peskin [mailto:[EMAIL PROTECTED]
Sent: Wednesday 17 December 2003 18:37
To: [EMAIL PROTECTED]
Subject: RE: SecureSocketFactory pluggability?


I'd like to understand better what's happening here and I think I can help.

Can you please explain the first few paragraphs in baby steps so that I can
understand the exact problem?

Is the problem that you can't specify the socket factory that Axis will use?
Have you looked at the properties axis.SocketFactory and
axis.socketSecureFactory?

If you could take just a few minutes, it would be great.

Thanks,
Gary

> -----Original Message-----
> From: Stuart Miller [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, December 17, 2003 2:21 AM
> To: '[EMAIL PROTECTED]'
> Subject: SecureSocketFactory pluggability?
> 
> 
> The Axis framework seems pluggable with respect to 
> SocketFactories, as was JSSE prior to the JDK 1.4.  Now with 
> JDK 1.4, I cannot swap SocketFactory impls (via java.security 
> file) due to US export regulations.
> 
> With the out-of-the-box JSSESocketFactory, I can alter the 
> System properties 'javax.net.ssl.xxx' to point it to my 
> trust/cert stores, and tell it the passwords.  However, what 
> if I need a different cert/trust store for each client?
> 
> If I could tell Java/Axis to use the SunJSSESocketFactory (or 
> my own version), then I could build a Hashtable of properties 
> specifying 'keystore' 'keyStorePass', etc.  But alas, I 
> cannot with JDK1.4
> 
> eg. SecureSocketFactory ssf = 
> (SecureSocketFactory)SocketFactoryFactory.getFactory("https", 
> myProps);
> 
> So I'm left with 
> System.setProperty("javax.net.ssl.xxx", "xyz");
> 
> as the only way to tell Axis which CA's to trust and which 
> client certs it can use.  But I assume these properties are 
> only read once.. the first time the SocketFactory for HTTPS 
> is created.  Even if not, changing them at run-time is not 
> safe due to multiple clients running at the same time.
> 
> Furthermore, when I use wsdl2java to generate Java stubs, I 
> seem to be completely insulated from any ability to change 
> SSL environment things such as trustStore and keyStore.  It's 
> all automatic and hidden.
> 
> Has someone any idea of how I can do what I'm trying to do?  
> 
> Can I, for example, alter the SSL connection parameters in 
> the context of some Stub (ie. access the SecureSocket being 
> used)?  Something like this...
> 
> SSLContext.getInstance("SSL").init(keyMgrs, trustMgrs, secureRandom);
> 
> ...only synchronized in a way that prevents other clients 
> from connecting with these params until I'm done?
> 
> Any help is greatly appreciated.  I have connections working 
> fine, including client-auth, but I [seem to] lack the ability 
> to have different settings for each client in a single VM.
> 
> Stuart
> 
