Rampart has a slightly different implementation for Mutual Authentication
pom.xml has maven-antrun-plugin copya prebuilt services-14.xml to
META-INF/services.xmland a prebuilt SecureService14.aar pom.xml: <plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-antrun-plugin</artifactId>
<version>1.1</version> <tasks>
<java classname="org.apache.axis2.wsdl.WSDL2Java" fork="true">
<arg line="-uri src/main/resources/ping/ping.wsdl -ss -o
target/generated-code -p org.apache.axis2.oasis.ping -d xmlbeans -g"/>
<classpath refid="maven.dependency.classpath"/>
<classpath refid="maven.compile.classpath"/>
<classpath refid="maven.runtime.classpath"/>
</java>
<executions>
<execution> <copy
overwrite="yes"
file="src/test/resources/rampart/services-14.xml"
tofile="target/temp-ramp/META-INF/services.xml"/>
<jar
jarfile="target/test-resources/rampart_service_repo/services/SecureService14.aar"
basedir="target/temp-ramp"/>
mutual-authentication is enforced in the policy as defined by services-14.xml
contents of services-14.xml:
<service name="SecureService14"> <module ref="addressing"/>
<module ref="rampart"/> <parameter locked="false"
name="ServiceClass">org.apache.rampart.Service</parameter> <operation
name="echo">
<messageReceiver
class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
<actionMapping>urn:echo</actionMapping>
</operation> <wsp:Policy wsu:Id="MutualCertificate11Sign_IPingService_policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing";>
<wsp:ExactlyOne>
<wsp:All>
<sp:SymmetricBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never";>
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:SymmetricBinding>
<sp:EndorsingSupportingTokens
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient";>
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:SignedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<sp:Body/>
<sp:Header Name="To"
Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
<sp:Header Name="From"
Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
<sp:Header Name="FaultTo"
Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
<sp:Header Name="ReplyTo"
Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
<sp:Header Name="MessageID"
Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
<sp:Header Name="RelatesTo"
Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
<sp:Header Name="Action"
Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
</sp:SignedParts>
<sp:Wss11
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
<sp:RequireSignatureConfirmation/>
</wsp:Policy>
</sp:Wss11>
<sp:Trust10
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust10>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy";>
<ramp:user>alice</ramp:user>
<ramp:encryptionUser>bob</ramp:encryptionUser>
<ramp:passwordCallbackClass>org.apache.rampart.PWCallback</ramp:passwordCallbackClass>
<ramp:signatureCrypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
</ramp:crypto>
</ramp:signatureCrypto>
<ramp:encryptionCypto>
<ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
<ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
</ramp:crypto>
</ramp:encryptionCypto>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy></service>
Martin
______________________________________________
Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité
Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger
sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung
oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem
Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung.
Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung
fuer den Inhalt uebernehmen.
Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le
destinataire prévu, nous te demandons avec bonté que pour satisfaire informez
l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est
interdite. Ce message sert à l'information seulement et n'aura pas n'importe
quel effet légalement obligatoire. Étant donné que les email peuvent facilement
être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité
pour le contenu fourni.
From: [email protected]
To: [email protected]; [email protected]
Subject: RE: Mutual SSL with Axis2
Date: Fri, 21 Dec 2012 21:39:46 +0000
I have done the following:
if (sslProtocol !=
null &&
"https".equals(endPoint.getProtocol()))
{
serviceClient.getOptions().setProperty(HTTPConstants.CUSTOM_PROTOCOL_HANDLER,
sslProtocol);
//if the endpoint is https, the port is 443 by default
final
int urlPort = endPoint.getPort();
final
int port = urlPort == -1 ? 443 : urlPort;
httpClient.getHostConfiguration().setHost(endPoint.getHost(),
port, sslProtocol);
}
serviceClient.getOptions().setSoapVersionURI(SOAP12Constants.SOAP_ENVELOPE_NAMESPACE_URI);
serviceClient.getOptions().setProperty(HTTPConstants.REUSE_HTTP_CLIENT,
Boolean.TRUE);
serviceClient.getOptions().setProperty(HTTPConstants.CACHED_HTTP_CLIENT,
httpClient);
Where sslProtocol is a org.apache.commons.httpclient.protocol.Protocol instance
that I only create if I have a custom SSLSocketFactory (for use with mutual
TLS).
httpClient is a org.apache.commons.httpclient.HttpClient instance I create with
a MultiThreadedHttpConnectionManager with some custom configuration of the
connection properties (number of connections, timeouts,
etc.).
Brett Okken
| CAMM Platform Services | Lead Architect | 816.201.6112 |
www.cerner.com |
[email protected]
From: Ockleford Paul (NHS CONNECTING FOR HEALTH) [mailto:[email protected]]
Sent: Friday, December 21, 2012 11:28 AM
To: [email protected]
Subject: Mutual SSL with Axis2
Hi,
I have one way SSL working fine as I have my web services exposed over https
and I am able to consume them with a client built from the wsdl using
wsdl2java. I would now like to set up mutual SSL so that I can allow only
clients I choose to connect to my service.
I have tried getting this set up by creating a self signed certificate at my
client and then exporting the public portion which I have added to cacerts on
my server. I then amended the tomcat config for the url /applications
so that it requires a client certificate. This means when I now browse to the
wsdl address with my browser I get the following error:
The request sent by the client was syntactically incorrect (No client
certificate chain in this request).
I then made a slight change to my client code:
SecureProtocolSocketFactory spsf =
new AuthSSLProtocolSocketFactory(new
File("N:/Workspaces/Webservices/HelloWorld/client-keystore").toURI().toURL(),
"changeit",
new
File("N:/Workspaces/Webservices/HelloWorld/client-keystore").toURI().toURL(),
"changeit");
Protocol authhttps =
new
Protocol ("https", spsf, 443);
Protocol.registerProtocol("https",
authhttps);
I then assumed that making a call from my client that everything would work but
it seems like my client also get the same html page returned from tomcat now to
say that there is no client certificate chain in the request.
Is there something else that I need to do?
Again any help is appreciated.
********************************************************************************************************************
This message may contain confidential information. If you are not the intended
recipient please inform the
sender that you have received the message in error before deleting it.
Please do not disclose, copy or distribute information in this e-mail or take
any action in reliance on its contents:
to do so is strictly prohibited and may be unlawful.
Thank you for your co-operation.
NHSmail is the secure email and directory service available for all NHS staff
in England and Scotland
NHSmail is approved for exchanging patient data and other sensitive information
with NHSmail and GSi recipients
NHSmail provides an email address for your career in the NHS and can be
accessed anywhere
********************************************************************************************************************
CONFIDENTIALITY NOTICE This message and any included attachments are from
Cerner Corporation and are intended only for the addressee. The information
contained in this message is confidential and may constitute inside or
non-public information under international, federal, or state securities laws.
Unauthorized forwarding, printing, copying, distribution, or use of such
information is strictly prohibited and may be unlawful. If you are not the
addressee, please promptly delete this message and notify the sender of the
delivery error by e-mail or you may call Cerner's corporate offices in Kansas
City, Missouri, U.S.A at (+1) (816)221-1024.
