Re: [Axis2] SSL and certificate support
Dumindu Pallewela wrote:
> Subra A Narayanan wrote:
>> But when I was reading rampart documentation, it talks about soap body encryption using SSL certs. How is that different from using apache for SSL?
>
> To add to my previous reply, *SSL certificate* seems a misnomer when talking about Rampart, and SOAP body encryption. Shouldn't it rather be *x509 certificate*? Any thoughts?

Which documentation are we talking about? Installation/Configuration guides [1][2]? It should be X509 certificates.

-Kau

[1] http://ws.apache.org/rampart/c/docs/installationguide.html
[2] http://ws.apache.org/rampart/c/docs/configurations.html

> -Dumindu.

--
http://blog.kaushalye.org/
http://wso2.org/

Re: [Axis2] SSL and certificate support
Subra A Narayanan wrote:
> But when I was reading rampart documentation, it talks about soap body encryption using SSL certs. How is that different from using apache for SSL?

To add to my previous reply, *SSL certificate* seems a misnomer when talking about Rampart, and SOAP body encryption. Shouldn't it rather be *x509 certificate*? Any thoughts?

-Dumindu.

--
Dumindu Pallewela
http://blog.dumindu.com
GPG ID: 0x9E131672
WSO2 | http://wso2.com | "Oxygenating the Web Service Platform"

Re: [Axis2] SSL and certificate support
Subra A Narayanan wrote:
> Hey Dumindu,
>
> Just want to make sure I understand this correctly. So if I just want to run my axis2 webservices in SSL mode, I don't need rampart. I can just use apache for that, right?

YES, Absolutely!

> But when I was reading rampart documentation, it talks about soap body encryption using SSL certs. How is that different from using apache for SSL?

SSL/TLS is only concerned with *transport* security. That is, "Eve" in the middle of the channel cannot eavesdrop on Bob's private conversation with Alice. :) However, if you need more, like message-level security, you need WS-Sec. Say you need to store your SOAP message and later consume it. WS-Sec can provide security while it is being stored, whereas SSL/TLS fails to provide that. You can find some more insight into it in the "Alternatives" section of [1].

> My second question is, let's assume I want to use client authentication for my webservice. I have to set the following 2 variables in the httpd.conf file
>
> SSLVerifyClient require
> SSLVerifyDepth 1
>
> I understand that this will force the client to send a cert with every request. But after receives the client cert, what does it do with it? Does it check against a list of certs that's allowed to access the service? Is this feature built-in to axis2 or do we have to implement it ourselves?

Axis2/C does nothing with the client's certificate at the server side. It is up to the user to configure their Apache2 server to accept/reject the clients based on the certificates provided _if_ they need such functionality. Note that Apache2 works as yet another transport and hence we shouldn't be messing around with the transport implementation details at the Axis2/C module level.

If for some reason you need to do it in Axis2 code, my guess is that you need a really ugly hack, making it better left with Apache2 (assuming that you are not considering the situation where you would write the SSL transport support for the server code, i.e., for simple_axis_server).

HTH,
Dumindu.

[1] http://en.wikipedia.org/wiki/Web_Services_Security

--
Dumindu Pallewela
http://blog.dumindu.com
GPG ID: 0x9E131672
WSO2 | http://wso2.com | "Oxygenating the Web Service Platform"

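As an added illustration of the reply above (not part of the thread, and not Axis2/C or Apache project code): a mod_ssl configuration in which Apache itself decides which client certificates are accepted. The file paths, the CA file and the allowed common names are hypothetical placeholders, and the `/axis2` location with `SetHandler axis2_module` is an assumed mod_axis2 setup.

```apache
# Added example. Paths, CA file and subject names are hypothetical.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Trust anchor for client certificates: only certificates that chain
    # to a CA in this file pass verification.
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt

    # Assumed location and handler name for the Axis2/C Apache module.
    <Location /axis2>
        SetHandler axis2_module

        # The two directives from the question: a client certificate is
        # mandatory, and it must be issued directly by a CA known to the
        # server (no intermediate CAs).
        SSLVerifyClient require
        SSLVerifyDepth  1

        # Verification alone admits every client the CA has ever issued a
        # certificate to. To accept only a specific list, match on the
        # subject of the verified certificate.
        SSLRequire %{SSL_CLIENT_S_DN_CN} in {"billing-client", "reporting-client"}
    </Location>
</VirtualHost>
```

On Apache 2.4, `SSLRequire` is deprecated in favour of `Require expr`, which accepts the same `SSL_CLIENT_*` variables.
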
Re: [Axis2] SSL and certificate support
Hey Dumindu,

Just want to make sure I understand this correctly. So if I just want to run my axis2 webservices in SSL mode, I don't need rampart. I can just use apache for that, right? But when I was reading rampart documentation, it talks about soap body encryption using SSL certs. How is that different from using apache for SSL?

My second question is, let's assume I want to use client authentication for my webservice. I have to set the following 2 variables in the httpd.conf file

SSLVerifyClient require
SSLVerifyDepth 1

I understand that this will force the client to send a cert with every request. But after receives the client cert, what does it do with it? Does it check against a list of certs that's allowed to access the service? Is this feature built-in to axis2 or do we have to implement it ourselves?

Thanks,
Subra

Hi Greg,

>> Sorry if this is in some documentation somewhere (I've tried and not found it). A cursory glance at the rampart code shows a lot of references to ssl and certificates. Some specific questions:
>>
>> Is SSL supported on server side? Client?

Yes, Axis2/C supports both ssl server authentication and client authentication. Please refer to the axis2c manual [1]. I would suggest you use axis2 1.0.0 RC3 [2] or the latest svn head, since ssl transport has been updated since 0.96 release. In this case you will have to refer to the documentation from the trunk [3].

Note that ssl transport is not a feature of rampart, but of Axis2/C itself.

Regards,
Dumindu.

[1] http://ws.apache.org/axis2/c/docs/axis2c_manual.html#ssl_client
[2] http://people.apache.org/~samisa/release/1.0.0/RC3/
[3] http://svn.apache.org/viewvc/webservices/axis2/trunk/c/xdocs/docs/axis2c_manual.html?view=co#ssl_client

Re: [Axis2] SSL and certificate support
Greg Denton wrote:
>> Note that ssl transport is not a feature of rampart, but of Axis2/C itself.
>
> Just to confirm, the documentation seems to imply that SSL transport is not a part of Axis2/C "server-side" (I guess this would be the "simple axis server") only client. For server-side, apache must be used, correct?

Yes, simple_axis_server is incapable of handling SSL requests. What I meant by saying that the SSL transport is a feature of Axis2/C is that Rampart has nothing to do with the SSL transport (yet). Sorry if it was misleading.

> I found the client certificate info in the new docs, thanks.

IIRC, SSL Client authentication is a post-0.96 feature. It will be updated in the site with the next release.

Regards,
Dumindu.

RE: [Axis2] SSL and certificate support
>> Note that ssl transport is not a feature of rampart, but of Axis2/C itself.

Just to confirm, the documentation seems to imply that SSL transport is not a part of Axis2/C "server-side" (I guess this would be the "simple axis server") only client. For server-side, apache must be used, correct? (I imagine this is due to the extreme security requirements of the server and wanting to reuse apache to meet them.)

I found the client certificate info in the new docs, thanks.

Thanks.

-Original Message-
From: Dumindu Pallewela [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 26, 2007 10:40 PM
To: Apache AXIS C User List
Subject: Re: [Axis2] SSL and certificate support

Hi Greg,

>> Sorry if this is in some documentation somewhere (I've tried and not found it). A cursory glance at the rampart code shows a lot of references to ssl and certificates. Some specific questions:
>>
>> Is SSL supported on server side? Client?

Yes, Axis2/C supports both ssl server authentication and client authentication. Please refer to the axis2c manual [1]. I would suggest you use axis2 1.0.0 RC3 [2] or the latest svn head, since ssl transport has been updated since 0.96 release. In this case you will have to refer to the documentation from the trunk [3].

Note that ssl transport is not a feature of rampart, but of Axis2/C itself.

Regards,
Dumindu.

[1] http://ws.apache.org/axis2/c/docs/axis2c_manual.html#ssl_client
[2] http://people.apache.org/~samisa/release/1.0.0/RC3/
[3] http://svn.apache.org/viewvc/webservices/axis2/trunk/c/xdocs/docs/axis2c_manual.html?view=co#ssl_client

Re: [Axis2] SSL and certificate support
Hi Greg,

> Sorry if this is in some documentation somewhere (I've tried and not found it). A cursory glance at the rampart code shows a lot of references to ssl and certificates. Some specific questions:
>
> Is SSL supported on server side? Client?

Yes, Axis2/C supports both ssl server authentication and client authentication. Please refer to the axis2c manual [1]. I would suggest you use axis2 1.0.0 RC3 [2] or the latest svn head, since ssl transport has been updated since 0.96 release. In this case you will have to refer to the documentation from the trunk [3].

Note that ssl transport is not a feature of rampart, but of Axis2/C itself.

Regards,
Dumindu.

[1] http://ws.apache.org/axis2/c/docs/axis2c_manual.html#ssl_client
[2] http://people.apache.org/~samisa/release/1.0.0/RC3/
[3] http://svn.apache.org/viewvc/webservices/axis2/trunk/c/xdocs/docs/axis2c_manual.html?view=co#ssl_client

[Axis2] SSL and certificate support
Please use the correct prefix...

Dumindu.

Greg Denton wrote:
> Sorry if this is in some documentation somewhere (I've tried and not found it). A cursory glance at the rampart code shows a lot of references to ssl and certificates. Some specific questions:
>
> Is SSL supported on server side? Client?
>
> Are client side certificates (i.e. server-requested client authentication via certificates) supported on the server side? Client?
>
> Thanks.