Re: How to create a SSL client to support https

2010-02-17 Thread Ashok P


Hi Dumindu,

As per your suggestion, if the client won't need any authentication, only
SERVER_CERT is required. I am not sure why SERVER_CERT is also required. Here
the server certificate may expire and so on.

Is it easy to make changes in src\core\transport\http\sender\ssl\ssl_utils.c
for SSL_VERIFY_NONE? I don't want any type of validation for the client.

Thanks in Advance. 

Thanks,
Ashok


Dumindu Pallewela wrote:
 
 Hi Kelvin,
 
 If you didn't know this already:
 You do *not* have to set ssl parameters *both* in axis2.xml and in your 
 client code. We have given the user the option to choose which he prefers.
 
 Please further comments inline.
 
 Regards,
 Dumindu.
 
 In short, I configure axis2.xml as:
 
 <transportSender name="https" class="axis2_http_sender">
     <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
 </transportSender>
 <!--parameter name="SERVER_CERT">E:/Project/VS8/Axis2_prototype/debug/TrustList.pem</parameter-->
 <!--parameter name="KEY_FILE">E:\Project\VS8\Axis2_prototype\debug\TrustList.pem</parameter>
 <parameter name="SSL_PASSPHRASE">passphrase</parameter-->
 
 <!-- --> tag in XML makes whatever it encloses a comment. Thus, in the 
 above, SERVER_CERT parameter is not set. Only the client key's pass 
 phrase, which you don't need, is set from the above configuration.
 
 Since you have mentioned that you don't need client authentication, 
 please remove the last two lines, so that you don't have unnecessary
 stuff:
 
 <transportSender name="https" class="axis2_http_sender">
     <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
 </transportSender>
 <parameter name="SERVER_CERT">E:/Project/VS8/Axis2_prototype/debug/TrustList.pem</parameter>
 
 Then run your axis client making sure that the AXIS2C_HOME is set to the 
 directory where the now edited axis2.xml resides.
 
 Also your epr should start with https://
 
 If this doesn't work, there is no point in trying setting these 
 parameters in client code.
 
 And I create TrustList.pem file following the manual of Axis2/C:
 
 For testing purposes, you can use the server's certificate instead of 
 the CA certificate. You can obtain this by running the command |openssl 
 s_client -connect servername:port| and copying the portion of the 
 output bounded by and including:
 
 -----BEGIN CERTIFICATE-----
 -----END CERTIFICATE-----
 
 Get the content of this file is:
 

 
 This is fine.
 
 My colleague once tried to send a soap message created by gsoap,
 although the message itself is wrong. But he still gets some error
 messages back and in the console of the server, there are some error
 messages like I mentioned before.
 
 Can you send those error messages? Even if that is not axis2 we may be 
 able to get an idea about what's going wrong.
 
 -
 To unsubscribe, e-mail: axis-c-user-unsubscr...@ws.apache.org
 For additional commands, e-mail: axis-c-user-h...@ws.apache.org
 
 
 

-- 
View this message in context: 
http://old.nabble.com/How-to-create-a-SSL-client-to-support-https-tp11441745p27621164.html
Sent from the Axis - C++ - User mailing list archive at Nabble.com.
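
Added example (not part of the thread or of the Axis2/C manual): the manual's testing procedure quoted above, scripted in shell so that the copied certificate is checked for damaged markers and for upcoming expiry before it is used as SERVER_CERT. The function names and the 30-day window are assumptions, and the sample s_client output is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Axis2/C or OpenSSL.

# Print the first certificate block (the server's own certificate) found in
# `openssl s_client` output on stdin, marker lines included, CRs stripped.
extract_pem() {
    tr -d '\r' | awk '
        /^-----BEGIN CERTIFICATE-----$/ && !seen { inb = 1 }
        inb { print }
        inb && /^-----END CERTIFICATE-----$/ { inb = 0; seen = 1 }'
}

# Succeed only if FILE holds at least one block with intact, matched markers
# and a base64-only body; this catches the usual copy/paste damage.
pem_is_wellformed() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (inb) bad = 1; inb = 1; next }
        /^-----END CERTIFICATE-----$/   { if (!inb) bad = 1; inb = 0; n++; next }
        inb && !/^[A-Za-z0-9+\/=]+$/    { bad = 1 }
        END { if (bad || inb || n == 0) exit 1 }'
}

# Constructed stand-in for s_client output; the body is not a real certificate.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Server certificate
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQrU0FNUExFK0JPRFk9
-----END CERTIFICATE-----
subject=/CN=server.example
---
EOF
}

# The manual's testing procedure, scripted: fetch the server certificate into
# OUTFILE, reject a damaged copy, then print subject, SHA-256 fingerprint and
# expiry. -checkend makes openssl exit non-zero if the certificate expires
# within 30 days (an assumed window). The fetch itself is unauthenticated, so
# compare the fingerprint with one obtained out of band before trusting OUTFILE.
build_trust_file() {  # usage: build_trust_file servername:port TrustList.pem
    openssl s_client -connect "$1" </dev/null 2>/dev/null | extract_pem > "$2" &&
        pem_is_wellformed "$2" &&
        openssl x509 -in "$2" -noout -subject -fingerprint -sha256 \
            -enddate -checkend 2592000
}
```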



Re: How to create a SSL client to support https

2007-07-09 Thread Kelvin Lin
Hi Dumindu,
   
  Sorry for the late reply.
   
  I followed your suggestion, but it still failed.
   
  1st, I commented out the following statements.
   
  //axis2_options_set_soap_version(options, env, AXIOM_SOAP12);
  //axis2_options_set_transport_in_protocol(options, env, AXIS2_TRANSPORT_ENUM_HTTP);
  
so as to let Axis2/C choose the correct protocol automatically.
   
  2nd, I wrote axis2.xml like:
   
  <transportSender name="https" class="axis2_http_sender">
      <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
  </transportSender>
  <!--parameter name="SERVER_CERT">E:\Project\VS8\Axis2_prototype\debug\TrustList.pem</parameter>
  <parameter name="KEY_FILE">/path/to/client/certificate/chain/file</parameter>
  <parameter name="SSL_PASSPHRASE">passphrase</parameter>
  -->
   
  3rd, I set just the one parameter, server_cert, in the code:
   
  axutil_property_t *ssl_ca_file = axutil_property_create(env);
  axutil_property_set_value(ssl_ca_file, env,
      axutil_strdup(env, "E:\\Project\\VS8\\Axis2_prototype\\debug\\TrustList.pem"));
  axis2_options_set_property(options, env, "SERVER_CERT", ssl_ca_file);
   
  How do I judge that it failed?
   
  Because I followed a tutorial to build a web service server by myself, 
http://publib.boulder.ibm.com/infocenter/wsadhelp/v5r1m2/index.jsp?topic=/com.ibm.etools.webservice.was.creation.ui.doc/samples/sstockq.html,
using WebSphere v5.1, and sent a simple soap message to the server via the https 
protocol. But there are no error messages displayed in the server console. 
(If the server receives some soap message (correct or wrong), it will display 
some error messages in the console. Please refer to my new reply to my other 
problem email, named "How to get ordered namespace sequence", about the function 
axutil_hash_find_entry.)
   
  I used gsoap to create a message which was sent to the web service server via 
the https protocol, and whether the message is correct or not, the console will 
display something.
   
  Then I commented out the explicit property setting in the program and set them 
in the axis2.xml like:
   
  <transportSender name="https" class="axis2_http_sender">
      <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
  </transportSender>
  <parameter name="SERVER_CERT">E:\Project\VS8\Axis2_prototype\debug\TrustList.pem</parameter>
  <parameter name="KEY_FILE">E:\Project\VS8\Axis2_prototype\debug\TrustList.pem</parameter>
  <parameter name="SSL_PASSPHRASE">passphrase</parameter>
   
  But it still has no effect.
   
  What should I do?
   
  By the way, about this web page: 
http://people.apache.org/~dumindu/HowToConfigureSSL.html, I have two suggestions.
   
  1st, you still use the axis2/c v0.96 api, like:
   

ssl_ca_file = axis2_property_create(env);
AXIS2_PROPERTY_SET_VALUE(ssl_ca_file, env,
    axis2_strdup("/home/dumindu/dummyCA/demoCA/cacert.pem", env));
AXIS2_OPTIONS_SET_PROPERTY(options, env, "SERVER_CERT", ssl_ca_file);
   
  2nd, "You can find the complete sample code here." There is no link when 
clicking "here".
   
  
Dumindu Pallewela [EMAIL PROTECTED] wrote:
  Hi Kelvin,

Find my comments inline.

Kelvin Lin wrote:
 Hi all,
 
 But it failed in my environment, because I can't find some apis and 
 variable name at all, like axis2_property_t and AXIS2_OPTIONS_SET_PROPERTY.

Those instructions were intended for v0.96. Since v1.0 the util 
declarations were renamed with a axutil_ prefix and the macros were 
dropped. Hence these should be axutil_property_t and 
axis2_options_set_property respectively.

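 I used official version axis2c-src-1.0.0 and changed axis2.xml like:
 
 <transportSender name="https" class="axis2_http_sender">
     <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
 </transportSender>
 <parameter name="SERVER_CERT">/path/to/ca/certificate</parameter>
 <!--parameter name="KEY_FILE">/path/to/client/certificate/chain/file</parameter>
 <parameter name="SSL_PASSPHRASE">passphrase</parameter>
 -->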

This is all you need in order to get ssl working, usually. :)

 At the same time, I called following apis in my program:
 
 axis2_options_set_soap_version(options, env, AXIOM_SOAP12);
 axis2_options_set_transport_in_protocol(options, env, 
 AXIS2_TRANSPORT_ENUM_HTTPS);

Axis2 engine should set the appropriate protocols according to the epr 
that you use. For example for a https endpoint, axis2 engine would look 
at the https:// uri and understand that the protocol that should be 
used is https. In particular, setting transport_in protocol is not 
useful if you are not using different ports to send and receive messages 
(dual client).

 But the server I built by myself didn't have any response and get error 
 code 82, Input stream is NULL in msg_ctx.

That is because our simple_axis_server is not capable of handling ssl. 
Please refer to the axis2 manual [1] for more information on deploying 
axis2 in apache2 server. Make sure to have mod_ssl installed.

 What apis should I call to support https and how to config axis2.xml to 
 specify pem file both under needing authentication and no needing 
 authentication?

There are three properties that are related to ssl transport, 
SERVER_CERT, KEY_FILE and SSL_PASSPHRASE. Please refer to [2] for more 
information on each.

This is how you set the 

How to create a SSL client to support https

2007-07-05 Thread Kelvin Lin
Hi all,
   
  I have followed the installation guide to compile source codes including 
ENABLE_SSL=1 successfully. It could support http protocol well but failed to 
support https.
   
  I have checked axis-c-user mail list and found some similar articles to 
handle this problem, like:
   
  
you can give the certificates as a parameter in axis2.xml

<parameter name="SERVER_CERT">/path/to/ca/certificate</parameter>

or as properties set in the code.

eg:
ssl_ca_file = axis2_property_create(env);
AXIS2_PROPERTY_SET_VALUE(ssl_ca_file, env,
    axis2_strdup("/home/user/cacert.pem", env));
AXIS2_OPTIONS_SET_PROPERTY(options, env, "SERVER_CERT", ssl_ca_file);

Note that you have to create a property and set it using the 
AXIS2_OPTIONS_SET_PROPERTY function call.
   
  **
  When using AXIS2_OPTIONS_SET_PROPERTY()
first you need to create an axis2_property_t instance and then set it.

eg.

axis2_property_t *ssl_server_cert_prop =
    axis2_property_create_with_args(env, 0, AXIS2_TRUE, 0,
        AXIS2_STRDUP(cert_filename, env));

AXIS2_OPTIONS_SET_PROPERTY(options, env, "SERVER_CERT",
    ssl_server_cert_prop);

  

   
  But it failed in my environment, because I can't find some apis and variable 
name at all, like axis2_property_t and AXIS2_OPTIONS_SET_PROPERTY.
   
  I used official version axis2c-src-1.0.0 and changed axis2.xml like:
   
  <transportSender name="https" class="axis2_http_sender">
      <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
  </transportSender>
  <parameter name="SERVER_CERT">/path/to/ca/certificate</parameter>
  <!--parameter name="KEY_FILE">/path/to/client/certificate/chain/file</parameter>
  <parameter name="SSL_PASSPHRASE">passphrase</parameter>
  -->
   
  At the same time, I called following apis in my program:
   
  axis2_options_set_soap_version(options, env, AXIOM_SOAP12);
  axis2_options_set_transport_in_protocol(options, env, AXIS2_TRANSPORT_ENUM_HTTPS);
   
  But the server I built by myself didn't have any response and get error code 
82, Input stream is NULL in msg_ctx.
   
  What apis should I call to support https and how to config axis2.xml to 
specify pem file both under needing authentication and no needing 
authentication? I am freshman to Axis2/C, so pls. tell me detailedly:)
   
  Thanks a lot.
   
  Kelvin.Lin

 

Re: How to create a SSL client to support https

2007-07-05 Thread Dumindu Pallewela

Hi Kelvin,

Find my comments inline.

Kelvin Lin wrote:

Hi all,
 
But it failed in my environment, because I can't find some apis and 
variable name at all, like axis2_property_t and AXIS2_OPTIONS_SET_PROPERTY.


Those instructions were intended for v0.96. Since v1.0 the util 
declarations were renamed with a axutil_ prefix and the macros were 
dropped. Hence these should be axutil_property_t and 
axis2_options_set_property respectively.



I used official version axis2c-src-1.0.0 and changed axis2.xml like:
 
<transportSender name="https" class="axis2_http_sender">
    <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
</transportSender>
<parameter name="SERVER_CERT">/path/to/ca/certificate</parameter>
<!--parameter name="KEY_FILE">/path/to/client/certificate/chain/file</parameter>
<parameter name="SSL_PASSPHRASE">passphrase</parameter>
-->


This is all you need in order to get ssl working, usually. :)


At the same time, I called following apis in my program:
 
axis2_options_set_soap_version(options, env, AXIOM_SOAP12);
axis2_options_set_transport_in_protocol(options, env, AXIS2_TRANSPORT_ENUM_HTTPS);


Axis2 engine should set the appropriate protocols according to the epr 
that you use. For example for a https endpoint, axis2 engine would look 
at the https:// uri and understand that the protocol that should be 
used is https. In particular, setting transport_in protocol is not 
useful if you are not using different ports to send and receive messages 
(dual client).


But the server I built by myself didn't have any response and get error 
code 82, Input stream is NULL in msg_ctx.


That is because our simple_axis_server is not capable of handling ssl. 
Please refer to the axis2 manual [1] for more information on deploying 
axis2 in apache2 server. Make sure to have mod_ssl installed.


What apis should I call to support https and how to config axis2.xml to 
specify pem file both under needing authentication and no needing 
authentication?


There are three properties that are related to ssl transport, 
SERVER_CERT, KEY_FILE and SSL_PASSPHRASE. Please refer to [2] for more 
information on each.


This is how you set the SERVER_CERT for example:

axutil_property_t *ssl_ca_file = axutil_property_create(env);
axutil_property_set_value(ssl_ca_file, env,
    axutil_strdup(env, "/home/dumindu/dummyCA/demoCA/cacert.pem"));
axis2_options_set_property(options, env, "SERVER_CERT", ssl_ca_file);

You can set the other three properties accordingly, too. These 
properties however, are *not needed* to be set in the code, if you can 
set them in axis2.xml.


Tutorial [2] was written a while back, so there can be a few errors. 
Please let me know if you find any :)


Regards,
Dumindu.

[1] http://ws.apache.org/axis2/c/docs/axis2c_manual.html#mod_axis2
[2] http://people.apache.org/~dumindu/HowToConfigureSSL.html




Re: How to create a SSL client to support https

2007-07-05 Thread Kelvin Lin
Hi Dumindu,
   
  Thank you very much. You pulled me out of the mess and gave me the confidence 
to finish the work.
   
  But because I will not be available for the following three days, I will have to 
try your method next Monday (China time). And if there are any problems, I 
will tell you.
   
  I skimmed your reply and I have a question about this paragraph:
   
  That is because our simple_axis_server is not capable of handling ssl. 
Please refer to the axis2 manual [1] for more information on deploying 
axis2 in apache2 server. Make sure to have mod_ssl installed.
   
  I used IBM WebSphere as the http server. Does it matter to the solution?
   
  Thanks a lot again.
   
  Kelvin.Lin


Dumindu Pallewela [EMAIL PROTECTED] wrote:
  Hi Kelvin,

Find my comments inline.

Kelvin Lin wrote:
 Hi all,
 
 But it failed in my environment, because I can't find some apis and 
 variable name at all, like axis2_property_t and AXIS2_OPTIONS_SET_PROPERTY.

Those instructions were intended for v0.96. Since v1.0 the util 
declarations were renamed with a axutil_ prefix and the macros were 
dropped. Hence these should be axutil_property_t and 
axis2_options_set_property respectively.

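 I used official version axis2c-src-1.0.0 and changed axis2.xml like:
 
 <transportSender name="https" class="axis2_http_sender">
     <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
 </transportSender>
 <parameter name="SERVER_CERT">/path/to/ca/certificate</parameter>
 <!--parameter name="KEY_FILE">/path/to/client/certificate/chain/file</parameter>
 <parameter name="SSL_PASSPHRASE">passphrase</parameter>
 -->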

This is all you need in order to get ssl working, usually. :)

 At the same time, I called following apis in my program:
 
 axis2_options_set_soap_version(options, env, AXIOM_SOAP12);
 axis2_options_set_transport_in_protocol(options, env, 
 AXIS2_TRANSPORT_ENUM_HTTPS);

Axis2 engine should set the appropriate protocols according to the epr 
that you use. For example for a https endpoint, axis2 engine would look 
at the https:// uri and understand that the protocol that should be 
used is https. In particular, setting transport_in protocol is not 
useful if you are not using different ports to send and receive messages 
(dual client).

 But the server I built by myself didn't have any response and get error 
 code 82, Input stream is NULL in msg_ctx.

That is because our simple_axis_server is not capable of handling ssl. 
Please refer to the axis2 manual [1] for more information on deploying 
axis2 in apache2 server. Make sure to have mod_ssl installed.

 What apis should I call to support https and how to config axis2.xml to 
 specify pem file both under needing authentication and no needing 
 authentication?

There are three properties that are related to ssl transport, 
SERVER_CERT, KEY_FILE and SSL_PASSPHRASE. Please refer to [2] for more 
information on each.

This is how you set the SERVER_CERT for example:

axutil_property_t *ssl_ca_file = axutil_property_create(env);
axutil_property_set_value(ssl_ca_file, env,
    axutil_strdup(env, "/home/dumindu/dummyCA/demoCA/cacert.pem"));
axis2_options_set_property(options, env, "SERVER_CERT", ssl_ca_file);

You can set the other three properties accordingly, too. These 
properties however, are *not needed* to be set in the code, if you can 
set them in axis2.xml.

Tutorial [2] was written a while back, so there can be a few errors. 
Please let me know if you find any :)

Regards,
Dumindu.

[1] http://ws.apache.org/axis2/c/docs/axis2c_manual.html#mod_axis2
[2] http://people.apache.org/~dumindu/HowToConfigureSSL.html




   