Hi Griffin

Sorry for the delay in getting back on this. I tried using https/client certs with both hostname verification and two way authentication and everything seemed to work fine for me. I have now included some sample key stores: synapseIdentity.jks & synapseTrust.jks and axis2Identity.jks & axis2Trust.jks in the repository/conf subdirectory, for use with the Synapse sample.

I started Synapse and Axis2 server (with the SimpleStockQuoteService deployed) and used the client as follows, making Synapse use its client cert when talking to the backend Axis2 server - which enforces 2 way SSL.

ant stockquote -Durl=https://localhost:9002/axis2/services/SimpleStockQuoteService

Everything seemed to work fine for me using the trunk today - but I have not made any changes in the past few days related to this. I would suggest you try this against the latest build at http://people.apache.org/~asankha/builds/ and if you still see a problem, file a JIRA with the information on how I could re-create it - preferably using the sample code.

asankha



axis2.xml used by Synapse
    <transportReceiver name="https" class="org.apache.axis2.transport.nhttp.HttpCoreNIOSSLListener">
        <parameter name="port" locked="false">8443</parameter>
        <parameter name="non-blocking" locked="false">true</parameter>
        <parameter name="keystore" locked="false">
            <KeyStore>
                <Location>synapseIdentity.jks</Location>
                <Type>JKS</Type>
                <Password>password</Password>
                <KeyPassword>password</KeyPassword>
            </KeyStore>
        </parameter>
        <parameter name="truststore" locked="false">
            <TrustStore>
                <Location>synapseTrust.jks</Location>
                <Type>JKS</Type>
                <Password>password</Password>
            </TrustStore>
        </parameter>
        <!--<parameter name="SSLVerifyClient">require</parameter>
            supports optional|require or defaults to none -->
    </transportReceiver>
...
    <transportSender name="https" class="org.apache.axis2.transport.nhttp.HttpCoreNIOSSLSender">
        <parameter name="non-blocking" locked="false">true</parameter>
        <parameter name="keystore" locked="false">
            <KeyStore>
                <Location>synapseIdentity.jks</Location>
                <Type>JKS</Type>
                <Password>password</Password>
                <KeyPassword>password</KeyPassword>
            </KeyStore>
        </parameter>
        <parameter name="truststore" locked="false">
            <TrustStore>
                <Location>synapseTrust.jks</Location>
                <Type>JKS</Type>
                <Password>password</Password>
            </TrustStore>
        </parameter>
        <parameter name="HostnameVerifier">DefaultAndLocalhost</parameter>
            <!--supports Strict|AllowAll|DefaultAndLocalhost or the default if none specified -->
    </transportSender>

axis2.xml used by the sample Axis2 server
    <transportReceiver name="https" class="org.apache.axis2.transport.nhttp.HttpCoreNIOSSLListener">
        <parameter name="port" locked="false">9002</parameter>
        <parameter name="non-blocking" locked="false">true</parameter>
        <parameter name="keystore" locked="false">
            <KeyStore>
                <Location>axis2Identity.jks</Location>
                <Type>JKS</Type>
                <Password>password</Password>
                <KeyPassword>password</KeyPassword>
            </KeyStore>
        </parameter>
        <parameter name="truststore" locked="false">
            <TrustStore>
                <Location>axis2Trust.jks</Location>
                <Type>JKS</Type>
                <Password>password</Password>
            </TrustStore>
        </parameter>
        <parameter name="SSLVerifyClient">require</parameter>
            <!--supports optional|require or defaults to none -->
    </transportReceiver>
...
    <transportSender name="https" class="org.apache.axis2.transport.nhttp.HttpCoreNIOSSLSender">
        <parameter name="non-blocking" locked="false">true</parameter>
        <parameter name="keystore" locked="false">
            <KeyStore>
                <Location>axis2Identity.jks</Location>
                <Type>JKS</Type>
                <Password>password</Password>
                <KeyPassword>password</KeyPassword>
            </KeyStore>
        </parameter>
        <parameter name="truststore" locked="false">
            <TrustStore>
                <Location>axis2Trust.jks</Location>
                <Type>JKS</Type>
                <Password>password</Password>
            </TrustStore>
        </parameter>
        <!--<parameter name="HostnameVerifier">DefaultAndLocalhost</parameter>
            supports Strict|AllowAll|DefaultAndLocalhost or the default if none specified -->
    </transportSender>

Michael Griffin wrote:
Asankha,

FYI - Using the latest build from the trunk, I am able to use HTTPS and
Client Certificates to communicate with a proxied Web Service but I have to
use the Commons Transport and define my keystore and truststore information
as system properties via the command line.  When I use the NIO sender, it
hangs after receiving 20 bytes of the response.

Regards,
Griffin
  

--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
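
An added example, not part of the original message or of the Synapse code base: a small Python audit of an axis2.xml for the https transport settings shown in the configurations above (SSLVerifyClient on the listener, HostnameVerifier on the sender, and the sample keystore password). The sample document is constructed, and the finding labels are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the axis2.xml fragments above: the listener's
# SSLVerifyClient is commented out and the sender uses HostnameVerifier=AllowAll.
SAMPLE = """<axisconfig>
  <transportReceiver name="https" class="org.apache.axis2.transport.nhttp.HttpCoreNIOSSLListener">
    <parameter name="port" locked="false">9002</parameter>
    <parameter name="keystore" locked="false">
      <KeyStore><Location>axis2Identity.jks</Location><Type>JKS</Type>
        <Password>password</Password><KeyPassword>password</KeyPassword></KeyStore>
    </parameter>
    <!--<parameter name="SSLVerifyClient">require</parameter>-->
  </transportReceiver>
  <transportSender name="https" class="org.apache.axis2.transport.nhttp.HttpCoreNIOSSLSender">
    <parameter name="truststore" locked="false">
      <TrustStore><Location>axis2Trust.jks</Location><Type>JKS</Type>
        <Password>password</Password></TrustStore>
    </parameter>
    <parameter name="HostnameVerifier">AllowAll</parameter>
  </transportSender>
</axisconfig>"""

def audit(xml_text):
    """Return (element, finding) tuples for the https transports of an axis2.xml."""
    findings = []
    root = ET.fromstring(xml_text)  # XML comments are dropped, so a commented-out
    for el in root.iter():          # parameter is correctly treated as not set
        if el.tag not in ("transportReceiver", "transportSender") or el.get("name") != "https":
            continue
        params = {p.get("name"): (p.text or "").strip() for p in el.findall("parameter")}
        if el.tag == "transportReceiver":
            # Per the config comment: optional|require, otherwise none.
            mode = params.get("SSLVerifyClient", "none")
            if mode != "require":
                findings.append((el.tag, "SSLVerifyClient=%s" % mode))
        elif params.get("HostnameVerifier") == "AllowAll":
            findings.append((el.tag, "HostnameVerifier=AllowAll"))
        # The sample key stores all use the literal password "password".
        for tag in ("Password", "KeyPassword"):
            for node in el.iter(tag):
                if (node.text or "").strip() == "password":
                    findings.append((el.tag, "%s=sample-default" % tag))
    return findings

if __name__ == "__main__":
    for element, finding in audit(SAMPLE):
        print(element, finding)
```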