Friday, January 26, 2007

SOAP over HTTPS

There are various mechanisms for securing web services. Today, I will write about the scenario in which a client needs to call a web service over HTTPS, assuming the service is already exposed over HTTPS.

This is Transport Layer Security (TLS), which runs beneath HTTP and protects only the connection. The other approach is message-level security, which has many options (XML Encryption and so on) and is more secure, because it protects the message itself rather than the channel it travels over.

This scenario is very common. Though it is not the perfect way of securing a web service, it is used when, for example, a client calls an authentication web service by passing in the user id and password: you don't want the password to travel in clear text over HTTP, so you want this particular service to be called over HTTPS.

Let's see how to make this happen. In theory, it is the same as calling any URL over HTTPS from Java.

First, open the web service URL in your browser using HTTPS and save its public certificate to a file on your PC. When the browser shows the security warning about the server, view the certificate and choose 'Copy to File' to save it locally.

Once you have the server certificate, you need to store it in a keystore. I am using IBM HTTP Server, so I will use the IKeyMan utility; however, this can be done with whatever corresponding utility your HTTP server provides.

In IKeyMan, create a new JKS key store, select 'Signer Certificates' and click Add/Edit to add the saved server certificate to this keystore.

So, now we have the keystore containing the server's public certificate.
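The browser export and the IKeyMan import above can also be done from Java itself. The following is an added example, not code from the original post: it opens one TLS connection to the endpoint purely to capture the certificate chain the server presents, prints the leaf certificate's SHA-256 fingerprint so it can be compared with a value obtained from the service owner, and then writes that certificate into a new JKS keystore as a signer (trusted-certificate) entry. The host name, output path, alias and keystore password are assumptions.

```java
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Added example: capture the certificate chain presented by an HTTPS endpoint and save the
// leaf certificate into a fresh JKS trust store, the programmatic equivalent of the browser
// "Copy to File" step followed by IKeyMan's "Signer Certificates -> Add".
// Host, port, alias, output path and password are assumptions, not values from the post.
public class ServerCertExporter {

    // Trust manager for this single capture connection only: it records the chain instead of
    // validating it, because the server is by definition not yet trusted. It must never be
    // installed in the real client; the real client trusts only what ends up in the JKS.
    static final class RecordingTrustManager implements X509TrustManager {
        X509Certificate[] chain;
        public void checkClientTrusted(X509Certificate[] c, String authType) throws CertificateException {
            throw new CertificateException("client certificates are not handled by this capture tool");
        }
        public void checkServerTrusted(X509Certificate[] c, String authType) { chain = c; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        RecordingTrustManager tm = new RecordingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();   // drives checkServerTrusted, which records the chain
        }
        if (tm.chain == null || tm.chain.length == 0) {
            throw new IllegalStateException("server presented no certificate");
        }
        return tm.chain;
    }

    // SHA-256 fingerprint in the colon-separated form most certificate viewers display;
    // compare it with the value published by the service owner before trusting the store.
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    static void storeAsSigner(X509Certificate cert, String alias, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                    // start from an empty keystore
        ks.setCertificateEntry(alias, cert);    // trusted-certificate entry: public certificate, no private key
        try (FileOutputStream out = new FileOutputStream(path)) {
            ks.store(out, password);
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "ws.example.com";   // assumed service host
        X509Certificate[] chain = fetchChain(host, 443);
        X509Certificate leaf = chain[0];        // chain[0] is the server's own certificate
        System.out.println("Subject : " + leaf.getSubjectX500Principal());
        System.out.println("Issuer  : " + leaf.getIssuerX500Principal());
        System.out.println("Expires : " + leaf.getNotAfter());
        System.out.println("SHA-256 : " + fingerprint(leaf));
        // Write the store only once the fingerprint matches the value verified out of band.
        storeAsSigner(leaf, "ws-server", "C:\\wsclient\\myWSClientKeystore.jks", "changeit".toCharArray());
    }
}
```

Trusting the leaf certificate, as the post does, ties the client to that one certificate and breaks when the server renews it; if the server's certificate is issued by a CA that the organisation controls, storing the issuer certificate (the last element of the captured chain) as the signer entry instead survives renewals, while still rejecting any server the CA has not signed.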

If your client is a standalone web service client (meaning a standalone Java application), all you have to do is specify the location of this keystore with a Java system property before calling the web service over HTTPS.

Something like this, for IBM JRE:

// Point the JVM's default trust store at the JKS holding the server's signer certificate
System.setProperty("javax.net.ssl.trustStore", "C:\\wsclient\\myWSClientKeystore.jks");
// The generated proxy takes its endpoint from the WSDL/stub; its TLS handshake now validates the server against that store
MyWSServiceProxy proxy = new MyWSServiceProxy();
boolean authenticated = proxy.authenticate("john.doe@blogger.com");

Make sure the web service endpoint is using HTTPS; otherwise the trust store property has no effect and the credentials go out in clear text.

Now, if you are using a managed web service client, meaning one deployed inside an EAR file (as a WAR or EJB module), then you should import the server certificate into the keystore used by your application server, or configure a new keystore in the application server.

Depending upon which application server you are using, the configuration options may differ. For example, IBM WebSphere has a couple of options for doing this. A simple one is this:

Go to the WebSphere Admin console (I am using v5.1). Go to Security -> SSL. Here you will see the SSL Configuration Repertoires. You can add the certificate to one of the existing keystores listed here, or add a new repertoire. When you add a new one, you can use the keystore we created above for the standalone client. Please make sure 'Client Authentication' is not checked, as we are not doing client authentication with the server.
Now, go to Web module -> -> Web Services: Client Security Bindings in the Applications area, for your application. Under HTTP SSL Configuration, click Edit and enable SSL.

So, in this scenario, we did no client authentication at the transport level: the client verified the server, but the server accepted any client. However, transport-level security also has an option to authenticate the client, meaning only trusted clients can invoke the web service and get results.

In short, this can be achieved by generating a key pair (public key and private key) for the client. The client's keystore will then contain the server's public key certificate and the client's own public and private key.
The server will have to import the client's public key certificate into its keystore. In this case, when a client calls the web service over HTTPS, the server checks whether the request is coming from a trusted client by decrypting the data using the client's public key and its own private key, and if decryption is successful, returns the results.
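The standalone client from earlier and the client-authentication variant just described differ only in whether the client also has a key pair to present. The following added example, which is not the post's code, shows both in one place using only the JDK: it builds an SSLContext from the JKS that holds the server's signer certificate, optionally adds a KeyManager backed by the client's own keystore for TLS client authentication, and posts a SOAP 1.1 envelope carrying the user id and password over HTTPS. Unlike the global system property, the context is applied to the one connection, and the default hostname check stays in force. The endpoint, SOAP action, XML namespace, file paths and passwords are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example (not the post's code): a standalone SOAP-over-HTTPS call whose trust is
// limited to the JKS built earlier and which, when a client key store is supplied, also
// presents the client's certificate for TLS client authentication.
// Endpoint, SOAP action, namespace, file paths and passwords are all assumptions.
public class SoapHttpsClient {

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // trustStorePath: holds the server's signer certificate (always needed).
    // clientKeyStorePath: holds the client's key pair and certificate; pass null for
    // plain server-authenticated TLS, as in the first part of the post.
    static SSLContext buildContext(String trustStorePath, char[] trustPassword,
                                   String clientKeyStorePath, char[] keyPassword) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, trustPassword));

        KeyManagerFactory kmf = null;
        if (clientKeyStorePath != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            // the key password unlocks the client's private key; the server only ever sees the certificate
            kmf.init(loadJks(clientKeyStorePath, keyPassword), keyPassword);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // assumed namespace and operation; the password is protected only by the TLS channel
    static String soapEnvelope(String userId, String password) {
        return "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
             + "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
             + "<soap:Body><authenticate xmlns=\"http://example.com/auth\">"
             + "<userId>" + escape(userId) + "</userId><password>" + escape(password) + "</password>"
             + "</authenticate></soap:Body></soap:Envelope>";
    }

    // minimal XML escaping so a credential containing '<' or '&' cannot break the envelope
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    static String post(SSLContext ctx, String endpoint, String soapAction, String envelope) throws Exception {
        URL url = new URL(endpoint);
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("refusing to send credentials over " + url.getProtocol());
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // trust and identity apply to this connection only
        // the default hostname verifier is left in place, so the certificate must match the URL's host
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        conn.setRequestProperty("SOAPAction", soapAction);
        byte[] body = envelope.getBytes(StandardCharsets.UTF_8);
        conn.setFixedLengthStreamingMode(body.length);
        try (OutputStream out = conn.getOutputStream()) { out.write(body); }
        int status = conn.getResponseCode();
        InputStream in = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        if (in != null) {
            byte[] chunk = new byte[4096];
            for (int n; (n = in.read(chunk)) > 0; ) buf.write(chunk, 0, n);
            in.close();
        }
        return "HTTP " + status + "\n" + buf.toString("UTF-8");
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();   // assumed keystore password
        // pass the client identity store path for the client-authentication scenario; omit it for server-only TLS
        String clientIdentity = args.length > 0 ? args[0] : null;
        SSLContext ctx = buildContext("C:\\wsclient\\myWSClientKeystore.jks", pw, clientIdentity, pw);
        String envelope = soapEnvelope("john.doe@blogger.com", "secret");
        System.out.println(post(ctx, "https://ws.example.com/auth/AuthService",
                                "http://example.com/auth/authenticate", envelope));
    }
}
```

Run it with no arguments for the server-only case; passing a path such as C:\wsclient\myWSClientIdentity.jks (an assumed keystore containing the client's key pair) makes the same code perform TLS client authentication. On the server side, the handshake succeeds only if the client certificate chains to something in the server's trust store, which is the import step the post describes.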

2 Comments:

At September 10, 2009 at 1:29 AM, Blogger SOA & Cloud Computing India 2009 said...

SOA & Cloud Computing India 2009 – Get close to cutting-edge technologies
Like it or not, the DNA of IT is changing. Thanks to economic slowdown and cuts in IT budget, CIOs have to go lean and ensure good returns on IT spending. They have come under pressure to change their traditional approach to IT development and seriously explore technologies and approaches such as Cloud, SaaS, SOA, Lean IT, Green technologies and so on.

Developers, architects and other IT professionals have also come under pressure to adapt to the changing IT landscape. They have to rethink the tools of their trade, the platforms they use, get familiar with emerging approaches and frameworks to stay relevant. There is one conference which offers them a front row seat to the rapidly changing IT world.
Business Technology presents the Third Annual Edition of the SOA & Cloud Computing India 2009 Conference, on 15th October in Bangalore.
The international conference is designed to give progressive executives and developers a ringside view of the current developments in the emerging critical technologies. It will feature technical sessions from leading industry players of the Cloud ecosystem - the infrastructure firms, the platform providers, and application developers.

SOA India 2009 caters to the need of Indian Enterprise IT community of CIOs, CTOs, Management, IT directors, IT managers, IT architects, Network and Infrastructure specialists, Project Managers, Project Leaders, and Software Architects.

If you are responsible for business optimization, designing, developing and/or implementing your organization's IT strategy, join us this year for an unbiased source of insight, and expertise from the top experts to ensure the success of your initiatives.

To avail of early bird discounts or for more information, call +91 080 41124392/93 or visit the conference website www.soaindia.com.

 
At November 27, 2012 at 7:22 PM, Anonymous Anonymous said...

I almost never comment; however, after reading a few of the responses here on "SOAP over HTTPS",
I do have some questions for you if you tend not to mind.

Could it be just me, or does it look like some of the responses come across as if they are left by brain dead
individuals? :-P And, if you are writing on additional online social sites, I'd like to follow you. Would you post a list of the complete URLs of your shared pages, like your LinkedIn profile, Facebook page or Twitter feed?
Also see my site :: how to make an app

 
