4 Replies Latest reply on Aug 23, 2006 6:31 AM by drhok

    SOAP over HTTPS?

    drhok

      Hello,

      I would like to change an existing SOAP interface to a JBoss(4.0.2)-based webservice from HTTP to HTTPS, in order to ensure both privacy and integrity of data.

      But how do I do it?

      Just changing the line

      <wsdlsoap:address location="http://myserver:8080/"/>

      to

      <wsdlsoap:address location="https://myserver:8443/"/>

      in the wsdl doesn't seem to work.

      Furthermore, I am worried about a huge handshake overhead when I turn on SSL, because a new TCP connection is established for each request.

      And for each new TCP connection a new TLS context is negotiated. (Is this actually true, or does the TLS context survive closing the underlying TCP connection?)

      Will this cause a significant delay and load on the AS?

      Can I turn on http keepalive to avoid closing the TCP connection? If so, how?

      Is there an alternative to HTTPS?

      Thanks,

      Heiko

        • 1. Re: SOAP over HTTPS?
          estrellarichardson

          I have the same questions, would love to hear the answer.

          • 2. Re: SOAP over HTTPS?
            stevenh


            Heiko,
            It sounds like you are talking about the SSL connector rather than the web service port, so I'll float what I know and you can pick and choose.

            The actual SSL connector is controlled by jbossweb-tomcat55.sar\server.xml. You will have to enable SSL here before you can use https.

            As for your web service, the control for changing ports in your WSDL is done in two parts. The uriScheme (the https bit) is controlled from the WSDL, i.e. if the URL in the WSDL starts with "https" it will update the WSDL with a URL including the secure web port and https, and if it is anything else it will use the default port and the provided schema.

            The ports themselves are configured in an archive, jbossws.sar\jbossws.beans.
            http://www.jboss.com/index.html?module=bb&op=viewtopic&t=84965

            Steve.

            • 3. Re: SOAP over HTTPS?
              stevenh

               

              "stevenh" wrote:


              As for your web service, the control for changing ports in your WSDL is done in two parts. The uriScheme (the https bit) is controlled from the WSDL, i.e. if the URL in the WSDL starts with "https" it will update the WSDL with a URL including the secure web port and https, and if it is anything else it will use the default port and the provided schema.

              Steve.


              Sorry, this is no longer correct; this is actually driven by the transportGuarantee.



              • 4. Re: SOAP over HTTPS?
                drhok

                 

                "DrHok" wrote:
                I would like to change an existing SOAP interface to a JBoss(4.0.2)-based webservice from HTTP to HTTPS, in order to ensure both privacy and integrity of data.

                But how do I do it?



                Actually it turned out to be easier than I thought (on JBoss 4.0.2):

                1. Uncomment and edit the SSL/TLS Connector section in server/default/deploy/jbossweb-tomcat55.sar/server.xml.

                2. Generate a server key pair using keytool, see http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html.

                3. Export the public key and import it on the client, also using keytool.

                Then, if the ws client uses https://server:8443/... instead of http://server:8080/..., SOAP goes over TLS.

                The WSDL doesn't need to know about TLS.

                Note: I think my description of activating TLS is accurate, but I can't guarantee that it works. I guessed the first two steps by diffing a virgin jboss-4.0.2.zip with a running AS where TLS was activated by someone else. I might have missed some details of the configuration.

                "DrHok" wrote:
                Will this cause a significant delay and load on the AS?


                I made a performance comparison between TLS on and off, and surprisingly the effect of TLS is really small.

                Neither the response times nor the load on the AS changed much (roughly +10%).

                However, the network latency might increase if client and server are further apart in terms of IP hops (I tried up to 3), because sending a SOAP request and receiving a response over TLS requires 6 packet round-trips instead of 3 without TLS.
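
Steps 2 and 3 of the procedure in reply 4, written out as keytool commands with two checks a practitioner would run before handing the truststore to clients. This is an added example, not part of any post in the thread; the alias, file names and password are constructed placeholders, and it assumes `keytool` is on the PATH.

```shell
# Added example for steps 2 and 3 above; "myserver" is the host name from the thread.
set -e

ALIAS=jbossws                  # hypothetical alias
SERVER_KS=server.keystore      # file the connector's keystoreFile points at
CLIENT_TS=client.truststore    # client JVM: -Djavax.net.ssl.trustStore=...
CERT=server.cer
# Passwords on the command line show up in the process list; leave out
# -storepass/-keypass to be prompted instead when running this by hand.
STOREPASS=${STOREPASS:-placeholder-pass}

# Step 2: key pair plus self-signed certificate. The CN has to match the
# host name in the client's https:// URL or host name verification can fail.
gen_server_keystore() {
    keytool -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=myserver" \
        -keystore "$SERVER_KS" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 3a: export the certificate only; the private key never leaves SERVER_KS.
export_cert() {
    keytool -export -alias "$ALIAS" -file "$CERT" \
        -keystore "$SERVER_KS" -storepass "$STOREPASS"
}

# Step 3b: import it into a separate truststore that is shipped to the client.
import_cert() {
    keytool -import -noprompt -alias "$ALIAS" -file "$CERT" \
        -keystore "$CLIENT_TS" -storepass "$STOREPASS"
}

# Check 1: the client file holds a trusted certificate and no private key.
truststore_is_cert_only() {
    listing=$(keytool -list -keystore "$CLIENT_TS" -storepass "$STOREPASS")
    echo "$listing" | grep -q 'trustedCertEntry' &&
        ! echo "$listing" | grep -qi 'keyentry'
}

# Check 2: print an entry's certificate fingerprint so both sides can be compared.
fingerprint() {    # $1 = keystore file
    keytool -list -alias "$ALIAS" -keystore "$1" -storepass "$STOREPASS" |
        sed -n 's/.*fingerprint[^:]*: *//p'
}

# Run everything with: sh tls-setup.sh run
if [ "${1:-}" = "run" ]; then
    gen_server_keystore && export_cert && import_cert && truststore_is_cert_only
    echo "server: $(fingerprint "$SERVER_KS")  client: $(fingerprint "$CLIENT_TS")"
fi
```

The two fingerprints printed at the end must be identical; a mismatch means the client trusts a different certificate than the one the connector presents.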