Web services over SSL configuration issues
fernando.villarreal Jun 10, 2010 10:24 AM
Hi everyone,
We're working with JBoss 4.2.3GA to publish a web service. We have to publish it over SSL with certificate validation.
We activated SSL in server.xml like this:
<Connector port="8181" address="${jboss.bind.address}"
           protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           scheme="https" secure="true" clientAuth="true"
           sslProtocol="TLS"
           keystoreFile="/etc/server/server.keystore"
           keystorePass="xxxxxxxx"
           truststoreFile="/etc/server/server.truststore"
           truststorePass="xxxxxxxx"
></Connector>
JBoss worked fine, but when we got the WSDL over both HTTP and HTTPS the soap:address was always the same:
<soap:address location='http://ws.testing.com:8080/testing-web/TestingService'/>
So we had to patch JBoss with jboss-native 3.2.2GA (the last version that works with JBoss 4.2.3GA) and changed the web service's web.xml file to add:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>All resources</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Now every time I get the WSDL it responds with
<soap:address location='https://ws.testing.com:8181/testing-web/TestingService'/>
Here comes the first question:
Is it possible to get
<soap:address location='http://ws.testing.com:8080/testing-web/TestingService'/>
when I get it from HTTP and get
<soap:address location='https://ws.testing.com:8181/testing-web/TestingService'/>
when I get it from HTTPS?
Second question:
Now, working like this it works just fine from a Java application using the server's keystore as a truststore and server's truststore as keystore.
I can also get the WSDL from the command line with openssl
openssl s_client -connect ws.testing.com:8181 -cert client.cert
and then
GET /testing-web/TestingService?wsdl
But from a web browser I got an error:
Chrome:
Error 117 (net::ERR_BAD_SSL_CLIENT_AUTH_CERT): Certificado de autenticación de cliente SSL no válido
Firefox:
El otro extremo de la conexión SSL no esperaba un mensaje de negociación que ha recibido.
(Código de error: ssl_error_handshake_unexpected_alert)
Does anyone know how to solve this issue?
Regards,
Fernando Villarreal
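
With clientAuth="true" the connector requests a client certificate during the handshake, and `openssl s_client` prints the CA names the server advertises for it. The script below is an added example, not part of the original post: it checks whether a certificate's issuer appears in that list, using constructed sample output and constructed DNs, and assumes the issuer string comes from the same openssl build as the handshake output so both use the same DN format.

```shell
#!/bin/sh
# Added example (not from the original post).
# Real inputs would come from, for example:
#   openssl s_client -connect ws.testing.com:8181 </dev/null >handshake.txt
#   openssl x509 -in client.cert -noout -issuer   # strip the "issuer=" prefix

# Constructed sample of s_client output; the DNs are made up for illustration.
SAMPLE_OUTPUT='CONNECTED(00000003)
---
Acceptable client certificate CA names
/C=AR/O=Testing/CN=Testing Client CA
/C=AR/O=Testing/CN=server
Client Certificate Types: RSA sign, DSA sign
---'

# Print the CA names the server advertised, one per line.
# Prints nothing when the server sent no list.
acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { grab = 1; next }
        grab && /^(Client Certificate Types|Requested Signature Algorithms|Shared Requested Signature Algorithms|---)/ { grab = 0 }
        grab && NF { print }
    '
}

# issuer_accepted ISSUER_DN   (s_client output on stdin)
# Returns 0 if the issuer is advertised, 1 if it is not,
# 2 if the server advertised no CA names at all.
issuer_accepted() {
    cas=$(acceptable_cas)
    [ -n "$cas" ] || return 2
    printf '%s\n' "$cas" | grep -Fxq -- "$1"
}

# Run the check against the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | issuer_accepted "$1"
}

# Show the advertised list for the sample.
printf '%s\n' "$SAMPLE_OUTPUT" | acceptable_cas
```

A return value of 1 means the certificate was issued by a CA that is not in the list the server advertised, which is the case to compare against the certificates installed in the browser.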