0 Replies Latest reply on Jun 10, 2010 10:24 AM by fernando.villarreal

    Web services over SSL configuration issues

    fernando.villarreal

      Hi everyone,

           We're working with JBoss 4.2.3GA to publish a web service. We have to publish it over SSL with certificate validation.

      We activated SSL in server.xml like this:

       

      <Connector port="8181" address="${jboss.bind.address}"
                  protocol="HTTP/1.1" SSLEnabled="true"
                  maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
                  emptySessionPath="true"
                  scheme="https" secure="true" clientAuth="true"
                  sslProtocol = "TLS"
                  keystoreFile="/etc/server/server.keystore"
                  keystorePass="xxxxxxxx"
                  truststoreFile="/etc/server/server.truststore"
                  truststorePass="xxxxxxxx"
          ></Connector>

       

      JBoss worked fine, but when we got the WSDL over both HTTP and HTTPS the soap:address was always the same:

       

      <soap:address location='http://ws.testing.com:8080/testing-web/TestingService'/>

       

      So we had to patch JBoss with jboss-native 3.2.2GA (the last version that works with JBoss 4.2.3GA) and changed the web service's web.xml file to add:

       

      <security-constraint>
          <web-resource-collection>
            <web-resource-name>All resources</web-resource-name>
            <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
        </security-constraint>

       

      Now every time I get the WSDL it responds with:

       

      <soap:address  location='https://ws.testing.com:8181/testing-web/TestingService'/>

       

      Here comes the first question:

       

      Is it possible to get

      <soap:address  location='http://ws.testing.com:8080/testing-web/TestingService'/>

      when I get it from HTTP and get

      <soap:address  location='https://ws.testing.com:8181/testing-web/TestingService'/>

      when I get it from HTTPS?

       

      Second question:

      Now, working like this, it works just fine from a Java application using the server's keystore as a truststore and the server's truststore as a keystore.

       

      I can also get the WSDL from the command line with openssl:

      openssl s_client -connect ws.testing.com:8181 -cert client.cert

      and then

      GET /testing-web/TestingService?wsdl

       

      But from a web browser I got an error:

       

      Chrome:

      Error 117 (net::ERR_BAD_SSL_CLIENT_AUTH_CERT): Certificado de autenticación de cliente SSL no válido

       

      Firefox:

      El otro extremo de la conexión SSL no esperaba un mensaje de negociación que ha recibido.

      (Código de error: ssl_error_handshake_unexpected_alert)

       

      Does anyone know how to solve this issue?

       

      Regards,

       

      Fernando Villarreal
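
The soap:address behaviour described in the post matters for transport security: a WSDL fetched over HTTPS that advertises an http:// endpoint sends generated clients to the cleartext connector. The check below is an added example, not part of the original post; the function names are hypothetical, the WSDL skeleton is constructed, and only the host, ports and path come from the post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# SOAP 1.1 and SOAP 1.2 WSDL binding namespaces
SOAP_NS = ("http://schemas.xmlsoap.org/wsdl/soap/",
           "http://schemas.xmlsoap.org/wsdl/soap12/")
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample WSDL skeleton (not captured from a real server)
SAMPLE = """<definitions xmlns='http://schemas.xmlsoap.org/wsdl/'
    xmlns:soap='http://schemas.xmlsoap.org/wsdl/soap/' name='TestingService'>
  <service name='TestingService'>
    <port name='TestingPort' binding='tns:TestingBinding'>
      <soap:address location='%s'/>
    </port>
  </service>
</definitions>"""

def _origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port

def soap_addresses(wsdl_text):
    """List every soap:address location advertised in the WSDL."""
    root = ET.fromstring(wsdl_text)
    return [el.get("location", "")
            for ns in SOAP_NS
            for el in root.iter("{%s}address" % ns)]

def check_wsdl(fetched_from, wsdl_text):
    """Compare advertised endpoints with the URL the WSDL was fetched from."""
    want = _origin(fetched_from)
    findings = []
    for loc in soap_addresses(wsdl_text):
        got = _origin(loc)
        if want[0] == "https" and got[0] != "https":
            findings.append((loc, "downgrade"))        # HTTPS WSDL, cleartext endpoint
        elif got != want:
            findings.append((loc, "origin-mismatch"))  # different scheme, host or port
    return findings

if __name__ == "__main__":
    http_ep = "http://ws.testing.com:8080/testing-web/TestingService"
    print(check_wsdl("https://ws.testing.com:8181/testing-web/TestingService?wsdl",
                     SAMPLE % http_ep))
```
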