
I need to send SOAP request messages over a two-way SSL connection to a server and also process the SOAP response from the server. I am using Spring MVC along with Spring WS, which is configured entirely using annotations, and it needs to be configured for a two-way SSL connection for sending SOAP requests to the server. How can I set up a two-way SSL connection in my Spring MVC web service application in order to send my SOAP messages to the server over SSL?

  • If you have a certificate for your server, and access the web services over HTTPS, SSL/TLS will protect data in transit in both directions. – SilverlightFox May 17 '16 at 14:46
  • I am a beginner in web services and I have to figure out a way to configure my Spring MVC application for a two-way SSL connection. If you could help me with an example or sample code, it would be great. –  May 17 '16 at 14:52
  • Are you asking about [Mutual Authentication](https://en.wikipedia.org/wiki/Mutual_authentication)? – hooknc May 25 '16 at 04:17
  • @hooknc I need to connect to a bank api with a soap request in a two way SSL connection from my Spring MVC application. –  May 25 '16 at 05:55
  • @brt Which server are you using? – Prashant Thorat May 25 '16 at 09:35
  • Maybe you ask about two-way authentication with client certificate? – user1516873 May 25 '16 at 10:31
  • @prashant Thorat I am using Tomcat 7 Server with Spring MVC –  May 25 '16 at 11:25
  • The Bank Api has given me choice to go with SSL connection to connect to their api from my Spring MVC application. –  May 25 '16 at 11:29
  • That means your client project should run on SSL, i.e. HTTPS. – Prashant Thorat May 25 '16 at 11:48
  • @Prashant Thorat I do not want my entire web application in HTTPS, but only the part where I connect to the Bank API. –  May 25 '16 at 13:22

4 Answers


I can guide you through all the required steps, but there are gaps. Please review my answer so I can provide you the right configuration links.

Two-way SSL is a TLS connection with client certificate authentication. It is not the same as signing the SOAP request: in TLS the certificate is used once, to authenticate the client (see Two-way SSL clarification), whereas signing a SOAP message means making a digital signature over the SOAP body and including it in the SOAP header.

You need a lot of things (please check):

  • A server to manage the TLS connection. You have selected Tomcat. No problem, but in my opinion it is simpler to put an Apache in front as a reverse proxy.

  • An SSL certificate, preferably issued by a trusted entity. If not, you can generate your own certificate, but it needs extra configuration in the next steps.

  • The public key of the SSL certificate (the X.509 certificate) to configure the client truststore.

  • A client certificate to be authenticated in the TLS connection.

  • openssl software in order to generate certificates.

  • I also recommend using this application (http://portecle.sourceforge.net/) to modify JKS keystores; it saves a lot of pain.

Configure the server

1) Generate an SSL certificate (server.crt and server.key)

If you have one, go to 2). If not, follow http://www.akadia.com/services/ssh_test_certificate.html

# private key (1024-bit RSA as in the linked tutorial; 2048 bits or more is the current minimum)
openssl genrsa -des3 -out server.key 1024
# certificate signing request for that key
openssl req -new -key server.key -out server.csr
# strip the passphrase so Tomcat can load the key unattended
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
# self-signed server certificate valid for one year
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

You'll get server.crt and server.key

2) Convert to PKCS12 (server.pfx). Configuration will be simpler. If someone has provided you a certificate, they will also give you a CACert.

openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile CACert.crt

3) Generate a client certificate (client.p12) (extracted from https://gist.github.com/mtigas/952344)

Create a Certificate Authority root

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Create the client key and CSR

openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
# client certificate signed by the CA created above
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

Convert the client key and certificate to PKCS12

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

4) Configure the server truststore (truststore.jks)

Open portecle
New KeyStore -> JKS
Import trusted certificate. Import client.crt and ca.crt
Save as truststore.jks

5) Configure Tomcat SSL with client auth

https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support (similar to Prashant Thorat's answer)

<Connector
    port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    connectionTimeout="20000"
    redirectPort="8443"
    scheme="https"
    secure="true"
    SSLEnabled="true"
    sslProtocol="TLS"
    keystoreFile="server.pfx"
    keystorePass="thepassword"
    keystoreType="PKCS12"
    truststoreFile="truststore.jks"
    truststorePass="thepassword"
    truststoreType="JKS"
    clientAuth="true" />

Configure the client

1) Create the client truststore (client-truststore.jks). Open portecle, create a new JKS and include the server certificate (server.crt) as trusted.

2) Create the client keystore (client-keystore.jks). Open portecle, create a new JKS and import a key pair. Use client.p12, or client.crt and client.key. Import also ca.crt.

3) Configure Spring. I've never done Spring WS, but I have done it with CXF. It's the same concept. You do not need to sign the SOAP message, you only need a TLS connection with client auth, so no SOAP security configuration is needed.

Follow this tutorial https://secinto.wordpress.com/2013/01/21/spring-and-webservices-how-to-use-ssltls-client-authentication/

The key is:

import java.net.URL;

import org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;

private void setupTLSSpring() throws Exception {

    // client-keystore.jks holds the client key pair presented in the TLS handshake;
    // client-truststore.jks holds the server certificate (or its CA) that we trust.
    // AuthSSLProtocolSocketFactory is the Commons HttpClient 3.x contrib class.
    ProtocolSocketFactory authSSLProtocolSocketFactory = new AuthSSLProtocolSocketFactory(new URL(
        "file:%PATH_TO_KEYSTORE%/client-keystore.jks"), PASSWORD, new URL(
        "file:%PATH_TO_TRUSTSTORE%/client-truststore.jks"), PASSWORD);

    // Register the factory for the "https" scheme; 8410 is the default port used when the URL has none.
    Protocol.registerProtocol("https", new Protocol("https", authSSLProtocolSocketFactory, 8410));
}

EDITED

If you use a Bank API, the bank probably runs the server with a trusted SSL certificate and gives you a client certificate for authentication. Isn't it like this? In this case, forget the 'configure server' section.

In 'configure client' step 1, extract the public key from the server SSL certificate and import it into client-truststore.jks.

If some step is not suitable for your desired configuration, please detail it

pedrofb

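Putting the 'configure client' steps above into Spring WS terms, here is an added, annotation-only example that is not code from the answer, the question or the linked tutorial. It assumes the client-keystore.jks (client key pair from client.p12) and client-truststore.jks (bank server certificate or its CA) built above, and the file paths, passwords and endpoint URL in it are placeholders. It uses Spring WS's own HttpsUrlConnectionMessageSender (from spring-ws-core), so the outbound bank call is mutually authenticated TLS while the rest of the Spring MVC application can stay on plain HTTP in Tomcat 7, as the asker wanted.

```java
import java.io.InputStream;
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.ws.client.core.WebServiceTemplate;
import org.springframework.ws.transport.http.HttpsUrlConnectionMessageSender;

@Configuration
public class BankSoapClientConfig {

    // Placeholder locations and passwords (assumptions for this example). In a real deployment
    // read them from protected configuration, never from source control.
    private static final String KEYSTORE_PATH = "/etc/bankclient/client-keystore.jks";
    private static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();
    private static final String TRUSTSTORE_PATH = "/etc/bankclient/client-truststore.jks";
    private static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();
    // Placeholder endpoint; the bank gives you the real one.
    private static final String BANK_ENDPOINT = "https://api.example-bank.test/soap";

    private static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    @Bean
    public HttpsUrlConnectionMessageSender bankMessageSender() throws Exception {
        // Client identity: the private key and certificate chain imported from client.p12.
        // This is what the bank's server asks for when it requires a client certificate.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(KEYSTORE_PATH, KEYSTORE_PASSWORD), KEYSTORE_PASSWORD);

        // Server trust: only the bank's certificate (or its issuing CA) from client-truststore.jks,
        // not the JVM-wide cacerts, so no other issuer can impersonate the bank endpoint.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD));

        HttpsUrlConnectionMessageSender sender = new HttpsUrlConnectionMessageSender();
        sender.setKeyManagers(kmf.getKeyManagers());
        sender.setTrustManagers(tmf.getTrustManagers());
        sender.setSslProtocol("TLSv1.2");
        // No custom HostnameVerifier is set on purpose: the JSSE default one checks that the
        // certificate matches the bank's host name. Do not replace it with an accept-all verifier.
        return sender;
    }

    @Bean
    public WebServiceTemplate bankWebServiceTemplate(HttpsUrlConnectionMessageSender bankMessageSender) {
        WebServiceTemplate template = new WebServiceTemplate();
        template.setDefaultUri(BANK_ENDPOINT);
        template.setMessageSender(bankMessageSender);
        return template;
    }

    /**
     * Sends the given SOAP body payload over the mutually authenticated connection and
     * returns the response body as XML text. The TLS handshake (including presenting the
     * client certificate) happens inside the message sender; no WS-Security signing is involved.
     */
    public static String call(WebServiceTemplate template, String requestPayload) {
        StringWriter response = new StringWriter();
        template.sendSourceAndReceiveToResult(
            new StreamSource(new StringReader(requestPayload)),
            new StreamResult(response));
        return response.toString();
    }
}
```

If the handshake fails with "bad_certificate" or "handshake_failure", the usual cause is that client-keystore.jks lacks the private key (only client.crt was imported) or that client-truststore.jks does not contain the certificate the bank actually presents; `-Djavax.net.debug=ssl:handshake` on the JVM shows which side rejected what.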

I wanted to share a full tutorial and a GitHub project link about two-way SSL connections in Spring.

Full 2-way SSL Tutorial Link:

Everything You Ever Wanted to Know About SSL (but Were Afraid to Ask)

Github Project Link:

boot two way ssl example

UPDATE:

Actually, I do not have code for exactly this requirement. But I found some links related to SSL, which I am sharing with you as a helping hand.

  1. Making Authenticated Web Service Callouts Using Two-Way SSL
  2. Accessing RESTful services configured with SSL using RestTemplate
  3. HttpClient with SSL
SkyWalker
  • The link provided above shows a two-way SSL connection with Spring Boot, which has an embedded Tomcat server. I need to configure a two-way SSL connection in a Spring application without Boot, with a separate Tomcat 7 server. If any links or sample code are available, please update. –  May 19 '16 at 16:51
  • @brt I will let you know. – SkyWalker May 20 '16 at 02:25
  • @brt I have updated 2 links. Please check and share if you got some helpful things. – SkyWalker May 24 '16 at 09:56

First you have to check the Spring documentation to understand the basics of Spring security for web services: http://docs.spring.io/spring-ws/site/reference/html/security.html. I found another tutorial (XML too) that explains how to test your web service security: https://jeromebulanadi.wordpress.com/2010/02/25/basic-spring-web-service-tutorial-from-contract-to-security/#server_security

Then, if you have any specific problem during the implementation, edit your question.

FelipeCaparelli


I think the best thing you can do is configure an HTTP server with SSL in front of your service. That way you do not need to expose your service directly to the internet, nor configure SSL in your services. And you can reuse it when you create more services.

Below I am listing tutorials for configuring Nginx and Apache with an SSL certificate and as a reverse proxy to your service.

SSL certificates:

Nginx
Nginx Two way SSL tutorial
Apache

Reverse Proxy:
Nginx
Apache

Marcel Dias