axis web services and custom ssl

Tue, Jul 25, 2006

I’ve been getting reports from the field that the Guanxi Engine and Guard can’t handle their web service setup via ssl, so I took a quick look and the reports were correct. I hadn’t managed to get round to implementing HTTPS support in the web services.

The Guanxi SSL layer handles its own SSL contexts to let the Engine masquerade as multiple Guards over ssl, but there was no equivalent functionality in the Axis web services in the Engine and Guard.

So after a couple of hours of research on google and the Axis web site, I found a way to override the default socket factory Axis uses (which is just the JVM’s) and provide an easier way to configure the Axis web services when they use HTTPS.

What happens when you set up the Engine or Guard using the installer is that the setup classes load the Axis AdminClient and tell it to install the web services from the Web Service Deployment Descriptor (wsdd) file for the Engine or Guard. The problem is, AdminClient uses the default JSSESocketFactory, which you must configure at the JVM level (javax.net.ssl.trustStore and friends), so it’s not very good for a server with multiple Engines or Guards on it. What I needed was a way to force the AdminClient to use a custom truststore at run time, rather than the JVM defined one. Doing so also lets me write a UI to import a certificate and put it in the custom truststore so users don’t have to faff about with keytool. They’ll need to get the server’s cert in the first place though.

Why is the server’s cert required? Well, when AdminClient accesses, say, https://guanxi.ac.uk/guanxi_sp/setup.guanxiEngineSetup, its default JSSESocketFactory makes use of the JVM’s truststore and checks whether the certificate chain presented by guanxi.ac.uk leads to something in there (either the server cert itself or the CA that issued it). If it doesn’t, it will throw the exception:

faultDetail: {http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This is where the custom Guanxi SocketFactory, which extends org.apache.axis.components.net.JSSESocketFactory, comes in. It has its own truststore, provided by the Guanxi SSL layer, and it is configured at run time via the AxisProperties object, which EngineSetup or GuardSetup use to pass info to the Axis engine. The Guanxi SocketFactory then provides Axis with a customised Guanxi Socket that it will use for ssl communication with the server.

Although you still need a truststore for the web services to use, the advantage of the custom Guanxi Socket is that it allows you to hide the low level JVM stuff from the user, especially if they don’t have a default JVM truststore, and it keeps it all nice and enclosed in the Guanxi system.
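To make the mechanism concrete, here is an added example of the same idea (my illustration, not the Guanxi SocketFactory or any Guanxi code): an Axis 1.x JSSESocketFactory subclass that overrides initFactory() to build its SSLContext from a truststore named at run time through AxisProperties, plus the small routine an "import certificate" UI would call instead of keytool. The property names example.truststore and example.truststore.password are assumptions made up for this example; axis.socketSecureFactory is the property Axis’s SocketFactoryFactory consults to pick the https socket factory. Unlike the SunFakeTrustSocketFactory that ships with Axis, which installs a trust-all manager, this keeps PKIX path validation by deriving its trust managers from the truststore, so a cert that isn’t in it still fails with the exception above rather than being silently accepted.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Hashtable;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.apache.axis.AxisProperties;
import org.apache.axis.components.net.JSSESocketFactory;

/**
 * Example (not Guanxi's own code): an Axis secure socket factory that trusts
 * only the certificates in a truststore handed to it via AxisProperties,
 * instead of the JVM-wide javax.net.ssl.trustStore.
 */
public class TruststoreSocketFactory extends JSSESocketFactory {

    // Assumed property names for this example; pick your own in real code.
    public static final String TRUSTSTORE_PROP = "example.truststore";
    public static final String TRUSTSTORE_PASSWORD_PROP = "example.truststore.password";

    public TruststoreSocketFactory(Hashtable attributes) {
        super(attributes);
    }

    /** Axis calls this before creating the first https socket. */
    protected void initFactory() throws IOException {
        String path = AxisProperties.getProperty(TRUSTSTORE_PROP);
        String password = AxisProperties.getProperty(TRUSTSTORE_PASSWORD_PROP);
        if (path == null) {
            throw new IOException(TRUSTSTORE_PROP + " not set");
        }
        try {
            KeyStore trust = loadTruststore(path, password, false);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                    TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trust);
            // Trust managers built from the truststore: PKIX validation stays on.
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            sslFactory = ctx.getSocketFactory();   // field inherited from JSSESocketFactory
        } catch (GeneralSecurityException e) {
            throw new IOException("cannot build SSL context from " + path + ": " + e);
        }
    }

    /** Loads a JKS truststore; with createIfMissing, an absent file yields an empty store. */
    static KeyStore loadTruststore(String path, String password, boolean createIfMissing)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        char[] pw = password == null ? null : password.toCharArray();
        File f = new File(path);
        if (!f.exists() && createIfMissing) {
            ks.load(null, pw);
            return ks;
        }
        InputStream in = new FileInputStream(f);
        try {
            ks.load(in, pw);
        } finally {
            in.close();
        }
        return ks;
    }

    /** What an "import certificate" UI does instead of keytool -importcert. */
    public static void importCertificate(String truststorePath, String password,
                                         String alias, String certPath)
            throws IOException, GeneralSecurityException {
        KeyStore ks = loadTruststore(truststorePath, password, true);
        InputStream certIn = new FileInputStream(certPath);
        Certificate cert;
        try {
            // Accepts a single DER or PEM encoded X.509 certificate.
            cert = CertificateFactory.getInstance("X.509").generateCertificate(certIn);
        } finally {
            certIn.close();
        }
        ks.setCertificateEntry(alias, cert);
        FileOutputStream out = new FileOutputStream(truststorePath);
        try {
            ks.store(out, password.toCharArray());
        } finally {
            out.close();
        }
    }

    /** What a setup class would do before invoking AdminClient. */
    public static void configureAxis(String truststorePath, String password) {
        AxisProperties.setProperty(TRUSTSTORE_PROP, truststorePath);
        AxisProperties.setProperty(TRUSTSTORE_PASSWORD_PROP, password);
        AxisProperties.setProperty("axis.socketSecureFactory",
                TruststoreSocketFactory.class.getName());
    }
}
```

Only initFactory() is overridden, so socket creation (and whatever host name checking the parent class does in create()) is left to JSSESocketFactory. Because the trust managers come from the named truststore alone, a truststore containing nothing trusts nothing, which is the safe direction to fail in; the user still has to obtain the server’s cert out of band, as the post says, and that out-of-band step is where the trust actually gets established.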
