You can configure SSL communication for your client applications to access web
services.
Before you begin
You must complete the following prerequisites before enabling the SSL communication for web
services access:
Note: The keytool utility can be found in your Java™ installation directory.
About this task
If your web service client application uses the secured HTTP protocol (HTTPS) to access
protected web service resources, all messages are encrypted according to the SSL
specification.
Procedure
- Enable the jaxws-2.2, servlet-3.0 (or servlet-3.1), and appSecurity-2.0 features in the
server.xml file.
<featureManager>
    <feature>jaxws-2.2</feature>
    <feature>servlet-3.0</feature>
    <feature>appSecurity-2.0</feature>
</featureManager>
- Configure the SSL elements in the server.xml file.
<sslDefault sslRef="customizeSSLConfig" />
<ssl id="customizeSSLConfig" keyStoreRef="serverKeyStore" trustStoreRef="serverTrustStore" />
<keyStore id="serverKeyStore" location="myKey.jks" type="JKS" password="passw0rd" />
<keyStore id="serverTrustStore" location="myKey.jks" type="JKS" password="passw0rd" />
- Configure the service provider by specifying the web service endpoints.
- Create web services.
@WebService(serviceName = "SayHelloPojoService",
portName = "SayHelloPojoPort")
public class SayHelloPojoService implements SayHelloService {
...
}
@WebService(serviceName = "SayHelloStatelessService",
portName = "SayHelloStatelessPort",
endpointInterface = "com.ibm.ws.jaxws.transport.server.security.SayHelloService")
@Stateless(name = "SayHelloSessionBean")
public class SayHelloStatelessService implements SayHelloLocal {
...
}
- Configure the ibm-ws-bnd.xml file for the service provider.
<?xml version="1.0" encoding="UTF-8"?>
<webservices-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee
http://websphere.ibm.com/xml/ns/javaee/ibm-ws-bnd_1_0.xsd "
version="1.0">
<http-publishing>
<webservice-security>
<security-constraint>
<web-resource-collection>
<web-resource-name>All</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
</webservice-security>
</http-publishing>
</webservices-bnd>
Note: The ibm-ws-bnd.xml file must be in the /WEB-INF directory of a web application, or
the /META-INF directory of an EJB-based web service application (JAR archive).
- Configure the service client by specifying the web service endpoints. For example, the client
application is a web application named TransportSecurityClient.war.
- Configure the client application in the server.xml file.
<application id="TransportSecurityClient" name="TransportSecurityClient"
location="TransportSecurityClient.war"
context-root="TransportSecurityClient" type="war" />
- Configure the ibm-ws-bnd.xml file for the client application.
<?xml version="1.0" encoding="UTF-8"?>
<webservices-bnd id="idvalue0" version="1.0" xmlns="http://websphere.ibm.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee
http://websphere.ibm.com/xml/ns/javaee/ibm-ws-bnd_1_0.xsd " >
<!-- POJO service reference binding-->
<service-ref name="service/SayHelloPojoService">
<port name="SayHelloPojoPort"
namespace="http://ibm.com/ws/jaxws/transport/security/"
ssl-ref="customizeSSLConfig"/>
<properties http.conduit.tlsClientParameters.disableCNCheck="true" />
</service-ref>
<!-- Stateless service reference binding-->
<service-ref name="service/SayHelloStatelessService">
<port name="SayHelloStatelessPort"
namespace="http://ibm.com/ws/jaxws/transport/security/"
ssl-ref="customizeSSLConfig"/>
<properties http.conduit.tlsClientParameters.disableCNCheck="true" />
</service-ref>
</webservices-bnd>
Note:
- The ibm-ws-bnd.xml file must be in the /WEB-INF directory of the client web application.
- The value of the ssl-ref attribute must match the id value of an ssl element in the
server.xml file.
- If the ssl-ref attribute is not specified in the ibm-ws-bnd.xml file, the web services
engine uses the following Liberty configurations, if present:
  - The default SSL configuration
  - The outbound default SSL configuration
  - An outbound SSL configuration filter
- The http.conduit.tlsClientParameters.disableCNCheck attribute controls whether the client
validates the host name of the remote server against its certificate. Set this attribute to
false in a production environment, because host name verification is skipped when the
attribute is true.
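The two rules in the note above (every ssl-ref must match an ssl id in server.xml, and disableCNCheck must not be true in production) are easy to check mechanically before deployment. The following script is an added example, not part of the original page or the Liberty product; it parses a client ibm-ws-bnd.xml together with the SSL elements from server.xml (both constructed inline from the page's samples, with one binding deliberately misconfigured) and reports the findings.

```python
import xml.etree.ElementTree as ET

BND_NS = "{http://websphere.ibm.com/xml/ns/javaee}"
CN_CHECK_PROP = "http.conduit.tlsClientParameters.disableCNCheck"

# Constructed sample: the SSL elements from the page's server.xml step.
SERVER_XML = """<server>
  <sslDefault sslRef="customizeSSLConfig" />
  <ssl id="customizeSSLConfig" keyStoreRef="serverKeyStore" trustStoreRef="serverTrustStore" />
  <keyStore id="serverKeyStore" location="myKey.jks" type="JKS" password="passw0rd" />
  <keyStore id="serverTrustStore" location="myKey.jks" type="JKS" password="passw0rd" />
</server>"""

# Constructed sample: a client ibm-ws-bnd.xml with one correct binding and one that
# references a non-existent ssl id and disables the CN check.
CLIENT_BND_XML = """<webservices-bnd version="1.0" xmlns="http://websphere.ibm.com/xml/ns/javaee">
  <service-ref name="service/SayHelloPojoService">
    <port name="SayHelloPojoPort" namespace="http://ibm.com/ws/jaxws/transport/security/"
          ssl-ref="customizeSSLConfig"/>
    <properties http.conduit.tlsClientParameters.disableCNCheck="false" />
  </service-ref>
  <service-ref name="service/SayHelloStatelessService">
    <port name="SayHelloStatelessPort" namespace="http://ibm.com/ws/jaxws/transport/security/"
          ssl-ref="missingSSLConfig"/>
    <properties http.conduit.tlsClientParameters.disableCNCheck="true" />
  </service-ref>
</webservices-bnd>"""

def ssl_ids(server_xml):
    """Collect the id values of every <ssl> element in server.xml."""
    return {e.get("id") for e in ET.fromstring(server_xml).iter("ssl")}

def check_client_bindings(client_bnd_xml, server_xml):
    """Return (service-ref name, finding) tuples for a client ibm-ws-bnd.xml."""
    known = ssl_ids(server_xml)
    findings = []
    for ref in ET.fromstring(client_bnd_xml).iter(BND_NS + "service-ref"):
        name = ref.get("name")
        for port in ref.iter(BND_NS + "port"):
            ssl_ref = port.get("ssl-ref")
            if ssl_ref is None:
                findings.append((name, "no ssl-ref: falls back to default/outbound SSL config"))
            elif ssl_ref not in known:
                findings.append((name, f"ssl-ref '{ssl_ref}' matches no <ssl id> in server.xml"))
        for props in ref.iter(BND_NS + "properties"):
            if props.get(CN_CHECK_PROP, "false").lower() == "true":
                findings.append((name, "disableCNCheck=true: host name verification disabled"))
    return findings

if __name__ == "__main__":
    for service, finding in check_client_bindings(CLIENT_BND_XML, SERVER_XML):
        print(f"{service}: {finding}")
```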
- Generate the client stubs from the WSDL location.
@WebServiceClient(name = "SayHelloPojoService",
targetNamespace = "http://ibm.com/ws/jaxws/transport/security/",
wsdlLocation = "https://localhost:8020/TransportSecurityProvider/unauthorized/employPojoService?wsdl")
public class SayHelloPojoService
extends Service
{...}
@WebServiceClient(name = "SayHelloStatelessService",
targetNamespace = "http://ibm.com/ws/jaxws/transport/security/",
wsdlLocation = "https://localhost:8020/TransportSecurityProvider/unauthorized/EmployStatelessService?wsdl")
public class SayHelloStatelessService
extends Service
{...}
- Use the @WebServiceRef annotation to inject the web service into the servlet, for
example, the TestJaxWsTransportSecurityServlet:
@WebServiceRef(name = "service/SayHelloPojoService")
SayHelloPojoService pojoService;
@WebServiceRef(name = "service/SayHelloStatelessService")
SayHelloStatelessService statelessService;