Enabling SSL communication for web services access

You can configure SSL communication for your client applications to access web services.

Before you begin

You must complete the following prerequisites before enabling the SSL communication for web services access:
  • Generate a pair of self-signed public and private keys for client and provider:
    keytool -genkey -alias default -keystore myKey.jks -dname "CN=myServer, O=IBM, C=CN"
        -storepass passw0rd -keypass passw0rd -storetype jks  -validity 1000 -keyalg RSA
  • Copy the myKey.jks file to the ${server.config.dir}/resources/security directory.
Note: The keytool utility can be found in your Java™ installation directory.

About this task

If you need to use your web service client application with the secured HTTP protocol to access the protected web service resources, all the message are encrypted according to the SSL specification.

Procedure

  1. Enable the jaxws-2.2, servlet-3.0(or servlet-3.1) and appSecurity-2.0 features in the server.xml file.
    <featureManager>
      <feature>jaxws-2.2</feature>
      <feature>servlet-3.0</feature>
      <feature>appSecurity-2.0</feature>
    </featureManager>
  2. Configure the SSL elements in the server.xml file.
    <sslDefault sslRef="customizeSSLConfig" />
    <ssl id="customizeSSLConfig" keyStoreRef="serverKeyStore" trustStoreRef="serverTrustStore" />
    <keyStore id="serverKeyStore" location="myKey.jks" type="JKS" password="passw0rd" />
    <keyStore id="serverTrustStore" location="myKey.jks" type="JKS" password="passw0rd" />
  3. Configure the service provider by specifying the web service endpoints.
    1. Create web services.
      @WebService(serviceName = "SayHelloPojoService",
                  portName = "SayHelloPojoPort")
      public class SayHelloPojoService implements SayHelloService {
      	...
      }
      
      @WebService(serviceName = "SayHelloStatelessService",
                  portName = "SayHelloStatelessPort",
                  endpointInterface = "com.ibm.ws.jaxws.transport.server.security.SayHelloService")
      @Stateless(name = "SayHelloSessionBean")
      public class SayHelloStatelessService implements SayHelloLocal {
      	...
      }
    2. Configure the ibm-ws-bnd.xml file for the service provider.
      <?xml version="1.0" encoding="UTF-8"?>
      <webservices-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee" 
      		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
      		xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee
          http://websphere.ibm.com/xml/ns/javaee/ibm-ws-bnd_1_0.xsd " 
      		version="1.0">
      	<http-publishing>
      		<webservice-security> 
      			<security-constraint>
      				<web-resource-collection>
      					<web-resource-name>All</web-resource-name>
      					<url-pattern>/*</url-pattern>
      					<http-method>GET</http-method>
      					<http-method>POST</http-method>
      				</web-resource-collection>
      				<user-data-constraint>
      					<transport-guarantee>CONFIDENTIAL</transport-guarantee>
      				</user-data-constraint>
      			</security-constraint>                     
      		</webservice-security>
      	</http-publishing>
      </webservices-bnd>
      Note: The ibm-ws-bnd.xml file must be in the /WEB-INF directory of a web application, or the /META-INF directory of a EJB-based web service application (JAR archive).
  4. Configure the service client by specifying the web service endpoints. For example, the client application is a web application named TransportSecurityClient.war.
    1. Configure the client application in the server.xml file.
      <application id="TransportSecurityClient" name="TransportSecurityClient" 
      		location="TransportSecurityClient.war"
      		context-root="TransportSecurityClient" type="war" />
    2. Configure the ibm-ws-bnd.xml file for the client application.
      <?xml version="1.0" encoding="UTF-8"?>
      <webservices-bnd id="idvalue0" version="1.0" xmlns="http://websphere.ibm.com/xml/ns/javaee" 
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee
          http://websphere.ibm.com/xml/ns/javaee/ibm-ws-bnd_1_0.xsd " >
      	<!-- POJO service reference binding-->
      	<service-ref name="service/SayHelloPojoService">
      		<port name="SayHelloPojoPort" 
      				namespace="http://ibm.com/ws/jaxws/transport/security/"
      				ssl-ref="customizeSSLConfig"/>
          <properties http.conduit.tlsClientParameters.disableCNCheck="true" />
      	</service-ref>
      	<!-- Stateless service reference binding-->
      	<service-ref name="service/SayHelloStatelessService">
      		<port name="SayHelloStatelessPort" 
      				namespace="http://ibm.com/ws/jaxws/transport/security/"
      				ssl-ref="customizeSSLConfig"/>
          <properties http.conduit.tlsClientParameters.disableCNCheck="true" />	
      </service-ref>
      </webservices-bnd>
      Note:
      • The ibm-ws-bnd.xml file must be in the /WEB-INF directory of the client web application.
      • The value of ssl-ref attribute must match the ID value of ssl element in server.xml file.
      • If the ssl-ref attribute is not specified in the ibm-ws-bnd.xml file, the following Liberty configurations can be used by the web services engine, if present:
        • The default SSL configuration
        • [17.0.0.3 and later]The outbound default SSL configuration
        • [17.0.0.3 and later]An outbound SSL configuration filter
      • The http.conduit.tlsClientParameters.disableCNcheck attribute is used to control whether to validate the remote server. Use false for this attribute in a production environment because the hostName verification will be ignored if this attribute is true.
    3. Generate the client stubs through WSDL location.
      @WebServiceClient(name = "SayHelloPojoService",
                        targetNamespace = "http://ibm.com/ws/jaxws/transport/security/",
                        wsdlLocation = "https://localhost:8020/TransportSecurityProvider/unauthorized/employPojoService?wsdl")
      public class SayHelloPojoService
                      extends Service
      {...}
      
      @WebServiceClient(name = "SayHelloStatelessService",
          targetNamespace = "http://ibm.com/ws/jaxws/transport/security/",
          wsdlLocation = "https://localhost:8020/TransportSecurityProvider/unauthorized/EmployStatelessService?wsdl")
      public class SayHelloStatelessService
                      extends Service
      {...}
    4. Use the @WebServiceRef annotation to inject the web service into the servlet. For example, the TestJaxWsTransportSecurityServlet.
      @WebServiceRef(name = "service/SayHelloPojoService")
      SayHelloPojoService pojoService;
      
      @WebServiceRef(name = "service/SayHelloStatelessService")
      SayHelloStatelessService statelessService;

Icon that indicates the type of topic Task topic

File name: twlp_sec_ws_ssl.html