You can configure SSL communication for your client applications
to access web services.
Before you begin
You must complete the following prerequisites before enabling
SSL communication for web services access:
Note: The keytool utility can be found in your Java™ installation directory.
About this task
If your web service client application uses the secured HTTP protocol (HTTPS)
to access protected web service resources, all messages are encrypted
according to the SSL specification.
Procedure
- Enable the jaxws-2.2, servlet-3.0 (or servlet-3.1),
and appSecurity-2.0 features in the server.xml file.
<featureManager>
    <feature>jaxws-2.2</feature>
    <feature>servlet-3.0</feature>
    <feature>appSecurity-2.0</feature>
</featureManager>
- Configure the SSL elements in the server.xml file.
<sslDefault sslRef="customizeSSLConfig" />
<ssl id="customizeSSLConfig" keyStoreRef="serverKeyStore" trustStoreRef="serverTrustStore" />
<keyStore id="serverKeyStore" location="myKey.jks" type="JKS" password="passw0rd" />
<keyStore id="serverTrustStore" location="myKey.jks" type="JKS" password="passw0rd" />
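As an added example that is not part of the original page, the following stand-alone Java program checks the JKS file that the keyStore elements above reference before the server is started. The location myKey.jks and the password passw0rd are the page's sample values; because server.xml points both keyStoreRef and trustStoreRef at the same file, one pass over its entries covers the server key and the trusted certificates.

```java
// Added example, not from the original page: checks the JKS file referenced by
// the keyStore elements in server.xml (location="myKey.jks", password="passw0rd"
// are the page's sample values). Reports missing private keys, certificates
// that are expired or not yet valid, and self-signed server certificates.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class CheckSslKeyStore {

    // Returns a list of findings; an empty list means the store looks usable
    // for the <ssl id="customizeSSLConfig"> configuration.
    public static List<String> check(String location, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(location)) {
            ks.load(in, password);   // throws IOException on a wrong password or a corrupt file
        }

        List<String> findings = new ArrayList<>();
        boolean hasPrivateKey = false;

        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                findings.add(alias + ": not an X.509 certificate entry");
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;

            // An expired or not-yet-valid certificate makes every handshake fail.
            try {
                x509.checkValidity();
            } catch (CertificateException e) {
                findings.add(alias + ": certificate not currently valid (" + e.getMessage() + ")");
            }

            if (ks.isKeyEntry(alias)) {
                hasPrivateKey = true;
                // Subject equal to issuer is the usual sign of a self-signed certificate.
                // That is fine for a test setup, but clients must then hold this exact
                // certificate in their trust store, which the shared myKey.jks provides.
                boolean selfSigned = x509.getSubjectX500Principal()
                        .equals(x509.getIssuerX500Principal());
                if (selfSigned) {
                    findings.add(alias + ": server certificate is self-signed, subject "
                            + x509.getSubjectX500Principal().getName());
                }
            }
        }

        if (!hasPrivateKey) {
            findings.add("no private-key entry: the server has no certificate to present");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        String location = args.length > 0 ? args[0] : "myKey.jks";    // from server.xml
        String password = args.length > 1 ? args[1] : "passw0rd";     // sample value from server.xml
        List<String> findings = check(location, password.toCharArray());
        if (findings.isEmpty()) {
            System.out.println(location + ": OK");
        } else {
            for (String finding : findings) {
                System.out.println(location + ": " + finding);
            }
        }
    }
}
```

Run it from the server configuration directory as java CheckSslKeyStore myKey.jks passw0rd. A wrong password surfaces as an IOException from KeyStore.load, which is also what the server would report at startup.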
- Configure the service provider by specifying the web service
endpoints.
- Create web services.
@WebService(serviceName = "SayHelloPojoService",
            portName = "SayHelloPojoPort")
public class SayHelloPojoService implements SayHelloService {
    ...
}

@WebService(serviceName = "SayHelloStatelessService",
            portName = "SayHelloStatelessPort",
            endpointInterface = "com.ibm.ws.jaxws.transport.server.security.SayHelloService")
@Stateless(name = "SayHelloSessionBean")
public class SayHelloStatelessService implements SayHelloLocal {
    ...
}
- Configure the ibm-ws-bnd.xml file
for the service provider.
<?xml version="1.0" encoding="UTF-8"?>
<webservices-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-ws-bnd_1_0.xsd"
    version="1.0">
    <http-publishing>
        <webservice-security>
            <security-constraint>
                <web-resource-collection>
                    <web-resource-name>All</web-resource-name>
                    <url-pattern>/*</url-pattern>
                    <http-method>GET</http-method>
                    <http-method>POST</http-method>
                </web-resource-collection>
                <user-data-constraint>
                    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                </user-data-constraint>
            </security-constraint>
        </webservice-security>
    </http-publishing>
</webservices-bnd>
Note: The ibm-ws-bnd.xml file
must be in the /WEB-INF directory of a web application,
or in the /META-INF directory of an EJB-based web
service application (JAR archive).
- Configure the service client by specifying the web service
endpoints. For example, the client application is a web application
named TransportSecurityClient.war.
- Configure the client application in the server.xml file.
<application id="TransportSecurityClient" name="TransportSecurityClient"
location="TransportSecurityClient.war"
context-root="TransportSecurityClient" type="war" />
- Configure the ibm-ws-bnd.xml file
for the client application.
<?xml version="1.0" encoding="UTF-8"?>
<webservices-bnd id="idvalue0" version="1.0" xmlns="http://websphere.ibm.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-ws-bnd_1_0.xsd">
    <!-- POJO service reference binding -->
    <service-ref name="service/SayHelloPojoService">
        <port name="SayHelloPojoPort"
              namespace="http://ibm.com/ws/jaxws/transport/security/"
              ssl-ref="customizeSSLConfig"/>
        <properties http.conduit.tlsClientParameters.disableCNCheck="true" />
    </service-ref>
    <!-- Stateless service reference binding -->
    <service-ref name="service/SayHelloStatelessService">
        <port name="SayHelloStatelessPort"
              namespace="http://ibm.com/ws/jaxws/transport/security/"
              ssl-ref="customizeSSLConfig"/>
        <properties http.conduit.tlsClientParameters.disableCNCheck="true" />
    </service-ref>
</webservices-bnd>
Note:
- The ibm-ws-bnd.xml file must be in the /WEB-INF directory
of the client web application.
- The value of the ssl-ref attribute must match
the id value of the ssl element in the server.xml file.
- If the ssl-ref attribute is not specified in the
ibm-ws-bnd.xml file, the web services engine uses the default SSL configuration of Liberty,
if one is present.
- The http.conduit.tlsClientParameters.disableCNCheck property
controls whether the client verifies that the host name of the remote server matches
the name in its certificate. Set this property to false in a production environment:
when it is true, host name verification is skipped, and any certificate that the
trust store trusts is accepted for any host.
- Generate the client stubs through WSDL location.
@WebServiceClient(name = "SayHelloPojoService",
                  targetNamespace = "http://ibm.com/ws/jaxws/transport/security/",
                  wsdlLocation = "https://localhost:8020/TransportSecurityProvider/unauthorized/employPojoService?wsdl")
public class SayHelloPojoService extends Service {
    ...
}

@WebServiceClient(name = "SayHelloStatelessService",
                  targetNamespace = "http://ibm.com/ws/jaxws/transport/security/",
                  wsdlLocation = "https://localhost:8020/TransportSecurityProvider/unauthorized/EmployStatelessService?wsdl")
public class SayHelloStatelessService extends Service {
    ...
}
- Use the @WebServiceRef annotation to
inject the web service into the servlet. For example, in the TestJaxWsTransportSecurityServlet:
@WebServiceRef(name = "service/SayHelloPojoService")
SayHelloPojoService pojoService;
@WebServiceRef(name = "service/SayHelloStatelessService")
SayHelloStatelessService statelessService;
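As an added example that is not part of the original page, the servlet named in the last step is completed below so that it invokes both injected ports and refuses to send a request whose resolved endpoint address is not HTTPS. The example assumes that the generated client classes live in the package com.ibm.ws.jaxws.transport.security (the default package mapping of the targetNamespace shown above), that the generated Service classes provide getSayHelloPojoPort() and getSayHelloStatelessPort(), that the SEI SayHelloService declares String sayHello(String name), and that the web services engine populates BindingProvider.ENDPOINT_ADDRESS_PROPERTY in the request context with the port address taken from the WSDL. The servlet package com.example.client is hypothetical.

```java
// Added example, not from the original page: the TestJaxWsTransportSecurityServlet
// from the procedure, completed. Assumed: generated client classes in
// com.ibm.ws.jaxws.transport.security, port getters getSayHelloPojoPort() and
// getSayHelloStatelessPort(), an SEI method String sayHello(String), and an
// engine that sets BindingProvider.ENDPOINT_ADDRESS_PROPERTY from the WSDL.
package com.example.client;   // hypothetical package for the client web application

import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.WebServiceRef;

import com.ibm.ws.jaxws.transport.security.SayHelloPojoService;
import com.ibm.ws.jaxws.transport.security.SayHelloService;
import com.ibm.ws.jaxws.transport.security.SayHelloStatelessService;

@WebServlet("/TestJaxWsTransportSecurityServlet")
public class TestJaxWsTransportSecurityServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    // The name attribute matches the <service-ref name="..."> element in
    // ibm-ws-bnd.xml, which is where the ssl-ref binding for each port comes from.
    @WebServiceRef(name = "service/SayHelloPojoService")
    SayHelloPojoService pojoService;

    @WebServiceRef(name = "service/SayHelloStatelessService")
    SayHelloStatelessService statelessService;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println(callOverHttps(pojoService.getSayHelloPojoPort(), "pojo"));
        out.println(callOverHttps(statelessService.getSayHelloStatelessPort(), "stateless"));
    }

    // Sends the request only if the port's resolved endpoint address is HTTPS.
    // A WSDL or binding that points at plain HTTP would otherwise put the message
    // on the wire in cleartext even though an ssl-ref is configured for the port.
    static String callOverHttps(SayHelloService port, String label) {
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        Object address = ctx.get(BindingProvider.ENDPOINT_ADDRESS_PROPERTY);
        if (address == null || !address.toString().toLowerCase().startsWith("https://")) {
            return label + ": refused, endpoint is not HTTPS: " + address;
        }
        return label + ": " + port.sayHello("Liberty");
    }
}
```

The HTTPS check complements, and does not replace, host name verification: which certificate the client accepts for that HTTPS endpoint is still governed by the ssl-ref trust store and the disableCNCheck property in ibm-ws-bnd.xml.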