Enabling SSL communication for web services access
You can configure SSL communication for your client applications to access web services.
Before you begin
- Generate a pair of self-signed public and private keys for the client and provider:
  keytool -genkey -alias default -keystore myKey.jks -dname "CN=myServer, O=IBM, C=CN" -storepass passw0rd -keypass passw0rd -storetype jks -validity 1000 -keyalg RSA
- Copy the myKey.jks file to the ${server.config.dir}/resources/security directory.
Note: The keytool utility can be found in your Java™ installation directory.
About this task
If your web service client application uses the secured HTTP protocol (HTTPS) to access protected web service resources, all messages are encrypted according to the SSL specification.
Procedure
- Enable the jaxws-2.2, servlet-3.0 (or servlet-3.1), and appSecurity-2.0 features in the server.xml file.
  <featureManager>
    <feature>jaxws-2.2</feature>
    <feature>servlet-3.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
- Configure the SSL elements in the server.xml file.
  <sslDefault sslRef="customizeSSLConfig" />
  <ssl id="customizeSSLConfig" keyStoreRef="serverKeyStore" trustStoreRef="serverTrustStore" />
  <keyStore id="serverKeyStore" location="myKey.jks" type="JKS" password="passw0rd" />
  <keyStore id="serverTrustStore" location="myKey.jks" type="JKS" password="passw0rd" />
- Configure the service provider by specifying the web service endpoints.
  - Create web services.
    @WebService(serviceName = "SayHelloPojoService", portName = "SayHelloPojoPort")
    public class SayHelloPojoService implements SayHelloService {
        ...
    }

    @WebService(serviceName = "SayHelloStatelessService", portName = "SayHelloStatelessPort",
                endpointInterface = "com.ibm.ws.jaxws.transport.server.security.SayHelloService")
    @Stateless(name = "SayHelloSessionBean")
    public class SayHelloStatelessService implements SayHelloLocal {
        ...
    }
  - Configure the ibm-ws-bnd.xml file for the service provider.
    <?xml version="1.0" encoding="UTF-8"?>
    <webservices-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-ws-bnd_1_0.xsd"
        version="1.0">
      <http-publishing>
        <webservice-security>
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>All</web-resource-name>
              <url-pattern>/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
            </web-resource-collection>
            <user-data-constraint>
              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
          </security-constraint>
        </webservice-security>
      </http-publishing>
    </webservices-bnd>
  Note: The ibm-ws-bnd.xml file must be in the /WEB-INF directory of a web application, or in the /META-INF directory of an EJB-based web service application (JAR archive).
- Configure the service client by specifying the web service endpoints. For example, the client application is a web application named TransportSecurityClient.war.
  - Configure the client application in the server.xml file.
    <application id="TransportSecurityClient" name="TransportSecurityClient" location="TransportSecurityClient.war" context-root="TransportSecurityClient" type="war" />
  - Configure the ibm-ws-bnd.xml file for the client application.
    <?xml version="1.0" encoding="UTF-8"?>
    <webservices-bnd id="idvalue0" version="1.0"
        xmlns="http://websphere.ibm.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-ws-bnd_1_0.xsd">
      <!-- POJO service reference binding -->
      <service-ref name="service/SayHelloPojoService">
        <port name="SayHelloPojoPort" namespace="http://ibm.com/ws/jaxws/transport/security/" ssl-ref="customizeSSLConfig"/>
        <properties http.conduit.tlsClientParameters.disableCNCheck="true" />
      </service-ref>
      <!-- Stateless service reference binding -->
      <service-ref name="service/SayHelloStatelessService">
        <port name="SayHelloStatelessPort" namespace="http://ibm.com/ws/jaxws/transport/security/" ssl-ref="customizeSSLConfig"/>
        <properties http.conduit.tlsClientParameters.disableCNCheck="true" />
      </service-ref>
    </webservices-bnd>
  Note:
  - The ibm-ws-bnd.xml file must be in the /WEB-INF directory of the client web application.
  - The value of the ssl-ref attribute must match the id value of the ssl element in the server.xml file.
  - If the ssl-ref attribute is not specified in the ibm-ws-bnd.xml file, the web services engine uses the default SSL configuration in Liberty, if one is present.
  - The http.conduit.tlsClientParameters.disableCNCheck property controls whether the client validates the identity of the remote server. Set it to false in a production environment: when it is true, host name verification is skipped.
  - Generate the client stubs from the WSDL location.
    @WebServiceClient(name = "SayHelloPojoService",
                      targetNamespace = "http://ibm.com/ws/jaxws/transport/security/",
                      wsdlLocation = "https://localhost:8020/TransportSecurityProvider/unauthorized/employPojoService?wsdl")
    public class SayHelloPojoService extends Service {
        ...
    }

    @WebServiceClient(name = "SayHelloStatelessService",
                      targetNamespace = "http://ibm.com/ws/jaxws/transport/security/",
                      wsdlLocation = "https://localhost:8020/TransportSecurityProvider/unauthorized/EmployStatelessService?wsdl")
    public class SayHelloStatelessService extends Service {
        ...
    }
  - Use the @WebServiceRef annotation to inject the web service into the servlet. For example, in TestJaxWsTransportSecurityServlet:
    @WebServiceRef(name = "service/SayHelloPojoService")
    SayHelloPojoService pojoService;

    @WebServiceRef(name = "service/SayHelloStatelessService")
    SayHelloStatelessService statelessService;
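The procedure above spreads the transport-security configuration over three files that have to agree: the ssl element in server.xml must reference existing keyStore ids, the ssl-ref in the client ibm-ws-bnd.xml must match that ssl id, the provider ibm-ws-bnd.xml must demand a CONFIDENTIAL transport guarantee, and the client's disableCNCheck property must be false in production. The following Python script is an added example, not part of this IBM documentation or of Liberty itself; it cross-checks those files offline and reports one finding per mismatch. The sample documents embedded in it are constructed from the snippets in this procedure, except that one client ssl-ref is deliberately misspelled (sslConfigTypo, an assumed value) so that the dangling-reference check fires.

```python
"""Cross-check Liberty JAX-WS transport-security configuration.

Added example (not from the IBM page or Liberty itself): parses server.xml
and the provider and client ibm-ws-bnd.xml files, then reports dangling
ssl/keyStore references, a missing CONFIDENTIAL transport guarantee, and
disableCNCheck="true", which switches off host name verification.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

BND_NS = "{http://websphere.ibm.com/xml/ns/javaee}"
CN_CHECK_PROP = "http.conduit.tlsClientParameters.disableCNCheck"

# Constructed sample: the server.xml SSL elements shown in the procedure.
SERVER_XML = """<server>
  <sslDefault sslRef="customizeSSLConfig"/>
  <ssl id="customizeSSLConfig" keyStoreRef="serverKeyStore" trustStoreRef="serverTrustStore"/>
  <keyStore id="serverKeyStore" location="myKey.jks" type="JKS" password="passw0rd"/>
  <keyStore id="serverTrustStore" location="myKey.jks" type="JKS" password="passw0rd"/>
</server>"""

# Constructed sample: the provider binding, requiring CONFIDENTIAL transport for /*.
PROVIDER_BND = """<webservices-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.0">
  <http-publishing><webservice-security><security-constraint>
    <web-resource-collection>
      <web-resource-name>All</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint></webservice-security></http-publishing>
</webservices-bnd>"""

# Constructed sample: the client binding. The POJO port still carries the
# development-only disableCNCheck="true"; the stateless port's ssl-ref is
# misspelled (sslConfigTypo is an assumed value) so the reference check fires.
CLIENT_BND = """<webservices-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.0">
  <service-ref name="service/SayHelloPojoService">
    <port name="SayHelloPojoPort" namespace="http://ibm.com/ws/jaxws/transport/security/" ssl-ref="customizeSSLConfig"/>
    <properties http.conduit.tlsClientParameters.disableCNCheck="true"/>
  </service-ref>
  <service-ref name="service/SayHelloStatelessService">
    <port name="SayHelloStatelessPort" namespace="http://ibm.com/ws/jaxws/transport/security/" ssl-ref="sslConfigTypo"/>
  </service-ref>
</webservices-bnd>"""


def lint_server_xml(server_xml: str) -> tuple[set[str], list[str]]:
    """Return the ssl ids plus findings for sslRef/keyStoreRef/trustStoreRef values that point at nothing."""
    root = ET.fromstring(server_xml)
    findings: list[str] = []
    keystore_ids = {k.get("id") for k in root.iter("keyStore")}
    ssl_ids: set[str] = set()
    for ssl in root.iter("ssl"):
        ssl_id = ssl.get("id")
        ssl_ids.add(ssl_id)
        for attr in ("keyStoreRef", "trustStoreRef"):
            ref = ssl.get(attr)
            if ref is not None and ref not in keystore_ids:
                findings.append(f"ssl '{ssl_id}': {attr}='{ref}' matches no keyStore id")
    for default in root.iter("sslDefault"):
        ref = default.get("sslRef")
        if ref is not None and ref not in ssl_ids:
            findings.append(f"sslDefault sslRef='{ref}' matches no ssl id")
    return ssl_ids, findings


def lint_provider_binding(bnd_xml: str) -> list[str]:
    """Every security-constraint must demand CONFIDENTIAL (TLS-only) transport."""
    root = ET.fromstring(bnd_xml)
    constraints = list(root.iter(f"{BND_NS}security-constraint"))
    if not constraints:
        return ["provider binding has no security-constraint; endpoints are reachable over plain HTTP"]
    findings = []
    for sc in constraints:
        patterns = [p.text for p in sc.iter(f"{BND_NS}url-pattern")]
        guarantee = sc.findtext(f"{BND_NS}user-data-constraint/{BND_NS}transport-guarantee")
        if guarantee != "CONFIDENTIAL":
            findings.append(f"url-pattern {patterns}: transport-guarantee is {guarantee!r}, expected CONFIDENTIAL")
    return findings


def lint_client_binding(bnd_xml: str, ssl_ids: set[str]) -> list[str]:
    """Each port's ssl-ref must name an ssl id from server.xml, and disableCNCheck must not be true."""
    root = ET.fromstring(bnd_xml)
    findings = []
    for service_ref in root.iter(f"{BND_NS}service-ref"):
        name = service_ref.get("name")
        for port in service_ref.iter(f"{BND_NS}port"):
            ssl_ref = port.get("ssl-ref")
            if ssl_ref is None:
                findings.append(f"{name}/{port.get('name')}: no ssl-ref; the Liberty default SSL configuration is used")
            elif ssl_ref not in ssl_ids:
                findings.append(f"{name}/{port.get('name')}: ssl-ref='{ssl_ref}' matches no ssl id in server.xml")
        for props in service_ref.iter(f"{BND_NS}properties"):
            if props.get(CN_CHECK_PROP, "false").lower() == "true":
                findings.append(f"{name}: {CN_CHECK_PROP}=true disables host name verification; use false in production")
    return findings


def lint_all(server_xml: str, provider_bnd: str, client_bnd: str) -> list[str]:
    """Run all three checks and return the combined findings."""
    ssl_ids, findings = lint_server_xml(server_xml)
    findings += lint_provider_binding(provider_bnd)
    findings += lint_client_binding(client_bnd, ssl_ids)
    return findings


if __name__ == "__main__":
    for finding in lint_all(SERVER_XML, PROVIDER_BND, CLIENT_BND):
        print("FINDING:", finding)
```

Run against the embedded samples, the script reports two findings: the POJO service reference still has disableCNCheck set to true, and the stateless port's ssl-ref names an ssl id that does not exist in server.xml. To check a real deployment, read the three files from the server configuration directory and the application archives and pass their contents to lint_all.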
Parent topic: Securing web services at the transport level


http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=twlp_sec_ws_ssl
File name: twlp_sec_ws_ssl.html