How do I use self signed certificate in Axis2 Java client?

Solution 1

Thanks @Jcs

This is how I solved the problem. When I tried opening the webservice URL in a browser, it asked for client certificate. This means, because I had already imported server certificate in jssecacert in jvm, my client was missing the client certificate. So, instead of setting javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties I set javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword properties and it is working fine. I missed before the fact that the private key and certificate are imported into the keystore. ImportKey are basically client identity which I received long back from someone saying those are server certificates. That was misleading me. So, let me summarize the solution if someone is looking for it.

1. Download server certificate and import into JVM cacerts or jssecacerts on system path. I used this post.

2. Open webservice URL in a browser and if it asks for client certificate it means server is set to expect certificate from client. In case of self signed certificate you must already have self signed certificate from server. Import these in a keystore and set the system properties for key store and not the trust store before actually making call to web service as shown below. This is because you already have imported server certificate into client trust store (cacerts).

Code:

MySoap12Stub stub = (MySoap12Stub) new MyLocator().getMySoap12(new java.net.URL(WSUrl));

System.setProperty("javax.net.ssl.keyStore", "certs/keystoreQA.Importkey");
System.setProperty("javax.net.ssl.keyStorePassword", "importkey");

In addition in my case, server is expecting user token and password set into SOAP headers. This is how I set this into SOAP headers:

((Stub) stub).setHeader(HeaderHandler.getSecurityHeader(User, password));

public class HeaderHandler {

    public static SOAPHeaderElement getSecurityHeader(String user,String password) throws Exception {
        SOAPHeaderElement wsseSecurity = new SOAPHeaderElement(new PrefixedQName(
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
            "Security", "wsse"));
        wsseSecurity.setActor(null);
        wsseSecurity.setMustUnderstand(true);

        SOAPElement usernameToken = wsseSecurity.addChildElement("UsernameToken", "wsse");
        usernameToken.setAttribute("xmlns:wsu","http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
        SOAPElement username = usernameToken.addChildElement("Username", "wsse");
        username.addTextNode(user);

        SOAPElement password = usernameToken.addChildElement("Password", "wsse");
        password.setAttribute("Type","http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText");
        password.addTextNode(password);
        return wsseSecurity;
    }
} 

I hope this explains in details how to use self signed certificates and WSSE user token and password in axis2 client calling web services over https using usertoken and password.

Cheers! good to go now.

Solution 2

On the client side, you do not need the certificate private key to trust the server. Since you wrote in your question that you imported the certificate and key in keystore.ImportKey I think that they have been imported as a PrivateKeyEntry (you can verify with keytool the type of entries in the keystore).

However if you want to use the certificate as a trust anchor you should import the certificate as a TrustedCertificateEntry. It can be achieved with keytool:

keytool -importcert -trustcacerts -alias myTrustAnchor -file /path/to/cert.crt -keystore /path/to/keystore

Then you can configure the truststore in your application:

System.setProperty("javax.net.ssl.trustStore","/path/to/keystore");

Author by

Admin

Updated on June 04, 2022