Tomcat Configuration WebService HTTPS for SSL single-way authentication

Recently, a Web service service was published on the project using Tomcat, and the customer required SSL security technology to implement HTTPS to provide the service interface, the following is a backup.

One, one-way certification

1. First use the Keytool tool to generate a server-side KeyStore file, Keytool tool implementation to confirm that the machine is configured with the JDK environment variables, if not, need to go to the JDK's current directory to execute commands

Keytool-genkey-alias webservice_server-keystore server.keystore-keyalg rsa-keysize 4096-storetype JKS

2. Export the server-side RSA certificate and import the certificate into the client Truststore file, the Truststore file is used by the client to authenticate to the server

Keytool-export-alias webservice_server-file webserviceserver.cer-storepass 123456a? -keystore Server.keystore-storetype JKS

Keytool-import-file webserviceserver.cer-storepass 123456a? -keystore Client.truststore-alias Serverkey-noprompt

3. Configure the following in the Conf/server.xml file in the Tomcat root directory to comment

<connector port= "8443" protocol= "http/1.1" maxthreads= "" "minsparethreads=" maxsparethreads= "75"

Enablelookups= "false" disableuploadtimeout= "true" sslenabled= "true"

acceptcount= "debug=" 0 "scheme=" https "secure=" true "Clientauth=" true "keystorefile=" Server.keystore " keystorepass= "Password" sslprotocol= "TLS"/>

4. Deploy the Axis service, do not write here how to deploy, directly start Tomcat view WSDL

  https://localhost:8443/ws/services/axisWS.Test?wsdl

The above steps complete the server configuration, the following is how the client calls

5. Client calling Code

public static void Main (string[] args) {try {String endpoint = "Https://localhost:8443/eomsWS/services/axisWS.Test"
			;
			1. Create a service object and create a service service = new service () from the class that comes with axis;
		 URL url = new URL (endpoint);    //through the construction of the URL class to the Wsdlurl address to create a URL object    //2. To create a caller object for a service method call, set the properties of the calling object
			) Service.createcall ();
			Configure the client Truststore file path System.setproperty ("Javax.net.ssl.trustStore", "E:/keystore/client/client.truststore");
			Sets the URL property of the request to the Call Object Call.settargetendpointaddress (URL);
			String serviceName = "SayHello";
			Sets the calling method Name property to the Call Object Call.setoperationname (New QName ("http://loushang.ws", ServiceName));
			Set the parameter name, parameter type, parameter mode call.addparameter ("param", xmltype.xsd_string, parametermode.in) for the call object.
			Sets the return value type of the calling method Call.setreturntype (xmltype.soap_string);
			4. Call WebService String param = "1222222" via the Invoke method; string res = (string) call.invoke (new object[] {param});//Invoke Service method System.out.println (RES);
		} catch (Serviceexception e) {e.printstacktrace ();
		} catch (Malformedurlexception E1) {e1.printstacktrace ();
		} catch (RemoteException e) {e.printstacktrace ();
 }

}

6. Run the code if the interface output result indicates that the connection was successful.

Two, two-way certification

Two-way authentication the process of generating a client keystore and importing the client certificate RSA file into a server-side Truststore file, in the following steps:

1. Generate the client KeyStore KeyStore file after one-way authentication 1, 2 steps

Keytool-genkey-dname "Cn=webservice_client, Ou=jn, O=jn, L=jn, S=jn, C=CN"-storepass 123456a? -keystore client.keystore-keyalg rsa-keypass 123456a?

2. Export the client-side RSA certificate and import the certificate into the service-side Truststore file, which is used by the server to authenticate the client side

Keytool-export-file webserviceclient.cer-storepass 123456a? -keystore Client.keystore

Keytool-import-file webserviceclient.cer-storepass 123456a? -keystore Server.truststore-alias Clientkey-noprompt

3. Add Truststorefile and Truststorepass to connector in Conf/server.xml under Tomcat and configure 3 additions in one-way authentication

4. Modify the client calling code

	To configure the client truststore validation file path

System.setproperty ("Javax.net.ssl.trustStore", "E:/keystore/client/client.truststore");

Configure the server-side truststore to verify file paths

System.setproperty ("Javax.net.ssl.keyStore", "E:/keystore/client/client.keystore");

5. Restart the Tomcat test code.

Bibliography Path:

http://www.ibm.com/developerworks/cn/webservices/ws-secaxis1/