使用 Axis2/Java 创建 SSL 客户端

Question

I'm trying to connect to the WebService that uses SSL but no success. I use Axis2, I found some usefull article: http://people.apache.org/~dumindu/docs/HowToConfigureSSL.html , but it is for C. In this article they set pathes to SERVER_CERT, KEY_FILE and SSL_PASSPHRASE using axis2.xml or C coding. I tried to change configuration file but this doesn't work for me. If somebody know how to set this parameters from within Java code, let me know.

Answer 1

You may be interested in this answer to a similar question. In particular, Axis 2 seems to be using Apache HttpClient 3.x, according to this document :

If you want to perform SSL client authentication (2-way SSL), you may use the Protocol.registerProtocol feature of HttpClient. You can overwrite the "https" protocol, or use a different protocol for your SSL client authentication communications if you don't want to mess with regular https. Find more information at http://jakarta.apache.org/commons/httpclient/sslguide.html

(You can build your SSLContext from your existing keystore, and configure HttpClient 3.1 using this socket factory .)

Answer 2

I initialized EasySSLProtocolSocketFactory and Protocol instances for different endpoints and register the protocol with unique key like this:

/**
 * This method does the following:
 * 1. Creates a new and unique protocol for each SSL URL that is secured by client certificate
 * 2. Bind keyStore related information to this protocol
 * 3. Registers it with HTTP Protocol object 
 * 4. Stores the local reference for this custom protocol for use during furture collect calls
 * 
 *  @throws Exception
 */
public void registerProtocolCertificate() throws Exception {
    EasySSLProtocolSocketFactory easySSLPSFactory = new EasySSLProtocolSocketFactory();
    easySSLPSFactory.setKeyMaterial(createKeyMaterial());
    myProtocolPrefix = (HTTPS_PROTOCOL + uniqueCounter.incrementAndGet());
    Protocol httpsProtocol = new Protocol(myProtocolPrefix,(ProtocolSocketFactory) easySSLPSFactory, port);
    Protocol.registerProtocol(myProtocolPrefix, httpsProtocol);
    log.trace("Protocol [ "+myProtocolPrefix+" ] registered for the first time");
}

/**
 * Load keystore for CLIENT-CERT protected endpoints
 */
private KeyMaterial createKeyMaterial() throws GeneralSecurityException, Exception  {
    KeyMaterial km = null;
    char[] password = keyStorePassphrase.toCharArray();
    File f = new File(keyStoreLocation);
    if (f.exists()) {
        try {
            km = new KeyMaterial(keyStoreLocation, password);
            log.trace("Keystore location is: " + keyStoreLocation + "");
        } catch (GeneralSecurityException gse) {
            if (logErrors){
                log.error("Exception occured while loading keystore from the following location: "+keyStoreLocation, gse);
                throw gse;
            }
        }
    } else {
        log.error("Unable to load Keystore from the following location: " + keyStoreLocation );
        throw new CollectorInitException("Unable to load Keystore from the following location: " + keyStoreLocation);
    }
    return km;
}   

When I have to invoke the web service, I do this (which basically replace "https" in the URL with https1, or https2 or something else depending on the Protocol you initialized for that particular endpoint):

httpClient.getHostConfiguration().setHost(host, port,Protocol.getProtocol(myProtocolPrefix));
initializeHttpMethod(this.url.toString().replace(HTTPS_PROTOCOL, myProtocolPrefix));

It works like a charm!

Answer 3

Ok so it's >10 years later, but anyways. This could have saved me some time today:)

Create a custom HttpClient with SSLContext:

 public static HttpClient sslEnabledHttpClient(final URL ks, final char[] storePass,
                                                  final URL ts, final char[] tsPass) {

        try {
            //Minimalistic SSLContext.
            final SSLContextBuilder builder = SSLContexts.custom()
                    .loadKeyMaterial(ks, storePass, storePass); 

            if (ts != null) {
                builder.loadTrustMaterial(ts, tsPass);
            }
            final SSLContext sslContext = builder.build();
            return HttpClientBuilder.create().setSSLContext(sslContext).build();
        } catch (final Exception e) {
            throw new RuntimeException(e);
        }
    }

And use that:

// Out of the box Axis2 does not support SSL with client authentication.
// So we need a custom HttpClient.
final HttpClient client = Util.sslEnabledHttpClient(
        this.keyStoreURL, this.keyStorePassword.toCharArray(),
        this.trustStoreURL, this.trustStorePassword.toCharArray());


myStub._getServiceClient().getOptions().setProperty(HTTPConstants.CACHED_HTTP_CLIENT, client);