webservices SSL（https）

Question

If i have a webservice over https ( https://mywebservice/myservice ) that means that i need to have a certificate to connect to this webservice, right?

Something like this:

Java HTTPS client certificate authentication

I don´t understand this point, assuming that my first question is correct, why can i connect to a webservice using soapUI 3.5 (and i don't have configuration "SSL Setting") but i always have a error if i communicate using Java (Axis 2 1.6.1) (i already try basic auth, with a lot variants and my request is very similar to the SOAP request(in soapUI)).

And why do i see in SOAPUI logs "INFO [HttpClientSupport$Helper] Updating keyStore.." if i don´t have certificates?

And if i have in my SOAP UI Request Information on "SSL Info", what´s the meaning?

I hope you understand my point.

Thanks a lot.

Answer 1

There are two situations with SSL.

One is one-way certificates, in which case you connect to the server via https and the server provides a public version of it's certificate to the client (in this case soapui). For this to work SoapUI needs to know the root certificate (if it is at the end of a certificate chain) or the actual certificate (if it is a self-signed certificate).

In rare situations where two-way certificates are used one-way is still the same as above, but in the other direction the client provides a certificate to authenticate itself. In this case the server must know of the certificate to be able to approve it.

Unless case your web-service is expecting a certificate for authentication then it is most likely that it is simply a case of one-way certificates as described above, and then it is best to determine whether it is a self-signed certificate or the end of a certificate chain.

Use either openssl on unix/linux systems or open the certificate in your browser on any system after connecting to the webservice to get more details on the structure of the certificate received.

Depending on your client you are using will depend on how you correct the situation, but for soapui for example you would add the root certificate to the cacerts file in the java version used to invoke soapui.