Monday, April 9, 2012

Calling HTTPS secured service using Java client

Introduction


In previous Blog (http://thejaka-amila.blogspot.com/2012/04/tomcat-axis2-and-https.html) we learnt how to  deploy a service with HTTPS transport. Now my requirement is to call HTTPS secured service using a Java client.

Steps
1. Configure SSL for Tomcat and Axis 2. Follow instructions in [1]
2. Deploy "AddService.aar", i.e. place AddService.aar in $TOMCAT_HOME/webapps/axis2/WEB-INF/services directory
3. Write client program

Writing the client program

So what is the difference between writing a Java client for a normal web service and writing a Java client for HTTPS secure web service ?
The difference is, we need to make our client program prepared for HTTPS handshake and we need to make our client program trust the certificate provided by the server (Tomcat in this case). The Java code which handles SSL connections already capable of handling handshake. But we need to specify where to look for trusted certificate within the client program.

For that we need to specify following bit of code to our client program,


      /**
         * Set SSL trust store parameters.
         */
        System.setProperty("javax.net.ssl.trustStore", "/home/amila/development/apache/rampart-v2-tests/jks/client-jks/client.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "client");

javax.net.ssl.trustStore points to actual trust store and with javax.net.ssl.trustStorePassword we need to specify the password.

You may find complete code snippet in [2].

References
[1] http://thejaka-amila.blogspot.com/2012/04/tomcat-axis2-and-https.html
[2] Client and Server code - http://people.apache.org/~amilaj/ws-scenarios/https-call/raw-https.zip

Tomcat - Axis2 and HTTPS

My requirement is to configure Axis2 to listen to HTTPS calls. I am using Tomcat as my servlet container. So the question is how to configure Axis2 for HTTPS within Tomcat.

Let TOMCAT_HOME = {Location where you installed Tomcat}

Installation
1. Download Tomcat 7
2. Download latest Axis2 version
3. Install Tomcat 7
4. Drop Axis2 WAR distribution to $TOMCAT_HOME/webapps. 
5. Unzip Axis2 WAR distribution


Now start Tomcat server.
- Go to $TOMCAT_HOME/bin
- Type  > sh startup.sh ;tail -f ../logs/catalina.out (Assuming you are in Unix)


Try accessing http://localhost:8080/axis2
You should see Axis2 home page. There you will see links to list services, validate installation and to administer installation.


Now try to access HTTPS URL - https://localhost:8080/axis2 Oops !! This will say the secure connection failed. In FireFox you will get an error code "ssl_error_rx_record_too_long".


Inherently you cannot have a single port for HTTPS and HTTP. In above we were trying to access HTTPS URL from HTTP port. Server does not have a valid certificate to provide in that URL. Therefore browser truncates the connection, saying "ssl error"


So what is the port which HTTPS runs ? This we havent configured yet.


Configuring SSL for Tomcat
Step 1 - Creating self signed certificates and keystores

Type following in a command line
keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.jks -keysize 2048

Answer the questions prompted.

Step 2 - Making configuration changes

1. Go to Tomcat configuration directory (E.g :- ~/development/Tools/webservers/apache-tomcat-7.0.23/conf)
2. Open server.xml
3. Uncomment following configurations,

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

4. Specify above created Keystore files

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               keystoreFile="/home/amila/development/apache/rampart-v2-tests/jks/tomcat-jks/tomcat.jks" keystorePass="tomcat" keyPass="password"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

Now we configured SSL for Tomcat on port 8443. Lets try accessing https://localhost:8443. You should see Tomcat page. Now try accessing https://localhost:8443/axis2/. You will also see Axis2 home page. OK, so far so good. Now try to list services in Axis2 - https://localhost:8443/axis2/services/listServices.

Hmm... Strangely you will not see any services. List services page may depict an "Internal Server Error".
The reason for this behavior is we have not configured HTTPS transport in Axis2 level. We only configured Tomcat. Inorder for Axis2 to be fully functional on HTTPS we also need to configure HTTPS transport in axis2.

Configuring HTTPS in Axis2

Steps
1. Go to $TOMCAT_HOME/webapps/axis2/WEB-INF/conf
2. Open axis2.xml
3. Locate transportReceiver - By default you will see only HTTP transport receiver
4. Configure HTTPS transport receiver and ports

i.e. Modify HTTP transport receiver with port parameter and add HTTPS transport receiver, as follows;

  <transportReceiver name="http"
                       class="org.apache.axis2.transport.http.AxisServletListener">
        <parameter name="port">8080</parameter>
    </transportReceiver>

    <transportReceiver name="https"
                       class="org.apache.axis2.transport.http.AxisServletListener">
        <parameter name="port">8443</parameter>
    </transportReceiver>

Now you should be able to list services through - https://localhost:8443/axis2/services/listServices.

More Reading
[1] Java Keystores - http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
[2] Apache Axis2 - http://axis.apache.org/axis2/java/core/
[3] Tomcat - http://tomcat.apache.org/