Wednesday, February 11, 2004


Securing a Web Service - Server SSL

Next on my list of tasks, after a bit of a layoff blogging due to a mixture of too many things on the go at work, not having Radio Userland on Linux, travel and a cold this week (excuses excuses!), is turning on SSL.  As I am using  OC4J 9.0.4 standalone, I will be using JDK 1.4.1 for this.  The nice part of JDK 1.4.1 is it comes with Java Secure Socket Extension (JSSE) built in - I can quickly generate server and client test certificates and keystores. 

Before getting to my simplified view of SSL in an OC4J world, be aware there is some great documentation outlining this in the OC4J StandAlone Users Guide.   I will provide a simple use case of it. 

First you need to generate a keystore for your server:

<JAVA_HOME>\jre\bin\keytool -genkey -alias oc4j-sv -dname "CN=localhost, OU=STJPG, O=Oracle, L=Redwood Shores, S=CA, C=US" -keyalg "RSA" -keystore server.keystore -storepass welcome -keypass welcome

where <JAVA_HOME> is where your JDK 1.4.1 is installed.  Note the common name (CN), organizational unit (OU), organization (O), location (L), state (S) and country (C) are just whatever I want as this is just a test environment.  In real life I would use a certificate authority (like the new one in OracleAS 10g) or purchase through Verisign, Thawte etc.

Once you have done this you need to configure OC4J to use this.  The first thing you typically do is create a copy of http-web-site.xml and call it something appropriate, as it will be the configuration of your SSL web site.  I will call it secure-web-site.xml, contents shown in [1].  Note two things about it - first the secure="true" attribute on the <web-site> element, telling it you will be using SSL, and then the <ssl-config> element defining where the keystore file is located and the password you used to set it up.  This bit of doc describes this in more detail.

Next, you have to configure the website of OC4J to use the new improved and configured secure-web-site.xml rather than the old non-SSL http-web-site.xml. This is a quick edit of server.xml, updating the <web-site> element to point to the correct file.  See [2].

Re-start OC4J and you are in business.  It will now work by going to https://localhost:4443 (assuming you chose 4443 in your secure-web-site.xml). Note when you go there via a browser you will get a popup window indicating that you are going to a site whose certificate you have not chosen to trust.  Just click on Yes so you can test it out.  If you have been following the preceding set of examples, you can now run the Web service from its endpoint home page over SSL.

The part that gets more interesting of course, is now how do I change my Web services client to use JSSE generically rather than Oracle's SSL libraries.  Most folks find it relatively easy to get this far, but then the next step always is - and then just use JSSE to call the Web service. 

It turns out this isn't hard, but where the documentation exists ... good question.  Next entry - hopefully in a shorter timeframe than the last one :-)

Extra note:  Check out the musings of my colleague Steve Button who has revived his blog and is on a bit of a tear on JMX which he manages in OC4J.

[1]

<?xml version="1.0"?>
<!DOCTYPE web-site PUBLIC "-//Oracle//DTD OC4J Web-site 9.04//EN" "http://xmlns.oracle.com/ias/dtds/web-site-9_04.dtd">

<web-site port="4443" secure="true" display-name="OracleAS Containers for J2EE HTTP Web Site">
 <default-web-app application="default" name="defaultWebApp" />
 <web-app application="default" name="dms0" root="/dms0" />
 <web-app application="default" name="dms" root="/dmsoc4j" />
 <web-app application="default" name="admin_web" root="/adminoc4j" />
 <access-log path="../log/http-web-access.log" />
 <ssl-config factory="com.evermind.ssl.JSSESSLServerSocketFactory" keystore="../../server.keystore" keystore-password="welcome">
  <property name="keyStore.password.obfuscated" value="welcome" />
  <property name="provider" value="com.sun.net.ssl.internal.ssl.Provider" />
 </ssl-config>
</web-site>


[2]
<?xml version="1.0"?>
<!DOCTYPE application-server PUBLIC "-//Oracle//DTD OC4J Application-server 9.04//EN" "http://xmlns.oracle.com/ias/dtds/application-server-9_04.dtd">

<application-server application-directory="../applications"
 deployment-directory="../application-deployments"
 connector-directory="../connectors"
>
 <rmi-config path="./rmi.xml" />
 <jms-config path="./jms.xml" />
 <log>
  <file path="../log/server.log" />
 </log>
 <transaction-config timeout="30000" />
 <java-compiler name="javac" in-process="false" extdirs="C:\Program Files\Java\j2re1.4.1_03\lib\ext" />
 <global-application name="default" path="application.xml" />
 <application name="Workspace2-Project1-WS" path="../applications/Workspace2-Project1-WS.ear" auto-start="true" />
 <global-web-app-config path="global-web-application.xml" />
 <web-site path="./secure-web-site.xml" />
 <cluster  id="140501332961216" />
</application-server>



10:40:34 PM