How to configure two way SSL connection in Spring WS without using Spring boot and using separate Apache tomcat server?

Front-end · unresolved · 4 answers · 690 views
Happy的楠姐 2021-02-06 08:16

I need to send SOAP request messages to a server over a two-way SSL connection and also process the SOAP response from the server. I am using Spring M

4 answers
  •  迷失自我
    2021-02-06 08:47

    I can guide you through all the required steps, but there are gaps. Please review my answer so I can provide you the right configuration links.

    Two-way SSL is a TLS connection with client certificate authentication. It is not the same as signing a SOAP request: the certificate is used once to authenticate the client in TLS (see Two-way SSL clarification), whereas signing a SOAP message means making a digital signature over the SOAP body and including it in the SOAP header.

    You need a lot of things (please check):

    • A server to manage the TLS connection. You have selected Tomcat. No problem, but in my opinion it is simpler to put Apache in front as a reverse proxy

    • An SSL certificate, preferably issued by a trusted entity. If not, you can generate your own certificate, but it needs extra configuration in the next steps

    • The public key of the SSL certificate (the X.509 certificate) to configure the client truststore

    • A client certificate to be authenticated in the TLS connection

    • openssl software in order to generate certificates

    • I also recommend using this application (http://portecle.sourceforge.net/) to modify JKS keystores; doing it by hand is a pain

    Configure the server

    1) Generate SSL certificate (server.crt and server.key)

    If you have one, go to 2). If not, follow http://www.akadia.com/services/ssh_test_certificate.html

    # 1024-bit RSA is below current minimums; 2048 bits or more is the norm today
    openssl genrsa -des3 -out server.key 1024
    openssl req -new -key server.key -out server.csr
    # strip the passphrase so the server can read the key unattended
    cp server.key server.key.org
    openssl rsa -in server.key.org -out server.key
    # self-signed certificate, valid for one year
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
    

    You'll get server.crt and server.key

    2) Convert to PKCS12 (server.pfx). Configuration will be simpler this way. If a CA has provided you a certificate, it will also have given you a CACert.

    openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile CACert.crt
    

    3) Generate a client certificate (client.p12) (extracted from https://gist.github.com/mtigas/952344)

     Create a Certificate Authority root
     openssl genrsa -des3 -out ca.key 4096
     openssl req -new -x509 -days 365 -key ca.key -out ca.crt

     Create the Client Key and CSR
     openssl genrsa -des3 -out client.key 4096
     openssl req -new -key client.key -out client.csr
     # signed by the CA created above
     openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

     Convert Client Key to PKCS12
     openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
    

    4) Configure server truststore (truststore.jks)

    Open portecle
    New KeyStore -> JKS
    Import trusted certificate. Import client.crt and ca.crt
    Save as truststore.jks
    

    5) Configure tomcat SSL with client auth

    See https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support (similar to Prashant Thorat's answer)


    Configure the client

    1) Create the client truststore (client-truststore.jks). Open portecle, create a new JKS and include the server certificate (server.crt) as trusted.

    2) Create the client keystore (client-keystore.jks). Open portecle, create a new JKS and import a key pair. Use client.p12, or client.crt and client.key. Import ca.crt as well.

    3) Configure Spring. I've never done Spring WS, but I have with CXF. It's the same concept. You do not need to sign SOAP, you only need a TLS connection with client auth, so no SOAP configuration is needed.

    Follow this tutorial https://secinto.wordpress.com/2013/01/21/spring-and-webservices-how-to-use-ssltls-client-authentication/

    the key part is:

    import java.net.URL;

    import org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory;
    import org.apache.commons.httpclient.protocol.Protocol;
    import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;

    // Commons HttpClient 3.x: register an "https" Protocol backed by a socket factory that
    // presents the client key pair from client-keystore.jks and trusts client-truststore.jks
    private void setupTLSSpring() throws Exception {
        ProtocolSocketFactory authSSLProtocolSocketFactory = new AuthSSLProtocolSocketFactory(
                new URL("file:%PATH_TO_KEYSTORE%/client-keystore.jks"), PASSWORD,
                new URL("file:%PATH_TO_TRUSTSTORE%/client-truststore.jks"), PASSWORD);

        // 8410 is the default port used when an https URL does not specify one
        Protocol.registerProtocol("https", new Protocol("https", authSSLProtocolSocketFactory, 8410));
    }
    

    EDITED

    If you use a bank API, probably the bank runs the server with a trusted SSL certificate and provides you a client certificate for authentication. Isn't that the case? In that case, forget the 'Configure the server' section.

    In 'Configure the client' step 1, extract the public key from the server's SSL certificate and import it into client-truststore.jks.

    If some step is not suitable for your desired configuration, please detail it.
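The answer above defers the Spring side to a CXF/Commons HttpClient 3 tutorial. The question is about Spring WS, so here is an added example (editor's code, not the answerer's and not from any tutorial linked above) that wires the same client-keystore.jks and client-truststore.jks into a Spring WS WebServiceTemplate through Spring WS's own HttpsUrlConnectionMessageSender, so no third-party HTTP client is needed. The store paths, the passwords, the endpoint URL and the ping payload are placeholders chosen for the example; replace them with your own, and load the passwords from configuration rather than hardcoding them.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.StringReader;
import java.io.StringWriter;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

import org.springframework.ws.client.core.WebServiceTemplate;
import org.springframework.ws.transport.http.HttpsUrlConnectionMessageSender;

public class MutualTlsSoapClient {

    // Placeholder paths/passwords; the store names follow the 'Configure the client' steps above.
    private static final String KEYSTORE_PATH = "/etc/app/client-keystore.jks";
    private static final char[] KEYSTORE_PASS = "changeit".toCharArray();
    private static final String TRUSTSTORE_PATH = "/etc/app/client-truststore.jks";
    private static final char[] TRUSTSTORE_PASS = "changeit".toCharArray();
    // Placeholder endpoint: the Tomcat HTTPS connector with clientAuth="true".
    private static final String ENDPOINT = "https://soap.example.com:8443/ws";

    private static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static WebServiceTemplate buildTemplate() throws Exception {
        // Client key pair (client.crt + client.key imported into client-keystore.jks):
        // presented during the handshake when the server requests client authentication.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(KEYSTORE_PATH, KEYSTORE_PASS), KEYSTORE_PASS);

        // Trust anchors: only server.crt (or the CA that issued it) from client-truststore.jks,
        // not the JVM's default cacerts, so an unrelated public CA cannot impersonate the server.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(TRUSTSTORE_PATH, TRUSTSTORE_PASS));

        HttpsUrlConnectionMessageSender sender = new HttpsUrlConnectionMessageSender();
        sender.setKeyManagers(kmf.getKeyManagers());
        sender.setTrustManagers(tmf.getTrustManagers());
        sender.setSslProtocol("TLSv1.2");
        // No custom HostnameVerifier on purpose: the default checks the server name
        // against the certificate, which a two-way SSL setup must not switch off.

        WebServiceTemplate template = new WebServiceTemplate();
        template.setDefaultUri(ENDPOINT);
        template.setMessageSender(sender);
        return template;
    }

    // Sends the given SOAP body payload and returns the response payload as a string.
    public static String call(WebServiceTemplate template, String requestPayload) {
        StringWriter out = new StringWriter();
        template.sendSourceAndReceiveToResult(
                new StreamSource(new StringReader(requestPayload)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder request; the real payload depends on the service's WSDL.
        String payload = "<ns:ping xmlns:ns=\"http://example.com/ws\"/>";
        System.out.println(call(buildTemplate(), payload));
    }
}
```

On the Tomcat side, the matching connector from step 5 is the one in server.xml with SSLEnabled="true", clientAuth="true", keystoreFile/keystorePass pointing at server.pfx (keystoreType="PKCS12") and truststoreFile/truststorePass pointing at truststore.jks; with clientAuth="true" the handshake fails for any client that does not present a certificate chaining to ca.crt or client.crt in that truststore. A quick way to check the server before touching Spring is `openssl s_client -connect host:8443 -cert client.crt -key client.key -CAfile server.crt`: a completed handshake with "Verify return code: 0 (ok)" means both directions of the two-way SSL setup are correct.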
