
Summary This article clarifies the steps needed for porting HTTPS secured applications from Artix 5.5 JAX-RPC to Artix 5.6 Java JAX-WS.
Article Number 34339
Environment Artix 5.5 JAX-RPC Artix 5.6 JAX-WS All Supported Operating Systems
Question/Problem Description What steps are necessary to port security configuration settings from an Artix JAX-RPC based application to an Artix JAX-WS application?
Clarifying Information When porting Artix JAX-RPC based applications to Artix JAX-WS, developers face two different configuration mechanisms: Artix JAX-RPC uses a proprietary configuration file, whereas Artix JAX-WS uses an XML-based Spring configuration file.

The two Artix distributions also use different certificate formats: Artix JAX-RPC uses PEM files (trusted CA certificates) and PKCS12 files (certificate plus private key), whereas Artix JAX-WS uses JKS keystores.

This article clarifies the steps needed to port the HTTPS security configuration settings from Artix JAX-RPC to Artix JAX-WS applications, using the HTTPS samples shipped with Artix 5.5 JAX-RPC and Artix 5.6 JAX-WS.
Resolution The Artix 5.5 JAX-RPC sample provided in
    c:\\xxx\\artix_5.5\\cxx_java\\samples\\security\\https
specifies the security settings in the https.cfg configuration file in the following scopes:

https {
    client {
        plugins:at_http:client:use_secure_sockets="true";
        plugins:at_http:client:trusted_root_certificates = "c:\\xxx\\artix_5.5/cxx_java/samples/security/certificates/openssl/x509/crl_ca/X509CA/ca/new_ca.pem";
        plugins:at_http:client:client_certificate = "c:\\xxx\\artix_5.5/cxx_java/samples/security/certificates/openssl/x509/crl_ca/X509CA/certs/crltestcert1.p12";
        plugins:at_http:client:client_private_key_password = "testaspen";
    };

    server {
        plugins:at_http:server:use_secure_sockets="true";
        plugins:at_http:server:trusted_root_certificates = "c:\\xxx\\artix_5.5/cxx_java/samples/security/certificates/openssl/x509/crl_ca/X509CA/ca/new_ca.pem";
        plugins:at_http:server:server_certificate = "c:\\xxx\\artix_5.5/cxx_java/samples/security/certificates/openssl/x509/crl_ca/X509CA/certs/crltestcert1.p12";
        plugins:at_http:server:server_private_key_password = "testaspen";
    };
};


In the steps below, the Key and Certificate Management Tool (keytool) shipped with the JDK is used to manage the keystores, that is, the databases of cryptographic keys, X.509 certificate chains and trusted certificates that Artix JAX-WS reads.

1) Print the details of the trusted CA certificate new_ca.pem referenced above:
    keytool -printcert -file c:/xxx/artix_5.5/cxx_java/samples/security/certificates/openssl/x509/crl_ca/X509CA/ca/new_ca.pem

2) Import the above certificate into a new truststore called truststore.jks protected with password "password":
    keytool -importcert -file c:/xxx/artix_5.5/cxx_java/samples/security/certificates/openssl/x509/crl_ca/X509CA/ca/new_ca.pem -trustcacerts -keystore truststore.jks -storepass password -v

Trust this certificate by confirming with "yes":
Trust this certificate? [no]: yes
Certificate was added to keystore
[Storing truststore.jks]

3) List the contents of the PKCS12 file (keytool prompts for the keystore password when -storepass is not given):
    keytool -list -v -keystore c:/xxx/artix_5.5/cxx_java/samples/security/certificates/openssl/x509/crl_ca/X509CA/certs/crltestcert1.p12 -storetype pkcs12

Search the output for the alias name, e.g.:
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: cert for crl test
Creation date: 29-Aug-2012
Entry type: PrivateKeyEntry

This alias name is needed in the next step when converting the PKCS12 client certificate to JKS format.

4) Convert the PKCS12 client certificate to JKS format into a file called client.jks:
    keytool -importkeystore -srcstoretype pkcs12 -srckeystore c:/xxx/artix_5.5/cxx_java/samples/security/certificates/openssl/x509/crl_ca/X509CA/certs/crltestcert1.p12 -deststoretype jks -destkeystore client.jks -srcalias "cert for crl test" -destalias "cert for crl test" -srckeypass testaspen -destkeypass password

5) Convert the PKCS12 server certificate to JKS format into a file called server.jks:
    keytool -importkeystore -srcstoretype pkcs12 -srckeystore c:/xxx/artix_5.5/cxx_java/samples/security/certificates/openssl/x509/crl_ca/X509CA/certs/crltestcert1.p12 -deststoretype jks -destkeystore server.jks -srcalias "cert for crl test" -destalias "cert for crl test" -srckeypass testaspen -destkeypass password

The -srckeypass value is the private key password from the Artix 5.5 JAX-RPC configuration:
plugins:at_http:client:client_private_key_password = "testaspen";
plugins:at_http:server:server_private_key_password = "testaspen";

Because the commands above pass neither -srcstorepass nor -deststorepass, keytool prompts for the source and destination keystore passwords. The destination keystore password and the -destkeypass value must be the ones later given to Artix JAX-WS in the password attribute of sec:keyStore and the keyPassword attribute of sec:keyManagers respectively (both "password" in the sample configuration below).

The above steps produce the truststore truststore.jks, the client keystore client.jks and the server keystore server.jks. Since the sample uses the single certificate crltestcert1.p12 on both sides, client.jks and server.jks contain the same key pair; a real deployment converts a separate PKCS12 file for each side.
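The conversion in steps 1 to 5 can also be done from Java with the KeyStore API, which is useful when the same migration has to be repeated for many certificates or checked in a build. The program below is an added example written for this article, not code shipped with Artix: it imports the PEM CA into truststore.jks, copies the PrivateKeyEntry of the PKCS12 file into client.jks and server.jks, and then validates each key entry's chain against the truststore the way the CXF key and trust managers will rely on it at handshake time. The class name ConvertArtixStores is hypothetical, the passwords and paths are the sample's, and it assumes, as OpenSSL-created files normally do, that the PKCS12 store password equals the private key password testaspen.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Programmatic equivalent of keytool steps 1-5 plus a validation pass (added example, hypothetical class name). */
public final class ConvertArtixStores {

    static final char[] STORE_PASS = "password".toCharArray();  // sec:keyStore password="password"
    static final char[] KEY_PASS   = "password".toCharArray();  // sec:keyManagers keyPassword="password"
    // plugins:at_http:*:*_private_key_password; assumed to be the PKCS12 store password as well
    static final char[] P12_PASS   = "testaspen".toCharArray();

    /** Step 2: every certificate in the PEM file becomes a trusted entry of a new JKS truststore. */
    static KeyStore buildTruststore(String caPem, String out) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);                                   // start from an empty store
        try (InputStream in = new FileInputStream(caPem)) {
            int n = 0;                                         // a PEM bundle may hold several CAs
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                ts.setCertificateEntry("ca" + n++, c);
            }
        }
        try (OutputStream o = new FileOutputStream(out)) { ts.store(o, STORE_PASS); }
        return ts;
    }

    /** Steps 3-5: copy every PrivateKeyEntry of the PKCS12 file into a JKS keystore under the same alias. */
    static KeyStore convertPkcs12(String p12, String out) throws Exception {
        KeyStore src = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12)) { src.load(in, P12_PASS); }
        KeyStore dst = KeyStore.getInstance("JKS");
        dst.load(null, null);
        for (String alias : Collections.list(src.aliases())) {
            if (!src.isKeyEntry(alias)) continue;
            // the key is re-protected with KEY_PASS, which must match keyPassword in the Spring config
            dst.setKeyEntry(alias, src.getKey(alias, P12_PASS), KEY_PASS, src.getCertificateChain(alias));
        }
        try (OutputStream o = new FileOutputStream(out)) { dst.store(o, STORE_PASS); }
        return dst;
    }

    /** Check what the TLS handshake will check: each key entry's chain builds to a root in the truststore. */
    static List<String> validate(KeyStore ks, KeyStore ts) throws Exception {
        List<String> ok = new ArrayList<>();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        PKIXParameters params = new PKIXParameters(ts);        // trusted entries become trust anchors
        params.setRevocationEnabled(false);                    // the sample CA has no reachable CRL; keep it on for real CAs
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            List<Certificate> path = new ArrayList<>();
            for (Certificate c : ks.getCertificateChain(alias)) {
                if (ts.getCertificateAlias(c) != null) break;  // a PKIX path stops below the trust anchor
                path.add(c);
            }
            if (path.isEmpty()) { ok.add(alias + " is itself a trusted entry"); continue; }
            // throws CertPathValidatorException on a broken chain, wrong CA or expired certificate
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);
            ok.add(alias + " -> " + ((X509Certificate) path.get(0)).getSubjectX500Principal());
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        String base = "c:/xxx/artix_5.5/cxx_java/samples/security/certificates/openssl/x509/crl_ca/X509CA/";
        KeyStore ts = buildTruststore(base + "ca/new_ca.pem", "truststore.jks");
        KeyStore client = convertPkcs12(base + "certs/crltestcert1.p12", "client.jks");
        KeyStore server = convertPkcs12(base + "certs/crltestcert1.p12", "server.jks");
        for (String line : validate(client, ts)) System.out.println("client.jks: " + line);
        for (String line : validate(server, ts)) System.out.println("server.jks: " + line);
    }
}
```

Compile and run it from the directory that should receive the keystores. A certificate that has expired since the sample was built fails the validation step with a CertPathValidatorException, exactly as it would fail the TLS handshake, so the check is worth running before the keystores are copied into the Artix 5.6 sample.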

The new keystores and the truststore can now be copied to the certificates directory of the Artix 5.6 sample
    c:\\xxx\\artix_5.6\\samples\\cxf\\wsdl_first_https\\certs
and referenced from the Spring configuration of the client and server Artix JAX-WS applications as shown below. Both fragments come from the wsdl_first_https sample and carry two settings that must not be kept in a production configuration: disableCNCheck="true" on the client conduit switches off the check that the server certificate's name matches the host being contacted, and the sec:cipherSuitesFilter admits export-grade, single-DES and NULL-encryption suites, so a connection may end up unencrypted even though the handshake succeeds. The mutual authentication of the JAX-RPC sample (client_certificate on the client, server_certificate on the server) is carried over by the client's sec:keyManagers together with the server's sec:clientAuthentication required="true".

Client side (WibbleClient.xml):

  <http:conduit name="{http://apache.org/hello_world_soap_http}SoapPort.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
      <sec:trustManagers>
          <sec:keyStore type="JKS" password="password" file="certs/truststore.jks"/>
      </sec:trustManagers>
      <sec:keyManagers keyPassword="password">
           <sec:keyStore type="JKS" password="password" file="certs/client.jks"/>
      </sec:keyManagers>

      <sec:cipherSuitesFilter>
        <!-- these filters ensure that a ciphersuite with
          export-suitable or null encryption is used,
          but exclude anonymous Diffie-Hellman key change as
          this is vulnerable to man-in-the-middle attacks -->
        <sec:include>.*_EXPORT_.*</sec:include>
        <sec:include>.*_EXPORT1024_.*</sec:include>
        <sec:include>.*_WITH_DES_.*</sec:include>
        <sec:include>.*_WITH_NULL_.*</sec:include>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
   </http:conduit>


Server side (CherryServer.xml):

  <httpj:engine-factory>
   <httpj:engine port="9001">
    <httpj:tlsServerParameters>
      <sec:keyManagers keyPassword="password">
           <sec:keyStore type="JKS" password="password" file="certs/server.jks"/>
      </sec:keyManagers>
      <sec:trustManagers>
          <sec:keyStore type="JKS" password="password" file="certs/truststore.jks"/>
      </sec:trustManagers>

      <sec:cipherSuitesFilter>
        <!-- these filters ensure that a ciphersuite with
          export-suitable or null encryption is used,
          but exclude anonymous Diffie-Hellman key change as
          this is vulnerable to man-in-the-middle attacks -->
        <sec:include>.*_EXPORT_.*</sec:include>
        <sec:include>.*_EXPORT1024_.*</sec:include>
        <sec:include>.*_WITH_DES_.*</sec:include>
        <sec:include>.*_WITH_NULL_.*</sec:include>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
      <sec:clientAuthentication want="true" required="true"/>
    </httpj:tlsServerParameters>
   </httpj:engine>
  </httpj:engine-factory>
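To see what the sample sec:cipherSuitesFilter actually selects, the following added example (not part of the Artix or CXF samples) applies the sample's include and exclude patterns, and a hardened set beside them, first to a constructed list of JSSE suite names and then to the suites the running JVM supports. The matching rule, keep a suite that matches at least one include pattern and no exclude pattern, is an assumption about how CXF evaluates the filter, and the class name CipherSuiteFilterCheck is hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

/** Evaluates cipherSuitesFilter patterns against suite names (added example, hypothetical class name). */
public final class CipherSuiteFilterCheck {

    /** Keep a suite when it matches at least one include pattern and no exclude pattern (assumed CXF semantics). */
    static List<String> filter(String[] supported, List<String> includes, List<String> excludes) {
        List<String> kept = new ArrayList<>();
        for (String suite : supported) {
            boolean included = includes.stream().anyMatch(p -> Pattern.matches(p, suite));
            boolean excluded = excludes.stream().anyMatch(p -> Pattern.matches(p, suite));
            if (included && !excluded) kept.add(suite);
        }
        return kept;
    }

    // Patterns copied from the article's sample sec:cipherSuitesFilter.
    static final List<String> SAMPLE_INCLUDE = Arrays.asList(
            ".*_EXPORT_.*", ".*_EXPORT1024_.*", ".*_WITH_DES_.*", ".*_WITH_NULL_.*");
    static final List<String> SAMPLE_EXCLUDE = Arrays.asList(".*_DH_anon_.*");

    // A replacement for production: forward-secret AEAD suites only (TLS 1.2 ECDHE names and the
    // TLS 1.3 names, which carry no key-exchange part), with anonymous, export, NULL, DES, RC4
    // and MD5 suites excluded explicitly so a typo in an include pattern cannot let them back in.
    static final List<String> HARDENED_INCLUDE = Arrays.asList(
            "TLS_ECDHE_(RSA|ECDSA)_WITH_AES_(128|256)_GCM_SHA(256|384)",
            "TLS_AES_(128|256)_GCM_SHA(256|384)");
    static final List<String> HARDENED_EXCLUDE = Arrays.asList(
            ".*_anon_.*", ".*_EXPORT.*", ".*_NULL_.*", ".*_DES_.*", ".*_RC4_.*", ".*_MD5");

    // Constructed list of JSSE-style suite names, so the effect of each filter is visible on any JDK.
    static final String[] CONSTRUCTED = {
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_NULL_SHA256",
            "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
            "SSL_RSA_WITH_DES_CBC_SHA",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA",
            "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA"
    };

    public static void main(String[] args) throws Exception {
        System.out.println("constructed list, sample filter:   " + filter(CONSTRUCTED, SAMPLE_INCLUDE, SAMPLE_EXCLUDE));
        System.out.println("constructed list, hardened filter: " + filter(CONSTRUCTED, HARDENED_INCLUDE, HARDENED_EXCLUDE));
        // The same filters against what this JVM supports. A current JDK ships few or none of the export
        // and DES suites, so the sample filter leaves little or nothing to negotiate, while whatever it
        // does leave is NULL encryption at best.
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        System.out.println("this JVM, sample filter:   " + filter(supported, SAMPLE_INCLUDE, SAMPLE_EXCLUDE));
        System.out.println("this JVM, hardened filter: " + filter(supported, HARDENED_INCLUDE, HARDENED_EXCLUDE));
    }
}
```

In the constructed list only the NULL and single-DES export suites survive the sample filter, and only the ECDHE and TLS 1.3 AES-GCM suites survive the hardened one; the two pattern lists can be pasted into the sec:include and sec:exclude elements of both WibbleClient.xml and CherryServer.xml unchanged.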
Notes For further details, consult the Artix 5.5 JAX-RPC and Artix 5.6 JAX-WS samples provided in
    c:\\xxx\\artix_5.5\\cxx_java\\samples\\security\\https
    c:\\xxx\\artix_5.6\\samples\\cxf\\wsdl_first_https

as well as the Artix 5.5 Security Guide, C run-time, and the Artix 5.6 Security Guide.

Created date: 29 August 2012
Last Modified: 12 February 2013
Last Published: 29 August 2012
First Published date: 29 August 2012

#KnowledgeDocs
#Orbix