Configuring Secure Connections for Axiom

Configuring A Secure Connection On Axiom

You need a Java keystore that contains your SSL certificate(s). You reference it from your axiom-config.xml by adding a section like this one:

<Call name="addListener">
  <Arg>
    <New class="org.mortbay.http.SunJsseListener">
      <Set name="Port">8443</Set>
      <Set name="PoolName">http</Set>
      <Set name="Keystore"><SystemProperty name="jetty.home" default="."/>/keys/keystore</Set>
      <Set name="Password">s1t3w0rx</Set>
      <Set name="KeyPassword">s1t3w0rx</Set>
      <Set name="NonPersistentUserAgent">MSIE 5</Set>
    </New>
  </Arg>
</Call>

Just change the keystore location, password, and port number to match your environment and you should be good to go.

If you are using an Axiom instance based on Jetty 6 (releases 3.0.22 and later, and 3.1.x), then you will want to use this XML instead:

<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.security.SslSocketConnector">
      <Set name="Port">443</Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="keystore"><SystemProperty name="jetty.home" default="."/>/keys/keystore</Set>
      <Set name="password">s1t3w0rx</Set>
      <Set name="keyPassword">s1t3w0rx</Set>
    </New>
  </Arg>
</Call>

Creating a Keystore

$ /cygdrive/c/Program\ Files/Java/jdk1.6.0_02/bin/keytool.exe -[some command] -keystore keystore
Enter keystore password:  siteworx
Re-enter new password: siteworx
...

The above creates a key inside the keystore you specified (-keystore keystore) with the credentials you entered. If you do not already have a key/cert, you will want this information to be accurate. However, you can also import certificates, as shown below.

As a side note, you do not need to create the keystore explicitly. In fact, keytool has no command that only creates a keystore; it always needs a command to run. If the file named by -keystore does not exist, it will be created for you as part of whatever command you are running.

Importing a Certificate

$ /cygdrive/c/Program\ Files/Java/jdk1.6.0_02/bin/keytool.exe -importcert -keystore keystore -file /axiom_releases/3_0_8/keys/www_somesite_com.crt 
Enter keystore password:  siteworx
Re-enter new password: siteworx
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Serial number: 5a9d823d7980d6d4a93efc2d606dce5c
Valid from: Sun Mar 04 19:00:00 EST 2007 until: Wed Mar 04 18:59:59 EST 2009
Certificate fingerprints:
         MD5:  48:45:F0:EA:F1:03:93:95:B9:39:2A:F6:9D:3C:76:61
         SHA1: 27:9E:1C:2C:8E:AE:8F:EB:7A:A5:5D:2F:50:9E:7B:96:1E:B6:4E:23
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ocsp.thawte.com]
]

#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.thawte.com/ThawteServerPremiumCA.crl]
]]

#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

Trust this certificate? [no]:  y
Certificate was added to keystore

To import a certificate into a keystore, run the command above. The certificate details that keytool prints before the "Trust this certificate?" prompt (owner, issuer, validity period and fingerprints) are there so you can verify that the certificate and its issuing CA are the ones you expect before answering yes.
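The fields keytool prints are what you check before answering "Trust this certificate?". The following Python script is an added example, not part of the original page or of Axiom: it parses that dump and applies the checks a reviewer would make (subject name, issuer, pinned SHA1 fingerprint, validity window, serverAuth usage and signature algorithm). The site name www.somesite.com is an assumption taken from the certificate file name above, the pinned fingerprint is the SHA1 value from the dump, and the sample input is the page's own dump, trimmed.

```python
import re
from datetime import datetime
# Constructed sample: the certificate dump that "keytool -importcert" printed on this page, trimmed.
SAMPLE = """Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Valid from: Sun Mar 04 19:00:00 EST 2007 until: Wed Mar 04 18:59:59 EST 2009
         SHA1: 27:9E:1C:2C:8E:AE:8F:EB:7A:A5:5D:2F:50:9E:7B:96:1E:B6:4E:23
         Signature algorithm name: SHA1withRSA
BasicConstraints:[
  CA:false
]
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
"""

def _parse_date(text):
    # keytool prints "Sun Mar 04 19:00:00 EST 2007"; drop the zone name, which strptime cannot parse portably
    parts = text.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")

def _rdn(dn, attr):
    # First value of one attribute (e.g. CN) in a keytool-style "A=x, B=y" distinguished name
    m = re.search(r"(?:^|, )" + attr + r"=([^,]*)", dn)
    return m.group(1) if m else ""

def parse_printcert(text):
    """Pull out the fields a reviewer checks before answering "Trust this certificate?"."""
    info = {}
    for label in ("Owner", "Issuer", "Signature algorithm name"):
        m = re.search(r"^\s*" + label + r": (.*)$", text, re.M)
        info[label] = m.group(1).strip() if m else ""
    m = re.search(r"Valid from: (.*) until: (.*)", text)
    info["not_before"], info["not_after"] = _parse_date(m.group(1)), _parse_date(m.group(2))
    info["sha1"] = re.search(r"SHA1: ([0-9A-Fa-f:]+)", text).group(1).replace(":", "").lower()
    m = re.search(r"ExtendedKeyUsages \[(.*?)\]", text, re.S)
    info["eku"] = m.group(1).split() if m else []
    info["ca"] = "CA:true" in text
    return info

def check_certificate(info, site_host, issuer_cn, pinned_sha1, now):
    """Return the reasons to answer "no"; an empty list means the certificate checks out."""
    checks = [
        (_rdn(info["Owner"], "CN").lower() != site_host.lower(), "subject CN is not the site name"),
        (_rdn(info["Issuer"], "CN") != issuer_cn, "issuer is not the expected CA"),
        (info["sha1"] != pinned_sha1.replace(":", "").lower(), "SHA1 fingerprint differs from the one the CA gave you"),
        (not info["not_before"] <= now <= info["not_after"], "outside validity period"),
        (info["ca"] or "serverAuth" not in info["eku"], "not a CA:false serverAuth certificate"),
        (info["Signature algorithm name"].upper().startswith(("MD5", "SHA1")), "weak signature algorithm"),
    ]
    return [msg for failed, msg in checks if failed]
```

Run against the dump above it reports the subject CN of "Unknown" and the SHA1withRSA signature, which is exactly what you would want to notice before typing y at the prompt.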

Keytool

The following is the output from running keytool without parameters. It should give you a basic idea of what you can do with this utility.

$ /cygdrive/c/Program\ Files/Java/jdk1.6.0_02/bin/keytool.exe 
keytool usage:

-certreq     [-v] [-protected]
             [-alias <alias>] [-sigalg <sigalg>]
             [-file <csr_file>] [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-changealias [-v] [-protected] -alias <alias> -destalias <destalias>
             [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-delete      [-v] [-protected] -alias <alias>
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-exportcert  [-v] [-rfc] [-protected]
             [-alias <alias>] [-file <cert_file>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-genkeypair  [-v] [-protected]
             [-alias <alias>]
             [-keyalg <keyalg>] [-keysize <keysize>]
             [-sigalg <sigalg>] [-dname <dname>]
             [-validity <valDays>] [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-genseckey   [-v] [-protected]
             [-alias <alias>] [-keypass <keypass>]
             [-keyalg <keyalg>] [-keysize <keysize>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-help

-importcert  [-v] [-noprompt] [-trustcacerts] [-protected]
             [-alias <alias>]
             [-file <cert_file>] [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-importkeystore [-v] 
             [-srckeystore <srckeystore>] [-destkeystore <destkeystore>]
             [-srcstoretype <srcstoretype>] [-deststoretype <deststoretype>]
             [-srcstorepass <srcstorepass>] [-deststorepass <deststorepass>]
             [-srcprotected] [-destprotected]
             [-srcprovidername <srcprovidername>]
             [-destprovidername <destprovidername>]
             [-srcalias <srcalias> [-destalias <destalias>]
               [-srckeypass <srckeypass>] [-destkeypass <destkeypass>]]
             [-noprompt]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-keypasswd   [-v] [-alias <alias>]
             [-keypass <old_keypass>] [-new <new_keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-list        [-v | -rfc] [-protected]
             [-alias <alias>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-printcert   [-v] [-file <cert_file>]

-storepasswd [-v] [-new <new_storepass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

Resources