Currently in a project that requires signing all Web Service requests with a trusted certificate, I thought it would be easy to configure Axis2/Rampart to do what is required. It turned out to be a small headache!
At first I had some problems understanding the concepts, but after all those documents I went through diagonally, I think the following is correct:
In order to sign a message you need two things:
- The signature (or a reference to it) used to sign the content
- The results of the signing, called "digest"
What you pass in the signature part is the public key of your signature, while you sign it with your private key; it always works like that, but you have to keep it in mind before you run into trouble.
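To make the "which key does what" point concrete, here is a small added Java illustration (not code from the post, and not Rampart's own code). It generates an RSA key pair in memory as a stand-in for the certificate and private key that Rampart would load from a keystore (an assumption of this demo), computes the digest of a constructed sample body, signs it with the private key, and shows that verification needs nothing but the public key and fails as soon as the signed content changes.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

// Added illustration: which key does what when a message is signed.
// The key pair is generated in memory here; Rampart would instead load the
// private key and certificate from a keystore (an assumption of this demo).
public class SignDemo {

    // The digest: a hash of the signed content. In an XML Signature this is the
    // value carried in ds:DigestValue for each signed element.
    static byte[] digest(byte[] content) throws Exception {
        return MessageDigest.getInstance("SHA-1").digest(content);
    }

    // Signing needs the PRIVATE key, which never leaves the sender.
    static byte[] sign(PrivateKey privateKey, byte[] content) throws Exception {
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(privateKey);
        signer.update(content);
        return signer.sign();
    }

    // Verification needs only the PUBLIC key, which the receiver takes from the
    // certificate (or certificate reference) carried in the message.
    static boolean verify(PublicKey publicKey, byte[] content, byte[] signatureValue) throws Exception {
        Signature verifier = Signature.getInstance("SHA1withRSA");
        verifier.initVerify(publicKey);
        verifier.update(content);
        return verifier.verify(signatureValue);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();

        // Constructed sample payload standing in for a SOAP body
        byte[] body = "<soapenv:Body><getQuote>IBM</getQuote></soapenv:Body>".getBytes("UTF-8");

        byte[] digestValue = digest(body);
        byte[] signatureValue = sign(pair.getPrivate(), body);
        System.out.println("DigestValue    = " + hex(digestValue));
        System.out.println("SignatureValue = " + hex(signatureValue));

        // The receiver checks the signature with the public key only
        System.out.println("verifies with public key: " + verify(pair.getPublic(), body, signatureValue));

        // Any change to the signed content breaks the signature
        byte[] tampered = body.clone();
        tampered[tampered.length - 8] ^= 0x01;
        System.out.println("verifies after tampering: " + verify(pair.getPublic(), tampered, signatureValue));
    }
}
```

The two outputs at the end are the whole story: the receiver only ever holds the public key, and a signature over one byte sequence says nothing about any other byte sequence. In a WS-Security header the same pieces appear as ds:DigestValue, ds:SignatureValue and the BinarySecurityToken (or a reference to it) carrying the certificate.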
I thought I would start from the technology and then gradually build what is missing.
I installed axis2 version 1.4 and – originally – rampart version 1.1; currently the axis2 project refers to v.1.1 of rampart. So you have to download axis2 from http://ws.apache.org/axis2/download.cgi and rampart from http://ws.apache.org/rampart/download.html. The axis2 project mixes the versions and sometimes talks about 1.3, others about 1.1 of rampart. Just use the second link to be sure. After lots of hours I realised versions are only compatible when they match to the third versioning item, e.g. axis2 v.1.1.1 is not compatible with Rampart 1.1!
Just download and expand the compressed files in the respective directories.
As you will immediately notice in the release notes of Rampart 1.4, they no longer support the Bouncy Castle jars, which are nevertheless required for the system to work. Download just the jar you need for your JDK; mine being 1.5, I downloaded this jar: http://www.bouncycastle.org/download/bcprov-jdk15-140.jar. You have to add it to your Axis2 lib directory.
You MUST update the Java security file, by adding the following line as the last line of the java.security file, which can be found in the JRE's lib/security directory (X is the next unused provider number in that file):
security.provider.X=org.bouncycastle.jce.provider.BouncyCastleProvider
You also have to copy a few jars and modules from Rampart to Axis2 and you can do that with the ant build.xml file found in the samples subdirectory.
Finally, make sure your client and service provider have access to the Axis2 lib, containing all the necessary jars we copied above. To help you run the samples, you need to set the environment variable AXIS2_HOME to the directory where you uncompressed the axis2 download.
Then, try running the samples in the samples/basic directory. I can't promise it will work as indicated, as I managed to have them run after lots of reinstalls and downloads of various versions; if it doesn't, please let me know and I'll try to update this post with the correct steps.
You run the server with ant service.01 and the client with ant client.01. Be careful: the step above, where you declared the security provider, has to be done for the JDK/JRE used by ant! If you have multiple JRE/JDKs installed, make sure you know which one is used by the ant script and update the security provider for that one.
As recommended in the various readme files, I strongly suggest using tcpmon (http://ws.apache.org/commons/tcpmon/download.cgi) in between the client and the server; just looking at the exchanged messages is better than following the best course on web services.
Then set the client port to 9080 by changing the entry <property name="client.port" value="9080"/> in the build.xml file in samples/basic, and start tcpmon to listen on 9080 and redirect to localhost:8080 (where the server listens).
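Because the "wrong JRE" trap above is so easy to fall into, here is an added check (my own code, not part of the post or of Rampart) that prints which JRE is actually running and whether the Bouncy Castle provider is active in it. The provider name "BC" is the one BouncyCastleProvider registers itself under; the jar file name is the one downloaded above.

```java
import java.security.Provider;
import java.security.Security;

// Added check (not from the post): confirms which JRE is running and whether the
// Bouncy Castle provider registered in that JRE's java.security is actually active.
public class ProviderCheck {

    // 1-based position of the Bouncy Castle provider ("BC") in the provider list,
    // which should match the number you used in security.provider.X; -1 if absent.
    static int bouncyCastlePosition() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            if ("BC".equals(providers[i].getName())) {
                return i + 1;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        String javaHome = System.getProperty("java.home");
        System.out.println("Running on: " + javaHome + " (" + System.getProperty("java.version") + ")");
        System.out.println("Provider file read by this JRE: " + javaHome + "/lib/security/java.security");

        // Every provider this JRE knows about, in preference order
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersion() + " - " + p.getInfo());
        }

        int pos = bouncyCastlePosition();
        if (pos < 0) {
            // A provider line whose class cannot be loaded is skipped silently,
            // so a missing jar looks exactly like a missing java.security line.
            System.out.println("BC is NOT registered in this JRE: either the java.security line is missing"
                    + " or bcprov-jdk15-140.jar is not on the classpath.");
        } else {
            System.out.println("BC registered at position " + pos);
        }
    }
}
```

Run it with the same java binary ant uses (ant takes it from JAVA_HOME when that is set, otherwise from the PATH), with the Bouncy Castle jar on the classpath. If the printed java.home is not the directory whose java.security you edited, that is the problem, before anything in Axis2 or Rampart is.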
Tomorrow, I’ll continue with the client side of a real application and how to solve the certificates problems! Stay tuned.