[jboss-user] [JBossWS] - Re: SOAP over HTTPS?

[DrHok]

"DrHok" wrote : I would like to change an existing SOAP interface to a JBoss(4.0.2)-based webservice from HTTP to HTTPS, in order to ensure both privacy and integrity of data. 
  | 
  | But how do I do it?


Actually it turned out to be easier than I thought (on JBoss 4.0.2):

1. Uncomment and edit the SSL/TLS Connector section in server/default/deploy/jbossweb-tomcat55.sar/server.xml.

2. Generate a server key pair using keytool, see http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html.

3. Export the public key and import it on the client, also using keytool.

Then, if the ws client uses https://server:8443/... instead of http://server:8080/..., SOAP goes over TLS.

The WSDL doesn't need to know about TLS.

Note: I think my description of activating TLS is accurate, but I can't guarantee that it works. I guessed the first two steps by diffing a virgin jboss-4.0.2.zip with a running AS where TLS was activated by someone else. I might have missed some details of the configuration.

"DrHok" wrote : Will this cause a significant delay and load on the AS?

I made a performance comparison between TLS on and off, and surprisingly the effect of TLS is really small.

Neither the response times nor the load on the AS changed much (roughly +10%).

However, the network latency might increase if client and server are further apart in terms of IP hops (I tried up to 3), because sending a SOAP request and receiving a response over TLS requires 6 packet round-trips instead of 3 without TLS.


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3966920#3966920

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3966920