The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

ssl for java webservice with non-java client

We have decided to use SSL as a security mechanism for a web service in Java. For now we have decided not to use the WS-Security stack. the webservice is axis2 depolyed with aar files and the webserver could be any java app server. As far as I understand the way to do it is to use the keytool and the jks file for certificate storage, which can be configured in the server.xml of the app server, and if it is a java client it will basically be exported to the java client which wil get the certificate from keystore.
Our clients will be non-java and could be C++, powerbuilder, or perl.I understand they come with ssl libraries, but these would not understand the keystore generated by the keytool in java. How to take care of these scenarios?
tomcat6 has an openSSL implementation using APR and there is an openSSL c++ library so this combination will work - tomcat6 + openssl and C++ client with openssl lib.
But what about other scenarios? with other app server like oracle application server and say a perl client?
If we use keystore in JSEE are we stuck with Java clients?
Wednesday, December 31, 2008
No, you aren't stuck. They just need to be configured with an equivalent certificate-store mechanism. What that is I don't know and varies by language. So for example, if you wanted to use a Powerbuilder client, you would export your certificate (in a common format) from your server's Java keystore file and install it wherever Powerbuilder's SSL implementation is going to look for it. It's the same story for client side authentication certificates as well (should you choose to use them).

Think of it this way: a browser is a client application that can support SSL right? Each browser is potentially written in a different language and has its own browser-dependent way of storing certificates. Your situation is really no different.
Wednesday, December 31, 2008

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics
Powered by FogBugz