Securing Axis2/C Web Services with SSL

Axis2/C has strong support for message level web services security. It also provides wire level protection between web services and its clients. In this guide I do not detail basics of Axis2/C web services. You can refer for them else where. WSO2 Oxygen Tank is a good place for you to refer. Here are the steps.

1. Make sure your Apache2 web server is installed with mod_ssl module support.

2. Configure and install Axis2/C with ssl support

3. Configure your Apache2 server with ssl support

4. Configure your clients to access secured web service.

Following are the steps in detail

1. Install Apache2 with ssl support:

Make sure that your Apache2 server is installed with mod_ssl support. Here is how to check your installed modules.

httpd -l

If your Apache2 server does not already have mod_ssl  module support you may need to configure it again and install.

Here is an example configuration.

%./configure --prefix=/usr/local/apache2  --enable-ssl --enable-setenvif  --enable-mods-shared="mod_log_config mod_status mod-mime mod-dir"

2. Configure and install Axis2/C with SSL support:

First you need to install openssl dev package. In Ubuntu and Dabian related distros you can install it by

%sudo apt-get install libssl-dev

%sh configure --prefix=${AXIS2C_HOME} --enable-openssl=yes --with-apache2=/usr/local/apache2/include

%make
%make install
3. Configure Apache2 server for ssl support:
You need to create certificates for your server. Here I just show you the command how
to create a self signed certificate for testing purposes. A detailed explanation on
creating your certificates with certificate authorities please refer to

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert

%openssl req -new -x509 -nodes -out server.crt -keyout server.key

In httpd.conf Add the virtual host entry for https server as following
Note that you need to replace ‘localhost’ with your running server name
and replace the paths with the paths to above generated key/certificates.

<VirtualHost localhost:443>
DocumentRoot “/usr/local/apache2/htdocs”
SSLEngine on
SSLCertificateFile /usr/local/apache2/damitha-cert/server.crt
SSLCertificateKeyFile /usr/local/apache2/damitha-cert/server.key
</VirtualHost>

You can test your ssl enabled server with the following command
%openssl s_client -connect localhost:443

4. Configure your Axis2/C client to support ssl

Create the client certificates to access your secured web service as following

%echo |\
openssl s_client -connect localhost:443 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > client_cert.pem

Remember to replace the ‘localhost’ in the above command with your secured
server url

Now to send ssl secured messages using your Axis2/C client uncomment the
following https related entries in axis2.xml

<transportReceiver name=”https”>
<parameter name=”port” locked=”false”>6060</parameter>
<parameter name=”exposeHeaders” locked=”true”>false</parameter>
</transportReceiver>

<transportSender name=”https”>
<parameter name=”PROTOCOL” locked=”false”>HTTP/1.1</parameter>
</transportSender>

<parameter name="SERVER_CERT">/path/to/ca/certificate</parameter>
Remember to replace the server certicate path with the path to the client certificate created above.
Now you are good to go with your secured Axis2/C web services.

Read Full Post »

Logic

Of all Mathematics I learned at my undergraduate courses I value most the simple but powerful two logics which I consider are very useful in understanding the world.
They are,

1. x ⇒ y (x implies y or if x then y)
2. x ⇔ y ( x if and only if y)

These two logics apply in most of the things we see/hear in our every day life. To understand them one need not have great learning on Mathematics or Logic. It is very intuitive, yet very subtle in their application. Some times it may seem too simple. But when you think carefully you understand that you need to be very careful in applying them with facts.

First simply mean that if x is true then y must be true. It is that simple. The only fact we know is that if x is true then y must be true. Take x and y to be any two facts that you face in life. For example let x be the fact that you buying product O from company M and y be the fact that you get discount in buying O.

So here our expressed logic is

If you buy O from M then you will get discount.

This could be any marketing propaganda that you are targeted at in your every day life. So what do you think?. What if you don’t buy O?. Then you won’t get discount?. The answer is, If you don’t buy from M, there is no more implication about your discounts with regard to buying from M. Of course you may still get discount by buying from some other company. May be not. We cannot come to any precise conclusion about your discounts from the given logic.

x ⇒ y is not equalent to (not x) ⇒ (not y). But sadly this is something that most people take without giving proper heed to the facts.

But here is an equivalent logic

x ⇒ y  is equivalent to (not y) ⇒  (not x)

So under the context of our example we can say that

If you are not getting discount in buying your O  then you haven’t bought O from M. Yes this is true.

So what if x ⇒ y and (not x) ⇒ (not y) are both given as true logic?

Look carefully. (not x) ⇒ (not y) is equivalent to

(not (not y)) ⇒ (not (not x)). What does that mean?. It is simply y ⇒ x.

So we have both x ⇒ y and y ⇒ x. In other words x if and only if y. This logic is defined with the symbol x ⇔ y.

So when this apply to our example it says

If you buy O from M then you get discount and if you get discount then you have bought it from M. So in this case it is to be understood that only M company gives discount for O and no other company in this world give a discount for O. If some company express such logic it should be taken as very strong claim. You get discount for product O if and only if you get O product from our company.

When reading anything, hearing anything I tend to think precisely along these logics. In that way I believe I get no more than it really mean, and no less than it really mean. This result in very little chance of getting cheated at least.

Read Full Post »