
I am trying to do a simple test of SSL on Tomcat. I added the following to my server.xml:

<Connector port="8444"
  protocol="HTTP/1.1"
  SSLEnabled="true"
  maxThreads="150"
  scheme="https"
  secure="true"
  clientAuth="false"
  sslProtocol="TLS"
  keystoreFile="<path to my .jks file>"
  keystorePass="<pass to my .jks file>" />

The keystore was generated using the following:

keytool -genkey -alias MyKeyStore -keyalg RSA -keystore <path to my .jks file>

Now, after doing this, I am able to use SoapUI to make a request to localhost:8444/ and hit a breakpoint in my web service. This is not what I was expecting. Per my understanding, SoapUI should also need to know about the keystore to validate the server's certificate. Otherwise, anyone can call the service, which defeats the purpose of SSL / HTTPS. Furthermore, shouldn't SoapUI also have a certificate / keystore which the server validates?

I am trying to do this so I can figure out how to write a java client that authenticates correctly to a web service set up behind SSL, but based on what I am seeing, I haven't set up the web service correctly, so I can't move on to the next step.

Apologies in advance if there is something basic I am misunderstanding about SSL / HTTPS. This is my first time working with it.

Summary: Why is SoapUI allowed to send a request over SSL / HTTPS without having any information about the web service's certificate / keystore? How can I set up Tomcat so that only clients which know about my certificate can send requests?

nhouser9
  • If you want to restrict the WebService access to some clients only, you need an authentication mechanism. This can be a user/password challenge, IP-based authorization, or, if you want to use SSL for that, a client certificate. The primary goal of SSL is to encrypt the traffic, and in most cases to allow the client to identify the server (based on the server certificate). – Eugène Adell Mar 22 '18 at 06:16
  • "*How can I set up Tomcat so that only clients which know about my certificate can send requests?*". This is not Tomcat's problem. Only the client that connects can choose whether or not to verify the certificate of the server it connects to. – Bruno Mar 22 '18 at 12:19
  • @Bruno While I understand what you are saying, the entire purpose of this exercise is to gain understanding about a client who indeed has their web services set up in such a way that we need a certificate to call into them. So I know for a fact that the web service verifying the calling client is a thing that is possible, and that's what I need to figure out how to do. – nhouser9 Mar 22 '18 at 14:22
  • @Bruno Also, I thought SSL / HTTPS entailed some kind of encryption... How can traffic be encrypted if the client doesn't have any public or private key? – nhouser9 Mar 22 '18 at 14:28
  • "*How can traffic be encrypted if the client doesn't have any public or private key?*" You seem to be confused about how SSL works. The private/public keys are only used for authentication (and to establish the shared secret used during the communication) (see [this](https://stackoverflow.com/a/9318024/372643) for example, although I'm sure there's other better answers to describe the process). There are two problems here (...) – Bruno Mar 22 '18 at 14:42
  • (A) The client that connects to your server doesn't seem to mind a certificate it doesn't know, so it was configured to ignore certificate verification (or wasn't set up properly), which isn't good. (B) You seem to want to use client-certificate authentication (in which case the client presents a certificate to authenticate itself): for that you also need to set the trust store and set `clientAuth=true`. You may be interested in [this](https://stackoverflow.com/a/26888423/372643). – Bruno Mar 22 '18 at 14:43
  • @Bruno Well... now I enabled client auth, which does seem to prevent me from connecting. Of course, now using the cert in SoapUI to actually send a request doesn't work, but I guess that's another question... – nhouser9 Mar 22 '18 at 15:26
  • That's a different thing. Either way, you need to make sure your client verifies the server cert, so I'd suggest getting it to work/fail with clientAuth=false first, making sure that it fails when your server cert (or its CA) isn't in the client's truststore, and only then try clientAuth=true. – Bruno Mar 22 '18 at 15:36
  • @Bruno Thanks. If you want to summarize these comments as an answer I will accept it – nhouser9 Mar 22 '18 at 16:31
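A Java client that does what the comments above describe, added here as an example (it is not code from the question, from Tomcat or from SoapUI): it verifies the server's certificate against its own trust store, so an unknown server certificate fails the handshake instead of being silently accepted, and it presents a client certificate for the case where the Connector has clientAuth="true" (with truststoreFile/truststorePass set on the server side). The file names and the password are assumptions; the client trust store would contain the server certificate exported from the server's .jks with keytool -exportcert, and the client key store a key pair generated with keytool -genkey as in the question.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;

public class MutualTlsClient {
    // Assumed file names and password; substitute your own.
    static final String TRUSTSTORE = "client-truststore.jks"; // holds the server's certificate
    static final String KEYSTORE = "client-keystore.jks";     // holds the client's own key pair
    static final char[] PASS = "changeit".toCharArray();

    static SSLContext buildContext() throws Exception {
        // Trust store: decides which server certificates this client accepts.
        // Without this, the JVM falls back to its default CA list and a self-signed cert fails.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUSTSTORE)) { trust.load(in, PASS); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        // Key store: the certificate the client presents when Tomcat has clientAuth="true".
        // Tomcat only accepts it if the cert (or its CA) is in the server's truststoreFile.
        KeyStore key = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(KEYSTORE)) { key.load(in, PASS); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(key, PASS);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8444/").openConnection();
        conn.setSSLSocketFactory(buildContext().getSocketFactory());
        // The default hostname verifier also requires the certificate's CN/SAN to match
        // "localhost" (the "first and last name" keytool asked for when generating the key).
        try {
            System.out.println("HTTP " + conn.getResponseCode());
        } catch (SSLHandshakeException e) {
            // Raised when the server cert is not trusted here, or the server rejects our cert.
            System.out.println("Handshake failed: " + e.getMessage());
        }
    }
}
```

Removing the server certificate from client-truststore.jks should make the handshake fail, which is the check Bruno suggests doing with clientAuth=false before moving on to clientAuth=true.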
