Configuring SSL with Client Authentication
On the server side, you can configure the Software AG Web Server based on Apache Tomcat to use a client certificate to encrypt the transferred data using either of the methods below.
Go to the
Software AG_directory /profiles/CTP/configuration/com.softwareag.platform.config.propsloader directory and open the com.softwareag.catalina.connector.https.pid-
port.propertiesfile. Set the clientAuth property to true, and set the keystore and truststore properties.
Configure the truststore location of the
Software AG Runtime by starting it with the corresponding Java system property. If the truststore properties are not set in your configuration,
Software AG Web Server based on Apache Tomcat uses the default Java trusted authority keystore. Specify these options in the
Software AG_directory /profiles/CTP/configuration/config.ini file and then start
Software AG Runtime:
javax.net.ssl.trustStore=full_path_to_truststore.jks
javax.net.ssl.trustStorePassword=password
Use the settings in the following table to configure the truststore properties in the HTTPS connector.
Property | Description |
truststoreFile | Truststore file to use to validate client certificates. |
truststorePass | Password to use to access the truststore. The default ils keystorePass. You can add @secure in front of truststorePass. |
truststoreType | Add this property if you are using a different format for the truststore than for the keystore. |
Below is an example connector configuration.
clientAuth=true
sslProtocol=TLS
SSLEnabled=true
keystoreFile=C:\my_key/truststore.jks
truststoreFile=C:\my_key/truststore.jks
truststorePass=password
truststoreType=type
enabled=true
port=10011
keystorePass=password
keyAlias=key_alias
scheme=https
enableLookups=false
secure=true
alias=defaultHttps
maxSpareThreads=75
maxThreads=150server=SoftwareAG-Runtime
keystoreType=JKS
disableUploadTimeout=true
description=Default HTTPS Connector
algorithm=SunX509
minSpareThreads=25
acceptCount=100
maxHttpHeaderSize=8192
On the client side, you can use a client certificate with the Web Services Stack client, although additional work is needed to use the Java 1.4 -compatible HTTP sender with Jakarta Commons HttpClient. To make Commons HttpClient use a client certificate for the encryption, you must register a new HTTPS socket factory since the default one does not handle the case with the client certificate. Commons HttpClient does not provide the appropriate socket factory implementation, but you can use AuthSSLProtocolSocketFactory in the commons-httpclient-contib package that is part of the commons-httpclient project. You can set this as follows:
IWSStaxClient client = ......
ProtocolSocketFactory socketactory =
new AuthSSLProtocolSocketFactory(new File("keystore.jks").toURL(),
"keystorePassword", new File("truststore.jks").toURL(),
"truststorePassword");
Protocol authhttps = new Protocol("https", socketactory, 8443);
client.getWSOptions().setProperty(HTTPConstants.CUSTOM_PROTOCOL_HANDLE, authhttps);