Web Service Request using Certificate

[Sosy]

Hello everybody,
I'm having a hard time making Composer's Web Service block work properly.

I always perform successfully Web Service requests using the Web Service block. In those cases properties are set as follow:

ALIAS
- Name: myWS
EXCEPTIONS
- Exceptions: error.badfetch, error.com.genesyslab.composer.webservice.badFetch
INFORMATION
- Service URL: https://192.168.xx.xx/myWS/myWS?wsdl
INVOKING CONFIGURATIONS
- Available Services: myWS_Service
- Bindings: SOAP11port
- Operations: inquirySomethingBySomething
- Service End Point Variable: Variable(URL_endpoint_myWS)
- Use Protocol: SOAP
SECURITY
- Authentication Type: Anonymous
SOAP MESSAGE GENERATION
- Custom SOAP Envelope: Custom SOAP Message (myWS_request)
WEB SERVICE OUTPUT
- Output Result: output(WebServiceRespondeMessage=myWS_response)

Now I have to perform a request to a Web Service that needs a mutual authentication.
When the request is made through SoapUI I simply put the path for the certificate (.p12) in the "SSL Setting" tab (preferences).
Everything works fine here.
When it comes to Composer, however, I can't really find a way to include the certification in the request and I always get the following error (MCP log):

var myWS_response = {'errorMsg':'Mismatched close taghr at character 70 of The element type "hr" must be terminated by the matching end-tag "</hr>".'};

I found out that this come from the WS Response when there's no certificate (from SoapUI response with no certificate):

<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx</center>
</body>
</html>


In this case properties are set as follow:

ALIAS
- Name: myWS
EXCEPTIONS
- Exceptions: error.badfetch, error.com.genesyslab.composer.webservice.badFetch
INFORMATION
- Service URL: https://192.168.xx.xx/myWS/myWS?wsdl (<- WS that requires no certificate)
INVOKING CONFIGURATIONS
- Available Services: myWS_Service
- Bindings: SOAP11port
- Operations: inquirySomethingBySomething
- Service End Point Variable: Variable(URL_endpoint_myWS) (<- same WS that requires certificate)
- Use Protocol: SOAP
SECURITY
- Authentication Type: SOAP Digital Signature Authentication
SOAP DIGITAL SIGNATURE
- Certificate Alias: myCertAlias
- Certificate Or Key Store Location: C:\myFolder\Composer\composer_workspace\myProject\Resources\certificate.p12
- Key Algrithm: RSA
- Key Store Password: myPws
SOAP MESSAGE GENERATION
- Custom SOAP Envelope: Custom SOAP Message (myWS_request)
WEB SERVICE OUTPUT
- Output Result: output(WebServiceRespondeMessage=myWS_response)

What am I doing wrong?

Here's what I've tried by now:

- Converted certificate from .p12 to .jks, modified tomcat server.xml this way:
   <Connector port="8443"
         protocol="org.apache.coyote.http11.Http11Protocol"
            maxThreads="150"
         SSLEnabled="true"
         scheme="https"
         secure="true"
            clientAuth="false"
         sslProtocol="TLS"
         keystoreFile="C:\myFolder\Composer\composer_workspace\myProject\Resources\certificate.jks"
         keystorePass="myPsw"
         keyAlias=myCertAlias"
         keystoreType="JKS"         
                  />

- Upgraded my Composer version to 8.1.5 from 8.1.410 to enable Trust Store Location field, putting there there certificate.jks path and password

Thank you for any advice!

[cavagnaro]

Well
What is the name of the server on that certificate created for?
If you open it in a browser, what security error do you get?

[Sosy]

Hi Cavagnaro! Thanks for your reply!

If I open it in browser I get no error and I think it's because the certificate is installed on local machine (via MMC).

I only get the error when I try to send the request through Composer.

What can the issue be? Do you think could be something related to Tomcat (i.e. no mutual autentication enabled) or
could be just something related to a bad Web Service block configuration on Composer?

What I cannot explain myself is why SoapUI works fine while Composer is not...

Let me know if you need more info.

Thanks!

[cavagnaro]

Well...SoapUI will use your Windows certificates storage, so that is why it works.
Now, Tomcat will use Java's one. If your certificate was self generated then you may wanna seek on how to add that certificate to trusted store of Java certs.
Search for InstallCert java command

[Kubig]

Configure truststore on Tomcat level which will containing the trusted CA and perhaps certs in chain related to the servers you need to communicate with

[René]

Hi,

Based on your first post, you added certificate to SOAP Digital Signature section which is not related to HTTPS at all. It is related to signature of SOAP message body.

You must configure certificate in HTTPS Server Authentication section (added in Composer 8.5.450.33)

BTW I'm not sure that mutual TLS will work even with correct configuration as I haven't found anything about this functionality being supported...

R.

[Sosy]

Hi guys! Thank you for all your replies!

I have to admit it... I'm pretty lost 

Following your advices and searching on the net I tried to better understand what's going on but I can't still figure it out...

Here's what I was able to understande:

An IRD application (client#1) makes a call to a GVP application deployed on tomcat (server#1).
The GVP application (client#2) has to make a call to a Web Service (nginx, server#2) via mutual authentication.

The communication between client#1 and server#1 is NOT in mutal authentication so I assume that the clientAuth parameter must be set to false on the server.xml file located in C:/Tomcat 7.0/conf/ since if set to true tomcat would wait for a certificate that do not exist (as a matter of fact if I call the RP where my IRD strategy is loaded on all I hear is a "beep" sound and no call to the GVP application is made).

Next, the communication between client#2 and server#2 has to be in mutual authentication. Client provided me with the (.p12) file. This file must be contained in the tomcat truststore, while the tomcat keystore must contain the tomcat certificate that it has to present to the server#2 (if I need to create this certificate or if it already exists is not clear because the environment is not managed by us, I will investigate). The certificate stored in the tomcat keystore MUST be contained in the server#2 trustore and the client authentication must be enabled in the nginx configuration... is that right?

Then, when and if everything will be set properly, what about Composer? Do I need to set the HTTPS Server Authentication section (as said by Renč) or the configuration made on tomcat would do the work?

[René]

Hi Sosy,

You mixed up a few things
- Client authentication is (generally) about password required to access the website
- TLS mutual authentication is about client having certificate to establish secure (TLS) connection with the web server

You're after the second option if I do understand you correctly.

It means, you have to convert received .p12 certificate to keystore format and set reference to this store in HTTPS Server Authentication section of WebRequest block.

R.