IBM Support

How to use an X509 v3 certificate to authenticate a Web service with Rational Application Developer 6.0.1.1

Troubleshooting


Problem

IBM® Rational® Application Developer (RAD) version 6.0.1.1 can use an X509 v3 certificate to secure Web services. This technote provides a step-by-step example that you can follow to do this.

Resolving The Problem

Follow these steps to create the example that uses an X509 v3 certificate to authenticate a Web service with RAD 6.0.1.1.

  1. Create the Web service client and server projects:
    1. Create a Web project named 51644WS.
    2. Add a class like:
      package com.ibm.support.rad.ws;
      public class Test {
          // Minimal operation exposed by the Web service
          public String ping() {
              return "alive";
          }
      }
    3. Right-click on the class and select menu Web Services > Create Web Service.
    4. Check the option "Generate a proxy".
    5. Click Next (the class Test is displayed), click Next again (a Web client project 51644WSClient will be created), click Finish.
  2. Configure the client to send an X509 certificate:
    1. Open the deployment descriptor (web.xml) of the client Web project 51644WSClient.
    2. Open the tab "WS Extension".
    3. In "Request Generator Configuration", add a security token:
      Name=myX509cert
      Type=X509 Certificate token
      Local Name=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3

      (the "v3" must be added manually)
    4. Open the "WS Binding" to implement the above token.
    5. In "Security Request Generator Binding Configuration", add a token generator: (see project in attachment for the complete configuration)
  3. Configure the server to receive an X509 certificate:
    1. Open the Web services descriptor (webservices.xml) of the server project 51644WS
    2. Open the tab "Extension"
    3. In "Request Consumer Service Configuration Details", add a required security token:
      Name=myX509Cert_srv
      Type=X509 Certificate token
      Local Name=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
      Usage=Required
       
      (the "v3" in the URL must be added manually)
    4. Open the tab "Binding Configurations"

      ====== the following section is optional ======
      In "Request Consumer Binding Configuration Details", add a Trust Anchor:
      Name=myX509CertTrust
      Key storepass=server
      Key store path=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
      Type=JKS


      In "Certificate store list", add a Collection Certificate Store:
      Name=myX509CertStore
      Provider=IBMCertPath
      X509 Path=${USER_INSTALL_ROOT}/etc/ws-security/samples/intca2.cer


      =========end of optional section=========
    5. In "Token Consumer", add a token: *
      (see project in attachment for the complete configuration)
      Name=myX509Cert_Consumer
      Value type=X509 certificate token v3
      Jaas config=system.wssecurity.X509BST
      Select "Trust any certificate"


      =======the following step is optional=======
      *Or select the Trust Anchor and Certificate store list from step 4.
      ========= end optional step=============
  4. Enable security on WebSphere Server, RAD and Windows:
    1. From the admin console, enable Global Security and use the Local OS registry.
    2. Redeploy the FileTransfer application in secure mode.
    3. Also enable security in RAD.
    4. Add a Microsoft® Windows® user named SOAPRequester (CN name for the key): right-click on My Computer then select Manage > Local Users and Groups.
Note on using the project in the attachment at the bottom of this technote:
  • The WebService client uses the port 9085 to contact the WebService server.
  • A TCP/IP monitor (see Window > Preferences > Internet > TCP/IP monitor) can be used to map the port 9085 to the real TCP port used by the WebService server (9080 or 9081, for example).
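
The ValueType URI set in steps 2 and 3 travels on the wsse:BinarySecurityToken element of the SOAP request, so a request captured with the TCP/IP monitor can be checked for the "v3" suffix and for a version 3 certificate inside the token. The following Python check is an added example, not part of the IBM technote or the attached project; the function names and the sample request are hypothetical, and the DER bytes are constructed stubs rather than real certificates.

```python
import base64
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
V3_STUB = "300b3009a00302010202021001"   # constructed: [0] INTEGER 2, then a serial number
V1_STUB = "3006300402021001"             # constructed: no [0] field, so version 1

def der_tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                              # short-form length
        return tag, pos + 2, pos + 2 + first
    body = pos + 2 + (first & 0x7F)               # long form: low 7 bits count length bytes
    return tag, body, body + int.from_bytes(buf[pos + 2:body], "big")

def cert_version(der):
    """X.509 version (1-3) from the optional [0] field that opens tbsCertificate."""
    _, cert_body, _ = der_tlv(der, 0)             # Certificate SEQUENCE
    _, tbs_body, _ = der_tlv(der, cert_body)      # tbsCertificate SEQUENCE
    tag, ver_body, _ = der_tlv(der, tbs_body)
    if tag != 0xA0:                               # field absent: DEFAULT v1
        return 1
    _, start, end = der_tlv(der, ver_body)        # INTEGER 0, 1 or 2
    return int.from_bytes(der[start:end], "big") + 1

def check_tokens(soap_xml):
    """Return a list of problems for each BinarySecurityToken in the message."""
    report = []
    for bst in ET.fromstring(soap_xml).iter("{%s}BinarySecurityToken" % WSSE):
        problems = []
        if bst.get("ValueType") != PROFILE + "#X509v3":
            problems.append("ValueType is not the #X509v3 URI")
        try:
            der = base64.b64decode("".join((bst.text or "").split()), validate=True)
            if cert_version(der) != 3:
                problems.append("certificate is not version 3")
        except (ValueError, IndexError):
            problems.append("token body is not base64 DER")
        report.append(problems)
    return report

def sample_request(value_type, der_hex):
    """Constructed SOAP request; der_hex is a DER stub, not a real certificate."""
    token = base64.b64encode(bytes.fromhex(der_hex)).decode()
    return ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soapenv:Header><wsse:Security xmlns:wsse="%s">'
            '<wsse:BinarySecurityToken ValueType="%s">%s</wsse:BinarySecurityToken>'
            '</wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
            % (WSSE, value_type, token))
```

This check covers the token's format only. Whether the server validates the certificate path depends on selecting the Trust Anchor and Certificate store list from step 4 instead of "Trust any certificate" in the Token Consumer.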


DISCLAIMER
All source code and/or binaries attached to this document are referred to here as "the Program". IBM is not providing program services of any kind for the Program. IBM is providing the Program on an "AS IS" basis without warranty of any kind. IBM WILL NOT BE LIABLE FOR ANY ACTUAL, DIRECT, SPECIAL, INCIDENTAL, OR INDIRECT DAMAGES OR FOR ANY ECONOMIC CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), EVEN IF IBM, OR ITS RESELLER, HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

51644.zip


Document Information

Modified date:
10 September 2020

UID

swg21232201