Home
ESB
Monitor
Registry
SOAP Client
SOA Model
Support
Downloads
About

Tutorial: SSL for unsecured Web Services

requires version 1.4.1 or above

This tutorial describes how to secure a unsecured Web Service with encryption using SSL. In the tutorial we use a public sample service for banking codes. In figure 1 you can see the deployment we want to setup. Between the client and Membrane there is a secure SSL tunnel. Membrane terminates the SSL tunnel and connects to the server using plain unsecured HTTP. This setup is useful if you have unsecured Web Services that you want to expose over the internet in a secure way.

SSL Encryption for unsecured Server
Figure 1: SSL Encryption for unsecured Server

Creating a Service Proxy for Incomming SSL Connections

Startup Membrane Monitor first. Create a new service proxy by clicking on the green Add button.

Add a Service Proxy in Membrane Monitor
Figure 2: Add a Service Proxy in Membrane Monitor

Then choose Advanced Service Proxy and click Next. Figure 3 shows the first page of the wizard. Specify the default SSL port 443 as listen port. Next change HTTP Method to <<All methodes>>.

Service Proxy Configuration for incoming SSL/HTTPS Requests
Figure 3: Service Proxy Configuration for incoming SSL/HTTPS Requests

Checkbox for Secure Connection is disabled if keystore location and password are not specified. To configure the keystore for SSL and enable checkbox for secure connection click on the link Security Preferences Page.

Now the Security SSL/TLS preference page pops up.

Keystore Configuration

For this tutorial we do not need to specify a truststore. You need a truststore if you want to authenticate a client or a targetservice by X.509 certificates. To secure a server with SSL, a keystore containing a private key is needed. Because Membrane is acting as server, it needs a prepared keystore too. You can create a keystore using the keytool. Keytool is provided by the Java SDK.

Keystore Configuration
Figure 4: Keystore Configuration

For this tutorial we use a sample keystore that is provided by the Membrane Monitor distribution. To use this keystore click on the browse icon on the right side and choose the following file:

../membrane-monitor-XXX/configuration/membrane.jks

Default keystore password is secret, type it in the text field labeled "Password:" and than click on OK to close the preferences dialog. Now you can click on Next in the Add Rule wizard.

Target Server

After we have done the configuration for inbound connections we have to configure the target. Because the router should not use encryption to talk to the service we are not choosing Secure Connection. As target host we use thomas-bayer.com and the well known port for HTTP 80. Then we click on Finish.

The Targethost of the BLZ Service
Figure 5: The Targethost of the BLZ Service

Testing the Setup

Open the following URL in your browser. Be careful to use https for SSL and not http.

https://localhost

We do not need to specify a port number because we use the well known port for SSL 443.
Now your browser should show you a warning that the connection is untrusted. This warning is shwon because the sample certificate in the membrane.jks keystore is selfsigned. That's fine for the tutorial but for production you should obtain a SSL certificate created for your domain. If the SSL certificate is issued by a major certification authority there should be no warning.

In this tutorial we are using Firefox, but you can use of course other browsers like Internet Explorer or Google Chrome. If you are not using Firefox the screens are different from those in this tutorial. To go on click on I understand the Risks.

Untrusted Certificate Warning
Figure 6: Untrusted Certificate Warning

Next the following text is shown. Click on Add Exception... now, but remember you should only add an exception if you know a good reason.

Exception for the Server Certificate
Figure 7: Exception for the Server Certificate

In the following dialog remove the tick for Permanently store this exception to avoid any risks. Then click on View....

Add Security Exception
Figure 8: Add Security Exception

In the screenshot below you can see that the subject this certificate is issued to is the same as the issuer. It is a selfsigned certificate. Click on Close and then on Confirm Security Exception.

The content of the Sample Certificate
Figure 9: The content of the Sample Certificate

Using the Web Service over SSL

Next get the WSDL of the banking code by clicking on

https://localhost/axis2/services/BLZService?wsdl

Now you can create a Web Services client with your favorite toolkit and invoke the sample service over SSL.
Besides this setup there are more possibilities to secure Web Services with SSL and Membrane.

SSL with Membrane Router

You can save a Membrane Monitor configuration containing SSL rules to a file and then use it together with the non-GUI tool Membrane Router.