Thanks to several posts in this forum, I am able to invoke a web service operation over HTTPS. However, because I'm a total security novice, it took a lot of fumbling to get it set up. For the sake of other novices, here's what I did. Please let me know if anything here is wrong, misleading, or unnecessary.
Note 1: I had previously set up a certificate for Tomcat but had used my first and last name as the certificate's CN (common name). However, other forum posts indicate that the SSL handshaking will not work correctly from a Java program unless the certificate's CN is the hostname or IP address of the server (it sounds like the IP address is often better because it prevents problems with virtual host names). So I deleted my old Tomcat certificate (alias "tomcat") and generated a new one.
Note 2: I only tested this on one system, using "localhost" as the server name.
Note 3: keytool, Java's standard tool for keystore and certificate management, uses your home directory as the default location for keystore files. The default password is "changeit".
Setting up JAX-RPC security: part 1: generate keystores and certificates
1. delete old tomcat certificate (only if you generated a tomcat certificate before):
keytool -delete -storepass changeit -alias tomcat
2. add new tomcat certificate, valid for one year. IMPORTANT: when prompted for first and last name, use either your server's hostname or IP address
keytool -genkey -alias tomcat -keyalg RSA -validity 365
3. export server certificate to a file
keytool -export -alias tomcat -file tomcat-server.cer
4. generate client keystore (the "truststore"):
keytool -genkey -alias tomcat-client -keyalg RSA -keypass changeit -storepass changeit -keystore C:\mycerts\WSCerts.keystore
5. import server's certificate into client's keystore
keytool -import -v -trustcacerts -alias tomcat-server -file tomcat-server.cer -keystore C:\mycerts\WSCerts.keystore -keypass changeit -storepass changeit
Setting up JAX-RPC security: part 2: modify your client code:
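// requires: import javax.xml.rpc.Stub;
serviceStub = getServiceProxy(); // get Service stub implementation
// Point JSSE at the client truststore from part 1 (it holds the server's certificate)
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
System.setProperty("javax.net.ssl.trustStore", "c:/mycerts/WSCerts.keystore");
// Register the JSSE HTTPS protocol handler and provider
// (needed where JSSE is an add-on, i.e. before J2SE 1.4; later JREs include both by default)
System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
// Send requests to the HTTPS endpoint instead of the address generated into the stub
((Stub) serviceStub)._setProperty(Stub.ENDPOINT_ADDRESS_PROPERTY,
        "https://localhost:8443/mycontext/MySecureService");
serviceStub.serviceMethod(...); // invoke service operation as usual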
The Tomcat docs' "SSL Config HOW-TO" gives the details on setting up SSL in Tomcat.
Thanks to all those who posted this info previously.
Mike
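
Added example, not part of the original post: a pre-flight check that the client truststore from steps 4 and 5 really contains the server certificate, that it is inside its validity period, and that its CN matches the host in the endpoint URL, which is the condition Note 1 describes. The store path, password, alias and URL are the ones used in the post; the class name TrustStoreCheck is made up for this example, and the check looks only at the subject CN, not at subjectAltName entries.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example: verifies the truststore entry before the web service client uses it.
public class TrustStoreCheck {
    // Return the CN attribute of the certificate subject, or null if absent.
    static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Values taken from the post; adjust them for your own setup.
        String storePath = "c:/mycerts/WSCerts.keystore";
        char[] storePass = "changeit".toCharArray();
        String alias = "tomcat-server";
        String endpoint = "https://localhost:8443/mycontext/MySecureService";

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath)) {
            ks.load(in, storePass); // fails on a wrong password or a corrupt store
        }
        if (!ks.isCertificateEntry(alias)) {
            throw new IllegalStateException("No trusted certificate under alias " + alias);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        cert.checkValidity(); // throws if the certificate is expired or not yet valid

        String host = URI.create(endpoint).getHost();
        String cn = commonName(cert);
        System.out.println("Subject CN: " + cn + ", endpoint host: " + host);
        if (cn == null || !cn.equalsIgnoreCase(host)) {
            throw new IllegalStateException("Certificate CN does not match endpoint host");
        }
        System.out.println("Truststore entry is valid and matches the endpoint host.");
    }
}
```

Running it after step 5 and again before the one-year validity from step 2 runs out catches a wrong alias, an expired certificate or a CN mismatch before the handshake fails inside the stub call.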