XMLRPCSERVER, Mutual TLS

We have standalone instances of XMLRPCSERVER for managing communications from NATURAL to web services. We need to use a web service that requires mutual TLS authentication. How do you configure XMLRPCSERVER to present a client certificate when requested by the target service?

Hello James,

I think it is sufficient to set the Java system properties javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword in the batch script which calls the XML RPC Server.

Hi Rolf. Thank you. I have a standalone instance on my desktop in Windows. It works successfully with client auth, just as you described.
I also have a standalone instance in UNIX. That is where we run our actual TEST and PROD instances, so that is where I need it to work. It is essentially the same configuration and uses a similar script and keystores and keys. Having struggled with it for a day, I cannot get it to work with the client auth service. I get the error below. There must be something different about the UNIX environment. We use the JVM supplied by Software AG. I guess I can open a support ticket, but is there a way to get a more detailed trace that might indicate the SSL problem? I feel like the runtime might be ignoring the keystore it is being pointed to.
James.

2018-02-21 09:03:23.699> EntireX-*orker-1( CP:HTTPTransport.invoke() I:SendReceive Exception: com.softwareag.wsstack.client.api.WSClientException: org.apache.axis2.AxisFault: Received fatal alert: bad_certificate
at com.softwareag.wsstack.client.impl.WSOperationClientImpl.execute(WSOperationClientImpl.java:68)
at com.softwareag.entirex.xml.rt.HttpTransportImpl.sendReceive(HttpTransportImpl.java:654)
at com.softwareag.entirex.xml.rt.TransportHandler.sendReceive(TransportHandler.java:212)
at com.softwareag.entirex.xml.rt.MessageHandler.processRPCMessage(MessageHandler.java:125)
at com.softwareag.entirex.xml.rt.XMLRPCServerRPCMessageHandler.processMessage(XMLRPCServerRPCMessageHandler.java:152)
at com.softwareag.entirex.aci.ServerRPCMessage.doNonConversation(ServerRPCMessage.java:56)
at com.softwareag.entirex.aci.ServerWorker.run(ServerWorker.java:185)
Caused by: org.apache.axis2.AxisFault: Received fatal alert: bad_certificate
at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
at org.apache.axis2.transport.http.AxisRequestEntity.writeRequest(AxisRequestEntity.java:98)
at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:622)
at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:193)
at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:75)

Hi James,

You can use -Djavax.net.debug=all to see all SSL activity of the JVM.

Thank you again. I already have that parameter set, but the only part of the trace that indicates there is any problem is what I posted. The trace level is SUPPORT.
James.

You have to set the parameters in the batch script as below; note the " characters.

SSLV="-Djavax.net.ssl.keyStore=/opt/softwareag/RPC/keys.jks -Djavax.net.ssl.keyStorePassword=yourpassword -Djavax.net.ssl.trustStore=/opt/softwareag/RPC/cacerts"
export SSLV

The Java SSL trace is not written to the log file; it goes to stdout.

Here is my full startup script:
cd /opt/WebApps/XMLRPCSERVERDELUNIX $0
# Each -D option must reach java as a separate argument, so $SSL is expanded unquoted below.
SSL="-Djavax.net.ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl -Djavax.net.ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl -Djavax.net.ssl.keyStore=/opt/WebApps/XMLRPCSERVERDELUNIX/EntireX/xmlfirewallsupport.jks -Djavax.net.ssl.keyStorePassword=[password omitted] -Djavax.net.ssl.trustStore=/opt/WebApps/XMLRPCSERVERDELUNIX/EntireX/ExxCACert.jks -Djavax.net.ssl.trustStorePassword=[password omitted] -Djavax.net.debug=all"
CLASSPATH=".:/opt/WebApps/XMLRPCSERVERDELUNIX/EntireX/classes/entirex.jar:/opt/WebApps/XMLRPCSERVERDELUNIX/WS-Stack/lib/wsstack-client.jar:/opt/IBM/WebSphere/AppServer/plugins/com.ibm.ws.security.crypto.jar"
echo $CLASSPATH
/opt/WebApps/XMLRPCSERVERDELUNIX/jre18/bin/java $SSL -Dentirex.sdk.default.trace.propertiesfile=entirex.trace.properties -classpath "$CLASSPATH" com.softwareag.entirex.xml.rt.XMLRPCServer -p entirex.xmlrpcserver.properties -c entirex.xmlrpcserver.configuration.xml
exit 0
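The following is an added example, not code from the thread or from Software AG, covering both Rolf's guidance on setting the javax.net.ssl properties in the batch script and James's startup script above. It is a small POSIX sh pre-flight for the two things that most often produce a bad_certificate alert with the default JSSE key manager: a keystore that the JVM cannot read, or one that holds no private key entry to answer the server's CertificateRequest. It also shows how to hand the -D options to java one argument each. Every path, alias and password is a placeholder; the keytool check is optional and is skipped (return code 2) when keytool is not on PATH.

```shell
#!/bin/sh
# Added example, not part of the thread or of the EntireX product: pre-flight
# checks for the JSSE keystore settings before the XML RPC Server is started.
# All paths and passwords below are placeholders.

# check_store PATH
# Succeed only if PATH names an existing, readable regular file. JSSE does not
# fail loudly when javax.net.ssl.keyStore points at nothing; it simply has no
# client certificate to offer, and the server then sends bad_certificate.
check_store() {
    store="$1"
    if [ -z "$store" ]; then echo "keystore path is empty" >&2; return 1; fi
    if [ ! -f "$store" ]; then echo "keystore not found: $store" >&2; return 1; fi
    if [ ! -r "$store" ]; then echo "keystore not readable: $store" >&2; return 1; fi
    return 0
}

# has_private_key PATH STOREPASS
# Client authentication needs a PrivateKeyEntry; a store holding only trusted
# certificates (like cacerts) cannot be used as a keyStore for client auth.
# The default key manager also opens the key with the store password, so the
# entry's key password must equal STOREPASS. Returns 2 if keytool is missing.
has_private_key() {
    store="$1"
    pass="$2"
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -list -keystore "$store" -storepass "$pass" 2>/dev/null \
        | grep -q "PrivateKeyEntry"
}

# ssl_opts KEYSTORE KEYPASS TRUSTSTORE TRUSTPASS
# Print one -D option per line. Each option must reach java as its own
# argument: java "-Da=1 -Db=2" sets only property a, with value "1 -Db=2",
# which is why a single double-quoted "$SSL" string silently drops settings.
ssl_opts() {
    printf '%s\n' \
        "-Djavax.net.ssl.keyStore=$1" \
        "-Djavax.net.ssl.keyStorePassword=$2" \
        "-Djavax.net.ssl.trustStore=$3" \
        "-Djavax.net.ssl.trustStorePassword=$4"
}

# Example launch sequence (placeholder paths; the jar locations and the
# XMLRPCServer arguments are the ones from the startup script in the thread):
#   KS=/path/to/client.jks; KSPASS=changeit; TS=/path/to/cacerts.jks; TSPASS=changeit
#   check_store "$KS" && check_store "$TS" || exit 1
#   has_private_key "$KS" "$KSPASS"; rc=$?
#   [ "$rc" -eq 1 ] && { echo "no PrivateKeyEntry in $KS" >&2; exit 1; }
#   set -- $(ssl_opts "$KS" "$KSPASS" "$TS" "$TSPASS")   # one argument per option
#   exec java "$@" -Djavax.net.debug=ssl,handshake -classpath "$CLASSPATH" \
#       com.softwareag.entirex.xml.rt.XMLRPCServer \
#       -p entirex.xmlrpcserver.properties -c entirex.xmlrpcserver.configuration.xml
```

When reading the javax.net.debug output on stdout, the decisive lines come right after the server's CertificateRequest: the client logs "*** Certificate chain" followed either by the client certificate it is sending or by "<Empty>". An empty chain means the key manager found no PrivateKeyEntry whose issuer appears in the CA list the server sent (or the keystore was never loaded), and the bad_certificate alert from the server is the consequence, not the cause.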

Try changing the parameters so the default SSL implementation of the JVM is used.
Remove
-Djavax.net.ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
-Djavax.net.ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
/opt/IBM/WebSphere/AppServer/plugins/com.ibm.ws.security.crypto.jar

Hi Rolf. Since it’s evidently an SSL problem, I had tried that already but it will not run without any one of those. Without them I just get class not found errors. It was many years ago, but I think I added those on the advice of Software AG support when we were trying to get this running. I think I’m using the JVM supplied by Software AG. Where should the default SSL implementation be and how can I make the service use it?

Hi James,
I see that you opened a support ticket. So let’s continue this via support.

OK Rolf. Thank you for your assistance so far,
James.