
1905 Re: [soaplite] SOAP and SSL Client Certificates

  • simon.fairey@ft.com
    Oct 7, 2002
      I have to then ask how people currently go about deploying secure soap services. Guess I better go and trawl the web and newsgroups a bit :-)

      Thanks for the reply.


      John Hartnup <john@...>

      07/10/2002 14:52
      Please respond to John Hartnup

              To:        simon.fairey@...
              cc:        soaplite@yahoogroups.com
              Subject:        Re: [soaplite] SOAP and SSL Client Certificates

      On Mon, Oct 07, 2002 at 04:12:33PM +0000, simon.fairey@... wrote:
      > Hi,
      > I'm going to be providing some simple functions to a client via an Apache
      > mod_soap setup. There is also a requirement to use client side
      > certificates. Now I think I have my server set up correctly and when I try
      > to access (using SOAP::Lite) a simple hello msg via https it seems to work
      > fine with no demands for a client side certificate?
      > Assuming my apache is set up properly then my question would be how do you
      > tell your SOAP client perl script what certificate to use when accessing
      > an SSL enabled service?
      > I'm assuming I'm not barking up the wrong tree, I have the Programming Web
      > Services with SOAP book and am working through it but have yet to find
      > much info on SOAP and SSL. Should I be using something like SAML, briefly
      > skimmed it in the book and now think I might go back and read it in more
      > detail!!

      My understanding (and I look forward to being corrected on this) is that in
      general SOAP client toolkits do not cater for HTTPS client authentication.

      One reason might be that WSDL doesn't provide a mechanism (to my limited
      knowledge) to describe a service which requires authentication.

      Another reason is that the community hasn't decided yet whether HTTPS is the
      right way to go about SOAP security. After all, the lifecycle of a SOAP message
      isn't limited to a single hop, but SSL only protects the first hop from HTTPS
      client to HTTPS server.

      It looks as if WS-Security, or one of its competitors, where the SOAP body
      consists of an encrypted element, and the SOAP header contains security
      elements (certificates, tokens, signatures etc.) might be the way security gets
      done in the future, but at the moment there is no widely accepted way to do it,
      and certainly none that is widely implemented in a toolkit.

      You'll have to accept that whatever you implement today will probably never be
      "standard", and that if that's important to you, you'll need to re-implement to
      comply with whatever standard emerges, whenever that happens.

      OTOH, someone please tell me I'm wrong, because I have a service I'd love
      to deploy, which requires strong security.


      "Feel free to browse, but try not to carouse. Hoho"

      This email may contain confidential material. If you were not an
      intended recipient, please notify the sender and delete all copies.
      We may monitor email to and from our network.
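
The single-hop point made in the reply above, as an added example that is not part of the original thread: a SOAP header element carries a MAC over the body, so the final receiver can detect a change made by an intermediary that sits behind the first HTTPS hop. It is a simplified stand-in for message-level security, using a shared-key HMAC rather than WS-Security or XML Signature; the `urn:example:toy-security` namespace, the `BodyMac` element, the `transfer` payload and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SEC_NS = "urn:example:toy-security"  # hypothetical namespace, not WS-Security
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("sec", SEC_NS)


def _body_mac(body, key):
    # Canonicalise first so that harmless re-serialisation by an
    # intermediary (prefix changes, attribute order) keeps the MAC input stable.
    canon = ET.canonicalize(ET.tostring(body, encoding="unicode"),
                            rewrite_prefixes=True)
    return hmac.new(key, canon.encode("utf-8"), hashlib.sha256).hexdigest()


def sender_build(amount, key):
    """Build an envelope whose header carries a MAC over the body."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    ET.SubElement(body, "transfer").text = str(amount)  # constructed payload
    ET.SubElement(header, f"{{{SEC_NS}}}BodyMac").text = _body_mac(body, key)
    return ET.tostring(env, encoding="unicode")


def intermediary_forward(xml_text, tamper=False):
    """Second hop: TLS from the first hop has ended, the message is plaintext here."""
    env = ET.fromstring(xml_text)
    if tamper:
        env.find(f"{{{SOAP_NS}}}Body/transfer").text = "9999"
    return ET.tostring(env, encoding="unicode")


def receiver_verify(xml_text, key):
    """Final receiver: recompute the MAC with the key shared with the sender."""
    env = ET.fromstring(xml_text)
    body = env.find(f"{{{SOAP_NS}}}Body")
    mac = env.findtext(f"{{{SOAP_NS}}}Header/{{{SEC_NS}}}BodyMac")
    if body is None or mac is None:
        return False  # unsigned or malformed messages are rejected
    return hmac.compare_digest(mac, _body_mac(body, key))
```

The intermediary never holds the key, so it can relay the message but cannot produce a valid MAC for an altered body. This covers integrity only; the encrypted body element mentioned in the reply is not modelled.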