How to use wsimport when the server expects a client certificate?

I have a web service using SSL mutual authentication. I can access it only in the browser when I have the client certificate installed.

I need to have access to this using wsimport to generate Java code to access the service.

How do I configure my credentials so that I can access the URL using wsimport?

Here is an example of what I'm trying, but this time is due to the impossibility of authentication.

wsimport ./sample.wsdl -p com.company.ws.sample -Xnocompile -d ./src -extension -keep -XadditionalHeaders

Thanks for any help

Edit:

This is what wsimport prints. WSDL is definitely valid, and at this point the question is how to pass my credentials for authentication:

 wsimport https://wsdl.location.com?WSDL -p com.company.ws.sample -Xnocompile -d ./src -extension -keep -XadditionalHeaders
 parsing WSDL...
 [ERROR] Received fatal alert: handshake_failure
 Failed to read the WSDL document: "https://wsdl.location.com?WSDL", because 1) could not find the document; /2) the document could not be read; 3) the root element of the document is not <wsdl:definitions>.
 [ERROR] failed.noservice=Could not find wsdl:service in the provided WSDL(s):
 At least one WSDL with at least one service definition needs to be provided.
 Failed to parse the WSDL.
+7
3 answers

You can call the WsImport Java class (source) directly and add the necessary JVM arguments so that Java knows where to look for client certificates.

Something like

 java -classpath C:\jdk160_29\lib\tools.jar -Djavax.net.ssl.trustStore=c:\jdk160_29\.mykeystore com.sun.tools.internal.ws.WsImport https://host:8443/Webservice?wsdl -p com.test -s ./src

should do the trick.

+8

I managed to do this by setting the _JAVA_OPTIONS environment variable with all the additional system properties to pass through; as a Windows batch file, it looks like this:

 setlocal
 set _JAVA_OPTIONS=%_JAVA_OPTIONS% -Djavax.net.ssl.trustStore="%JAVA_HOME%\jre\lib\security\cacerts" -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStorePassword={...passwordForThePFX...} -Djavax.net.ssl.keyStore=r:\cert.pfx
 wsimport -s . -verbose https://your.host.name/path/to/service?wsdl
 endlocal

For clarity, the Java options in the long "set" line are:

 -Djavax.net.ssl.trustStore="%JAVA_HOME%\jre\lib\security\cacerts"
 -Djavax.net.ssl.keyStoreType=PKCS12
 -Djavax.net.ssl.keyStorePassword={...passwordForThePFX...}
 -Djavax.net.ssl.keyStore=R:\cert.pfx

You may or may not need to configure trustStore; I had to, since I have several installations, and Java is picking up the wrong cacerts file for me.

Similarly, you will not need keyStorePassword if the keystore is not password protected. As for keyStoreType, you need to specify this if you are not accessing the Java keystore.

Ultimately, the only "required" option is keyStore, which determines where the client certificate and keys live (and it is only required if the client certificate is not located in any of the main Java certificate stores). The example above refers to a client certificate in a PFX file generated by exporting it from a Windows certificate store.

+3
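A pre-flight check for the keystore settings discussed in the answer above, as an added example that is not part of the original answers: it loads the keystore named by the same javax.net.ssl.* properties and reports whether it holds a private-key entry with an unexpired certificate, which is what the client side of a mutual-TLS handshake needs. The class name ClientKeyStoreCheck is hypothetical, and the code assumes the key password is the same as the keystore password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class name); assumes key password == keystore password.
public class ClientKeyStoreCheck {
    // Returns the number of entries that pair a private key with a currently valid X.509 cert.
    static int countClientIdentities(KeyStore ks, char[] password) throws Exception {
        int usable = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate only, no private key");
                continue;
            }
            ks.getKey(alias, password); // throws UnrecoverableKeyException on a wrong key password
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                System.out.println(alias + ": key entry without an X.509 certificate chain");
                continue;
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            leaf.checkValidity(); // throws if the certificate is expired or not yet valid
            System.out.println(alias + ": subject=" + leaf.getSubjectX500Principal()
                    + " issuer=" + leaf.getIssuerX500Principal()
                    + " notAfter=" + leaf.getNotAfter() + " chainLength=" + chain.length);
            usable++;
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        if (path == null) {
            throw new IllegalStateException("javax.net.ssl.keyStore is not set; nothing to check");
        }
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        char[] pw = System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw); // fails here on a wrong store password or wrong keyStoreType
        }
        int usable = countClientIdentities(ks, pw);
        System.out.println(usable + " usable client identity(ies) in " + path);
        System.exit(usable > 0 ? 0 : 1);
    }
}
```

Compile it with javac and run it with the same -D options (or the same _JAVA_OPTIONS) intended for wsimport; exit code 0 means at least one usable client identity was found.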

This was much easier for me (no need to play with -D, classpath, ...):
1. Download the WSDL over SSL using your browser (install the certificate in the default browser by double-clicking on the keystore), or even easier, using soapUI (install the keystore through config / ssl), which displays the contents of the WSDL
2. Run wsimport against the downloaded WSDL
That's all.

+2