Since security is king in my corp-rat world, standards dictate that my public web services be accessed via mutual-authentication SSL. The extra steps this handshake requires can be tedious: exchanging certs, building keystores, configuring connections, updating encryption JARs, etc. So when helping developers of a third-party app call in, it’s useful to provide a standard tool as a non-proprietary point of reference.
This week I decided to use soapUI to demonstrate calls into my web services over two-way SSL. The last time I did something like this, I used keytool and openssl to build keystores and convert key formats. But this go ’round I stumbled across this most excellent post which recommends the user-friendly Portecle tool, and steps through the soapUI setup.
Just a few tips to add:
- SoapUI’s GUI-accessible logs (soapUI log, http log, SSL Info, etc.) are helpful for diagnosing common problems, but sometimes you have to view content in bin\soapui-errors.log and error.log. Take a peek there if other diags aren’t helpful.
- SoapUI doesn’t show the full details of the server/client key exchange. You can get a far more detailed trace of the handshake with plain curl, using -v or --trace; for example, where mykey.pem holds the client certificate together with its private key:
curl -v -E mykey.pem https://myhost.com/myservice
- When exporting public and private key pairs, use JDK 1.6 with the “unlimited strength” JCE updates. Darn those cryptography export restrictions.
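As an added example (not from the post linked above, nor from soapUI or Portecle), here is the whole exchange-certs/build-keystore/test-with-curl routine collapsed into a throwaway local lab: openssl creates a private CA plus server and client certs, packages the client key pair both as the PKCS#12 keystore soapUI loads and as the single PEM that curl -E wants, and then curl proves that the test server really refuses a caller who presents no client certificate. It assumes openssl and curl are on PATH and that local port 18443 is free (override with MTLS_PORT).

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway two-way SSL lab.
# Builds a private CA, server cert and client cert, exports the client key
# pair for soapUI (PKCS#12) and curl (PEM), then checks that the local test
# server enforces client authentication instead of merely requesting it.
set -e
WORK=$(mktemp -d)
PORT=${MTLS_PORT:-18443}   # assumed free local port; override with MTLS_PORT

gen_pki() {
  # One private CA signs both ends, so each side can validate the other.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # The server cert needs a SAN matching what curl connects to; otherwise
  # hostname verification fails even when the chain itself is fine.
  echo "subjectAltName=IP:127.0.0.1,DNS:localhost" > "$WORK/san.ext"
  for name in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    [ "$name" = server ] && ext="-extfile $WORK/san.ext" || ext=""
    openssl x509 -req -days 1 -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
      -CAkey "$WORK/ca.key" -CAcreateserial $ext -out "$WORK/$name.crt" 2>/dev/null
  done
  cat "$WORK/client.crt" "$WORK/client.key" > "$WORK/client.pem"   # for curl -E
  openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -out "$WORK/client.p12" -passout pass:changeit                 # for soapUI
}

start_server() {
  # -Verify (capital V) makes a client certificate mandatory; -www serves a test page.
  openssl s_server -accept "$PORT" -www -cert "$WORK/server.crt" -key "$WORK/server.key" \
    -CAfile "$WORK/ca.crt" -Verify 1 >/dev/null 2>&1 &
  SERVER_PID=$!
  trap 'kill $SERVER_PID 2>/dev/null; rm -rf "$WORK"' EXIT
  tries=0   # wait until the listener answers a proper mutual-TLS request
  until [ "$(probe -E "$WORK/client.pem")" = 200 ]; do
    tries=$((tries + 1)); [ "$tries" -lt 30 ] || return 1; sleep 1
  done
}

# Prints the HTTP status curl saw; "000" means the TLS handshake never completed.
probe() {
  curl -s -o /dev/null -w '%{http_code}' --cacert "$WORK/ca.crt" "$@" \
    "https://127.0.0.1:$PORT/" || true
}

gen_pki
start_server
echo "with client cert:    $(probe -E "$WORK/client.pem")"   # 200
echo "without client cert: $(probe)"                          # 000
```

Point soapUI at client.p12 (password changeit) and ca.crt from the temp directory, and the same request it makes should produce the same 200 that curl got.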
Happy handshaking!