Configuring two way SSL for Custom SOAP based JCS Connectors

Document ID : KB000051155
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

A custom SOAP JCS Connector will need to set up SSL communication itself using the certificate configuration information specified in the server_jcs.xml. The certificate information can be accessed from the ConnectorManager.

Solution:

JCS does not directly support two way SSL security for SOAP based custom connectors. So how SSL is configured for a particular connector will depend on the libraries being used to perform the SOAP communication. JCS provides a standard way of configuring which certificates to use and the passwords are needed to access them from their keystores. Below is some example code that shows reading SSL information. The class CertInfo is just used as a convenient wrapper to show reading certificate information in one code location. Actual usage will depend on what is appropriate for the individual connector. An instance of a cryptoService is being used to decrypt the passwords stored in the configuration file.

Notice that the first parameter is a ConnectorManager *not* ConnectionManager. MetaConnector based connectors can retrieve the ConnectorManager by calling:
          ConnectorManager connectorManager = getMetaConnectorType().getConnectorManager();

The CryptoService is configured in the JCS server_jcs.xml file. It can be used by any of the connectors to decrypt information such as passwords for keystores. Here a custom configuration object is created to provide a reference to crypto service. When configured correctly the custom config object is passed into the constructor of the Connector. c.f. server_jcs.xml file line:
          <bean id="cryptoService" class="com.ca.jcs.crypto.legacy.LegacyCryptoService" init-method="activate"/>

Refer to IdentityManager documentation for more details on how to configure metadata.

 
public class CertInfo {
    public static void readCertInfo(ConnectorManager connectorManager, CustomMetaConnectorConfig config) {
        final boolean sslTracing = connectorManager.getConnectorSSLTrace();
        final boolean sslSimple = connectorManager.getConnectorSSLSimple();
        final boolean sslVerifyPeer = connectorManager.getConnectorSSLVerifyPeer();
 
        final String clientCertsFileName = connectorManager.getConnectorClientCertStore();
        final String clientKeystorePwdStr = connectorManager.getConnectorClientCertStorePassword();
        final char[] clientKeystorePwd = config.getCryptoService().decrypt(null, clientKeystorePwdStr);
        final String clientKeystoreType = connectorManager.getConnectorClientCertStoreType();
 
        final String caKeystoreFileName;
        final char[] caKeystorePwd;
        final String caKeystoreType = "PKS";
 
        if (sslVerifyPeer) {
            caKeystorePwd = connectorManager.getLdapsCertificatePassword().toCharArray();  
            caKeystoreFileName = connectorManager.getLdapsCertificateFile();          
        }
          
        // Use the information about certificates to setup SSL depending on SOAP library
    }
}
 
 
/**
 * Add config to custom connector's connector.xml telling it to use a custom config 
 * object that extends the standard one MetaConnectorConfig.
 
 <pre>       
     <property name="defaultConnectorConfig">
         <bean class="com.ca.jcs.spt.CustomMetaConnectorConfig">
             <property name="cryptoService">
                 <ref bean="cryptoService"/>
             </property>
             <!-- other config -->
         </bean>
    </property>
 </pre>
 
 * CryptoService is configured in the JCS server_jcs.xml file.  It can be used by any of the connectors to
 *  decrypt information such as passwords for keystores.  Her a custom configuration object is created to
 *  provide a reference to crypto service.  When configured correctly the custom config object is passed into
 *  the constructor of the Connector.
 *  cf server_jcs.xml file line:
 *   <bean id="cryptoService" class="com.ca.jcs.crypto.legacy.LegacyCryptoService" init-method="activate"/>
 */
public class CustomMetaConnectorConfig extends MetaConnectorConfig
{
    private CryptoService cryptoService;
    public CryptoService getCryptoService()
    {
        return cryptoService;
    }
 
    public void setCryptoService(CryptoService cryptoService)
    {
        this.cryptoService = cryptoService;
    }
}