Creating a Secure Web Service
This cookbook entry describes changes to client and server configurations needed to secure communications using OpenSSL calls.
The sample web service used builds off the insurance example. Simple web services are found in
Getting Started: Web services in 1 Hour. The basic structure of these examples is to create and deploy a web service in separate server and client images on a single machine and to invoke operations from the client image.
This cook book entry was originally tested on a web service using RPC literal encoding and exchanging complex data types. The operation ratePolicy was used to invoke the service for policy number 29467810.
If you first make an unsecure web service request, you will need to close the Smalltalk client and server images before you make the changes to make a secure one using OpenSSL. The security files used are the ones shipped with VAST Platform. The changes involved to the web service take place in the WSDL and in the transport layer configuration. A custom transport configuration is created and registered to enable secure communications.
Modifications for Security
Security Files
These are shipped with version 12.0.0 in the <varoot>/samples/ssl directory. They should be copied to the director(ies) in which the client and server Smalltalk images are started.
•ssl/vast_ca.pem
•ssl/vast_client.pem
•ssl/vast_client_key.pem
•ssl/vast_server.pem
•ssl/vast_server_key.pem
vast_ca.pem is the certificate authorization file. The certificates are found in vast_client.pem and vast_ server.pem. Each certificate contains a public key. The private keys are found in vast_client_key.pem and vast_server _key.pem.
Modification to WSDL
The high level concrete definition of the web service implementation is in ‘SstWSInsurancePolicyInterface.wsdl’. The URL of the web service is changed from ‘http:’ to ‘https:’ in order to make it secure.
Modify ‘SstWSInsurancePolicyInterface.wsdl’ and change the location URL from http to https.
<port name="SstWSInsurancePolicyInterfacePort" binding="vastif:SstWSInsurancePolicyInterfaceBinding">
<soap:address location="https://vasthost:7374/SstWSServlet"/>
</port>
This is one change which is necessary for passing secure data between client and server.
Modifications to the Transport Layer
Server
The changes to the server concern modifying the default configuration of the server transport configuration and registering that modified configuration. The following sub expression in the above Smalltalk expression answers the currently registered server configuration.
config := SstHttpsCommunications serverTransportConfiguration.
The following code should be placed in the server workspace after the container startup and before the service is deployed.
"Configuration for SSL"
config := SstHttpsCommunications serverTransportConfiguration.
(config securityConfiguration)
certificateFilename: 'vast_server.pem';
privateKeyFilename: 'vast_server_key.pem';
verify: SciSslConstants::SSL_VERIFY_PEER |
SciSslConstants ::SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
verifyDepth: 1;
caPath: ' ';
caFile: 'vast_ca.pem'.
SstTransport
register: config
mutuallyReachableBy: (Set
with: config transportIdentifier
with: SstHttpsCommunications lightTransportConfiguration transportIdentifier).
The security configuration shown is fully configured for authentication and with a private key. For more information on the variations in the use of SSL to secure http connections, see
Securing Applications with SSL.
The following sub expression registers the configuration once the security configuration has been specified.
SstTransport
register: config
mutuallyReachableBy: (Set
with: config transportIdentifier
with: SstHttpsCommunications lightTransportConfiguration transportIdentifier).
The entire workspace then looks like this
Server Workspace Code
[
| aContainer aServiceCollection aService |
SstWSContainer clearAll.
SciSslSocketConfiguration clearRegistry.
aContainer := SstWSContainer
createContainerNamed: SciSocketManager default getHostName
using:(SstWSContainerConfiguration defaultConfiguration).
aContainer startUp.
"Configuration for SSL"
config := SstHttpsCommunications serverTransportConfiguration.
(config securityConfiguration)
certificateFilename: 'vast_server.pem';
privateKeyFilename: 'vast_server_key.pem';
verify: SciSslConstants::SSL_VERIFY_PEER |
SciSslConstants ::SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
verifyDepth: 1;
caPath: ' ';
caFile: 'vast_ca.pem'.
SstTransport
register: config
mutuallyReachableBy: (Set
with: config transportIdentifier
with: SstHttpsCommunications lightTransportConfiguration transportIdentifier).
aServiceCollection := aContainer deploy:
(AbtXmlConfiguration current defaultResourceQualifier),
'SstWSInsurancePolicyInterface.xml'.
aServiceCollection first inspect
] fork
Client
The configuration of the client transport must be modified to coordinate with the server. The transport layer, SstTransport maintains a registry of configurations. The ‘httpsl’ entry is the default for the client web services transport layer.
SstTransport configurationForIdentifier: 'httpsl'.
Inspecting this expression will reveal that the certificate is defaulted to ‘cert.pem’ and the private key to ‘key.pem.
This configuration must be modified to match the way the web service was deployed in the server image. The Smalltalk expression below shows how to modify configurations for the client to exchange data securely with the server. These changes are placed after the container startup and before the service is deployed
"Configuration for SSL"
config := (SstTransport configurationForIdentifier: 'httpsl') securityConfiguration.
config
certificateFilename: 'vast_client.pem';
privateKeyFilename: 'vast_client_key.pem';
verify: SciSslConstants::SSL_VERIFY_PEER |
SciSslConstants ::SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
verifyDepth: 1;
caPath: ' ';
caFile: 'vast_ca.pem'.
The security configuration shown is fully configured for authentication and with a private key. For more information on the variations in the use of SSL to secure http connections, see
Securing Applications with SSL.
The entire workspace then looks like this
Client Workspace Code
| aContainer aServiceCollection aService config |
[
SstWSContainer clearAll.
SciSslSocketConfiguration clearRegistry.
aContainer := SstWSContainer createContainerNamed: 'ClientContainer'
using: (SstWSContainerConfiguration defaultConfiguration).
aContainer startUp.
config := (SstTransport configurationForIdentifier: 'httpsl') securityConfiguration.
config
certificateFilename: 'vast_client.pem';
privateKeyFilename: 'vast_client_key.pem';
verify: SciSslConstants::SSL_VERIFY_PEER |
SciSslConstants ::SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
verifyDepth: 1;
caPath: ' ';
caFile: 'vast_ca.pem'.
aServiceCollection := aContainer deploy:
(AbtXmlConfiguration current defaultResourceQualifier),
'SstWSInsurancePolicyClientInterface.xml'.
aService := aServiceCollection first.
aService about inspect.
" (aService invoke: 'about' withArguments: #( )) inspect."
" (aService ratePolicy: '29467810') inspect."
" (aService invoke: 'ratePolicy' withArguments: #( '29467810' )) inspect."
"These operations require complex types beyond the scope of this example."
" aService getAllPolicies inspect. "
" (aService invoke: 'getInfoForPolicy' withArguments: #( '29467810' )) inspect."
" (aService invoke: 'updatePolicy' withArguments: #( '29467810' )) inspect." "error"
aContainer
] fork.
Deploying the Web Service
Invoking the Web Service
To invoke the service, first deploy the service in the client image using the
modified client workspace, then in the resulting web service inspector, invoke the server with one of the operations (commented out in the workspace.) For instance
(self invoke: 'ratePolicy' withArguments: #( '29467810' )) inspect.
will open an inspector on the rate for the policy 29467810. Depending on the web service with which you started, the value will be a string or a float.
Summary
The steps involved in securing a web service are
• Copy the security files that are shipped with VAST Platform to the directory or directories in which the client and server images will be started;
• Alter the web service implementation description WSDL file to reflect a secure location for the SstWSServlet;
• In the server image, register a secure HTTP configuration for the server with the desired certificates and verification flags and deploy the service;
• In the client image, deploy the web service with the client security configuration for 'httpsl'. (The default client transport for https is ‘httpsl’.).