Sometime in a project you end-up using a constellation of applications not many peoples are using at the same time. This is my case in the project I am actually working on. My project is a Java client that consumes a SOAP web service (CISCO AXL) through the Axis2 toolkit. I am developing in the Eclipse (Juno) Java IDE. The service is hosted on a server that can only be accessed using an SSL (https) connection. To add to the challenge, for most of our customers, the server certificate is issued by a non trusted CA.
When you say SOAP web service, you think Fiddler. It is almost impossible to get it done without seeing what is sent and received over the wire. This is where the fun begins. Having all these pieces working together took me several hours to figure out so, here is the solution I came with, hoping this will help someone crying in the dark out there.
WARNING: This is serious stuff. We are playing with certificate authorities and screwing up the chain of trust. DON’T DO THIS ON A PRODUCTION COMPUTER. This is intended for development environment only.
Ok … the disclaimer stuff being done, the first step is to make it work with your browser. You want to get rid of the warning messages blocking you from accessing the web service port because of the bad server certificate. To do this, you must add the server certificate CA to your Trusted Root Certificate Authorities. When you hit the web page, the browser allows you to view ans save the server certificate. Save it in the .cer format and start your Certificate Manager. In Windows this is an mmc plugin. From there you can import the CA certificate to your computer Trusted Rood Certificate Authorities store. You should now be able to navigate to the web service port using your browser. This allows you to access the service WSDL and generate your proxy using WSDL2Java.
Your next problem will show up when running your app using that brand new proxy. Even if the server certificate is now trusted by your computer, the Java JRE have it’s own trusted certificates key store and will block access to this server. You will have to add this server certificate to the JRE certificate store by following these instructions …
- Go to the JRE’s security folder at $JAVA_HOME/jre/lib/security
- To list the trusted certificates issue following command: keytool -list -keystore cacerts
- To add a certificate in this list: keytool -import -keystore cacerts -file C:\certnew.cer
- Enter “Y” to confirm …
- The default password for cacerts is changeit
At this point you should be able to run your Java client using the proxy code generated by the Axis2/WSDL2Java generator.
Ok … that was fairly common stuff. Now, let’s say you want to see what your application is sending to the server over the wire. This is not that easy since everything is encrypted when using an SSL connection (https). I used Fiddler to do the work. Out of the box, Fiddler will catch most of the traffic coming from and to your browsers. To display the content of the messages sent and received by your Java app while debugging in Eclipse, you will need to make a few more tweaks to your project environment.
Fiddler acts as a web proxy so the idea is to configure Fiddler as your proxy when debugging stuff in Eclipse. This is done by adding the following VM arguments to your debug configuration:
These arguments will forward all the standard and SSL http traffic to the Fiddler proxy, Fiddler proxy default port is 8888. You can change in the program options.
Once the traffic is forwarded to the Fiddler proxy, you need a way to see what’s in the message. You can do this by activating the “Decrypt HTTPS traffic” option in the “Tools->Fiddler Options->HTTPS” configuration page. This action will generate a dummy certificate and add it to your trusted root CA. Remember not to do this on a production computer!
In some cases, this will be enough to see the content of the https messages but, in our case, there is one more step to do. Remember the Java trusted CAs store? That’s it, you have to export the new Fiddler certificate and install it in the JRE certificate store.
You can find the Fiddler certificate in your computer certificate store under the name “DO_NOT_TRUST_FiddlerRoot”. Save the certificate in a .cer file and import it to the Java certificate store by following the same instructions as for the server certificate. One last thing. The Fiddler certificate default alias is “mykey” which already exist in the Java certificate store. Use the -alias option of the keytool app to change to a unique name: keytool -import -keystore cacerts -alias myalias123 -file C:\fiddlercert.cer.
You are done. You should now be able to debug your Java/Axis2 client in Eclipse and see, in Fiddler, the content of the SOAP messages sent and received from the server.