Secure Global Desktop Administration Guide > Security > Securing the SOAP connections to a Secure Global Desktop server

Securing the SOAP connections to a Secure Global Desktop server

Client applications, such as the browser-based webtop, use the SOAP protocol (over HTTP) to access the web services provided by a Secure Global Desktop server. We recommend you use HTTPS to secure these SOAP connections if you:

• Use Secure Global Desktop with the HTTPS port through a firewall (firewall forwarding).
• Relocate the browser-based webtop to a different JavaServer Pages (JSP) container on a different host.
• Develop your own applications, using the Secure Global Desktop com.tarantella.tta.webservices.client.views package, either on the same host as Secure Global Desktop or on a different host.

Note If you develop your own client, for example because you want to use a different programming language, you need to develop your own methods for securing the SOAP connections. This page gives the general principles you need to implement.

To secure the SOAP connections, the client must be configured to use HTTPS and to trust the X.509 certificates for any Secure Global Desktop servers it connects to. Follow these steps:

1. Create a keystore and install the X.509 certificates for any Secure Global Desktop servers the client will connect to.
   • A keystore is a password protected database containing X.509 certificates.
   • The client application will only allow secure connections to a server if that server's certificate is in the keystore.
   • You create a keystore with the Java™ keytool application, using the following command:

     /opt/tarantella/bin/jre/bin/keytool -import -keystore keystore_path -file certificate_path

   • The command automatically prompts for a password for the keystore.
   • The X.509 certificate for a Secure Global Desktop server can be found in /opt/tarantella/var/tsp/cert.pem.
   • We recommend that the keystore is kept within the Secure Global Desktop installation directory.
2. Change to the webapps/sgd/WEB-INF/classes/com/tarantella/tta/webservices/client/apis directory.
3. Edit the Resources.properties file.
4. For each of the web services listed in the properties file, change the URL to an HTTPS URL.
   • The URLs have the format http://server:port/service (the default is http://localhost:80/service).
   • Use localhost for the server if the webtop/application is on the same host as Secure Global Desktop. Otherwise, use the fully qualified DNS name of a Secure Global Desktop server.
   • The port is the port that the Secure Global Desktop Web Server listens on.
   • You can only specify one URL for each web service, for example, https://boston.indigo-insurance.com:443/axis/services/rpc/print.
5. Add the details of the keystore you created in step 1 to the Resources.properties file:
   • Insert the following lines:

     keystore=keystore
     keystorepass=password

     where keystore is the path to the keystore and password is the password for the keystore.
6. Save the changes to the Resources.properties file.
7. Restart the web server and JSP container.
   • If you are using the Secure Global Desktop Web Server, use tarantella webserver restart --ssl.
   • If you are using your own JSP container and/or web server, you must restart your JSP container after making any changes to the Resources.properties file. You must also make sure the web server is configured to accept HTTPS connections and restart it.
8. Repeat these steps on each member of the array.

Remote hosts

If you have relocated the browser-based webtop to another host, or if you have developed your own applications on another host using the com.tarantella.tta.webservices.client.views package, you must edit both the relocated Resources.properties file and the one on the Secure Global Desktop server.

Web services URLs

In the relocated Resources.properties file, the URLs must be for the Secure Global Desktop server the client application will connect to, for example https://boston.indigo-insurance.com:443/axis/services/rpc/print.

In the Resources.properties file on the Secure Global Desktop host, amend the URLs to https://localhost:443.

Keystores

You have to create two keystores:

• one for the HTTPS connections from the client application (webtop) to the Secure Global Desktop server
• one for the HTTPS connections from the Secure Global Desktop server to the remote host (this is used to send events from the server)

For the HTTPS connections to the Secure Global Desktop server, you must create a keystore on the remote host, using your own JDK. This keystore must contain the Secure Global Desktop server certificate. Add the details of this keystore to the relocated Resources.properties file.

For the HTTPS connections from the Secure Global Desktop server to the remote host, you must install the root certificate for the remote host into the keystore (the cacerts file) for the JVM used by the Secure Global Desktop server. You do this using the keytool application. We also recommend you use the -alias command to identify the certificate, for example:

/opt/tarantella/bin/jre/bin/keytool -import \
-keystore /opt/tarantella/bin/jre/lib/security/cacerts \ 
-file certificate_path -alias remote_server_name

Note for Java web application developers

If you have developed your own Java web applications and you do not want to include the keystore details in the Resources.properties file, you can pass in this information by setting the following System properties:

keystore path: javax.net.ssl.trustStore
keystore password: javax.net.ssl.keyStorePassword

If you do this, you must not assign any keystore values in the Resources.properties file.

Copyright © 1997-2005 Sun Microsystems, Inc. All rights reserved.