Secure Global Desktop 4.40 Administration Guide > Security > Securing the SOAP Connections to an SGD Server

Securing the SOAP Connections to an SGD Server

Client applications, such as the webtop, use the SOAP protocol (over HTTP) to access the web services provided by an SGD server. Use HTTPS to secure the SOAP connections in the following circumstances:

You use SGD with the HTTPS port through a firewall (firewall forwarding)
You relocate the webtop to a different JavaServer Pages (JSP) container on a different host
You develop your own applications, using the SGD com.tarantella.tta.webservices.client.views package, either on the same host as SGD or on a different host

Note If you develop your own client using a different programming language, you need to develop your own methods for securing the SOAP connections. This page gives the general principles you need to implement.

Configuring the Client Application to Use HTTPS and Trust SGD Server Certificates

To secure the SOAP connections, the client application must be configured to use HTTPS and to trust the X.509 certificates for any SGD servers it connects to. Follow these steps:

Log in as superuser (root) on the SGD host.
Add the X.509 certificates to the certificate store.
You install server certificates with the keytool application, see the Java 2 SDK Tools and Utilities documentation for details.

You store the certificates in the certificate store for the Java 2 Runtime Environment (JRE) used by the SGD server, /opt/tarantella/bin/jre/lib/security/cacerts.

You must add the X.509 certificate for each SGD server in the array. The certificate for each server is stored in /opt/tarantella/var/tsp/cert.pem.

Use the following command:
```
# /opt/tarantella/bin/jre/bin/keytool -import \
  -file /opt/tarantella/var/tsp/cert.pem \
  -keystore /opt/tarantella/bin/jre/lib/security/cacerts \ 
  -storepass changeit \
  -alias hostname
```
Change to the webapps/sgd/WEB-INF/classes/com/tarantella/tta/webservices/client/apis directory.
Edit the Resources.properties file.
For each of the web services listed in the properties file, change the URL to an HTTPS URL.
- The URLs have the format http://server:port/service. The default is http://localhost:80/service.
- Use localhost for the server if the client application (for example the webtop) is on the same host as SGD. Otherwise, use the fully qualified DNS name of an SGD server.
- The port is the port that the SGD Web Server listens on.
- You can only specify one URL for each web service, for example, https://boston.indigo-insurance.com:443/axis/services/rpc/print.
Save the changes to the Resources.properties file.
Restart the web server and JSP container.
If you are using the SGD Web Server, use the following command:
```
# tarantella webserver restart --ssl
```
If you are using your own JSP container or web server, you must restart your JSP container after making any changes to the Resources.properties file. You must also make sure the web server is configured to accept HTTPS connections and restart it.
Repeat these steps on each SGD server in the array.

Remote Hosts

If you relocate the SGD webtop to another host, or if you have developed your own applications on another host using the com.tarantella.tta.webservices.client.views package, you must edit both the relocated Resources.properties file and the one on the SGD server. How you do this is described in the following sections.

Web Services URLs

In the relocated Resources.properties file, the URLs must be for the SGD server the client application connects to, for example https://boston.indigo-insurance.com:443/axis/services/rpc/print.

In the Resources.properties file on the SGD host, amend the URLs to https://localhost:443.

Keystores

You have to create two keystores as follows:

One for the HTTPS connections from the client application (webtop) to the SGD server
One for the HTTPS connections from the SGD server to the remote host. This is used to send events from the server

For the HTTPS connections to the SGD server, you must create your own keystore on the remote host, using your own JDK. This keystore must contain the SGD server certificate. Add the details of this keystore to the relocated Resources.properties file, by adding the following lines:

keystore=keystore
keystorepass=password

For the HTTPS connections from the SGD server to the remote host, you must install the root certificate (the CA certificate used to sign the certificate) for the remote host into the keystore (the cacerts file) for the JRE used by the SGD server. You do this using the keytool application as follows:

# /opt/tarantella/bin/jre/bin/keytool -import \
-keystore /opt/tarantella/bin/jre/lib/security/cacerts \ 
-storepass changeit \
-file certificate_path \
-alias remote_hostname

Related Topics
Relocating the Webtop to Your Own JSP Container Using SGD With Firewalls Introducing SGD Security Services