I have built a jax-ws web service client using the jaxws-maven-plugin. It is failing when I use it from a Glassfish 7.0.25 server with Java 21.
I'm calling a SAP server which only validates the client certificate in the SSL handshake if one is supplied by the client. If a client certificate is not supplied then SAP allows the connection.
SAP returns a CertificateRequest message during the SSL handshake, with a list of trusted certificate authorities.
Unfortunately, Glassfish sends its self-signed certificate, which isn't signed by one of these authorities and isn't trusted, and SAP abandons the handshake. I would like it not to supply a client certificate.
As part of the investigation into the problem, I wrote a web service client using jakarta.xml.soap.SOAPMessage and java.net.http.HttpClient. When I run it from the same Glassfish server, it returns 'No X.509 certificate for client authentication, use empty Certificate message instead', and the handshake is successful.
Does anyone know if it is possible to configure jax-ws to not to return a client certificate during the ssl handshake?
JAX-WS is sending a client cert because GlassFish gives it a default SSLContext that contains that self-signed cert. If a server asks for a cert, JAX-WS just sends whatever it has..
I recommand that you give the port an SSLContext with no KeyManagers, so it has nothing to send
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(new KeyManager[0], null, null);
((BindingProvider) port).getRequestContext().put(
"com.sun.xml.ws.transport.https.client.SSLSocketFactory",
ctx.getSocketFactory()
);
This forces an empty Certificate message and SAP stops complaining...
No magic JAX-WS flag exists.