Geeks With Blogs
Gerard van der Maaden Everything You Always Wanted to Know About Integration, BizTalk, .Net and more (But Were Afraid to Ask)

SoapUI is one of the best free tools around to test web services. Some time ago I was trying to send a soap message towards a SSL web service that was set up for client certificate authentication. I pretty soon got stuck at the “javax.net.ssl.SSLException: HelloRequest followed by an unexpected handshake message” error, but after reading several posts on the internet I solved that issue. It’s not really that complicated after all, but since I could not find a decent place on the internet that explains this scenario in a proper way, here’s a list of steps that you need to do to make it work.

Note: the following steps are based on a Windows environment

 

Step one:

Export your certificate (the one that you want to use as the client certificate) using the export wizard with the private key and with all certificates in the certification path:

Picture_(Device_Independent_Bitmap)_1

Picture_(Device_Independent_Bitmap)_2

Give it a password (anything you want):

Picture_(Device_Independent_Bitmap)_3

And export it as a PFX file to a location somewhere on disk:

Picture_(Device_Independent_Bitmap)_4

Step two:

Install the newest version of SOAP UI (currently it is 3.6.1)

Open the file C:\Program Files\eviware\soapUI-3.6.1\bin\ soapUI-3.6.1.vmoptions and add this line at the bottom:

-Dsun.security.ssl.allowUnsafeRenegotiation=true

Picture_(Device_Independent_Bitmap)_5

This is needed because of a JAVA security feature in their newest frameworks (For further reading about this issue, read this: http://www.soapui.org/forum/viewtopic.php?t=4089 and this: http://java.sun.com/javase/javaseforbusiness/docs/TLSReadme.html).

 

Open SOAPUI and go to preferences>SSL Settings and configure your certificate in the keystore (use the same password as in step one):

Picture_(Device_Independent_Bitmap)_6

That should be it. Just create a new project and import the WSDL from the client authenticated SSL webservice:

Picture_(Device_Independent_Bitmap)_7

And now you should be able to send soap messages with client certificate authentication.

The above steps worked for me, but please drop a note if it does not work for you.

Posted on Thursday, February 24, 2011 12:35 PM | Back to top


Comments on this post: How to configure SoapUI with client certificate authentication

# re: How to Install Soap UI
Requesting Gravatar...
i am new to testing and heard about this software a lot so thought of testing it by using it can you kindly tell how can i install it , because i have already downloaded it 3.6.1 version in zip format but i cant find any installer ? can you help please ?
Left by Shahrukh Ali Khan on May 25, 2011 11:22 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
I suppose this should be the link: http://sourceforge.net/projects/soapui/files/
From there you can download the installer.
Left by Gerard van der Maaden on May 26, 2011 11:16 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
This worked for me. I was having the exact problem. Thanks a million!
Left by Brian on Jul 08, 2011 5:12 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Even i have same problem. But thing is i dont know how to "Export your certificate" . Can you please let me how to use P12 key in your SOAP UI
Left by Jaya on Jul 12, 2011 12:17 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
@Jaya: for any Windows based system I suppose you could do that via the Certificates snap-ip in MMC, or via Internet Explorer ("Internet Options", "Content" tab and then "Certificates" button). See http://www.tech-pro.net/export-to-pfx.html or http://www.pentaware.com/pw/how_to_export_a_pfx_file_from_your_browser.htm
Left by Gerard van der Maaden on Jul 12, 2011 7:57 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Hi,
Any inputs on how to configure the soap-ui to work in a 2 way authentication mode?

Thanks,
Srinath K
Left by Srinath on Jul 15, 2011 5:38 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
@Srinath: Well, my post here above basically explains the client certificate part of the two way authentication mode.
For the server certificate part you really don't need to do much (provided that the server certificate is valid).
Are you facing a particular difficulty?
Left by Gerard on Jul 16, 2011 3:21 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Hi,

Please my issue is with browser. I downloaded SoapUI 4 and hit a road block during recording the test script. The URL beings up the application but I get a warning from the application that it must be IE7 or higher. Locally I have IE8 installed on the machine and I cannot change the browser requirement for the Application Under Test.
Is there a way to update a settings in SoapUI to recognize or have it use same version on my local: IE8?

I hope my question makes sense. I am new to the tool/QA.

Thanks
Elo
Left by Elo on Jul 20, 2011 6:28 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Hello and thank you for the client authentication tips. Worked for me and saved me some time.

regards,

Adil Tata
Left by Adil Tata on Oct 25, 2011 7:54 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
It worked beautifully. Thanks for sharing.
Left by raju on Nov 29, 2011 2:07 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
hi
got the wsdl file and try to run the wsdl in soap ui and the response get the following error:
<faultString>Error authenticating</faultString>
Left by santosh on Dec 09, 2011 10:35 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Thankas Ton it worked for me but the only thing is after applying the SSL settings we had to close SOAP UI and reopen!!
Left by Druv on Dec 23, 2011 3:33 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Can you plz tell me how should i configure my soap UI for server side authentication?? I am working on a project where we have web service hosts and that require server side authenticatin?
Left by Kabeer Khan on Jan 10, 2012 7:19 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
No, i want to authenticate my server? with server's certificate and its key...
Left by Kabeer on Jan 12, 2012 8:00 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Hi,

Thanks for the steps, i have done same configuration and when i sending a request from mock test, i get a response as socketexpection: socket closed.

I am using server and client in same soap ui project, the url i am using is https:\\localhost:8088 where i have configured the ssl to the port 8088

Please help.
Left by Nagaveni G on Feb 14, 2012 9:31 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
I'm trying to test a wcf service with ssl + client certificate. But I can not export Private Key of the client certificate. Is there any other option you can suggest? Thanks
Left by Ozgur Akdemirci on May 18, 2012 9:20 AM

# Is there any configurable where we can force soapui to use our trusted CA cert to verify?
Requesting Gravatar...
Please suggest..!!
Left by rajdeep on Jun 12, 2012 6:48 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
I am trying to make a webservice call using SOAPUI.The webservice host gave us a *.pfx file(contains the private key and it's public key) and a *.cer file(server trust certificate .. I believe). When I used this *.pfx file in the SSL setting, it still gives me the same error that I used to get. Previously, I had converted this pfx file to a JKS file and applied to the outgoing WS-security configurations SOAP request.
Error from server:
<faultstring xml:lang="en-US">An error occurred when verifying security for the message.</faultstring>.
It will be great if you can suggest me how to use this *.pfx and *.cer file provided by the external party.
Left by Gus on Aug 02, 2012 1:11 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Just wanted to add that I need to pass the certificate information in the header as part of the authentication process. Here is the config file information of a .Net tool that works.
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate" algorithmSuite="Default" />
</security>
Left by Gus on Aug 02, 2012 1:16 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
I have been given two .cer files as certificate file.. Through the above method (I tried using mmc) to export to .PFX, the options and radio button remains disabled while exporting. So there is no way I can export to .PFX format.
Is there any other option. please suggest.
Left by Deepak on Aug 20, 2012 8:30 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Hi Deepak, probably those CER files do not contain any private keys?
Left by Gerard on Aug 20, 2012 9:00 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Thanks Gerard.

Server owners for our systems say that I should generate the private keys (on my local keystore) and provide the same keys to administrators to be imported on servers.

I am a bit confused, as how to proceed on this or if that is possible at all.

Thanks,
Deepak
Left by Deepak on Aug 20, 2012 10:11 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Hi Deepak, it seems that you need to create your own private keys here.
Please look at this link where you can create your own test certificate:
http://msdn.microsoft.com/en-us/library/ff699202.aspx

regards Gerard
Left by Gerard on Aug 20, 2012 10:39 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
here's another link with some stuff about creating certificates (thanks Bernard!):
http://stackoverflow.com/questions/4116639/creating-a-key-and-signing-executable-with-signtool
Left by Gerard on Aug 20, 2012 10:44 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Thanks Gerard .

This helps a lot, the private keys(generated on client) were given to server owners. It should work now !!
Left by Deepak on Aug 21, 2012 4:58 AM

# re: How to configure SoapUI for SSL communication
Requesting Gravatar...
Hi,

I am very new to SSL, but i need to test if i can invoke a https webservice using soap ui. When i fetch the wsdl from the browser, I am also able to download all hte client certificates. But these certificates do not have private key.

Can someone please help me to configure this in Soap UI?
Left by Murali on Aug 23, 2012 10:46 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Murali, you would not be able to download the private key. You need to generate it yourself or obtain it from the webservice admin.

regards Gerard
Left by Gerard on Aug 23, 2012 11:28 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
I would like to thanks you a lot Gerard. I had the same experience, a lot of time spent on exceptions of java clients while mozilla and chrome are doing fine. Thanks for the set up info for SoapUI. It works for 4.5.1 as well. For the RESTclient test tool I found the following tool very useful. In case someone might need it!
https://plus.google.com/104025798250320128549
Left by Ender Akay on Nov 21, 2012 4:59 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Hi,

I have to export the certificate using my IE browser. However, wheni navigate to Tools -> Internet Options -> Certificates . I do not find any certificate name under personal tab.??

Who will provide me the certificates and how can i see them?
Left by Arvind on Nov 22, 2012 2:30 PM

# What about server certificate authentication ?
Requesting Gravatar...
Hi,

Thanks a lot for these explanations for client authentication, it has been really helpful.

I am still facing a problem yet: I need to do both client AND server authentication and I can't find a way to do server authentication.

From here: http://www.soapui.org/Service-Mocking/securing-mockservices-with-ssl.html, do I have to put my server keystore in the other fields from the SSL preferences' window?
I don't really understand what mock services are and whether this link is my solution or not.

I would be very grateful if you could help me,

Thanks
Left by Kerhael on Apr 29, 2013 4:31 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Hi Kerhael, creating a mock service would not be necessary, since I assume your goal is to send a message yourself (as a client) and not to behave as a service.
I dont think that you should worry at all about server certificates, as long as the server certificate has a valid chain (well formed, valid, correctly signed and trustworthy). Apart from that I think that SOAPUI does not perform any server certificate validation (see link: http://www.soapui.org/forum/viewtopic.php?f=2&t=1699 )

Hope this helps.

regards Gerard
Left by Gerard on May 01, 2013 2:53 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Hi Gerard,

Thanks for your answer.
What I wanted to do is check with SoapUI what the browser usually checks: the site's name is OK in the certificate, the certificate has been signed by a correct certificate authority and the certificate's expiration date is still valid.

I had seen the messages in the link you gave me and since those had been written in 2009, I had hoped SoapUI had made some changes now.
Too bad they had not.

Anyway, thank you very much for your time and help :-) !

Regards
Left by Kerhael on May 02, 2013 10:08 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Excellent Post. Also visit http://whiteboxqa.com/selenium.
Left by mahender on Jul 09, 2013 8:12 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
I only got the public key and CA signed certificate to authenticate the webService I'm going to call from SOAP_UI.

My question is I do not have the private key, and as suggested in comments I need to create my own private key and share with the Admin to install on the server to where I'm calling.
But those Admins are not ready to install my private key..how to proceed on this
Left by Rama on Jul 25, 2013 9:43 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Hi Rama, I suppose you could create your own CSR (ceritificate signing request), so that those admins can sign it by a CA.

here is a link that can help you: http://security.stackexchange.com/questions/23903/how-to-distribute-client-certificates-without-exposing-private-key

regards Gerard
Left by Gerard on Jul 26, 2013 12:18 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Hi Gerard,

First of all, thank you very much for your guide, it is really useful.

I have configured all these steps but my problem is that apart from the SSL session, I should send the certificate in the soap message but without a signature. The certificate must not be signed.

I can not find any information about that.

Any ideas?

Thaks a lot
Left by Iciar on Oct 02, 2013 2:13 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
I too faced the same error. I tried sending the certificate file in the form of .pfx file with the request using various versions of SoapUI from version 4 to 6 using the Apply WS-Security given in http://www.soapui.org/SOAP-and-WSDL/applying-ws-security.html but today I tried with version 3.6.1 using the step mentioned here and it worked. Thanks a lot.

I think the new versions are missing this feature.
Left by Sumit Gupta on Oct 03, 2013 10:01 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
I am running named based virtual hosts on apache with 2 Way SSL. I am able to connect via soapui when I don't run named based virtual hosts so I know that my keystore and CA set up is correct.

Non-default virtual host with SSLVerify set to 'require' and VirtualHost-specific CA certificate list is only available to clients with TLS server name indication (SNI) support

Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support

I see that I am coming in with TLS but I cannot get SoapUI to connect. Any ideas? I tried different version of SOAPUI with the posting above and it still doesn't work.
Left by Eric on Dec 27, 2013 3:57 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Thank you. It helped me a lot.

I exported the certificate through firefox. And I exported it as a .cer file. It worked.
Left by Elif on Jan 24, 2014 3:52 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Thank You!!!..This article was pretty helpful as i was struggling with Hand shale error. Cheers
Left by Rads on Feb 04, 2014 10:48 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Hi guys,

I have tried as suggested above but getting "An error occurred when verifying security for the message" continuasly,can anybody help me out here.
Left by kausik on Apr 30, 2014 5:37 PM

# Error communicating with WCF service
Requesting Gravatar...
Hi guys,

I too get the same error "An error occurred when verifying security for the message"

Also I need to use Secret Key sent by STS to sign. I am not able to do that in SOAPUI. Can anybody help.
Left by Hari on May 29, 2014 4:49 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...

Hi,

I too get the same error "
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate"
Left by Célia on Jun 05, 2014 10:54 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
I have following configuration as wshttpbinding for https specific port.

<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate" algorithmSuite="Default" />
</security>

and custom client certificate authentication for validating certificate request using soapUI i am getting error (BadContextToken) any help?
Left by Darshan on Sep 16, 2014 12:40 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
I cannot export the certificate as the private key has been marked as non exportable. I have been giver a jks and a p12 file, using these directly with version 5 of SoapUI does not work. Getting a handshake_failure when I try to hit the service.
Left by Ivan on Nov 20, 2014 1:16 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
This don't work in 5.1.3, handshake_failure, peer don't send certificate.
Left by Oscar Laverde on May 21, 2015 10:59 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Hi,

I followed all the steps described on this entry, but it seems there is something else missing, Probably some specific configuration for the projet...I have tried several ways but it still doesnt work. Do you maybe have some more information about this?
Left by Fernando on Jul 17, 2015 3:25 PM

# re: How to configure SoapUI with client certificate authentication using .cer certificate without key
Requesting Gravatar...
Hi,

I tried following all above steps from Setp:2 as i was already provided with a certificate with .cer extension. I am testing a REST service through SOAPUI 5.0.0 and have imported certificate under preferences in SSL settings. But when i invoke my service i got error no certificate found. My REST services is going through an OAG layer.
Please could you help me on this issue.

Thanks
Left by arpita on Jul 20, 2015 8:06 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Thanks for the post, I needed that.
Funny that I found you post, brings back memories about IP and Biztalk projects :-)
Left by Giel Raijmakers on Oct 09, 2015 8:50 AM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Thanks for the post- it worked.
Left by Chuck Hixon on Jan 15, 2016 9:40 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Hi,
I have configured Saop ui as per your post but i am getting Error in Response header #status# HTTP/1.1 500 Internal Server Error

<s:Subcode>
<s:Value xmlns:a="http://schemas.xmlsoap.org/ws/2005/02/sc">a:BadContextToken</s:Value>
</s:Subcode>
</s:Code>
<s:Reason>
<s:Text xml:lang="en-US">The message could not be processed. This is most likely because the action 'http://tempuri.org/IService1/GetData' is incorrect or because the message contains an invalid or expired security context token or because there is a mismatch between bindings. The security context token would be invalid if the service aborted the channel due to inactivity. To prevent the service from aborting idle sessions prematurely increase the Receive timeout on the service endpoint's binding.</s:Text>
</s:Reason>

I have the WCF simple service with WShttpbinding and my web config :
<bindings>
<wsHttpBinding>
<binding name="basicbinding" >
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Windows" />
<message negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>

It works find with httpbasicbinding but we want with wshttpbinding to be worked with soap ui .

Kindly help me on this .
Left by Mani on May 03, 2016 8:10 AM

# soapui
Requesting Gravatar...
hi,
we provide online training and videos tutorials for soapui
for free videos refer the link below
http://soapui-tutorial.com/soapui-tutorial/introduction-to-webservices/
Left by sejal on Jul 04, 2016 12:09 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
I setup soapUI with above steps but still I am getting below error

"IST 2016:ERROR:javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown"
although I have imported my certificate.

is there could be any other reason ? my soapUI version is 5.2.0

Left by Alok Shukla on Dec 28, 2016 1:04 PM

# re: How to configure SoapUI with client certificate authentication
Requesting Gravatar...
Worked absolutely fine with SOUPUI 4.5.1
Left by Umair on Sep 05, 2017 10:40 AM

Your comment:
 (will show your gravatar)


Copyright © gvdmaaden | Powered by: GeeksWithBlogs.net