Timofey Khomichuk

Web Service Connector with two-way SSL enabled

In our Java application we use the Web Service Connector framework (WSC) to communicate with Salesforce (https://github.com/forcedotcom/wsc). We successfully connected with one-way authentication (server-only auth). However, we need to implement two-way SSL with mutual authentication enabled, so that our application, as a client to Salesforce, must provide a client certificate for a successful handshake. Could anyone advise how to extend the SSL parameters in WSC required for client authentication on the Salesforce side, like keystore, certificate alias etc.? All needed actions on the Salesforce side are carried out (user permissions, Mutual Authentication feature etc.).
Puneet Mehta
Hi Timofey,
Do you have any specific questions regarding the connection?

This link: https://developer.salesforce.com/page/Making_Authenticated_Web_Service_Callouts_Using_Two-Way_SSL should be your starting point. Please use developer board for any technical question.
Timofey Khomichuk
Hi Puneet,
Thank you for the link. It is a good article; however, it describes the flow from SF to a Java app hosted as a server in Tomcat.
In my case we need to communicate in the opposite direction: our application should be authenticated on Salesforce using a certificate.
We use the mentioned framework for communication with SF:
https://developer.salesforce.com/page/Introduction_to_the_Force.com_Web_Services_Connector
https://github.com/forcedotcom/wsc
The question is: how to configure SSL parameters in the mentioned Web Service Connector framework (keystore, certificate alias, SSL protocol etc.)?
Does this Java framework expose any property setters which allow setting SSL parameters on the client requests?
Or are any changes required in the configuration of the HTTP client embedded in the application container where our application is running (Jetty HttpClient)?
I posted the same question in the Developers forum: https://developer.salesforce.com/forums/ForumsMain?id=9060G000000ICNpQAO
Steven Lawrance
Thanks for asking about that. You'll generally need to set the TransportFactory in the ConnectorConfig object that you use to create the PartnerConnection (or EnterpriseConnection, etc), though another option is to set the Transport.

It's possible to create a Transport implementation that is based off of the com.sforce.ws.transport.JdkHttpTransport class while having the JdkHttpTransport create the connection with its static createConnection method. Your Transport implementation can then set up the SSLSocketFactory (casting the connection to HttpsURLConnection is required to do that), and your SSLSocketFactory can be created from creating an SSLContext that is initialized to include your client certificate.
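Steven's approach above written out as an added example (not WSC's or Salesforce's own code): a Transport that lets JdkHttpTransport.createConnection build the HttpURLConnection and then installs an SSLSocketFactory backed by a keystore holding the client certificate. The keystore path and password are placeholders, and the set of Transport methods is assumed to match the WSC version in use.

```java
import com.sforce.ws.ConnectorConfig;
import com.sforce.ws.transport.*;
import java.io.*;
import java.net.*;
import java.security.*;
import java.util.HashMap;
import javax.net.ssl.*;
public class MutualTlsTransport implements Transport {
    static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray(); // placeholder: read from a secret store
    private static final SSLSocketFactory SOCKET_FACTORY = buildSocketFactory();
    private ConnectorConfig config;
    private HttpURLConnection connection;
    private boolean successful;
    // Register with WSC before building the PartnerConnection or EnterpriseConnection.
    public static void install(ConnectorConfig config) { config.setTransportFactory(MutualTlsTransport::new); }
    // KeyManager holds the client key; null TrustManagers keep the JDK default trust store for the server cert.
    static SSLSocketFactory buildSocketFactory() {
        try (InputStream in = new FileInputStream("/path/to/client.p12")) { // placeholder PKCS12 path
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(in, KEYSTORE_PASSWORD); // a single key entry, so no alias selection is needed
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, KEYSTORE_PASSWORD);
            SSLContext ctx = SSLContext.getInstance("TLSv1.2");
            ctx.init(kmf.getKeyManagers(), null, null);
            return ctx.getSocketFactory();
        } catch (GeneralSecurityException | IOException e) {
            throw new IllegalStateException("client certificate could not be loaded", e);
        }
    }
    @Override public void setConfig(ConnectorConfig config) { this.config = config; }
    @Override public OutputStream connect(String url, String soapAction) throws IOException {
        HashMap<String, String> h = new HashMap<>();
        h.put("SOAPAction", "\"" + (soapAction == null ? "" : soapAction) + "\"");
        h.put("Content-Type", "text/xml; charset=UTF-8");
        h.put("Accept", "text/xml");
        return connect(url, h, false);
    }
    @Override public OutputStream connect(String url, HashMap<String, String> h) throws IOException { return connect(url, h, false); }
    // JdkHttpTransport still builds the connection (proxy, timeouts, headers); compression is off so no gzip wrapping is needed.
    @Override public OutputStream connect(String url, HashMap<String, String> h, boolean gzip) throws IOException {
        connection = JdkHttpTransport.createConnection(config, new URL(url), h, false);
        if (!(connection instanceof HttpsURLConnection)) throw new IOException("mutual TLS needs https: " + url);
        ((HttpsURLConnection) connection).setSSLSocketFactory(SOCKET_FACTORY); // client cert is offered in the handshake
        return connection.getOutputStream();
    }
    @Override public InputStream getContent() throws IOException {
        try { successful = true; return connection.getInputStream(); }
        catch (IOException e) { successful = false; InputStream err = connection.getErrorStream(); if (err == null) throw e; return err; }
    }
    @Override public boolean isSuccessful() { return successful; }
}
```

A failed handshake (wrong key, certificate not registered on the Salesforce side) surfaces as an SSLHandshakeException from getOutputStream, before any SOAP body is sent.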
Timofey Khomichuk
Thanks Steven for the answer. So far we have postponed the delivery of this functionality. We will try your recommendations later and let you know the results.
Pat Patterson
I managed to get Web Service Connector (WSC) working with Mutual Authentication - see my blog entry at http://blog.superpat.com/2018/01/29/salesforce-mutual-authentication-part-2-web-service-connector-wsc/
Steven Lawrance
Thanks, Pat Patterson! That is a great writeup, and it nicely highlights the areas for improvement that Salesforce can focus on to improve the client certificate experience with the Salesforce APIs. I'll share that with the API product managers.