The configuration is done via an SSLContext
, which is effectively a factory for the SSLSocketFactory
(or SSLEngine
). By default, this will be configured from the javax.net.ssl.*
properties. In addition, when a server requests a certificate, it sends a TLS/SSL CertificateRequest
message that contains a list of CA's distinguished names that it's willing to accept. Although this list is strictly speaking only indicative (i.e. servers could accept certs from issuers not in the list or could refuse valid certs from CAs in the list), it usually works this way.
By default, the certificate chooser in the X509KeyManager
configured within the SSLContext
(again you normally don't have to worry about it), will pick one of the certificates that has been issued by one in the list (or can be chained to an issuer there).
That list is the issuers
parameter in X509KeyManager.chooseClientAlias
(the alias
is the alias name for the cert you want to picked, as referred to within the keystore). If you have multiple candidates, you can also use the socket
parameter, which will get you the peer's IP address if that helps making a choice.
If this helps, you may find using jSSLutils (and its wrapper) for the configuration of your SSLContext
(these are mainly helper classes to build SSLContext
s). (Note that this example is for choosing the server-side alias, but it can be adapted, the source code is available.)
Once you've done this, you should look for the documentation regarding the axis.socketSecureFactory
system property in Axis (and SecureSocketFactory
). If you look at the Axis source code, it shouldn't be too difficult to build a org.apache.axis.components.net.SunJSSESocketFactory
that's initialized from the SSLContext
of your choice (see this question).
Just realized you were talking about Axis2, where the SecureSocketFactory
seems to have disappeared. You might be able to find a workaround using the default SSLContext
, but this will affect your entire application (which isn't great). If you use a X509KeyManagerWrapper of jSSLutils, you might be able to use the default X509KeyManager
and treat only certain hosts as an exception. (This is not an ideal situation, I'm not sure how to use a custom SSLContext
/SSLSocketFactory
in Axis 2.)
Alternatively, according to this Axis 2 document, it looks like Axis 2 uses Apache HTTP Client 3.x:
If you want to perform SSL client
authentication (2-way SSL), you may
use the Protocol.registerProtocol
feature of HttpClient. You can
overwrite the "https" protocol, or use
a different protocol for your SSL
client authentication communications
if you don't want to mess with regular
https. Find more information at
http://jakarta.apache.org/commons/httpclient/sslguide.html
In this case, the SslContextedSecureProtocolSocketFactory
should help you configure an SSLContext
.