Version 6

    EJB3 over SSL

    This tutorial shows you how to invoke remote EJBs over an SSL connection.


    Setting up SSL for use in EJB3 involves creating a keystore and making sure the correct transport is available in the EJB3 configuration. After that, you only have to use the RemoteBinding annotation with a clientBindUrl to make sure the bean is called through SSL.


    This tutorial assumes you've set up JBoss 4.x with EJB3 support. Make sure the environment variable JBOSS_HOME refers to the installation directory.


    Creating a keystore

    For SSL to work we need to create a public/private key pair, which will be stored in a keystore. Generate this using the keytool -genkey command that comes with the JDK.


       $ cd $JBOSS_HOME/server/default/conf/
       $ keytool -genkey -alias ejb3-ssl -keypass opensource -keystore localhost.keystore
       Enter keystore password:  opensource
       What is your first and last name?
       What is the name of your organizational unit?
       What is the name of your organization?
       What is the name of your City or Locality?
       What is the name of your State or Province?
       What is the two-letter country code for this unit?
       Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
         [no]:  yes


    Since we have not had our certificate signed by any certification authority, we also need to create a truststore for the client, explicitly saying that we trust the certificate we just created. The first step is to export the certificate using the JDK keytool:


       $ keytool -export -alias ejb3-ssl -file mycert.cer -keystore localhost.keystore
       Enter keystore password:  opensource
       Certificate stored in file <mycert.cer>



    Then we need to create the truststore if it does not exist and import the certificate into the truststore:


       $ keytool -import -alias ejb3-ssl -file mycert.cer -keystore localhost.truststore
       Enter keystore password:  opensource
       Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
       Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
       Serial number: 43bff927
       Valid from: Sat Jan 07 18:23:51 CET 2006 until: Fri Apr 07 19:23:51 CEST 2006
       Certificate fingerprints:
                MD5:  CF:DC:71:A8:F4:EA:8F:5A:E9:94:E3:E6:5B:A9:C8:F3
                SHA1: 0E:AD:F3:D6:41:5E:F6:84:9A:D1:54:3D:DE:A9:B2:01:28:F6:7C:26
       Trust this certificate? [no]:  yes
       Certificate was added to keystore 
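
    An added example, not part of the tutorial's sources: answering "yes" to "Trust this certificate?" is only safe if the fingerprint was compared against the server's keystore (keytool -list -v prints it). The check below confirms that the alias in the truststore is a certificate-only entry, that its SHA-256 fingerprint matches the expected value, and that the certificate is inside its validity window. The class name TruststoreCheck and the TRUSTSTORE_PASS environment variable are assumptions; it needs Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Date;

// Added example, not from the tutorial. TruststoreCheck and TRUSTSTORE_PASS are assumed names.
// Usage: TRUSTSTORE_PASS=... java TruststoreCheck localhost.truststore ejb3-ssl <expected SHA-256>
public class TruststoreCheck {

    // Hex SHA-256 of the DER-encoded certificate, upper case, no separators.
    static String sha256Hex(byte[] der) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String pass = System.getenv("TRUSTSTORE_PASS");
        if (args.length != 3 || pass == null) {
            System.err.println("usage: TRUSTSTORE_PASS=... TruststoreCheck <truststore> <alias> <sha256>");
            System.exit(2);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, pass.toCharArray()); // the password also verifies the file's integrity
        }
        // A client truststore should hold certificates only, never the server's private key.
        if (!ts.isCertificateEntry(args[1])) {
            System.err.println("alias missing or not a trusted-certificate entry: " + args[1]);
            System.exit(1);
        }
        X509Certificate cert = (X509Certificate) ts.getCertificate(args[1]);
        String actual = sha256Hex(cert.getEncoded());
        String expected = args[2].replace(":", "").toUpperCase();
        if (!actual.equals(expected)) {
            System.err.println("fingerprint mismatch, truststore has " + actual);
            System.exit(1);
        }
        // Throws CertificateExpiredException or CertificateNotYetValidException outside the window.
        cert.checkValidity(new Date());
        System.out.println("OK: " + cert.getSubjectX500Principal() + " valid until " + cert.getNotAfter());
    }
}
```

    The certificate in the transcript above is valid for about three months, so the validity check is the one most likely to fail on a long-lived installation.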



    Setting up the transport

    To set up the transport, open $JBOSS_HOME/server/default/deploy/ejb3.deployer/META-INF/jboss-service.xml in your favorite text editor. Add the following mbean to it:


       <mbean code="org.jboss.remoting.transport.Connector">
          <attribute name="InvokerLocator">sslsocket://</attribute>
          <attribute name="Configuration">
                <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
          </attribute>
       </mbean>



    Starting JBoss

    We need to tell JBoss Remoting where to find the keystore to be used for SSL and its password. This is done using the and system properties when starting JBoss, as the following example shows:


        $ cd $JBOSS_HOME/bin
        $ ./


    Creating your beans

    Create your EJBs as usual and add the following annotation to bind it to the SSL invoker.


    import org.jboss.annotation.ejb.RemoteBinding;


    For the purpose of this tutorial an example bean is provided (see src/org/jboss/tutorial/ssl/bean/

    To compile and deploy the example, simply execute ant ejbjar.


    Running your client

    While making sure all the correct libraries are on the classpath we can run the provided client.


        $ java$JBOSS_HOME/server/default/conf/localhost.truststore org.jboss.tutorial.ssl.client.Client


    Or better yet, just run ant run.