3 Replies Latest reply on Oct 25, 2010 9:36 AM by johnsonb

    Restricting Cipher suites

    seanduddy

      Hi,
I am trying to restrict the enabled cipher suites to just TLS_RSA_WITH_AES_128_CBC_SHA on the JBOSS server side, i.e. any clients connect using my stateless beans MUST use this suite. I was using JBOSS 4.0.2, but it appears there was no way to restrict the suites,
      so I switched to 4.0.3SP1 (http://jira.jboss.com/jira/browse/JBAS-1983)
      which is supposed to solve this problem. However when I use the xml configuration described in the bug fix:-

      <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
       name="jboss:service=invoker,type=jrmp,socketType=SSLSocketFactory,wantsClientAuth=true">
       <attribute name="RMIObjectPort">0</attribute>
       <attribute name="RMIClientSocketFactory">org.jboss.security.ssl.RMISSLClientSocketFactory
       </attribute>
       <attribute name="RMIServerSocketFactoryBean"
       attributeClass="org.jboss.security.ssl.RMISSLServerSocketFactory"
       serialDataType="javaBean">
       <property name="bindAddress">${jboss.bind.address}</property>
       <property name="securityDomain">java:/jaas/rmi-ssl</property>
       <property name="wantsClientAuth">true</property>
       <property name="needsClientAuth">true</property>
       <property name="CiperSuites">TLS_RSA_WITH_AES_128_CBC_SHA</property>
       <property name="Protocols">SSLv2Hello,SSLv3,TLSv1</property>
       </attribute>
       </mbean>



      I get the following error at startup:-

      java.lang.NullPointerException
      at org.jboss.security.ssl.Context.forDomain(Context.java:51)
      at org.jboss.security.ssl.DomainServerSocketFactory.initSSLContext(DomainServerSocketFactory.java:220)
      at org.jboss.security.ssl.DomainServerSocketFactory.createServerSocket(DomainServerSocketFactory.java:143)
      at org.jboss.security.ssl.DomainServerSocketFactory.createServerSocket(DomainServerSocketFactory.java:121)
      at org.jboss.security.ssl.RMISSLServerSocketFactory.createServerSocket(RMISSLServerSocketFactory.java:105)
      at sun.rmi.transport.tcp.TCPEndpoint.newServerSocket(TCPEndpoint.java:615)
      at sun.rmi.transport.tcp.TCPTransport.listen(TCPTransport.java:231)
      at sun.rmi.transport.tcp.TCPTransport.exportObject(TCPTransport.java:178)
      at sun.rmi.transport.tcp.TCPEndpoint.exportObject(TCPEndpoint.java:382)
      at sun.rmi.transport.LiveRef.exportObject(LiveRef.java:116)
      at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:145)
      at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:129)
      at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:275)
      at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:206)
      at org.jboss.invocation.jrmp.server.JRMPInvoker.exportCI(JRMPInvoker.java:437)
      at org.jboss.invocation.jrmp.server.JRMPInvoker.startService(JRMPInvoker.java:359)
      at org.jboss.invocation.jrmp.server.JRMPInvoker$1.startService(JRMPInvoker.java:136)
      at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:274)
      at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:230)
      at org.jboss.invocation.jrmp.server.JRMPInvoker.jbossInternalLifecycle(JRMPInvoker.java:631)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:324)
      at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
      at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:943)
      at $Proxy0.start(Unknown Source)
      at org.jboss.system.ServiceController.start(ServiceController.java:428)
      at org.jboss.system.ServiceController.start(ServiceController.java:446)
      at org.jboss.system.ServiceController.start(ServiceController.java:446)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:324)
      at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
      at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
      at $Proxy4.start(Unknown Source)
      at org.jboss.deployment.SARDeployer.start(SARDeployer.java:285)
      at org.jboss.deployment.MainDeployer.start(MainDeployer.java:989)
      at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:790)
      at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:753)
      at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:737)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:324)
      at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
      at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:118)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
      at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:127)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
      at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
      at $Proxy5.deploy(Unknown Source)
      at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:453)
      at org.jboss.system.server.ServerImpl.start(ServerImpl.java:330)
      at org.jboss.Main.boot(Main.java:187)
      at org.jboss.Main$1.run(Main.java:438)
      at java.lang.Thread.run(Thread.java:534)


      Anyone got any ideas?

      Note: I have SSL working when I use the configuration as described in the admin guide (chapter 8), however this section has not been updated to include these new property values to restrict the suites and it differs in format also ...



        • 1. Re: Restricting Cipher suites
          starksm64

          You need a dependency on the provider of the java:/jaas/rmi-ssl keystore.

          <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
           name="jboss:service=invoker,type=jrmp,socketType=SSLSocketFactory,wantsClientAuth=true">
          ...
          <depends>Whatever your JaasSecurityDomain associated with java:/jaas/rmi-ssl uses for its name attribute</depends>
          



          • 2. Re: Restricting Cipher suites
            seanduddy

            hi Scott,
            Thanks for your instant reply. However I tried what you suggested but I still get the same exception. My configuration now looks like:--

            <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
             name="jboss:service=invoker,type=jrmp,socketType=SSLSocketFactory,wantsClientAuth=true">
             <attribute name="RMIObjectPort">0</attribute>
             <attribute name="RMIClientSocketFactory">org.jboss.security.ssl.RMISSLClientSocketFactory
             </attribute>
             <attribute name="RMIServerSocketFactoryBean"
             attributeClass="org.jboss.security.ssl.RMISSLServerSocketFactory"
             serialDataType="javaBean">
             <property name="bindAddress">${jboss.bind.address}</property>
             <property name="securityDomain">java:/jaas/rmi+ssl</property>
             <property name="wantsClientAuth">true</property>
             <property name="needsClientAuth">true</property>
             <property name="CiperSuites">TLS_RSA_WITH_AES_128_CBC_SHA</property>
             <property name="Protocols">SSLv2Hello,SSLv3,TLSv1</property>
             </attribute>
             <depends>jboss:service=TransactionManager</depends>
             <depends>jboss.security:service=JaasSecurityDomain,domain=rmi+ssl</depends>
             </mbean>


            any ideas?



            • 3. Re: Restricting Cipher suites
              johnsonb

              See http://community.jboss.org/message/282682 , I believe that this is the problem you are having. If you move your customized invoker out of conf/jboss-service.xml to a file in deploy (like jrmp-invoker-service.xml), then the JaasSecurityManagerService will have started and you will be able to set the SecurityDomain.
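A small configuration check for the setup discussed in this thread, added here as an example (it is not code from the thread or from JBoss): it parses the posted mbean fragment and verifies the depends entry on the JaasSecurityDomain that backs the securityDomain JNDI name (reply 1), the enabled suite list, and that the descriptor lives under deploy/ rather than in conf/jboss-service.xml (reply 3). The sample XML is constructed from the original post, and the MBean name pattern jboss.security:service=JaasSecurityDomain,domain=<name> is taken from reply 2.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample, trimmed from the fragment in the original post.
SAMPLE_XML = """<mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
 name="jboss:service=invoker,type=jrmp,socketType=SSLSocketFactory,wantsClientAuth=true">
 <attribute name="RMIObjectPort">0</attribute>
 <attribute name="RMIServerSocketFactoryBean"
  attributeClass="org.jboss.security.ssl.RMISSLServerSocketFactory"
  serialDataType="javaBean">
  <property name="securityDomain">java:/jaas/rmi-ssl</property>
  <property name="CiperSuites">TLS_RSA_WITH_AES_128_CBC_SHA</property>
  <property name="Protocols">SSLv2Hello,SSLv3,TLSv1</property>
 </attribute>
 <depends>jboss.security:service=JaasSecurityDomain,domain=rmi-ssl</depends>
</mbean>"""


def check_invoker(xml_text, descriptor_path, expected_suites):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    root = ET.fromstring(xml_text)
    props = {p.get("name"): (p.text or "").strip() for p in root.iter("property")}
    depends = {(d.text or "").strip() for d in root.iter("depends")}

    # Reply 1: java:/jaas/<name> is backed by the JaasSecurityDomain MBean
    # whose ObjectName ends in domain=<name>; the invoker must depend on it.
    domain = props.get("securityDomain", "")
    short = domain.rsplit("/", 1)[-1]
    needed = f"jboss.security:service=JaasSecurityDomain,domain={short}"
    if not domain:
        findings.append("no securityDomain property")
    elif needed not in depends:
        findings.append(f"missing <depends>{needed}</depends>")

    # The property key is spelled CiperSuites in the posted config, so read that.
    suites = {s.strip() for s in props.get("CiperSuites", "").split(",") if s.strip()}
    if suites != set(expected_suites):
        findings.append(f"enabled suites {sorted(suites)} != {sorted(expected_suites)}")

    # Reply 3: deploy from a *-service.xml under deploy/, not conf/jboss-service.xml,
    # so the JaasSecurityManagerService is up before the server socket is created.
    parts = PurePosixPath(descriptor_path).parts
    if "deploy" not in parts or parts[-1] == "jboss-service.xml":
        findings.append(f"{descriptor_path} should be a *-service.xml under deploy/")
    return findings


if __name__ == "__main__":
    for f in check_invoker(SAMPLE_XML, "server/default/deploy/jrmp-invoker-service.xml",
                           ["TLS_RSA_WITH_AES_128_CBC_SHA"]):
        print("FINDING:", f)
```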