6 Replies Latest reply on Jun 20, 2006 3:04 AM by mathias

ssl encrypted rmi/ejb still sending unencrypted data?

mathias Jun 13, 2006 10:28 AM

Hello,

I have a question that puzzles me and i do hope someone can help me out...

I am securing a swing client that uses the jboss clientloginmodule, takes an initialcontext then looks up ejb's to do various things on my 4.0.3 jboss server.

I have followed section 8.7 of the admin guide "using ssl with jboss". So, i have the securitycontext, I've set up keystores for client and server, all EJB's are configured with my "SSL-invoker" etc.

Here's my concern: I have installed "windump" a TCP packet sniffing tool to ensure that the data is indeed encrypted... and SOME data is encrypted. For example, i tried before I set up any SSL and the clientloginmodule username and password could easily be read through the dumps.

This is nolonger the case, however there are still lots of cleartext data being sent between the client and server. Mostly class names, like rmicontext, various jboss classnames, but, more worrying, some of my own implemented class names.

To me, this is kind of a security issue. Have I got something wrong, is it supposed to be like this? I thought that configuring the socketfactories on the server according to the guide would make everything encrypted...

As always, happy to be enlighted.

1. Re: ssl encrypted rmi/ejb still sending unencrypted data?

mathias Jun 14, 2006 5:48 AM (in response to mathias)

To clarify, what happens is that when the EJB call is made (look up home and remote interface, call the method), using the Login/InitialContext, on the network the communication first takes place on the "normal" rmi port (1098). This is where you can see some cleartext information such as class names and such.

The communication is then moved to the secure port (14445) and at that point it is ssl encrypted of course.

So, is there some way to ensure that *all* communication takes place over SSL port, or is this simply how it works??
Actions
2. Re: ssl encrypted rmi/ejb still sending unencrypted data?

mathias Jun 15, 2006 1:30 AM (in response to mathias)

Oh maaan, is there noone with some input here?
Actions
3. Re: ssl encrypted rmi/ejb still sending unencrypted data?

mathias Jun 15, 2006 2:29 AM (in response to mathias)

Hmm, I've done some more thinking and I might have a theory.

In the client, I do an InitialContext, using the normal jndi port (1099) to look up home interfaces for the beans.

I haven't configured anything special for the JNDI service, so that would probably mean that that information is sent unencrypted, but then the securitydomain of the EJB's kick in and the usage of the beans is encrypted.

I sure would like some confirmation, and if someone has any pointer about how to, in that case, configure the jndi remote service, I'd be a happy camper.
Actions
4. Re: ssl encrypted rmi/ejb still sending unencrypted data?

starksm64 Jun 15, 2006 10:55 AM (in response to mathias)

Yes, jndi must also be setup to use ssl if you want its data encrypted.
Actions
5. Re: ssl encrypted rmi/ejb still sending unencrypted data?

mathias Jun 16, 2006 5:37 AM (in response to mathias)

Thanks scott, as i thought then. But it still means that the logincontext's usr/pwd is sent encrypted right? I mean, they are not passed when the initialcontext is looked up? Reason i think so is because i could see them before setting up SSL for the EJB's, but not after...
Actions
6. Re: ssl encrypted rmi/ejb still sending unencrypted data?

mathias Jun 20, 2006 3:04 AM (in response to mathias)

hey Scott or anyone, can someone please agree with me.... :)

Also, is there a good guide somewhere on securing JNDI in JBOSS?
Actions

Go to original post