6 Replies Latest reply on Feb 4, 2009 12:41 PM by biebel1975

    RMI over SSL - mutual authentication

    evka

      Hello everybody.
      I've tried to configure JBoss to use RMI over SSL to access my session beans. It works fine, but only one way: the server sends its certificate to the client, and the client must have it in its trust store, but the client isn't required to send its certificate to the server and the server doesn't check it. Could you please help me? What am I doing wrong?

      The service XML file deployed on server:

      <?xml version="1.0" encoding="UTF-8"?>
      <server>

        <!-- The SSL domain setup: one JKS holds the server key pair and the CA(s) trusted for client certificates -->
        <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
               name="jboss.security:service=JaasSecurityDomain,domain=RMI+SSL">
          <constructor>
            <arg type="java.lang.String" value="RMI+SSL"/>
          </constructor>
          <attribute name="KeyStoreURL">d:/jboss-4.0.4.GA/server/suc/certs/ServerKeyTrust.jks</attribute>
          <attribute name="KeyStorePass">password</attribute>
          <attribute name="TrustStoreURL">d:/jboss-4.0.4.GA/server/suc/certs/ServerKeyTrust.jks</attribute>
          <attribute name="TrustStorePass">password</attribute>
          <attribute name="ManagerServiceName">jboss.security:service=JaasSecurityManager</attribute>
        </mbean>

        <!-- JRMP invoker that listens with the SSL server socket factory bound to the domain above -->
        <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
               name="jboss.security:service=invoker,type=jrmp,socketType=SSLSocketFactory,wantsClientAuth=true">
          <attribute name="RMIObjectPort">14445</attribute>
          <attribute name="RMIClientSocketFactory">org.jboss.security.ssl.RMISSLClientSocketFactory</attribute>
          <attribute name="RMIServerSocketFactoryBean"
                     attributeClass="org.jboss.security.ssl.RMISSLServerSocketFactory"
                     serialDataType="javaBean">
            <property name="bindAddress">${jboss.bind.address}</property>
            <property name="securityDomain">java:/jaas/RMI+SSL</property>
            <!-- wantsClientAuth only asks for a client certificate; needsClientAuth is meant to reject clients that present none -->
            <property name="wantsClientAuth">true</property>
            <property name="needsClientAuth">true</property>
          </attribute>
          <depends>jboss.security:service=JaasSecurityDomain,domain=RMI+SSL</depends>
        </mbean>
      </server>
      


      Part of the definition in jboss.xml in my deployed application:

      <session>
        <ejb-name>SlSbModule</ejb-name>
        <jndi-name>ejb/SlSbModule</jndi-name>
        <local-jndi-name>SlSbModuleLocal</local-jndi-name>
        <invoker-bindings>
          <invoker>
            <invoker-proxy-binding-name>stateless-ssl-invoker</invoker-proxy-binding-name>
          </invoker>
          <call-logging>true</call-logging>
        </invoker-bindings>
      </session>
      ...
      <invoker-proxy-bindings>
        <invoker-proxy-binding>
          <name>stateless-ssl-invoker</name>
          <!-- invoker-mbean>jboss:service=invoker,type=jrmp,socketType=SSL</invoker-mbean -->
          <!-- must match the JRMPInvoker MBean name in the service XML above -->
          <invoker-mbean>jboss.security:service=invoker,type=jrmp,socketType=SSLSocketFactory,wantsClientAuth=true</invoker-mbean>
          <proxy-factory>org.jboss.proxy.ejb.ProxyFactory</proxy-factory>
          <proxy-factory-config>
            <client-interceptors>
              <home>
                <interceptor>org.jboss.proxy.ejb.HomeInterceptor</interceptor>
                <interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
                <interceptor>org.jboss.proxy.TransactionInterceptor</interceptor>
                <interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
              </home>
              <bean>
                <interceptor>org.jboss.proxy.ejb.StatelessSessionInterceptor</interceptor>
                <interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
                <interceptor>org.jboss.proxy.TransactionInterceptor</interceptor>
                <interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
              </bean>
            </client-interceptors>
          </proxy-factory-config>
        </invoker-proxy-binding>
      </invoker-proxy-bindings>
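
      The configuration above sets both wantsClientAuth and needsClientAuth on JBoss's RMISSLServerSocketFactory, yet the client is never forced to present a certificate. To show what enforced mutual authentication looks like at the JSSE level, independent of the JBoss invoker, here is an added example in plain JDK RMI (javax.rmi.ssl plus a custom RMIServerSocketFactory). It is not code from the original post or from JBoss. It goes beyond the posted config in one way: the server-side trust manager not only requires a client certificate that chains to a CA in its trust store but also allow-lists the client's subject DN, so holding some valid certificate is not enough. Assumptions not taken from the post: the client DN "CN=client1,O=Example", the registry port 1099, the client keystore name client.jks and the class/method names; the keystore file name ServerKeyTrust.jks, its password and the object port 14445 are the post's own values.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.ServerSocket;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.UnicastRemoteObject;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.net.ssl.*;
import javax.rmi.ssl.SslRMIClientSocketFactory;

/** Plain-JDK RMI over TLS with a mandatory, allow-listed client certificate (added example, not JBoss code). */
public class MutualTlsRmi {

    public interface Echo extends Remote { String echo(String s) throws RemoteException; }
    static final class EchoImpl implements Echo { public String echo(String s) { return "echo: " + s; } }

    /** PKIX chain validation first, then an allow-list on the client's subject DN (assumed DN, see lead-in). */
    static final class AllowListTrustManager implements X509TrustManager {
        private final X509TrustManager pkix;
        private final Set<String> allowedSubjects;
        AllowListTrustManager(X509TrustManager pkix, Set<String> allowedSubjects) {
            this.pkix = pkix;
            this.allowedSubjects = allowedSubjects;
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            pkix.checkClientTrusted(chain, authType);            // chain must lead to a CA in the server's trust store
            String subject = chain[0].getSubjectX500Principal().getName();   // RFC 2253 form, e.g. CN=client1,O=Example
            if (!allowedSubjects.contains(subject)) {
                throw new CertificateException("client certificate not authorised: " + subject); // aborts the handshake
            }
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            pkix.checkServerTrusted(chain, authType);
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }
    }

    /** Server socket factory that REQUIRES a client certificate: needClientAuth, not merely wantClientAuth. */
    static final class MutualTlsServerSocketFactory implements RMIServerSocketFactory {
        private final SSLContext ctx;
        MutualTlsServerSocketFactory(SSLContext ctx) { this.ctx = ctx; }
        @Override public ServerSocket createServerSocket(int port) throws IOException {
            SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
            ss.setNeedClientAuth(true);   // setWantClientAuth(true) alone would still admit certificate-less clients
            return ss;
        }
        // RMI compares factories to decide whether two exports may share one listening socket.
        @Override public boolean equals(Object o) {
            return o instanceof MutualTlsServerSocketFactory && ((MutualTlsServerSocketFactory) o).ctx == ctx;
        }
        @Override public int hashCode() { return ctx.hashCode(); }
    }

    /** Builds the server SSLContext from one JKS holding the server key pair and the trusted client CA, as in the post. */
    static SSLContext serverContext(String keyStorePath, char[] password, Set<String> allowedSubjects) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keyStorePath)) { ks.load(in, password); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        X509TrustManager pkix = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { pkix = (X509TrustManager) tm; break; }
        }
        if (pkix == null) throw new IllegalStateException("no X509TrustManager available");
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { new AllowListTrustManager(pkix, allowedSubjects) }, null);
        return ctx;
    }

    /** Server side: java MutualTlsRmi server ServerKeyTrust.jks  (password "password" as in the post). */
    static void runServer(String keyStorePath) throws Exception {
        SSLContext ctx = serverContext(keyStorePath, "password".toCharArray(),
                Collections.singleton("CN=client1,O=Example"));        // assumed allow-listed client DN
        MutualTlsServerSocketFactory ssf = new MutualTlsServerSocketFactory(ctx);
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();  // serialised into the stub, so clients speak TLS
        Echo stub = (Echo) UnicastRemoteObject.exportObject(new EchoImpl(), 14445, csf, ssf);
        Registry registry = LocateRegistry.createRegistry(1099, csf, ssf);   // the registry requires client auth too
        registry.rebind("Echo", stub);
        System.out.println("listening; clients must present an allow-listed certificate");
        Thread.currentThread().join();
    }

    /**
     * Client side: java -Djavax.net.ssl.keyStore=client.jks -Djavax.net.ssl.keyStorePassword=... \
     *   -Djavax.net.ssl.trustStore=ClientTrust.jks -Djavax.net.ssl.trustStorePassword=... MutualTlsRmi client HOST
     * SslRMIClientSocketFactory reads those properties; with no keystore the handshake fails before lookup() returns.
     */
    static String runClient(String host) throws Exception {
        Registry registry = LocateRegistry.getRegistry(host, 1099, new SslRMIClientSocketFactory());
        Echo echo = (Echo) registry.lookup("Echo");
        return echo.echo("hello");
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2 && args[0].equals("server")) runServer(args[1]);
        else if (args.length == 2 && args[0].equals("client")) System.out.println(runClient(args[1]));
        else System.err.println("usage: server <keystore.jks> | client <host>");
    }
}
```

      The check that tells you whether mutual authentication is really enforced is the negative one: run the client without any javax.net.ssl.keyStore setting, or with a certificate whose DN is not in the allow-list. Both must fail in the TLS handshake; if a certificate-less client still gets an answer from echo(), the server is only requesting client auth (wantClientAuth) rather than requiring it. Note that the JDK's SslRMIClientSocketFactory does not, by itself, verify that the server certificate's name matches the host it connected to, so the client's trust store should contain only the specific server or CA certificate it is meant to accept.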
      


        • 1. Re: RMI over SSL - mutual authentication
          evka

          Oh, I forgot: the JBoss version is jboss-4.0.4.GA.

          • 2. Re: RMI over SSL - mutual authentication
            evka

            I am still stuck on this problem. Does anybody have experience of how to do mutual authentication of an RMI call in JBoss, please?
            Any advice will be welcome.

            • 3. Re: RMI over SSL - mutual authentication
              rtrancoso

              Hello Evka,
              I'm desperate, trying to achieve at least an RMI+SSL handshake. I've read a lot of documents, but nothing. I did one try pretty much like the configuration you posted here, and nothing.

              If you can help me get started, maybe I can reach the solution, because my last requirement (to implement) is that one: to provide a secure medium for accessing EJB3. (I'm using 4.0.4.GA.)

              Can you give me some directions on where I can find more about it? Or can just what you put here be useful?

              And another question: how safe is it to have a client authenticate in an SSL session with a certificate? Won't anyone who has it be able to get this secure connection?

              I saw that no one on the whole internet knows how to do that! (Or they just hide it :P)
              You can contact me directly by mail at rubentrancoso a+ gmail d0t com

              • 4. Re: RMI over SSL - mutual authentication
                evka

                Hello rtrancoso.
                I am afraid that JBoss doesn't support this functionality. As I described, the only thing securing the RMI was that the client had to have the server certificate in its trust store. I also browsed many JBoss tutorials and forums and nothing helped me with this.

                Some information can be found here:
                http://itextdocs.lowagie.com/techtips/ssl/ - RMI over SSL
                and here:
                http://answers.suziana.com/2006/12/13/security-jaasjboss-rmi-over-ssl-mutual-authentication.html

                So good luck with solving this problem. We have moved to WebSphere, where this security is supported.

                • 5. Re: RMI over SSL - mutual authentication
                  ykthinker

                  I have the same problem. Server certs work, but when it comes to mutual certs, it never works. Can this be considered a BUG, given that even these two parameters were added:

                  <property name="wantsClientAuth">true</property>
                  <property name="needsClientAuth">true</property>

                  but they're not really useful?

                  By the way, the error I get is:

                  16:10:50,328 WARN [ServiceController] Problem starting service jboss:service=invoker,socketType=SSLSocketFactory,type=jrmp
                  java.lang.NullPointerException
                          at org.jboss.security.ssl.Context.forDomain(Context.java:66)
                          at org.jboss.security.ssl.DomainServerSocketFactory.initSSLContext(DomainServerSocketFactory.java:304)
                          at org.jboss.security.ssl.DomainServerSocketFactory.createServerSocket(DomainServerSocketFactory.java:225)
                          at org.jboss.security.ssl.DomainServerSocketFactory.createServerSocket(DomainServerSocketFactory.java:203)
                          at org.jboss.security.ssl.RMISSLServerSocketFactory.createServerSocket(RMISSLServerSocketFactory.java:120)
                          at sun.rmi.transport.tcp.TCPEndpoint.newServerSocket(TCPEndpoint.java:615)
                          at sun.rmi.transport.tcp.TCPTransport.listen(TCPTransport.java:231)
                          at sun.rmi.transport.tcp.TCPTransport.exportObject(TCPTransport.java:178)
                          at sun.rmi.transport.tcp.TCPEndpoint.exportObject(TCPEndpoint.java:382)
                          at sun.rmi.transport.LiveRef.exportObject(LiveRef.java:116)
                          at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:145)
                          at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:129)

                  • 6. Re: RMI over SSL - mutual authentication
                    biebel1975

                    Did you find a solution? I've got the same problem.