3 Replies Latest reply on Nov 19, 2004 2:49 AM by rhand

    JBossMQ messages over SSL

    sharris

      How do I do it? There is plenty of info on how to configure JBoss to use SSL for EJB invocation, but there is nothing I can find that ties using SSLSockets or an SSL defined JRMP invoker to the messaging ILs, or in fact to anything in JBoss MQ. (This includes searching twiki, the forums, Google and reading the A&D Guide).

        • 1. Re: JBossMQ messages over SSL
          colinmadere

          After much prodding I got some info in September 2003. I saved the answers but forgot to get the second page. This was probably for 3.2.1, so not sure if there are differences for the latest version. Good thing I saved it because it appears they deleted it from the forums. I'll leave it to the reader to speculate on why that might be.

          Below is what I coaxed out of Adrian, though I think there was still something missing that was posted on the second page of the now deleted thread.

          One thing that snagged me was needing to set up the client-side truststore for the entity connecting to the server's JBossMQ instance and needing to have the server's certificate in the client's truststore.

          Posted Sep 24, 2003 5:48 PM by adrian@jboss.org:

          OK, I just tried it, here is what I did.

          1) Created a keystore in server/default/conf/test.keystore
          2) Created a security domain that references it
          (resource: is jboss specific protocol that loads from the
          classloader, conf/ is the first classloader installed by jboss)





          resource:test.keystore
          ssltest


          3) Deployed a HTTPSUIL2ConnectionFactory


          <depends optional-attribute-name="Invoker">jboss.mq:service=Invoker
          HTTPSUIL2ConnectionFactory
          HTTPSUIL2XAConnectionFactory
          8193
          60000
          true
          <!-- Used to disconnect the client if there is no activity -->
          <!-- Ensure this is greater than the ping period -->
          70000
          <!-- The size of the buffer (in bytes) wrapping the socket -->
          <!-- The buffer is flushed after each request -->
          2048
          <!-- Large messages may block the ping/pong -->
          <!-- A pong is simulated after each chunk (in bytes) for both reading and writing -->
          <!-- It must be larger than the buffer size -->
          1000000
          org.jboss.security.ssl.ClientSocketFactory
          org.jboss.security.ssl.DomainServerSocketFactory
          java:/jaas/SSL


          On the client set the system property to use the keystore
          as the truststore.









          Job Done.

          Regards,
          Adrian

          • 2. Re: JBossMQ messages over SSL
            colinmadere

            Fix for last post, forgot to "disable HTML" even though it's XML :)

            1) Created a keystore in server/default/conf/test.keystore
            2) Created a security domain that references it
            (resource: is jboss specific protocol that loads from the
            classloader, conf/ is the first classloader installed by jboss)
            
            <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
                   name="jboss.security:service=JaasSecurityDomain,domain=SSL">
              <constructor>
                <arg type="java.lang.String" value="SSL"/>
              </constructor>
              <attribute name="KeyStoreURL">resource:test.keystore</attribute>
              <attribute name="KeyStorePass">ssltest</attribute>
            </mbean>
            
            3) Deployed a HTTPSUIL2ConnectionFactory
            
            <mbean code="org.jboss.mq.il.uil2.UILServerILService"
                   name="jboss.mq:service=InvocationLayer,type=HTTPSUIL2">
              <depends optional-attribute-name="Invoker">jboss.mq:service=Invoker</depends>
              <attribute name="ConnectionFactoryJNDIRef">HTTPSUIL2ConnectionFactory</attribute>
              <attribute name="XAConnectionFactoryJNDIRef">HTTPSUIL2XAConnectionFactory</attribute>
              <attribute name="ServerBindPort">8193</attribute>
              <attribute name="PingPeriod">60000</attribute>
              <attribute name="EnableTcpNoDelay">true</attribute>
              <!-- Used to disconnect the client if there is no activity -->
              <!-- Ensure this is greater than the ping period -->
              <attribute name="ReadTimeout">70000</attribute>
              <!-- The size of the buffer (in bytes) wrapping the socket -->
              <!-- The buffer is flushed after each request -->
              <attribute name="BufferSize">2048</attribute>
              <!-- Large messages may block the ping/pong -->
              <!-- A pong is simulated after each chunk (in bytes) for both reading and writing -->
              <!-- It must be larger than the buffer size -->
              <attribute name="ChunkSize">1000000</attribute>
              <attribute name="ClientSocketFactory">org.jboss.security.ssl.ClientSocketFactory</attribute>
              <attribute name="ServerSocketFactory">org.jboss.security.ssl.DomainServerSocketFactory</attribute>
              <attribute name="SecurityDomain">java:/jaas/SSL</attribute>
            </mbean>
            
            On the client set the system property to use the keystore
            as the truststore.
            
            
            <java classname="test.client.Client" fork="true">
              <sysproperty key="javax.net.ssl.trustStore" path="${jboss.home}/server/${jboss.config}/conf/test.keystore"/>
              <classpath refid="client.classpath"/>
            </java>
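
The server keystore configured in reply 2 holds the server's private key, so giving clients that same file as their truststore hands out the key along with the certificate. As an added example (not part of the original posts and not JBoss code), this JDK-only program copies just the certificates into a separate client truststore; the class name, argument order and output file name are assumptions, and it needs Java 9 or later.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;

/** Added example: derive a certificate-only client truststore from a server keystore. */
public class BuildClientTruststore {

    /** Returns a new in-memory store of the same type holding certificates and no keys. */
    static KeyStore certsOnly(KeyStore server) throws Exception {
        KeyStore trust = KeyStore.getInstance(server.getType()); // JKS stays JKS
        trust.load(null, null);                                  // start from an empty store
        for (String alias : Collections.list(server.aliases())) {
            // For a key entry this is the leaf certificate; for a secret key it is null.
            Certificate cert = server.getCertificate(alias);
            if (cert != null) {
                trust.setCertificateEntry(alias, cert);
            }
        }
        return trust;
    }

    /** Counts entries carrying a private or secret key; a truststore should have none. */
    static int keyEntries(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) n++;
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: BuildClientTruststore <server.keystore> <storepass> <client.truststore> <trustpass>");
            System.exit(2);
        }
        // KeyStore.getInstance(File, char[]) detects the store type and loads the file.
        KeyStore server = KeyStore.getInstance(new File(args[0]), args[1].toCharArray());
        KeyStore trust = certsOnly(server);
        if (keyEntries(trust) != 0 || trust.size() == 0) {
            throw new IllegalStateException("truststore must hold at least one certificate and no keys");
        }
        try (OutputStream out = new FileOutputStream(args[2])) {
            trust.store(out, args[3].toCharArray());
        }
        System.out.printf("server keystore: %d key entries; client truststore: %d certificates, 0 keys%n",
                keyEntries(server), trust.size());
    }
}
```

Run it against `test.keystore` with the store password from the security domain, then point `javax.net.ssl.trustStore` on the client at the generated file instead of the server keystore.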


            • 3. Original thread still exists
              rhand

              The original thread still exists: http://jboss.com/index.html?module=bb&op=viewtopic&t=39049 ... it doesn't look as if it's been deleted after all.