9 Replies Latest reply on May 6, 2005 4:21 AM by dimitris

    IIOP.NET under SSL with SSL accelerator card

    viguera79

      Hello everybody!!

      I have an EJB application running on my server. It runs over IIOP+SSL and everything works. My client side uses IIOP.NET and it works too.
      After that, I installed an SSL accelerator card to encrypt and decrypt the SSL traffic, so my server is offloaded. The SSL card makes the SSL traffic transparent to the server. Then I configured JBoss as if the traffic were not under SSL. When I run my application, the following error message appears on my client side:

      excepcion System.Runtime.Remoting.RemotingException: No se puede crear un receptor de canal para conectarse a la dirección URL IOR:00000000
      0000003A524D493A6F72672E6A626F73732E646F63732E696E7465726573742E496E746572657374486F6D653A3030303030303030303030303030303000000000000002000
      00000000000C4000102000000000E3139322E3136382E382E323236000DC80000001D4A426F73732F454A42486F6D652625496E7465726573742FACED000570000000000000
      050000000000000008000000004A414300000000010000001C00000000000100010000000105010001000101090000000105010001000000190000002F00000000000000276
      87474703A2F2F73736C7072756562613A383038332F576562434C5B496E7465726573745D2F00000000002000000004000000000000001F0000000400000003000000010000
      00580000000000000003000000190000002F0000000000000027687474703A2F2F73736C7072756562613A383038332F576562434C5B496E7465726573745D2F00000000002
      000000004000000000000001F0000000400000003. Es posible que no se haya registrado un canal correcto.


      That IOR is the same one that appears in JBoss when I deploy the server side of the EJB.

      I contacted IIOP.NET technical support and they told me the following:

      "The problem is that the profiles in your IOR don't contain the SSL tagged component (TAG_SSL_SEC_TRANS). This component inside an IOR profile specifies what SSL policy is supported by the server, e.g. client authentication required or not.
      If this component is missing, IIOP.NET is not able to connect to the server with the SSL transport. (Other CORBA IIOP clients would throw a NO_PERMISSION exception in this case.)

      As a workaround, you could possibly try to add an IOR interceptor on the server side (install it in jacorb) to add this component.

      I'm not sure how this problem is solved in the CORBA field. Are there possibly some CORBA-aware SSL cards?"

      Does anybody know how to add this IOR interceptor?

      Any help will be useful.
      Thanks and best regards
      Javier
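
The check IIOP.NET support describes in the post above can be run against the IOR string that JBoss prints at deploy time. The following is an added example, not code from the thread, IIOP.NET or JacORB: a small Python decoder that reports, for each IIOP profile, whether a TAG_SSL_SEC_TRANS component is present and what it advertises. The sample IORs, the host 192.0.2.10 and all function names are constructed for illustration.

```python
import struct

TAG_INTERNET_IOP, TAG_SSL_SEC_TRANS = 0, 20  # OMG-assigned profile / component tags

class Cdr:  # minimal CDR reader; alignment is relative to the encapsulation start
    def __init__(self, data):
        self.buf, self.pos = data, 1
        self.end = "<" if data[0] & 1 else ">"  # first octet is the byte-order flag
    def _num(self, fmt, size):
        start = self.pos + (-self.pos % size)   # pad to natural alignment
        self.pos = start + size
        return struct.unpack_from(self.end + fmt, self.buf, start)[0]
    def octet(self): return self._num("B", 1)
    def ushort(self): return self._num("H", 2)
    def ulong(self): return self._num("I", 4)
    def octets(self):
        n = self.ulong()
        if n > len(self.buf) - self.pos:
            raise ValueError("length field runs past end of buffer")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def string(self):
        return self.octets()[:-1].decode("latin-1")  # drop trailing NUL

def ssl_report(ior):
    """Yield one dict per IIOP profile; 'ssl' is None when TAG_SSL_SEC_TRANS is absent."""
    top = Cdr(bytes.fromhex(ior.strip()[4:]))   # skip the "IOR:" prefix
    top.string()                                # repository (type) id, not needed here
    for _ in range(top.ulong()):
        tag, body = top.ulong(), top.octets()
        if tag != TAG_INTERNET_IOP:
            continue
        p = Cdr(body)
        major, minor = p.octet(), p.octet()
        host, port, _key = p.string(), p.ushort(), p.octets()
        ssl = None
        for _ in range(p.ulong() if (major, minor) >= (1, 1) else 0):  # IIOP 1.0 has no components
            ctag, cdata = p.ulong(), p.octets()
            if ctag == TAG_SSL_SEC_TRANS:
                c = Cdr(cdata)
                ssl = {"supports": c.ushort(), "requires": c.ushort(), "port": c.ushort()}
        yield {"host": host, "port": port, "ssl": ssl}

# Constructed sample IORs (not the IOR from the post): one profile, host 192.0.2.10:3528.
_HEAD = "00000000" "0000000D" "49444C3A44656D6F3A312E3000" "000000" "00000001" "00000000"
_PROF = "00010200" "0000000B" "3139322E302E322E313000" "00" "0DC8" "0000" "00000004" "6B657931"
_ORB, _SSL = "0000000000000008000000004A414300", "00000014000000080000006600260DC9"
IOR_PLAIN = "IOR:" + _HEAD + "00000034" + _PROF + "00000001" + _ORB
IOR_SSL = "IOR:" + _HEAD + "00000044" + _PROF + "00000002" + _ORB + _SSL
```

`list(ssl_report(IOR_PLAIN))` returns a profile with `ssl` set to `None`, the condition under which support says IIOP.NET cannot use the SSL transport; `IOR_SSL` returns the advertised options and SSL port.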

        • 1. Re: IIOP.NET under SSL with SSL accelerator card
          dimitris

          I don't know exactly how SSL accelerators work, but would the exported IOR need to contain the host/SSL port of the accelerator?

          Another idea to try may be to configure the server normally for SSL, but use a plain (non-SSL) connection factory, maybe?

          • 2. Re: IIOP.NET under SSL with SSL accelerator card
            viguera79

            First of all, thanks.
            The SSL accelerator creates a proxy with an external port and an internal port. SSL traffic enters the external port. The card decrypts the traffic and moves it (now it's plain text) to the internal port.
            I configured the proxy with 3529 (external port) and 3528 (internal port). The key and certificate pair is created and stored in the card.

            I'll try to use a plain connection factory with SSL configuration.

            Do you have any other idea?

            Thanks and regards
            Javier

            • 3. Re: IIOP.NET under SSL with SSL accelerator card
              viguera79

              Hi Dimitris,
              Could you say in what file I have to change the connection factory, and which are the factories?

              Thanks

              • 4. Re: IIOP.NET under SSL with SSL accelerator card
                dimitris

                I just checked and it probably won't work because SSLServerSocketFactory is a subinterface of ServerSocketFactory, so it probably won't accept a value of org.jacorb.orb.factory.DefaultServerSocketFactory

                (try that anyways :)

                All the relevant entries are in conf/jacorb.properties (in the 'all' configuration).

                You can try also to see if that does the trick

                jacorb.security.support_ssl=on
                jacorb.security.ssl_components_added_by_ior_interceptor=off

                I guess you want to set those 2 as well, to the address/port of the accelerator card:
                jacorb.ior_proxy_host=1.2.3.4
                jacorb.ior_proxy_port=4711

                • 5. Re: IIOP.NET under SSL with SSL accelerator card
                  viguera79

                  Hi !!

                  I tried what you told me and these are the results:

                  If I launch the server with SSL configuration, changing the factories, i.e.,
                  jacorb.ssl.socket_factory=org.jacorb.orb.factory.DefaultSocketFactory
                  jacorb.ssl.server_socket_factory=org.jacorb.orb.factory.DefaultServerSocketFactory

                  the following error appears:

                  12:41:25,578 ERROR [giop] org.jacorb.orb.factory.DefaultSocketFactory.(org.jacorb.orb.ORB)
                  12:41:25,593 ERROR [CorbaORBService] Starting failed jboss:service=CorbaORB
                  java.lang.RuntimeException: SSL support is on, but the ssl socket factory can't be instantiated (org.jacorb.orb.factory.DefaultSocketFactory.(org.jacorb.orb.ORB))!
                  -------------------------------------------------------------------------------------------------------------------------------------------------------------
                  If I launch the server with SSL configuration but with
                  jacorb.security.ssl_components_added_by_ior_interceptor=off

                  this error appears on the client side:
                  excepcion System.IO.IOException: no GIOP-Message

                  Server stack trace:
                  at Ch.Elca.Iiop.GiopHeader..ctor(CdrInputStreamImpl stream)
                  at Ch.Elca.Iiop.GiopTransportClientMsgHandler.ReadResponseMessage()
                  at Ch.Elca.Iiop.GiopTransportClientMsgHandler.ReceiveResponseMessage(UInt32 reqNr)
                  at Ch.Elca.Iiop.GiopTransportClientMsgHandler.ProcessResponse(UInt32 forReqId, ITransportHeaders& responseHeaders)
                  at Ch.Elca.Iiop.IiopClientTransportSink.ProcessMessage(IMessage msg, ITransportHeaders requestHeaders, Stream requestStream, ITransportHeaders& responseHeaders, Stream& responseStream)
                  at Ch.Elca.Iiop.IiopClientFormatterSink.SyncProcessMessage(IMessage msg)

                  Exception rethrown at [0]:
                  at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
                  at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
                  at omg.org.CosNaming.NamingContext.resolve(NameComponent[] nameComponents)
                  at clientedotnet.CMyClase.Main(String[] args) in d:\ejemplo jose luis\clientenfastultra\Class1.cs:line 84

                  ----------------------------------------------------
                  With regard to
                  jacorb.ior_proxy_host=1.2.3.4
                  jacorb.ior_proxy_port=4711

                  In proxy host I write my server IP, but what port do I have to write in proxy_port?
                  The only one that doesn't throw an error message is 3528, with non-SSL configuration, but the client side throws the same error as above.

                  Any idea?

                  Thanks and regards

                  • 6. Re: IIOP.NET under SSL with SSL accelerator card
                    dimitris

                    Maybe the IORInterceptor is the cleanest solution after all :) It needs some more careful examination since the various pieces are already there and it could just be a matter of configuration, I just haven't looked at it in much detail...

                    Francisco may know how to set this up?

                    A little dirty hack would be to just subclass DefaultServerSocketFactory and provide dummy implementations for the 2-3 extra SSLServerSocketFactory methods to pass the initial construction step. Then configure for SSL as usual...

                    • 7. Re: IIOP.NET under SSL with SSL accelerator card
                      viguera79

                      Thank you very much,
                      I'll wait for your solution.
                      Best regards
                      Javier

                      • 8. Re: IIOP.NET under SSL with SSL accelerator card
                        viguera79

                        Hello,

                        Do you have any news about my problem?

                        Thanks

                        • 9. Re: IIOP.NET under SSL with SSL accelerator card
                          dimitris

                          Didn't have time for that, sorry :(

                          Apparently this discussion should probably be moved to a user forum.