7 Replies Latest reply on Oct 11, 2008 1:43 AM by javidjamae

EJB3 & SSL not working in JBoss 5 Beta3?

javidjamae Feb 6, 2008 10:29 PM

I'm trying to get a standalone client to communicate with an EJB over SSL. I tried following the directions here, but they didn't work: http://labs.jboss.com/jbossejb3/docs/tutorial/ssl/ssl.html

It complained that it didn't know what "jboss.aop:service=AspectDeployer" was. I figured that is because this was converted from an MBean into a Microcontainer bean since the time that article was written (or maybe a difference between 4.2 and 5.0).

This document (http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossMicrocontainerFAQ) told me that an MBean could depend on a Microcontainer bean, so I changed the depends in the configuration to this:

 <mbean code="org.jboss.remoting.transport.Connector"
 name="jboss.remoting:type=Connector,transport=socket3843,handler=ejb3">
 <depends>AspectDeployer</depends>
 <attribute name="InvokerLocator">sslsocket://0.0.0.0:3843</attribute>
 <attribute name="Configuration">
 <handlers>
 <handler subsystem="AOP">
 org.jboss.aspects.remoting.AOPRemotingInvocationHandler
 </handler>
 </handlers>
 </attribute>
 </mbean>

Unfortunately, that threw ClassNotFoundException's because of the whitespace around the classname in the handler tag. After getting rid of the whitespace, the server seemed to start without any errors.

But, when I try to access a remote bean without specifying a truststore on the client side (i.e. without using -Djavax.net.ssl.keyStore and keyStorePass), I am able to access the bean. I would expect that I wouldn't be able to. Here is my bean's remote interface:

@Remote
@RemoteBinding(clientBindUrl = "sslsocket://0.0.0.0:3843")
public interface Greeter {
 public void greet(String message);

 public List<Greeting> getAllGreetings();
}

As you can see, I have the RemoteBinding annotation with the clientBindUrl parameter specified.

Am I missing something? I expect to NOT be able to access the bean without having the server certificate in my client truststore and the truststore specified on the command line, but I am still able to. What's the best way to ensure that SSL is actually working?

...

As a side note, I opened a bug about whitespace in the jboss-web.xml files- http://jira.jboss.org/jira/browse/JBAS-5173 - and I've seen this in other places as well. It seems likely that these whitespace issues all be related to the same XML parsing code??

1. Re: EJB3 & SSL not working in JBoss 5 Beta3?

javidjamae Feb 11, 2008 8:40 AM (in response to javidjamae)

So has anybody been able to get EJB's working over SSL in JBoss 5, or is this a bug?
Actions
2. Re: EJB3 & SSL not working in JBoss 5 Beta3?

alrubinger Feb 14, 2008 5:31 AM (in response to javidjamae)

Javid:

Please take a look at our SSL Unit Tests:

http://anonsvn.jboss.org/repos/jbossas/trunk/ejb3/src/test/org/jboss/ejb3/test/ssl/

...and the associated configuration:

http://anonsvn.jboss.org/repos/jbossas/trunk/ejb3/src/resources/test-configs/ejb3-ssl/

...note the transport=sslsocket3843 in deploy/ejb3-ssl-connectors-service.xml

If you're still stuck, please post back.

S,
ALR
Actions

3. Re: EJB3 & SSL not working in JBoss 5 Beta3?

javidjamae Feb 15, 2008 3:58 PM (in response to javidjamae)

It seems like I'm doing everything the same, but I get the following error on the server:

14:36:15,468 ERROR [ServerThread] Worker thread initialization failure
java.lang.reflect.InvocationTargetException
 at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
 at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
 at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
 at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
 at org.jboss.remoting.transport.socket.ServerThread.createServerSocketWrapper(ServerThread.java:720)
 at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:368)
 at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:166)
Caused by: java.net.SocketException: Socket Closed
 at java.net.PlainSocketImpl.setOption(PlainSocketImpl.java:201)
 at java.net.Socket.setSoTimeout(Socket.java:988)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(SSLSocketImpl.java:1971)
 at org.jboss.remoting.transport.socket.SocketWrapper.setTimeout(SocketWrapper.java:85)
 at org.jboss.remoting.transport.socket.ClientSocketWrapper.createStreams(ClientSocketWrapper.java:168)
 at org.jboss.remoting.transport.socket.ClientSocketWrapper.<init>(ClientSocketWrapper.java:66)
 at org.jboss.remoting.transport.socket.ServerSocketWrapper.<init>(ServerSocketWrapper.java:46)
 ... 7 more

I also see this error on the client:

 [echo] java -Djavax.net.ssl.keyStrore=c:\jbia-src\ch07\target/keystore/client.truststore -Djavax.net.ssl.keyStorePassword=clientpass com.manning.jbia.Client
 [java] Exception in thread "main" org.jboss.remoting.CannotConnectException: Can not get connection to server. Problem establishing socket connection for InvokerLocator [sslso
cket://127.0.0.1:3843/]
 [java] at org.jboss.remoting.transport.socket.MicroSocketClientInvoker.transport(MicroSocketClientInvoker.java:559)
 [java] at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:122)
 [java] at org.jboss.remoting.Client.invoke(Client.java:1634)
 [java] at org.jboss.remoting.Client.invoke(Client.java:548)
 [java] at org.jboss.aspects.remoting.InvokeRemoteInterceptor.invoke(InvokeRemoteInterceptor.java:62)
 [java] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 [java] at org.jboss.aspects.tx.ClientTxPropagationInterceptor.invoke(ClientTxPropagationInterceptor.java:61)
 [java] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 [java] at org.jboss.aspects.security.SecurityClientInterceptor.invoke(SecurityClientInterceptor.java:65)
 [java] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 [java] at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:74)
 [java] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 [java] at org.jboss.ejb3.stateless.StatelessRemoteProxy.invoke(StatelessRemoteProxy.java:108)
 [java] at $Proxy1.greet(Unknown Source)
 [java] at com.manning.jbia.Client.main(Client.java:27)
 [java] Caused by: java.lang.reflect.InvocationTargetException
 [java] at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
 [java] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
...
(rest is same as on server)

This is how I started my server:

$ ./run.sh -Djavax.net.ssl.keyStore=../server/enterprise/conf/server.keystore -Djavax.net.ssl.keyStorePassword=serverpass -c enterprise

Here is my mbean:

 <mbean code="org.jboss.remoting.transport.Connector"
 name="jboss.remoting:type=Connector,transport=sslsocket3843,handler=ejb3">
 <attribute name="InvokerLocator">sslsocket://${jboss.bind.address}:3843</attribute>
 <attribute name="Configuration">
 <config>
 <handlers>
 <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
 </handlers>
 </config>
 </attribute>
 </mbean>

Here is my bean:

@RemoteBindings({@RemoteBinding(clientBindUrl = "sslsocket://0.0.0.0:3843", jndiBinding="StatelessSSL")})
@Stateless
public class GreeterBean implements Greeter {
 @PersistenceContext
 private EntityManager em;

 public void greet(String message) {
 Greeting greeting = new Greeting(message);
 em.persist(greeting);
 }

 @SuppressWarnings("unchecked")
 public List<Greeting> getAllGreetings() {
 return em.createQuery("from Greeting").getResultList();
 }
}

And here is my client:

public class Client {
 public static void main(String[] args) throws Exception {
 InitialContext ctx = new InitialContext();

 Greeter greeter = (Greeter) ctx.lookup("StatelessSSL");
 greeter.greet("Hello, world!");
 greeter.greet("Hola, mundo!");
 greeter.greet("Salam, donya!");
 greeter.greet("Bonjour, monde!");
 greeter.greet("Ciao, mondo!");

 List<Greeting> greets = greeter.getAllGreetings();
 for (Greeting greeting : greets) {
 System.out.println(greeting.getGreeting());
 }
 }
}

I'm running in cygwin under windows XP. Just for good measure, I made sure to disable the Windows Firewall, but that didn't make a difference. Any clues?

4. Re: EJB3 & SSL not working in JBoss 5 Beta3?

javidjamae Apr 30, 2008 11:51 PM (in response to javidjamae)

I gave up on this with Beta 3, but I just came back to it on Beta 4 and I'm still getting the same error. Does anybody have any insight as to what the problem may be?

BTW: Those SVN links you posted are no longer working, can somebody point me to the new location of the EJB3 SSL tests / resource files?
Actions
5. Re: EJB3 & SSL not working in JBoss 5 Beta3?

jaikiran May 6, 2008 3:32 AM (in response to javidjamae)

Javid,

Please see this thread http://www.jboss.com/index.html?module=bb&op=viewtopic&t=131072 where the same issue was reported for version 4.2.2.

14:36:15,468 ERROR [ServerThread] Worker thread initialization failure
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:
39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorIm
pl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
at org.jboss.remoting.transport.socket.ServerThread.createServerSocketWrapper(ServerThread.j
ava:720)
at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:368)
at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:166)
Caused by: java.net.SocketException: Socket Closed
at java.net.PlainSocketImpl.setOption(PlainSocketImpl.java:201)
at java.net.Socket.setSoTimeout(Socket.java:988)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(SSLSocketImpl.java:1971)
at org.jboss.remoting.transport.socket.SocketWrapper.setTimeout(SocketWrapper.java:85)
at org.jboss.remoting.transport.socket.ClientSocketWrapper.createStreams(ClientSocketWrapper
.java:168)
at org.jboss.remoting.transport.socket.ClientSocketWrapper.<init>(ClientSocketWrapper.java:66)
at org.jboss.remoting.transport.socket.ServerSocketWrapper.<init>(ServerSocketWrapper.java:46)
... 7 more

The exception stacktrace that you posted looks very similar to what is posted in the other thread. See my comment dated Mon May 5, 2008 12:21 PM in that other thread. Your logs on the client also show that you are passing the keyStore and keyStorePassword as arguments:

[echo] java -Djavax.net.ssl.keyStrore=c:\jbia-src\ch07\target/keystore/client.truststore -Djavax.net.ssl.keyStorePassword=clientpass com.manning.jbia.Client

This looks incorrect. Instead, the trustStore and trustStorePassword need to be passed as arguments from the client. See my comment in that other thread and also this document http://docs.jboss.org/ejb3/app-server/reference/build/reference/en/html/transport.html which describes how to create the trustStore and pass it as an argument from the client.

Let us know, if this works for you (i haven't yet tried this on JBoss-5 Beta).
Actions
6. Re: EJB3 & SSL not working in JBoss 5 Beta3?

javidjamae May 10, 2008 1:40 PM (in response to javidjamae)

Excellent, that worked! Thanks a lot!
Actions

7. Re: EJB3 & SSL not working in JBoss 5 Beta3?

javidjamae Oct 11, 2008 1:43 AM (in response to javidjamae)

In case you're trying this out on JBoss 5 CR2, to get this to work I had to use the following service:

<server>

 <mbean code="org.jboss.remoting.transport.Connector"
 name="jboss.remoting:type=Connector,transport=sslsocket3843,handler=ejb3">
 <attribute name="InvokerLocator">sslsocket://${jboss.bind.address}:3843</attribute>
 <attribute name="Configuration">
 <config>
 <handlers>
 <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
 </handlers>
 </config>
 </attribute>
 </mbean>

</server>

and the following bean binding:

@RemoteBindings(
 {@RemoteBinding(clientBindUrl = "sslsocket://127.0.0.1:3843",
 jndiBinding="StatelessSSL")})

Go to original post