Ron, thanks a lot for those pointers. With that help, i was able to come up with a configuration which deploys the ssl connector for EJB3. Here's the configuration:
<?xml version="1.0" encoding="UTF-8"?>
<!--
EJB3 SSL Connector
-->
<deployment xmlns="urn:jboss:bean-deployer:2.0">
<!-- We have to expose this MC bean through JMX http://www.jboss.com/index.html?module=bb&op=viewtopic&t=149570#4206018 -->
<bean name="DomainServerSocketFactoryService" class="org.jboss.remoting.security.domain.DomainServerSocketFactoryService">
<annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.remoting:service=ServerSocketFactory,type=SecurityDomainAdvanced",exposedInterface=org.jboss.remoting.security.domain.DomainServerSocketFactoryServiceMBean.class,registerDirectly=true)</annotation>
<property name="securityDomain">java:/jaas/SSLAdvanced</property>
<depends>JaasSecurityDomain</depends>
</bean>
<!-- This is the MC bean which sets the keystore url and password -->
<bean name="JaasSecurityDomain" class="org.jboss.security.plugins.JaasSecurityDomain">
<constructor>
<parameter>SSLAdvanced</parameter>
</constructor>
<property name="keyStoreURL">localhost.keystore</property>
<property name="keyStorePass">opensource</property>
</bean>
<!-- The serverConfiguration that we will use in our EJB3SSLRemotingConnector.
This serverConfiguration will define the (usual) invocationHandler(s) and also the serverParameters.
The serverParameter is important since that's the place where we specify the serverSocketFactory to use for SSL -->
<bean name="SSLServerConfiguration" class="org.jboss.remoting.ServerConfiguration">
<property name="invocationHandlers">
<map keyClass="java.lang.String" valueClass="java.lang.String">
<entry>
<key>AOP</key>
<value>
org.jboss.aspects.remoting.AOPRemotingInvocationHandler
</value>
</entry>
</map>
</property>
<property name="serverParameters">
<map keyClass="java.lang.String" valueClass="java.lang.Object">
<entry>
<key>serverSocketFactory</key>
<!-- This value should match the JMX MBean that we create above for the MC Bean "DomainServerSocketFactoryService" -->
<value>jboss.remoting:service=ServerSocketFactory,type=SecurityDomainAdvanced</value>
</entry>
</map>
</property>
</bean>
<!-- Our EJB3 SSL Remoting connector which uses the SSLServerConfiguration that we created above. It also
configures the invokerLocator -->
<bean name="EJB3SSLRemotingConnector" class="org.jboss.remoting.transport.Connector">
<property name="invokerLocator">
<value-factory bean="ServiceBindingManager"
method="getStringBinding">
<parameter>
jboss.remoting:type=Connector,name=SSLEjb3Connector,handler=ejb3
</parameter>
<parameter>
<null />
</parameter>
<parameter>sslsocket://${jboss.bind.address}:${port}</parameter>
<parameter>
<null />
</parameter>
<parameter>3843</parameter>
</value-factory>
</property>
<property name="serverConfiguration">
<inject bean="SSLServerConfiguration" />
</property>
</bean>
</deployment>
This deploys fine or rather with a single ERROR message which at first seemed harmless to me:
2009-01-31 16:08:34,313 ERROR [org.jboss.remoting.transport.socket.SocketServerInvoker] (AcceptorThread[[SSL: ServerSocket[addr=/0.0.0.0,port=0,localport=3843]]]) SSLServerSocket error
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:303)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
at org.jboss.remoting.util.SecurityUtility.accept(SecurityUtility.java:931)
at org.jboss.remoting.transport.socket.SocketServerInvoker$AcceptThread.run(SocketServerInvoker.java:1003)
However when i run the SSL client to lookup a bean through sslsocket, the client just hangs. A bit of debugging through logs indicates a couple of issues in Remoting code:
1) With the above configuration, the server.log shows me this:
2009-01-31 16:39:10,996 DEBUG [org.jboss.security.plugins.JaasSecurityDomain] (HDScanner) Using KeyStore=vfszip:/opt/jpai/jboss-5.0.0.GA/server/default/deploy/jboss-ejb3-tutorial-ssl.jar/localhost.keystore
2009-01-31 16:39:10,996 DEBUG [org.jboss.security.plugins.JaasSecurityDomain] (HDScanner) Creating JaasSecurityDomain(SSLAdvanced)
2009-01-31 16:39:10,996 DEBUG [org.jboss.security.plugins.JaasSecurityDomain] (HDScanner) Created JaasSecurityDomain(SSLAdvanced)
2009-01-31 16:39:10,996 DEBUG [org.jboss.system.ServiceController] (HDScanner) Creating service jboss.remoting:service=ServerSocketFactory,type=SecurityDomainAdvanced
2009-01-31 16:39:10,997 DEBUG [org.jboss.security.plugins.JaasSecurityDomain] (HDScanner) Starting JaasSecurityDomain(SSLAdvanced)
2009-01-31 16:39:11,309 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] (HDScanner) Added SSLAdvanced, org.jboss.security.plugins.JaasSecurityDomain@1caef1c to map
2009-01-31 16:39:11,314 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SSLAdvanced] (HDScanner) CachePolicy set to: org.jboss.util.TimedCachePolicy@177533f
2009-01-31 16:39:11,314 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] (HDScanner) setCachePolicy, c=org.jboss.util.TimedCachePolicy@177533f
2009-01-31 16:39:11,314 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (HDScanner) Creating SDC for domain=SSLAdvanced
2009-01-31 16:39:11,315 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SSLAdvanced] (HDScanner) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@fa874b
2009-01-31 16:39:11,315 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SSLAdvanced] (HDScanner) CachePolicy set to: org.jboss.util.TimedCachePolicy@1c87675
2009-01-31 16:39:11,315 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (HDScanner) setCachePolicy, c=org.jboss.util.TimedCachePolicy@1c87675
2009-01-31 16:39:11,316 DEBUG [org.jboss.security.plugins.JaasSecurityDomain] (HDScanner) Started JaasSecurityDomain(SSLAdvanced)
2009-01-31 16:39:11,328 DEBUG [org.jboss.system.ServiceController] (HDScanner) starting service jboss.remoting:service=ServerSocketFactory,type=SecurityDomainAdvanced
2009-01-31 16:39:11,351 DEBUG [org.jboss.remoting.ServerInvoker] (HDScanner) SocketServerInvoker[0.0.0.0:3843] did not find server socket factory configuration as mbean service or classname. Creating default server socket factory.
2009-01-31 16:39:11,420 DEBUG [org.jboss.remoting.ServerInvoker] (HDScanner) SocketServerInvoker[0.0.0.0:3843] created server socket factory com.sun.net.ssl.internal.ssl.SSLServerSocketFactoryImpl@260627
2009-01-31 16:39:11,421 DEBUG [org.jboss.remoting.transport.Connector] (HDScanner) Handler supplied is not an object name.
2009-01-31 16:39:11,421 DEBUG [org.jboss.remoting.ServerInvoker] (HDScanner) SocketServerInvoker[jaikiran.jboss:3843] added org.jboss.aspects.remoting.AOPRemotingInvocationHandler@5e1bc1 for subsystem 'AOP'
2009-01-31 16:39:11,421 DEBUG [org.jboss.remoting.transport.socket.SocketServerInvoker] (HDScanner) SocketServerInvoker[jaikiran.jboss:3843] starting
2009-01-31 16:39:11,529 DEBUG [org.jboss.remoting.transport.socket.SocketServerInvoker] (HDScanner) SocketServerInvoker[jaikiran.jboss:3843] created [SSL: ServerSocket[addr=/0.0.0.0,port=0,localport=3843]]
2009-01-31 16:39:11,529 DEBUG [org.jboss.remoting.ServerInvoker] (HDScanner) SocketServerInvoker[jaikiran.jboss:3843] started for locator InvokerLocator [sslsocket://jaikiran.jboss:3843/?]
2009-01-31 16:39:11,529 DEBUG [org.jboss.remoting.transport.socket.SocketServerInvoker] (HDScanner) SocketServerInvoker[jaikiran.jboss:3843] started
2009-01-31 16:39:11,529 DEBUG [org.jboss.remoting.transport.Connector] (HDScanner) org.jboss.remoting.transport.Connector@86411 started
2009-01-31 16:39:12,114 ERROR [org.jboss.remoting.transport.socket.SocketServerInvoker] (AcceptorThread[[SSL: ServerSocket[addr=/0.0.0.0,port=0,localport=3843]]]) SSLServerSocket error
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:303)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
at org.jboss.remoting.util.SecurityUtility.accept(SecurityUtility.java:931)
at org.jboss.remoting.transport.socket.SocketServerInvoker$AcceptThread.run(SocketServerInvoker.java:1003)
So the log says (the line marked in bold), that the configuration doesn't contain the server socket factory configuration, even though the configuration does have it. I looked at the org.jboss.remoting.transport.Connector.init() code:
private void init()
throws Exception
{
Map invokerConfig = new HashMap();
if (locatorURI == null)
{
// InvokerLocator attribute not set; check to see if serverConfiguration is set.
if (serverConfiguration != null)
{
getInvokerConfigFromServerConfiguration(invokerConfig);
}
// Check to see if Configuration attribute is set.
else if (xml != null)
{
getInvokerConfigFromXML(invokerConfig);
}
configuration.putAll(invokerConfig);
}
if (locatorURI == null)
{
throw new IllegalStateException("Connector not configured with LocatorURI.");
}
InvokerLocator locator = new InvokerLocator(locatorURI);
if (invoker == null)
{
// create the server invoker
invoker = InvokerRegistry.createServerInvoker(locator, configuration);
Based on debugging, i can see that the "configuration" is always empty (even though the "invokerConfig" has all the relevant configurations) when the InvokerLocator is being created. That's because, the getInvokerConfigFromServerConfiguration (nor the getInvokerConfigFromXML) is ever called because of the if (locatorURI == null) condition never being satisfied. Looking at this code, those two methods getInvokerConfigFromXML/getInvokerConfigFromServerConfiguration are currently setting the locatorURI as well as populating the configurations. I guess those might have to be refactored so that populating the configurations is done separately, irrespective of whether locatorURI is set or not. As such, i refactored the Connector code to move the locatorURI creation and configuration setting into two separate independent methods and patched it in the AS5.0 GA. I'll mail you the patch separately (too long to post it here).
That patch got me one step closer to getting my client running, but it wasn't enough because i saw this in the logs:
2009-01-31 17:12:38,616 DEBUG [org.jboss.remoting.ServerInvoker] (HDScanner) The 'serverSocketFactory' attribute was set with a value, but the MBeanServer reference is null.
2009-01-31 17:12:38,620 DEBUG [org.jboss.remoting.ServerInvoker] (HDScanner) Could not create server socket factory by classname (jboss.remoting:service=ServerSocketFactory,type=SecurityDomainAdvanced). Error message: jboss.remoting:service=ServerSocketFactory,type=SecurityDomainAdvanced
2009-01-31 17:12:38,620 DEBUG [org.jboss.remoting.ServerInvoker] (HDScanner) SocketServerInvoker[0.0.0.0:3843] did not find server socket factory configuration as mbean service or classname. Creating default server socket factory.
2009-01-31 17:12:38,666 DEBUG [org.jboss.remoting.ServerInvoker] (HDScanner) SocketServerInvoker[0.0.0.0:3843] created server socket factory com.sun.net.ssl.internal.ssl.SSLServerSocketFactoryImpl@1df43bf
Since the Connector is now a MC Bean, it doesn't have a reference to the MBeanServer and hence the log (marked in bold). I'm not sure whether there's a way to inject MBean server into a MC Bean. The ugly hack that i could think of was to use the MBeanServerLocator.locateJBoss() to set the MBean Server. Definitely ugly since its not going to work outside AS.
private MBeanServer server = org.jboss.mx.util.MBeanServerLocator.locateJBoss();
Maybe there's a better way to get hold of the MBean Server into the MC bean (even though both are unrelated)?
With this additional change patched in, i was finally able to make my EJB3 client happy :) The deployment went fine and the client was able to lookup the bean invoke the operations.
Do you suggest i create a JIRA for this?
P.S: This is not critical for EJB3 because the MBean variant of these configurations (in my first post) works without any issues. I was just curious in using the MC Bean version, so started looking at it.