Securing EJB3 traffic with mutual authentication using certificates
glenn.bech Aug 20, 2010 3:26 AMHi,
I am atempting to secure traffic between an Oracle Weblogic 10 and JBOSS 5.1.0 server. Our project is required to both encrypt the traffic and provide mutual authentication.
I know that my aproach does not secure the JNDI lookup, and that it will configure the entire server, and not just my application.
I think however that this is the fastest way to reach our deadline, withour having to add annotations and such to our beans.
So far I have done the following;
- Created a self signed server certificate using keytool: keytool -genkey -alias server -keyalg RSA -keystore server.keystore
- Configured the invokerLocator of the bean org.jboss.ejb3.RemotingConnector to use sslsocket transport.
<bean name="org.jboss.ejb3.RemotingConnector"> <property name="invokerLocator"> <value-factory bean="ServiceBindingManager" method="getStringBinding"> <parameter> jboss.remoting:type=Connector,name=DefaultEjb3Connector,handler=ejb3 </parameter> <parameter> <null /> </parameter> <parameter>sslsocket://${jboss.bind.address}:${port}</parameter> <parameter> <null /> </parameter> <parameter>3873</parameter> </value-factory> </property> <property name="serverConfiguration"> <inject bean="ServerConfiguration" /> </property> </bean>
- On the client side, I also generate a self signed certificate: keytool -genkey -alias client -keyalg RSA -keystore client.keystore
- I then establish mutual authentication
- I export the server certificate from the server keystore and import it into what becomes the
client truststore - I export the client certificate from the client keystore and import it into what becomes
the server truststore - I then configure both weblogic and JBOSS with the comamnd line arguments
-Djavax.net.ssl.keyStore
-Djavax.net.ssl.keyStorePassword
-Djavax.net.ssl.trustStore=
-Djavax.net.ssl.trustStorePassword
I have one-way SSL up and running. If I remove the server certificate from the Client trust store, the handshake
fails.
My problem is; JBOSS does not authenticate the client certificate and accepts all incoming traffic.
It seems to be ignoring the configured truststore. I have searched all documentation and have
found nothing on EJB3 over SSL & mutual authentication in JBOSS 5.1.0AS
Can anyone help?