-
1. Re: Remoting-connector with SSL
dlofthouse Feb 27, 2012 2:59 PM (in response to mates1234)
Could you please elaborate further on what you mean when you say it does not work?
What kind of client are you trying to connect to the connector? Also, could you please show some of the relevant configuration of both the realm and the connector.
-
2. Re: Remoting-connector with SSL
mates1234 Feb 28, 2012 2:26 AM (in response to dlofthouse)
standalone.xml
<security-realm name="SSLRealm">
    <server-identities>
        <ssl>
            <keystore path="localhost.keystore" password="EJB-SSL_KEYPAIR_PASSWORD" relative-to="jboss.server.config.dir"/>
        </ssl>
    </server-identities>
    <authentication>
        <jaas name="bean-sec-domain" />
    </authentication>
</security-realm>
....
<connector name="remoting-connector" socket-binding="remoting" security-realm="SSLRealm" />
...
ejb: client
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

// JNDI environment for the "ejb:" naming provider of the JBoss EJB client
Properties p = new Properties();
p.setProperty(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
p.put("jboss.naming.client.ejb.context", true);
InitialContext c = new InitialContext(p);
// Lookup name: ejb:<app>/<module>/<bean>!<fully qualified remote interface>
TestBeanRemote vLookup = (TestBeanRemote) c.lookup("ejb:TestEar/TestEjb/TestBean!" + TestBeanRemote.class.getName());
jboss-ejb-client.properties
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=true
remote.connections=x1
remote.connection.x1.host=127.0.0.1
remote.connection.x1.port = 4447
remote.connection.x1.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
remote.connection.x1.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false
remote.connection.x1.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
and the result is
ERROR: JBREM000200: Remote connection failed: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
28.2.2012 8:23:28 org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector setupEJBReceivers
WARN: Could not register a EJB receiver for connection to remote://127.0.0.1:4447
java.lang.RuntimeException: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at org.jboss.ejb.client.remoting.IoFutureHelper.get(IoFutureHelper.java:91)
-
3. Re: Remoting-connector with SSL
dlofthouse Feb 28, 2012 5:49 AM (in response to mates1234)
There is one additional option you need on the client: -
remote.connectionprovider.create.options.org.xnio.Options.SSL_STARTTLS=true
-
4. Re: Remoting-connector with SSL
mates1234 Feb 28, 2012 6:05 AM (in response to dlofthouse)
I've got the same problem with SSL_STARTTLS=true.
It looks like there is no SSL connection on the server side.
Is the server configuration correct?
-
5. Re: Remoting-connector with SSL
dlofthouse Feb 28, 2012 6:12 AM (in response to mates1234)
Can you try setting the option on 'remote.connection.x1.connect.options' instead?
-
6. Re: Remoting-connector with SSL
mates1234 Feb 28, 2012 6:21 AM (in response to dlofthouse)
That is it. Thanks.
remote.connection.x1.connect.options.org.xnio.Options.SSL_STARTTLS=true
solves the problem.
-
7. Re: Remoting-connector with SSL
mates1234 Feb 28, 2012 6:29 AM (in response to mates1234)
For lookup with the "remote://" protocol I've constructed the Properties for InitialContext like
p.put("jboss.naming.client.remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED","true");
p.put("jboss.naming.client.connect.options.org.xnio.Options.SSL_STARTTLS","true");
and now it works.
-
8. Re: Remoting-connector with SSL
mrusinak May 29, 2012 5:37 PM (in response to mates1234)
Hello, I have a follow-up question. Is there any way to make the client ignore the server's certificate? We want to use SSL for encryption on remote EJB queries, but do not have control over the JVM the client runs in to set the JVM-level truststore / certificates to trust.
Using:
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=true
remote.connections = x1
remote.connection.x1.host = 127.0.0.1
remote.connection.x1.port = 9112
remote.connection.x1.username = admin
remote.connection.x1.password = admin
remote.connection.x1.connect.options.org.xnio.Options.SSL_STARTTLS=true
remote.connection.x1.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=true
remote.connection.x1.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=true
remote.connection.x1.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
On running my client (which just tries to initiate a connection), I get an error on the client during EJB receiver registration:
INFO [main] (EndpointImpl.java:70) - JBoss Remoting version 3.2.3.GA
ERROR [Remoting "config-based-ejb-client-endpoint" read-1] (RemoteConnection.java:99) - JBREM000200: Remote connection failed: java.io.IOException: JBREM000202: Abrupt close on Remoting connection 76933bcb to computer/127.0.0.1:9112
WARN [main] (ConfigBasedEJBClientContextSelector.java:133) - Could not register a EJB receiver for connection to remote://127.0.0.1:9112
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
With this jboss-side error:
ERROR [org.jboss.remoting.remote.connection] (Remoting "computer" read-1) JBREM000200: Remote connection failed: javax.net.ssl.SSLException: Fatal Alert received: Certificate Unknown
Thanks for any help!
-
9. Re: Remoting-connector with SSL
dlofthouse May 30, 2012 6:32 AM (in response to mrusinak)
No, you do need the truststore on the client side to be able to verify the certificate, although you should be able to use the following properties on the client without affecting the JVM installation: -
-Djavax.net.ssl.trustStore=client.truststore -Djavax.net.ssl.trustStorePassword=truststore_password
The issue is that if the client is inadvertently forwarded to connect to a different address, a man-in-the-middle type attack with a fake private key is fairly simple, with that intermediary now having full access to the data being exchanged.
-
10. Re: Remoting-connector with SSL
mrusinak May 30, 2012 8:58 AM (in response to dlofthouse)
Sorry, what I meant when I said JVM-level was exactly what you typed - the client is more or less a plugin to a running framework, so it isn't started in its own command window / environment. And while I can certainly access/change those via System, that affects every other "plugin" as well.
I do realize not validating the certificate can lead to man-in-the-middle, but since we currently do not use SSL at all, we have other means of validating who we are talking to. This is just a first step to get encrypted traffic. If we can't allow the client to ignore the certificate, then is there a way to pass in our certificate to the properties used for .lookup()?
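Added example, not code from this thread or from JBoss: what dlofthouse's answer amounts to in code. Instead of the global -Djavax.net.ssl.trustStore properties, which in mrusinak's situation would change trust for every plugin sharing the host JVM, the truststore is loaded into a TrustManagerFactory and a private SSLContext is built from it, so certificate verification stays on but is scoped to this one client. Only standard JSSE is used; the file name and password (client.truststore / truststore_password) are the ones quoted above and are assumed to exist on the client. How the resulting context is handed to the EJB client library is version-specific and not covered by this thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Trust scoped to one client: the server chain is verified against an explicit
 * truststore file rather than the JVM-wide javax.net.ssl.trustStore settings.
 * Added example; client.truststore / truststore_password are taken from the
 * thread and assumed to exist on the client machine.
 */
public final class ScopedTrust {

    /** Load the truststore and return an X509TrustManager that trusts only its anchors. */
    public static X509TrustManager trustManagerFrom(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available for " + path);
    }

    /** An SSLContext bound to that trust manager; no global JVM state is touched. */
    public static SSLContext contextFrom(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

    /**
     * The check the handshake performs, made explicit: the chain the server presents
     * must anchor in the truststore or the connection is refused. This is exactly the
     * step a "trust everything" manager skips, which is what exposes the client to the
     * intermediary scenario described in the thread.
     */
    public static boolean chainIsTrusted(X509TrustManager tm, X509Certificate[] chain, String authType) {
        try {
            tm.checkServerTrusted(chain, authType);
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = trustManagerFrom("client.truststore", "truststore_password".toCharArray());
        SSLContext ctx = contextFrom(tm);
        // Only the anchors in client.truststore are accepted; the JVM's cacerts are not consulted.
        for (X509Certificate anchor : tm.getAcceptedIssuers()) {
            System.out.println("trusted anchor: " + anchor.getSubjectX500Principal());
        }
        // ctx.getSocketFactory() / ctx.createSSLEngine() yield sockets and engines that verify
        // against this truststore only. The Remoting client upgrades to TLS via STARTTLS, so the
        // context must be supplied to the client library rather than used for a raw TLS socket to
        // port 9112; that wiring is version-specific and not shown here.
        System.out.println("context protocol: " + ctx.getProtocol());
    }
}
```

The design point is that "we have other means of validating who we are talking to" does not protect the TLS session itself: without chain verification the encryption is negotiated with whoever answers on that address. Keeping verification on and narrowing the trust anchors to one file gives the encrypted channel without depending on the host JVM's configuration.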
-
11. Re: Remoting-connector with SSL
ybxiang.china Aug 4, 2012 4:06 AM (in response to mates1234)
Hello Mates,
In JBoss 6, we can use the below annotations on an EJB,
@RemoteBindings({
    @RemoteBinding(clientBindUrl="sslsocket://${jboss.bind.address}:3843", jndiBinding="nms-ear/SSLSecuredRemoteSession/remote"),
    @RemoteBinding(jndiBinding="nms-ear/SecuredRemoteSession/remote")
})
@Remote
public interface ISecuredRemoteSession extends ILogin {
    ....
But, in JBoss 7, this annotation is NOT supported by default. How do you bind your EJB interface to an SSL IP and port?