-
1. Re: Remoting with SSL and Cipher Suite
renz13 Jun 20, 2012 10:51 AM (in response to renz13)
The <jsse> element of the <security-domain> in the configuration file is maybe the right place, but it seems to be ignored when I try to use it with client-auth enabled.
I've made a few tests with a truststore and client-auth enabled, and remote calls work even with an untrusted certificate!!!
<jsse keystore-password="pass" keystore-url="file:/D:/jboss-as-7.1.1.Final/standalone/configuration/server.keystore" truststore-password="otherpass" truststore-url="file:/D:/jboss-as-7.1.1.Final/standalone/configuration/server.truststore" cipher-suites="TLS_RSA_WITH_AES_256_CBC_SHA" client-auth="true"/>
Any idea?
-
2. Re: Remoting with SSL and Cipher Suite
dlofthouse Jun 20, 2012 10:56 AM (in response to renz13)
1 of 1 people found this helpful
At the moment we don't have a configuration option to specify this and security domains are completely unrelated to the Remoting configuration.
I have added the following issue to re-visit this: -
-
3. Re: Remoting with SSL and Cipher Suite
renz13 Jun 20, 2012 1:06 PM (in response to dlofthouse)
I don't understand why you say they are "completely unrelated" (my English is not so good, maybe I've not explained my problem correctly)?
For the moment I'm using security-realm to manage authentication/authorization of my remote EJB client.
I use a database to store login/password and roles and use SSL to secure and identify my server.
Here is a part of my standalone.xml, which is working:
....
<security-realm name="myRealm">
    <server-identities>
        <ssl>
            <keystore path="server.keystore" relative-to="jboss.server.config.dir" password="pass"/>
        </ssl>
    </server-identities>
    <authentication>
        <jaas name="myDomain"/>
    </authentication>
</security-realm>
......
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="AreaFseRealm"/>
</subsystem>
.....
<security-domain name="myDomain" cache-type="default">
    <authentication>
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="Database" flag="required">
            <module-option name="dsJndiName" value="java:jboss/datasources/myDS"/>
            <module-option name="principalsQuery" value="SELECT pass FROM user WHERE username=?"/>
            <module-option name="rolesQuery" value="SELECT r.roles, 'Roles' FROM role r INNER JOIN user u USING (id_user) WHERE u.username=?"/>
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
</security-domain>
What I am trying to add now is:
- client certificate authentication (with revocation check): client certificates are delivered by a CA. I have the CA certificate and I can download the CRL => Maybe I have to code my own TrustManager or something else
- use one of these ciphers (I'm developing both client and server side):
* TLS_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_AES_256_CBC_SHA
=> If it's not possible, how can I know the cipher used by default?
I thought this could be done in the <jsse> element, looking at https://docs.jboss.org/author/display/AS71/Security+subsystem+configuration
-
4. Re: Remoting with SSL and Cipher Suite
dlofthouse Jun 21, 2012 5:01 AM (in response to renz13)
1 of 1 people found this helpful
What I mean when I say that they are unrelated is that any configuration applied to a security domain is not used to apply the SSL settings to the Remoting connector.
-
5. Re: Remoting with SSL and Cipher Suite
renz13 Jun 21, 2012 6:36 AM (in response to dlofthouse)
OK, thanks for your help ;-)
Just a last question, what is the <jsse> element used for? Is it only for outbound connections?
-
6. Re: Remoting with SSL and Cipher Suite
rohanemmanuel Aug 1, 2012 8:40 AM (in response to renz13)
Can I use the ssl tag for AS 7.1.2, for remoting EJB3 over SSL?
<ssl>
    <keystore path="server.keystore" relative-to="jboss.server.config.dir" password="pass"/>
</ssl>
If not, what else should I configure for AS 7.1.2?
-
7. Re: Remoting with SSL and Cipher Suite
dlofthouse Aug 1, 2012 9:35 AM (in response to rohanemmanuel)
Yes that is exactly how you would set it on the realm associated with the connection.
-
8. Re: Remoting with SSL and Cipher Suite
rohanemmanuel Aug 2, 2012 12:34 AM (in response to dlofthouse)
Can you point me to the documentation where this is given in detail,
or do you have any sample application which you could share?
I am trying to remotely connect to a simple stateless bean over SSL.
Thanks
-
9. Re: Remoting with SSL and Cipher Suite
renz13 Oct 17, 2012 5:13 AM (in response to renz13)
I was thinking again about a way of configuring the cipher suites on client or on the server side.
Do you think we can use a workaround by using a system property or something else, used by the SSLFactory?
-
10. Re: Remoting with SSL and Cipher Suite
renz13 Oct 17, 2012 11:03 AM (in response to renz13)
On the client side, this option in the jboss-ejb-client.properties does the trick:
remote.connection.default.connect.options.org.xnio.Options.SSL_ENABLED_CIPHER_SUITES=TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA
If I could find an equivalent on the server side...
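
An added example, not part of the thread and not JBoss code: a Python check that reads a jboss-ejb-client.properties file and reports, per connection, whether the cipher suites pinned with the option from post 10 match the list given in post 3, treating the JSSE `SSL_` spelling and the IANA `TLS_` spelling as the same suite. The `reports` and `legacy` connections, the `WEAK` marker policy and the sample file are constructed assumptions.

```python
import re

# Option key as posted in the thread, with the connection name as a placeholder.
KEY = "remote.connection.{}.connect.options.org.xnio.Options.SSL_ENABLED_CIPHER_SUITES"
# Suites the poster wants to allow (post 3), in IANA spelling.
APPROVED = {"TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA"}
# Illustrative local policy (assumption, not from the thread): name fragments to flag.
WEAK = ("_3DES_", "_RC4_", "_DES_", "_NULL_", "_EXPORT_", "_anon_")

# Constructed sample; only the "default" suite list comes from the thread.
SAMPLE = """\
remote.connections=default,reports,legacy
remote.connection.default.connect.options.org.xnio.Options.SSL_ENABLED_CIPHER_SUITES=\\
    TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA
remote.connection.reports.connect.options.org.xnio.Options.SSL_ENABLED_CIPHER_SUITES=SSL_RSA_WITH_RC4_128_SHA
remote.connection.legacy.host=localhost
"""

def parse_properties(text):
    """Minimal .properties reader: '#'/'!' comments, '='/':' separators, '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1]          # join with the next physical line
        elif line and line[0] not in "#!":
            key, value = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line).groups()
            props[key] = value
    return props

def canonical(suite):
    """Older JSSE names spell some suites SSL_*, IANA spells them TLS_*; compare on TLS_."""
    return re.sub(r"^SSL_", "TLS_", suite.strip())

def audit(text, approved=APPROVED):
    """Return {connection name: [finding, ...]} for each name in remote.connections."""
    props, report = parse_properties(text), {}
    for name in filter(None, map(str.strip, props.get("remote.connections", "").split(","))):
        value = props.get(KEY.format(name))
        if not value:
            report[name] = ["no cipher list pinned"]
            continue
        suites = [canonical(s) for s in value.split(",")]
        report[name] = ([f"{s}: not in approved set" for s in suites if s not in approved]
                        + [f"{s}: weak algorithm" for s in suites if any(m in s for m in WEAK)])
    return report

if __name__ == "__main__": print(audit(SAMPLE))
```

An empty list for a connection means every pinned suite is in the approved set and matches none of the `WEAK` fragments.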