The <jsse> element of the <security-domain> in the configuration file is maybe  the right place, but it seems to be ignored when I try to use it with client-auth enabled

I've made a few tests with a trustore and client-auth enabled, and remote calls works even with an untrusted certificate!!!

<jsse keystore-password="pass" keystore-url="file:/D:/jboss-as-7.1.1.Final/standalone/configuration/server.keystore" truststore-password="otherpass" truststore-url="file:/D:/jboss-as-7.1.1.Final/standalone/configuration/server.truststore" cipher-suites="TLS_RSA_WITH_AES_256_CBC_SHA" client-auth="true"/>

Any idea?

I don't understand why do you say they are "completely unrelated" (my english is not so good, maybe i've not explain correctly my problem)?

For the moment I'm using security-realm to manage athentication/authorization of my remote ejb client.

I use a database to store login/password and roles and use ssl to secure and identify my server.

Here is a part of my standalone.xml, which is working :

....

<security-realm name="myRealm">

    <server-identities>

        <ssl>

            <keystore path="server.keystore" relative-to="jboss.server.config.dir" password="pass"/>

        </ssl>

    </server-identities>

    <authentication>

        <jaas name="myDomain"/>

    </authentication>

</security-realm>

......

<subsystem xmlns="urn:jboss:domain:remoting:1.1">

    <connector name="remoting-connector" socket-binding="remoting" security-realm="AreaFseRealm"/>

</subsystem>

.....

<security-domain name="myDomain" cache-type="default">

    <authentication>

        <login-module code="Remoting" flag="optional">

            <module-option name="password-stacking" value="useFirstPass"/>

        </login-module>

        <login-module code="Database" flag="required">

            <module-option name="dsJndiName" value="java:jboss/datasources/myDS"/>

            <module-option name="principalsQuery" value="SELECT pass FROM user WHERE username=?"/>

            <module-option name="rolesQuery" value="SELECT r.roles, 'Roles' FROM role r INNER JOIN user u USING (id_user) WHERE u.username=?"/>

            <module-option name="password-stacking" value="useFirstPass"/>

        </login-module>

    </authentication>

</security-domain>

What I try to add now is :

- client certificate authentication (with revocation check) : clients certificates are delivered by a CA. I have the CA certificate and I can download CRL => Maybe i've to code my own TrustManager or something else

- use one of this cipher (i'm developping both client and server side) :

     * TLS_RSA_WITH_3DES_EDE_CBC_SHA

     * TLS_RSA_WITH_AES_128_CBC_SHA

     * TLS_RSA_WITH_AES_256_CBC_SHA

     => If it's not possible, how can I know the cipher used by default?

I thought this could be done in the <jsse> element looking at https://docs.jboss.org/author/display/AS71/Security+subsystem+configuration 

OK, thanks for your help ;-)

Just a last question, what is the <jsse> element used for? Is it only for outbound connexion?

I was thinking again about a way of configuring the cipher suites on client or on the server side.

Do you think we can use a workaround by using a system property or something else, used by the SSLFactory?

On the client-side, this option in the jboss-ejb-client.properties does the trick :

remote.connection.default.connect.options.org.xnio.Options.SSL_ENABLED_CIPHER_SUITES=TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA

If i could find an equivalent on the server side...