21 Replies. Latest reply on Mar 7, 2014 10:23 AM by jjakub

    Remote access of EJB over SSL

    rohanemmanuel

      I am trying to configure a stateless EJB to be accessed over SSL in AS 7.1.2. Could not find any documentation on this. Any inputs on how this can be configured ?

        • 1. Re: Remote access of EJB over SSL
          cfang

          You will need to configure the transport security requirement in ejb jar xml and jboss ejb xml. There should be docs for that.

          • 2. Re: Remote access of EJB over SSL
            rohanemmanuel

            Can you please be more specific?

            It would be a great help if you could point to the docs by pasting the link, since I'm not able to find any for the newer versions of JBoss (7.1.2).

            Thanks,

            • 3. Re: Remote access of EJB over SSL
              ochaloup

              Hi,

              you can check AS7 documentation on SSL: https://docs.jboss.org/author/display/AS71/SSL+setup+guide

              then try to search for other threads in this forum (e.g. https://community.jboss.org/message/533313)

              and you can try this tutorial as well: http://middlewaremagic.com/jboss/?p=2176

              • 4. Re: Remote access of EJB over SSL
                rohanemmanuel

                Hi Chaloupka,

                 

                I have tried the tutorial which I suggested,

                and I got the following exception on AS 7.1.2.FINAL

                 

                     [java] 0010: 38 01 10 4A 42Aug 6, 2012 1:21:31 PM org.jboss.remoting3.remote.RemoteConnection handleException
                     [java] ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
                     [java] javax.naming.NamingException: Failed to create remoting connection [Root exception is java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed]
                     [java]     at org.jboss.naming.remote.client.ClientUtil.namingException(ClientUtil.java:51)
                     [java]     at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:151)
                     [java]     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
                     [java]     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
                     [java]     at javax.naming.InitialContext.init(InitialContext.java:223)
                     [java]     at javax.naming.InitialContext 4F 53 53   2D 4C 4F 43 41 4C 2D 55  8..JBOSS-LOCAL-U
                     [java] 0020: 53 45 52 01 05 50 4C 41   49 4E 0F 7E AB 30 2A DA  SER..PLAIN...0*.
                     [java] 0030: 7C 43 55 81 56 06 1C DE   4B D1                    .CU.V...K.
                     [java] Remoting "config-based-naming-client-endpoint" read-1, called closeInbound()
                     [java] Remoting "config-based-naming-client-endpoint" read-1, fatal error: 80: Inbound closed before receiving pee.<init>(InitialContext.java:197)
                     [java]     at client.TestRemoteClientA.main(Unknown Source)
                     [java] Caused by: java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
                     [java]     at org.jboss.naming.remote.protocol.IoFutureHelper.get(IoFutureHelper.java:87)
                     [java]     at org.jboss.naming.remote.client.NamingStoreCache.getRemoteNamingStore(NamingStoreCache.java:68)
                     [java]     at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateCachedNamingStore(InitialContextFactory.java:196)
                     [java]     at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateNamingStore(InitialContextFactory.java:169r's close_notify: possible truncation attack?
                     [java] javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: p)
                     [java]     at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:134)
                     [java]     ... 5 more
                     [java] Causossible truncation attack?
                     [java] %% Invalidated:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
                     [java] Remoting "config-based-naming-client-endpoined by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
                     [java]     at org.jboss.rt" read-1, SEND TLSv1 ALERT:  fatal, description = internal_error
                     [java] Padded plaintext before ENCRYPTION:  len = 18
                     [java] 0000: 02 50 69 EA B8 D2 15 F6   76 0B E8 19 6F 3A 54 CF  .Pi.....v...o:T.
                     [java] 0010: 3A 77                                              :w
                     [java] Remoting "config-based-naming-client-endpoint" read-1, WRITE: TLSv1 Alert, length = 18
                     [java] emoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:315)
                     [java]     at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:214)
                     [java]     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
                     [java]     at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
                     [java]     at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
                     [java]     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
                     [java]     at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
                     [java]     at org.xnio.ssl.JsseConnectedSslStreamChannel.handleReadable(JsseConnectedSslStreamChannel.java:180)
                     [java]     at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
                     [java]     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
                     [java]     at org.xnio.nio.NioHandle.run(NioHandle.java:90)
                     [java]     at org.xnio.nio.WorkerThread.run(WorkerThread.java:184)
                     [java]     at ...asynchronous invocation...(Unknown Source)
                     [java]     at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)
                     [java]     at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:251)
                     [java]     at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
                     [java]     at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:333)
                     [java]     at org.jboss.naming.remote.client.EndpointCache$EndpointWrapper.connect(EndpointCache.java:105)
                     [java]     at org.jboss.naming.remote.client.NamingStoreCache.getRemoteNamingStore(NamingStoreCache.java:67)
                     [java]     ... 8 more
                     [java] Exception in thread "main" java.lang.NullPointerException
                     [java]     at client.TestRemoteClientA.main(Unknown Source)
                     [java] Java Result: 1

                 

                 

                 

                Please help.

                • 5. Re: Remote access of EJB over SSL
                  ochaloup

                  It could be caused by the fact that you didn't define user credentials for remote connection.

                  As a quick check, try removing the attribute

                  security-realm="ApplicationRealm"

                  from the connector tag in the remoting subsystem <subsystem xmlns="urn:jboss:domain:remoting:1.1">

                   

                  If that works, put the attribute back into the configuration and read the info about the remote EJB client connection:

                  https://docs.jboss.org/author/display/AS71/EJB+invocations+from+a+remote+client+using+JNDI

                  You'll need to add a user with the bin/add-user.{sh, bat} script and define the credentials in jboss-ejb-client.properties.

                  • 6. Re: Remote access of EJB over SSL
                    rohanemmanuel

                    Hi Chaloupka

                     

                    When I remove the attribute security-realm="EJBRealm" (I created this realm based on the link http://middlewaremagic.com/jboss/?p=2176 which you suggested) from the remoting subsystem <subsystem xmlns="urn:jboss:domain:remoting:1.1">

                    I still get the same exception saying Authentication failed: all available authentication mechanisms failed

                     

                    Please help

                    • 7. Re: Remote access of EJB over SSL
                      gottalotta

                      Hello,

                       

                      I followed the tutorial suggested by Ondřej Chaloupka: http://middlewaremagic.com/jboss/?p=2176. It works fine as long as the client and server are on the same host.

                       

                      Got initial Context: javax.naming.InitialContext@5dbd3f6f

                        remote.commonMethod("Common-MiddlewareMagic") = [CallerBean] commonMethod() returned Hello Common-MiddlewareMagic

                        remote.testMethod("MiddlewareMagic") = [CallerBean] testMethod() returned Hello MiddlewareMagic

                       

                      When I duplicated JBoss 7.1 on the remote host and invoked the EJB client over SSL I got:

                       

                      Console output:

                      javax.naming.NamingException: Failed to create remoting connection [Root exception is java.lang.RuntimeException: Operation failed with status WAITING]

                        at org.jboss.naming.remote.client.ClientUtil.namingException(ClientUtil.java:36)

                        at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:121)

                        at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)

                        at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)

                        at javax.naming.InitialContext.init(Unknown Source)

                        at javax.naming.InitialContext.<init>(Unknown Source)

                        at client.TestRemoteClientA.main(TestRemoteClientA.java:34)

                      Caused by: java.lang.RuntimeException: Operation failed with status WAITING

                        at org.jboss.naming.remote.protocol.IoFutureHelper.get(IoFutureHelper.java:89)

                        at org.jboss.naming.remote.client.NamingStoreCache.getRemoteNamingStore(NamingStoreCache.java:56)

                        at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateCachedNamingStore(InitialContextFactory.java:166)

                        at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateNamingStore(InitialContextFactory.java:139)

                        at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:104)

                        ... 5 more

                      Exception in thread "main" java.lang.NullPointerException

                        at client.TestRemoteClientA.main(TestRemoteClientA.java:46)

                       

                       

                      and on the server side:

                       

                      11:06:57,153 ERROR [org.jboss.remoting.remote.connection] (Remoting "my-srv" read-1) JBREM000200: Remote connection failed: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?

                       

                      I did use the same configured JBoss 7.1, only changed the binding address of localhost to the public IP. Does anybody have any thoughts? I appreciate any help!

                       

                      Best Regards,

                      Rihards

                      • 8. Re: Remote access of EJB over SSL
                        th.janssen

                        edit: I am using 7.1.3 and I don't know if it is the same with 7.1.1 or 7.1.2

                         

                        Hi,

                         

                        I ran into the same problem with the tutorial. The properties for the InitialContext creation seem to be wrong.

                         

                        These are the two parameters I need to set to enable SSL:

                        prop.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "true");

                        prop.put("remote.connection.<name of your connection>.connect.options.org.xnio.Options.SSL_STARTTLS", "true");

                         

                        Regards,

                        Thorben

                        • 9. Re: Remote access of EJB over SSL
                          gottalotta

                          Dear Thorben,

                           

                          Thank you for your fast response. Indeed, I'm still on JBoss 7.1.1. My remote server props look like

                           

                            Properties props = new Properties();
                            props.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
                            props.put(Context.PROVIDER_URL, "remote://a.b.c.d:4447");
                            props.put(Context.SECURITY_PRINCIPAL, "ejbUser");
                            props.put(Context.SECURITY_CREDENTIALS, "ejbPassword");
                            props.put("jboss.naming.client.remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "true");
                            props.put("jboss.naming.client.connect.options.org.xnio.Options.SSL_STARTTLS", "true");
                            props.put("jboss.naming.client.ejb.context", true);
                            props.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
                            context = new InitialContext(props);

                           

                          Would you be able to paste in your working properties? I already define SSL_ENABLED", "true" and SSL_STARTTLS", "true"... As I said, if the client and server are on the same host, it works fine; however, if the server is in the remote location it still gives the same errors...

                          Sorry for being a bit of a noob: what goes inside <name of your connection>? Is it default, and where can I see what connection I use?

                          Does this line do the same in the initial context as you suggested for SSL_STARTTLS: props.put("jboss.naming.client.connect.options.org.xnio.Options.SSL_STARTTLS","true");

                          Would you remember: do the remote server settings stay the same as the local server settings, or do they need a bit more tweaking?

                           

                          Sincerely Yours,

                          Rihards

                          • 10. Re: Remote access of EJB over SSL
                            th.janssen

                            Dear Rihards,

                             

                            JBoss remoting supports connections to multiple servers. You need to provide a specific configuration for each server. The property remote.connections contains a list of all connection configurations. The configuration of each connection starts with remote.connection.<name of the connection>. I used the name default in my configuration below.

                             

                            These are the parameters that work for me:

                             

                                    final Properties clientProperties = new Properties();
                                    clientProperties.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "true");
                                    clientProperties.put("remote.connections", "default");

                                    clientProperties.put("remote.connection.default.connect.options.org.xnio.Options.SSL_STARTTLS", "true");
                                    clientProperties.put("remote.connection.default.host", hostName);
                                    clientProperties.put("remote.connection.default.port", portNumber);
                                    clientProperties.put("remote.connection.default.username", userName);
                                    clientProperties.put("remote.connection.default.password", password);
                                    clientProperties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");

                             

                            Regards,

                            Thorben

                            • 11. Re: Remote access of EJB over SSL
                              wdfink

                              I think you both use a different approach!

                              @Rihards uses the remote-naming (remote:// as URL) and @Thorben shows ejb-client properties.

                               

                              You cannot mix both in that way. I recommend using the ejb-client because the remote-naming does not have the full features for EJB invocation. See EJB invocations from a remote client using JNDI
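
                              Added example, not part of any post in this thread: a small Java lint for the client properties discussed in posts 8 to 11. It flags a configuration that mixes remote-naming keys (`jboss.naming.client.*`, `remote://` provider URL) with ejb-client keys (`remote.connection*`), and any connection for which the two SSL options named in the thread are not both `true`. The class name, the finding labels and the sample values are assumptions made for this illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Added example, not from the thread: a lint for the client properties discussed above.
public class EjbClientSslLint {
    static final String XNIO = "org.xnio.Options.";
    static final String NAMING = "jboss.naming.client.";   // remote-naming key prefix (post 9)
    static final String PROVIDER = "remote.connectionprovider.create.options.";

    // Values may be Strings or Booleans (post 9 puts a Boolean), so read them with get().
    static boolean is(Properties p, String key, String expected) {
        Object v = p.get(key);
        return v != null && expected.equalsIgnoreCase(v.toString().trim());
    }

    // Checks the two SSL options named in the thread for one provider/connection prefix pair.
    static void checkTls(Properties p, String provider, String connect, String label, List<String> out) {
        boolean tls = is(p, provider + XNIO + "SSL_ENABLED", "true")
                && is(p, connect + XNIO + "SSL_STARTTLS", "true");
        if (!tls) out.add("NO-TLS " + label + ": SSL_ENABLED and SSL_STARTTLS are not both true");
        if (!tls && is(p, connect + XNIO + "SASL_POLICY_NOPLAINTEXT", "false"))
            out.add("PLAIN-NO-TLS " + label + ": plaintext SASL mechanisms allowed without TLS");
    }

    static List<String> lint(Properties p) {
        List<String> out = new ArrayList<>();
        Object url = p.get("java.naming.provider.url");      // value of Context.PROVIDER_URL
        boolean naming = url != null && url.toString().startsWith("remote://");
        boolean ejbClient = false;
        for (Object k : p.keySet()) {
            naming |= k.toString().startsWith(NAMING);
            ejbClient |= k.toString().startsWith("remote.connection");
        }
        if (naming && ejbClient)
            out.add("MIXED: remote-naming and ejb-client keys in one configuration");
        if (naming)
            checkTls(p, NAMING + PROVIDER, NAMING + "connect.options.", "remote-naming", out);
        if (ejbClient) {
            // Each name listed in remote.connections has its own remote.connection.<name>. prefix.
            for (String name : p.getProperty("remote.connections", "").split(",")) {
                name = name.trim();
                if (name.isEmpty()) {
                    out.add("NO-CONNECTIONS: remote.connections lists no connection");
                    continue;
                }
                checkTls(p, PROVIDER, "remote.connection." + name + ".connect.options.",
                        "connection '" + name + "'", out);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: SSL_STARTTLS is set under "default" but the listed connection is "main".
        Properties p = new Properties();
        p.put(PROVIDER + XNIO + "SSL_ENABLED", "true");
        p.put("remote.connections", "main");
        p.put("remote.connection.default.connect.options." + XNIO + "SSL_STARTTLS", "true");
        p.put("remote.connection.main.connect.options." + XNIO + "SASL_POLICY_NOPLAINTEXT", "false");
        // Constructed sample: a leftover remote-naming key in the same configuration.
        p.put(NAMING + "connect.options." + XNIO + "SSL_STARTTLS", "true");
        lint(p).forEach(System.out::println);
    }
}
```

                              It needs only the JDK, so it can be run against a client's properties before the client is pointed at a remote host.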

                              • 12. Re: Remote access of EJB over SSL
                                gottalotta

                                Dear Wolf-Dieter Fink,

                                 

                                As I mentioned above, I was able to invoke EJB over SSL by following the exact steps of the tutorial http://middlewaremagic.com/jboss/?p=2176

                                However, only when the client and server (JBoss 7.1.1) are on the same host. When I host the server on the remote IP it gives the errors as I explained above.

                                 

                                Console output:

                                javax.naming.NamingException: Failed to create remoting connection [Root exception is java.lang.RuntimeException: Operation failed with status WAITING]

                                  at org.jboss.naming.remote.client.ClientUtil.namingException(ClientUtil.java:36)

                                  at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:121)

                                  at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)

                                  at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)

                                  at javax.naming.InitialContext.init(Unknown Source)

                                  at javax.naming.InitialContext.<init>(Unknown Source)

                                  at client.TestRemoteClientA.main(TestRemoteClientA.java:34)

                                Caused by: java.lang.RuntimeException: Operation failed with status WAITING

                                  at org.jboss.naming.remote.protocol.IoFutureHelper.get(IoFutureHelper.java:89)

                                  at org.jboss.naming.remote.client.NamingStoreCache.getRemoteNamingStore(NamingStoreCache.java:56)

                                  at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateCachedNamingStore(InitialContextFactory.java:166)

                                  at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateNamingStore(InitialContextFactory.java:139)

                                  at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:104)

                                  ... 5 more

                                Exception in thread "main" java.lang.NullPointerException

                                  at client.TestRemoteClientA.main(TestRemoteClientA.java:46)

                                 

                                and on the server side:

                                11:06:57,153 ERROR [org.jboss.remoting.remote.connection] (Remoting "my-srv" read-1) JBREM000200: Remote connection failed: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?

                                 

                                Looks like on the same host it creates an SSL session, and on the remote host it lacks some privileges, or something, and fails to do so...?!?

                                What is the cause of it? Why does it work on the same host and not remotely?

                                • 13. Re: Remote access of EJB over SSL
                                  gottalotta

                                  In fact, when I sniff the packets from the client to the remote server on TCP port 4447, it seems that the client initiates the communication (EJB lookup protocol) in plain text format?!?

                                   

                                  .......my-srv.mydomain.com...).....#config-based-naming-client-endpoint...J......my-srv....JBOSS-LOCAL-USER..PLAIN....3.2.18.GA-redhat-1.....(.....(...............

                                   

                                  Also, on the server side the error persists, asking whether it is the plain-text format...?!? Does anybody have any ideas why it works on the same host but doesn't work remotely?

                                  • 14. Re: Remote access of EJB over SSL
                                    wdfink

                                    You should check whether you are able to use the ejb-client approach.

                                    If you mix remote-naming and ejb-client, I've seen weird behaviour, as remote-naming uses the ejb-client and might have issues if there are fragments of the ejb-client configuration (like jboss-ejb-client.xml).

                                     

                                    Try to use the ejb-client code; the doc is linked in my comment above.
