JNDI remote lookup with SSL
andreas.neuteich Apr 5, 2014 8:27 AM

Hello all,
I would like to make a remote JNDI lookup on a JBoss AS 7.1.1 which is SSL-secured.
Here is what I have done so far:
on client side:
import java.util.Properties;
import javax.jms.Queue;
import javax.jms.QueueConnectionFactory;
import javax.naming.Context;
import javax.naming.InitialContext;

Properties props = new Properties();
props.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
props.put(Context.PROVIDER_URL, "remote://localhost:4447");
props.put(Context.SECURITY_PRINCIPAL, "q");
props.put(Context.SECURITY_CREDENTIALS, "super");
// SSL options for the remoting connection provider and the "default" connection
props.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "true");
props.put("remote.connection.default.connect.options.org.xnio.Options.SSL_STARTTLS", "true");
props.put("remote.connections", "default");
props.put("remote.connection.default.host", "localhost");
props.put("remote.connection.default.port", "4447");
props.put("remote.connection.default.username", "q");
props.put("remote.connection.default.password", "super");
props.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
props.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
props.put("remote.connection.default.connect.options.org.jboss.remoting3.RemotingOptions.HEARTBEAT_INTERVAL", "600000");
InitialContext context = new InitialContext(props);

// Strings for JNDI names
String factoryName = "jms/RemoteConnectionFactory";
String queueName = "jms/queue/test";

// Perform JNDI lookup
QueueConnectionFactory factory = (QueueConnectionFactory) context.lookup(factoryName);
Queue queue = (Queue) context.lookup(queueName);
Called with VM arguments:
-Djavax.net.ssl.trustStore=C:\tmp\client.keystore -Djavax.net.ssl.trustStorePassword=123456
on server side:
standalone.xml:
<management>
    <security-realms>
        <security-realm name="ManagementRealm">
            <authentication>
                <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
        <security-realm name="ApplicationRealm">
            <server-identities>
                <ssl>
                    <keystore path="server.keystore" relative-to="jboss.server.config.dir" password="123456"/>
                </ssl>
            </server-identities>
            <authentication>
                <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
    </security-realms>
    ...
However, this exception is thrown:
ERROR: JBREM000200: Remote connection failed: java.io.IOException: Client starting STARTTLS but channel doesn't support SSL
On my JBoss I am getting:
13:40:46,702 INFO [stdout] (Remoting "my-jboss" read-1) Using SSLEngineImpl.
13:40:46,734 INFO [stdout] (Remoting "my-jboss" read-1) Allow unsafe renegotiation: false
13:40:46,735 INFO [stdout] (Remoting "my-jboss" read-1) Allow legacy hello messages: true
13:40:46,735 INFO [stdout] (Remoting "my-jboss" read-1) Is initial handshake: true
13:40:46,736 INFO [stdout] (Remoting "my-jboss" read-1) Is secure renegotiation: false
13:40:46,737 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello
13:40:46,738 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello
13:40:46,739 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for SSLv2Hello
13:40:46,740 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello
13:40:46,741 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello
13:40:46,742 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for SSLv2Hello
13:40:46,743 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for SSLv2Hello
13:40:46,744 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv3
13:40:46,745 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for SSLv3
13:40:46,747 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for SSLv3
13:40:46,747 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv3
13:40:46,748 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for SSLv3
13:40:46,749 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for SSLv3
13:40:46,750 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for SSLv3
13:40:46,751 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
13:40:46,752 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
13:40:46,753 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
13:40:46,754 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
13:40:46,755 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
13:40:46,756 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
13:40:46,757 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
13:40:46,758 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
13:40:46,759 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
13:40:46,760 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
13:40:46,760 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
13:40:46,761 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
13:40:46,762 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
13:40:46,763 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
13:40:46,765 INFO [stdout] (Remoting "my-jboss" read-1) Remoting "my-jboss" read-1, called closeInbound()
13:40:46,766 INFO [stdout] (Remoting "my-jboss" read-1) Remoting "my-jboss" read-1, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
13:40:46,767 INFO [stdout] (Remoting "my-jboss" read-1) javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
13:40:46,768 INFO [stdout] (Remoting "my-jboss" read-1) Remoting "my-jboss" read-1, SEND TLSv1 ALERT: fatal, description = internal_error
13:40:46,769 INFO [stdout] (Remoting "my-jboss" read-1) Remoting "my-jboss" read-1, WRITE: TLSv1 Alert, length = 2
If I remove the <server-identities> and <ssl> tags in the standalone.xml, I can successfully do the lookup of the JMS queue factory. But I need to do it with an SSL-secured JBoss AS.
Based on https://community.jboss.org/thread/206763 I was able to make an EJB lookup with SSL, but for the simple lookup of the JMS queue factory this is not working.
Please help.
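As an added example (not from the poster and not JBoss code), a small Python triage helper for the javax.net.debug-style output quoted above: it parses the JBoss stdout line format (time, level, [category], (thread), message), separates the harmless "Ignoring unsupported cipher suite" noise from the fatal alert, and reports whether the server-side SSLEngine was created at all, which is the first thing to check when the client reports "channel doesn't support SSL". The sample log lines and the function names parse_log, triage_tls and verdict are constructed for this example.

```python
import re

# Constructed sample in the stdout format quoted in the post (time, level,
# [category], (thread), message); a few representative lines, not the full log.
SAMPLE_LOG = """\
13:40:46,702 INFO [stdout] (Remoting "my-jboss" read-1) Using SSLEngineImpl.
13:40:46,735 INFO [stdout] (Remoting "my-jboss" read-1) Is initial handshake: true
13:40:46,737 INFO [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello
13:40:46,766 INFO [stdout] (Remoting "my-jboss" read-1) Remoting "my-jboss" read-1, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
13:40:46,768 INFO [stdout] (Remoting "my-jboss" read-1) Remoting "my-jboss" read-1, SEND TLSv1 ALERT: fatal, description = internal_error
"""
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>\w+)\s+"
    r"\[(?P<category>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$")

def parse_log(text):
    """Yield one dict per well-formed log line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def triage_tls(text):
    """Summarise the JSSE debug output the Remoting worker threads write:
    engine_created/handshake_started say whether the connector offered TLS,
    ignored_suites counts harmless cipher-suite noise, fatal keeps the alerts."""
    s = {"engine_created": False, "handshake_started": False,
         "ignored_suites": 0, "fatal": []}
    for rec in parse_log(text):
        msg = rec["msg"]
        if "Using SSLEngineImpl" in msg:
            s["engine_created"] = True
        elif msg.startswith("Is initial handshake: true"):
            s["handshake_started"] = True
        elif msg.startswith("Ignoring unsupported cipher suite"):
            s["ignored_suites"] += 1
        elif "fatal error" in msg or "ALERT: fatal" in msg:
            # strip the '<thread>, ' prefix JSSE prepends to these messages
            s["fatal"].append(msg.split(", ", 1)[-1])
    return s

def verdict(s):
    """One-line reading of a triage summary."""
    if not s["engine_created"]:
        return "no SSLEngine created: the connector is not offering TLS"
    if any("close_notify" in f for f in s["fatal"]):
        return ("server started TLS but the peer closed the socket before the "
                "handshake finished (no close_notify): check the client's "
                "STARTTLS/SSL_ENABLED options and trust store")
    return "TLS handshake log contains no fatal alert"
```

Run it over the real server.log with `triage_tls(open("server.log").read())`; the counts tell you whether the noise is only cipher-suite filtering or whether the handshake never began.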