4 Replies Latest reply on Jul 11, 2016 8:00 AM by tomekadamski

    Enabling IIOP over SSL in JBoss AS 7

    bkundal

      The following client configuration does not work for connecting to the SSL-enabled IIOP in JBoss AS 7:

       

      env.put("jacorb.ssl.socket_factory", "org.jacorb.security.ssl.sun_jsse.SSLSocketFactory");
      env.put("jacorb.ssl.server_socket_factory", "org.jacorb.security.ssl.sun_jsse.SSLServerSocketFactory");
      env.put("jacorb.security.support_ssl", "on");
      env.put("jacorb.security.ssl.client.supported_options", "20");
      env.put("jacorb.security.ssl.client.required_options", "20");
      env.put("jacorb.security.ssl.server.supported_options", "20");
      env.put("jacorb.security.ssl.server.required_options", "20");
      env.put("jacorb.security.ssl.corbaloc_ssliop.supported_options", "20");
      env.put("jacorb.security.ssl.corbaloc_ssliop.required_options", "20");
      env.put("org.omg.PortableInterceptor.ORBInitializerClass.standard_init", "org.jacorb.orb.standardInterceptors.IORInterceptorInitializer");

      /** SSL options end here **/
      env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.cosnaming.CNCtxFactory");
      env.put(Context.PROVIDER_URL, "corbaloc::" + host + ":3529/JBoss/Naming/root");
      // env.put(Context.PROVIDER_URL, "corbaloc:iiop:" + host + ":3529/JBoss/Naming/root");

       

      The server side is enabled for SSL like this:

          <orb ssl-socket-binding="jacorb-ssl">
              <initializers security="identity" transactions="spec"/>
          </orb>
          <security support-ssl="on" security-domain="ssl-domain"/>
      </subsystem>

       

      The port 3529 is the IIOP SSL port.

       

      The server complains:

      15:05:23,852 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, handling exception: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
      15:05:23,853 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
      15:05:23,853 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, WRITE: TLSv1.2 Alert, length = 2
      15:05:23,853 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, called closeSocket()
      15:05:24,875 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, called close()
      15:05:24,875 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, called closeInternal(true)
      15:05:24,875 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, called close()
      15:05:24,875 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, called closeInternal(true)
      15:05:24,875 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, called close()
      15:05:24,875 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, called closeInternal(true)

       

       

       

      Somewhere I feel something is missing on the client side. Can anyone help with pointers?

        • 1. Re: Enabling IIOP over SSL in JBoss AS 7
          tomekadamski

          Hi Bharti,

           

          You should explicitly specify the version of the IIOP protocol as > 1.0. You can do it by formatting your corbaname address in the following way:

          "corbaname:ssliop:1.2@" + host + ":3529/JBoss/Naming/root"

          Version 1.0 does not support tagged components, and one of them is used to mark that the connection has to be secured; as a result ssliop won't work on 1.0. This is a rather hacky configuration, but the default protocol could not be changed, as 1.0 is required as the default by the specification.

           

          You should set all SSL configuration options as system properties, either on the command line or using System.setProperty. You also have to specify the client truststore, which will be used during secured connection creation. You can do it using the following options:

          jacorb.security.keystore=${your_keystore}
          jacorb.security.keystore_password=${your_password}
          jacorb.security.jsse.trustees_from_ks=true

           

          After above fixes you should be able to run your test correctly.

           

          Regards,

          Tomek

          • 2. Re: Enabling IIOP over SSL in JBoss AS 7
            bkundal

            Hi Tomek,

             

            Thank you for the inputs! I will test them.

            • 3. Re: Enabling IIOP over SSL in JBoss AS 7
              bkundal

              Hi Tomek,

               

              Thanks for the pointers, the test case works fine now. Posting the entire sample with some observations:

               

              ##################### Standalone client with SSL #####################
              System.setProperty("jacorb.security.support_ssl", "on");
              System.setProperty("jacorb.ssl.socket_factory", "org.jacorb.security.ssl.sun_jsse.SSLSocketFactory");
              System.setProperty("jacorb.ssl.server_socket_factory", "org.jacorb.security.ssl.sun_jsse.SSLServerSocketFactory");
              System.setProperty("jacorb.security.ssl.client.supported_options", "20");
              System.setProperty("jacorb.security.ssl.client.required_options", "20");
              System.setProperty("jacorb.security.ssl.server.supported_options", "20");
              System.setProperty("jacorb.security.ssl.server.required_options", "20");
              System.setProperty("jacorb.security.ssl.corbaloc_ssliop.supported_options", "20");
              System.setProperty("jacorb.security.ssl.corbaloc_ssliop.required_options", "20");
              System.setProperty("org.omg.PortableInterceptor.ORBInitializerClass.standard_init", "org.jacorb.orb.standardInterceptors.IORInterceptorInitializer");
              System.setProperty("jacorb.security.keystore", "/EAP6.4/jboss-eap-6.4/standalone-jacorb_ssl/keystores/clientidentity.jks");
              System.setProperty("jacorb.security.keystore_password", "password");
              System.setProperty("jacorb.security.jsse.trustees_from_ks", "false");
              System.setProperty("jacorb.security.truststore", "/EAP6.4/jboss-eap-6.4/standalone-jacorb_ssl/keystores/client-trust.jks");
              System.setProperty("javax.net.ssl.trustStore", "/EAP6.4/jboss-eap-6.4/standalone-jacorb_ssl/keystores/client-trust.jks");
              System.setProperty("javax.net.ssl.keyStore", "/EAP6.4/jboss-eap-6.4/standalone-jacorb_ssl/keystores/clientidentity.jks");
              System.setProperty("javax.net.ssl.keyStorePassword", "password");

              env.put(Context.SECURITY_PROTOCOL, "ssl");
              env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.cosnaming.CNCtxFactory");
              env.put(Context.PROVIDER_URL, "corbaloc:ssliop:1.2@" + host + ":3529/JBoss/Naming/root");
              #######################################################################

               

              If I set System.setProperty("jacorb.security.jsse.trustees_from_ks","true"), my client-side truststore set with this property was ignored: System.setProperty("jacorb.security.truststore","/NotbackedUp/JBOSS_ALL/EAP6.4/jboss-eap-6.4/standalone-jacorb_ssl/keystores/client-trust.jks");

               

              and my SSL handshake failed, with the client not being able to find the trusted certificates from the server side, and the traces on the server side showed the following:

               

              15:41:23,769 DEBUG [jacorb.orb.iiop] (ServerMessageReceptor1) Caught exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
                  at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.8.0_91]
                  at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) [jsse.jar:1.8.0_91]
                  at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023) [jsse.jar:1.8.0_91]
                  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125) [jsse.jar:1.8.0_91]
                  at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) [jsse.jar:1.8.0_91]
                  at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:928) [jsse.jar:1.8.0_91]
                  at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) [jsse.jar:1.8.0_91]
                  at org.jacorb.orb.etf.StreamConnectionBase.read(StreamConnectionBase.java:111) [jacorb-2.3.2.redhat-6.jar:2.3.2.redhat-6]
                  at org.jacorb.orb.giop.GIOPConnection.getMessage(GIOPConnection.java:337) [jacorb-2.3.2.redhat-6.jar:2.3.2.redhat-6]
                  at org.jacorb.orb.giop.GIOPConnection.receiveMessages(GIOPConnection.java:480) [jacorb-2.3.2.redhat-6.jar:2.3.2.redhat-6]
                  at org.jacorb.orb.giop.MessageReceptor.doWork(MessageReceptor.java:71) [jacorb-2.3.2.redhat-6.jar:2.3.2.redhat-6]
                  at org.jacorb.util.threadpool.ConsumerTie.run(ConsumerTie.java:61) [jacorb-2.3.2.redhat-6.jar:2.3.2.redhat-6]
                  at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_91]

               

              I then set System.setProperty("jacorb.security.jsse.trustees_from_ks","false") so that the following properties of mine would be picked up:

               

              System.setProperty("javax.net.ssl.trustStore", "/EAP6.4/jboss-eap-6.4/standalone-jacorb_ssl/keystores/client-trust.jks");
              System.setProperty("javax.net.ssl.keyStore", "/EAP6.4/jboss-eap-6.4/standalone-jacorb_ssl/keystores/clientidentity.jks");
              System.setProperty("javax.net.ssl.keyStorePassword", "password");

               

              The connection with server then works fine and my client is able to access the EJB bean.

              1 of 1 people found this helpful
              • 4. Re: Enabling IIOP over SSL in JBoss AS 7
                tomekadamski

                Hi Bharti,

                 

                If you have trustees defined in a different file, then you should set jacorb.security.jsse.trustees_from_ks to false (or not set it at all, as the default value of this property is false) and use the javax.net.ssl.trustStore option. There is a note in the documentation (http://www.jacorb.org/releases/3.1/ProgrammingGuide.pdf page 82) that those properties were not working correctly in previous virtual machines, but if they work correctly now then they should be used.

                 

                Regards,

                Tomek

                1 of 1 people found this helpful
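As an added pre-flight check (not code from this thread, from JBoss or from JacORB), the following Python script applies the two rules from replies 1 and 4 to a client's provider URL and system properties: the naming address must use ssliop with a GIOP version above 1.0 (1.0 cannot carry the tagged component that marks the connection as secured), and trust anchors must come either from jacorb.security.keystore with trustees_from_ks=true or from javax.net.ssl.trustStore with trustees_from_ks false or unset. The hostname and file paths in the sample inputs are constructed placeholders; the 2809 default port is the standard corbaloc default, not something the thread states.

```python
import re

# One address inside a corbaloc/corbaname URL: [proto]:[major.minor@]host[:port]
ADDR_RE = re.compile(r"^(?P<proto>[a-z]*):(?:(?P<ver>\d+\.\d+)@)?(?P<host>[^:@]+)(?::(?P<port>\d+))?$")


def parse_corba_url(url):
    """Split a corbaloc:/corbaname: URL into (scheme, [(proto, version, host, port)], key)."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme not in ("corbaloc", "corbaname"):
        raise ValueError(f"not a corbaloc/corbaname URL: {url}")
    addr_part, _, key = rest.partition("/")
    addrs = []
    for addr in addr_part.split(","):
        m = ADDR_RE.match(addr)
        if not m:
            raise ValueError(f"malformed address: {addr!r}")
        proto = m.group("proto") or "iiop"      # empty protocol ("corbaloc::host") means plain iiop
        version = m.group("ver") or "1.0"       # no "1.2@" prefix means the GIOP 1.0 default
        port = int(m.group("port") or 2809)     # 2809 is the standard corbaloc default port
        addrs.append((proto, version, m.group("host"), port))
    return scheme, addrs, key


def check_client_config(provider_url, props):
    """Return a list of findings; an empty list means the config matches the fix from the thread."""
    findings = []
    for proto, version, host, port in parse_corba_url(provider_url)[1]:
        if proto != "ssliop":
            findings.append(f"{host}:{port}: protocol {proto!r} is plaintext, expected ssliop")
        elif tuple(map(int, version.split("."))) <= (1, 0):
            findings.append(f"{host}:{port}: GIOP {version} carries no tagged components, use 1.1@ or 1.2@")
    if props.get("jacorb.security.support_ssl", "off") != "on":
        findings.append("jacorb.security.support_ssl must be 'on'")
    if props.get("jacorb.security.jsse.trustees_from_ks", "false").lower() == "true":
        if not props.get("jacorb.security.keystore"):
            findings.append("trustees_from_ks=true but jacorb.security.keystore is not set")
    elif not props.get("javax.net.ssl.trustStore"):
        findings.append("no trust anchors: set javax.net.ssl.trustStore (trustees_from_ks is false)")
    return findings


# Constructed sample inputs; hostname and paths are placeholders, not values from the thread.
BROKEN_URL = "corbaloc::jboss.example.invalid:3529/JBoss/Naming/root"
BROKEN_PROPS = {"jacorb.security.support_ssl": "on"}
FIXED_URL = "corbaloc:ssliop:1.2@jboss.example.invalid:3529/JBoss/Naming/root"
FIXED_PROPS = {"jacorb.security.support_ssl": "on",
               "jacorb.security.jsse.trustees_from_ks": "false",
               "javax.net.ssl.trustStore": "/path/to/client-trust.jks"}
```

Running check_client_config(BROKEN_URL, BROKEN_PROPS) reports the two defects of the original post (plaintext iiop address, no trust anchors), while the fixed pair returns no findings.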