2 Replies Latest reply on Dec 8, 2006 12:04 PM by marcreis

    SSLServlet

    marcreis

      Hi,
      I have a few questions about using the sslservlet. We are using JBossGA 4.0.4 with Remoting 1.4.1.
      The communication over the servlet for http works fine.
      For https contacting the webconsole on https over 8443 also works over the browser. But using my client over https to go for ejb3's fails.
      I looked at the wiki and docs, but I don't get it together correctly...

      So here is what I did:
      First off, I generated the keys and put them on the server and on the client (seems to have worked).

      For the client I then
      configured the jndi.properties as follows:

      mct.java.naming.factory.initial=org.jboss.naming.HttpNamingContextFactory
      mct.java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces,java.protocol.handler.pkgs
      mct.java.naming.provider.url=https://myserver.de/invoker/restricted/JNDIFactorySSL
      

      added the following jvm parameters
      -Djavax.net.ssl.trustStore=C:\work\tmp\Certificates\myclient\client.truststore
      -Djavax.net.ssl.trustStorePassword=topsecret
      


      Then I configured the tomcat server:
      <!-- SSL/TLS Connector configuration using the admin devl guide keystore-->
       <Connector port="8443" address="${jboss.bind.address}"
       maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
       emptySessionPath="true"
       scheme="https" secure="true" clientAuth="false"
       keystoreFile="${jboss.server.home.dir}/conf/ssl/server.keystore"
       keystorePass="topsecret" sslProtocol = "TLS"/>
      


      ... moved on to the http-invoker. There I added the following mbean to the META-INF/jboss-service.xml
      <!-- Expose the Naming service interface via HTTPS -->
       <mbean code="org.jboss.invocation.http.server.HttpProxyFactory"
       name="jboss:service=invoker,type=https,target=Naming">
       <!-- The Naming service we are proxying -->
       <attribute name="InvokerName">jboss:service=Naming</attribute>
       <!-- Compose the invoker URL from the cluster node address -->
       <attribute name="InvokerURLPrefix">https://</attribute>
       <attribute name="InvokerURLSuffix">:8443/invoker/restricted/JMXInvokerServlet</attribute>
       <attribute name="UseHostName">true</attribute>
       <attribute name="ExportedInterface">org.jnp.interfaces.Naming</attribute>
       <attribute name="JndiName"></attribute>
       <attribute name="ClientInterceptors">
       <interceptors>
       <interceptor>org.jboss.proxy.ClientMethodInterceptor</interceptor>
       <interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
       <interceptor>org.jboss.naming.interceptors.ExceptionInterceptor</interceptor>
       <interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
       </interceptors>
       </attribute>
       </mbean>
      


      and this to the WEB-INF/web.xml
      <!-- HTTPS servlet for HTTPS communication -->
       <servlet>
       <servlet-name>JNDIFactorySSL</servlet-name>
       <description>A servlet that exposes the JBoss JNDI Naming service stub through http. The return content is a serialized MarshalledValue containing the org.jnp.interfaces.Naming stub. This configuration handles requests for the standard JNDI naming service. </description>
       <servlet-class>org.jboss.invocation.http.servlet.NamingFactoryServlet</servlet-class>
       <init-param>
       <param-name>namingProxyMBean</param-name>
       <param-value>jboss:service=invoker,type=https,target=Naming</param-value>
       </init-param>
       <init-param>
       <param-name>proxyAttribute</param-name>
       <param-value>Proxy</param-value>
       </init-param>
       <load-on-startup>2</load-on-startup>
       </servlet>
      
      <!--Mapping for SSL-->
       <servlet-mapping>
       <servlet-name>JNDIFactorySSL</servlet-name>
       <url-pattern>/restricted/JNDIFactorySSL/*</url-pattern>
       </servlet-mapping>
      


      After that I added the following to the servlet-invoker.war/WEB-INF/web.xml
      <servlet>
       <servlet-name>ServerInvokerServletSSL</servlet-name>
       <description>The ServerInvokerServlet receives requests via HTTPS
       protocol from within a web container and passes it onto the
       ServletServerInvoker for processing.
       </description>
       <servlet-class>org.jboss.remoting.transport.servlet.web.ServerInvokerServlet</servlet-class>
       <init-param>
       <param-name>locatorUrl</param-name>
       <param-value>sslservlet://${jboss.bind.address}:8443/servlet-invoker/ServerInvokerServlet</param-value>
       <description>The servlet server invoker url</description>
       </init-param>
       <load-on-startup>1</load-on-startup>
       </servlet>
       <servlet-mapping>
       <servlet-name>ServerInvokerServlet</servlet-name>
       <url-pattern>/ServerInvokerServlet/*</url-pattern>
       </servlet-mapping>
      </web-app>
      


      Then I moved on to the ejb3-deployer/META-INF/jboss-service.xml. Here I am not sure what I actually need. I first tried it with this:
      <mbean code="org.jboss.remoting.transport.Connector"
       name="jboss.remoting:type=Connector, transport=SSLServlet"
       display-name="Servlet transport Connector">
       <depends>jboss.aop:service=AspectDeployer</depends>
       <attribute name="InvokerLocator">
       sslservlet://${jboss.bind.address}:8443/servlet-invoker/ServerInvokerServlet</attribute>
       <attribute name="Configuration">
       <handlers>
       <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
       </handlers>
       </attribute>
       </mbean>
      

      The above results in a
       [org.jboss.system.ServiceController] Problem creating service jboss.remoting:type=Connector,name=DefaultEjb3ConnectorSSL,handler=ejb3
      java.lang.RuntimeException: Couldn't find valid server invoker class for transport 'sslservlet'
       at org.jboss.remoting.InvokerRegistry.createServerInvoker(InvokerRegistry.java:434)
       at org.jboss.remoting.transport.Connector.init(Connector.java:388)
       at org.jboss.remoting.transport.Connector.create(Connector.java:745)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
      

      (Alternatively, I tried it with defining the SSLSocketBuilder, SSLServerSocketFactoryService mbeans and then the connector mbean)

      I also passed the server the following JVM parameters:
      -Ddefault.client.bindurl=sslservlet://myserver.de/servlet-invoker/ServerInvokerServlet
      -Djavax.net.ssl.keyStore=$JBOSS_HOME/server/conf/ssl/server.keystore
      -Djavax.net.ssl.keyStorePassword=olga4all
      


      At the moment all my attempts lead me to the above server error or to this on the client:
      javax.naming.NamingException: Failed to retrieve Naming interface [Root exception is java.net.ConnectException: Connection refused: connect]
       at org.jboss.naming.HttpNamingContextFactory.getInitialContext(HttpNamingContextFactory.java:84)
       at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
       at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
       at javax.naming.InitialContext.init(InitialContext.java:223)
       at javax.naming.InitialContext.<init>(InitialContext.java:197)
      


      I appreciate any help!
      Thanks!
      Marc

        • 1. Re: SSLServlet
          marcreis

          I have tried it with integrating remoting 2.0 but I guess then I run into issues with the integration into 4.0.4GA.
          Trying it resulted in the following for the client:

          javax.naming.NamingException: Could not dereference object [Root exception is java.lang.reflect.UndeclaredThrowableException]
           at org.jnp.interfaces.NamingContext.getObjectInstanceWrapFailure(NamingContext.java:1150)
           at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:705)
           at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:587)...

          So I guess Remoting 2.0 and the sslservlet are not possible in 4.0.4GA?

          So when I use the 1.4.1 Remoting I can't use the sslservlet.
          How can I then configure the usage of https, when not over the sslservlet?
          I thought I would need to go that way for the https communication going over the tomcat server. Can I do this with configuration of the sslsocket and the socketfactory? When trying to do so, I have the feeling that I am missing something here, literally the missing link.

          So if someone has a hint... I would be grateful!

          Sincerely

          Marc


          • 2. Re: SSLServlet
            marcreis

            I got it to work.
            In my case, with functioning http communication, all I had to do was define the ssl connector for tomcat, HttpProxyFactory in the http-invoker (META-INF/jboss-service.xml) and the JNDIFactorySSL Servlet in the http-invoker's invoker.war/WEB-INF/web.xml.
            The client then just needs the "-Djavax.net.ssl.trustStore=" JVM arg and in jndi.properties the "https", correct port and "JNDIFactorySSL" in the java.naming.provider.url. Also I set the default.client.bindurl at server startup with https and the fitting port number instead of servlet. Everything else mentioned above has been removed.

            Sincerely
            Marc
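
Added example (not part of the posts above and not JBoss tooling): a consistency check for the three settings the final reply relies on, namely the client's java.naming.provider.url, the HttpProxyFactory invoker URL, and the Tomcat https connector port. The sample strings are constructed from the snippets in the thread; the function names and the placeholder.invalid host are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed sample input, modelled on the snippets posted in the thread.
JNDI_PROPERTIES = "mct.java.naming.provider.url=https://myserver.de/invoker/restricted/JNDIFactorySSL\n"
SERVER_XML = """<Service>
  <Connector port="8443" scheme="https" secure="true" clientAuth="false"/>
</Service>"""
PROXY_MBEAN = """<mbean code="org.jboss.invocation.http.server.HttpProxyFactory">
  <attribute name="InvokerURLPrefix">https://</attribute>
  <attribute name="InvokerURLSuffix">:8443/invoker/restricted/JMXInvokerServlet</attribute>
</mbean>"""

def provider_url(properties_text):
    # Accept prefixed keys such as "mct.java.naming.provider.url".
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().endswith("java.naming.provider.url"):
            return value.strip()
    raise ValueError("no java.naming.provider.url entry found")

def effective_endpoint(url):
    # A URL without an explicit port uses the scheme default (443 for https).
    parts = urlsplit(url)
    return parts.scheme, parts.port or DEFAULT_PORTS.get(parts.scheme)

def tls_connector_ports(server_xml):
    root = ET.fromstring(server_xml)
    return {int(c.get("port")) for c in root.iter("Connector") if c.get("scheme") == "https"}

def invoker_endpoint(mbean_xml, host="placeholder.invalid"):
    # The real host is filled in by the server; only scheme and port matter here.
    attrs = {a.get("name"): (a.text or "").strip() for a in ET.fromstring(mbean_xml).iter("attribute")}
    return effective_endpoint(attrs["InvokerURLPrefix"] + host + attrs["InvokerURLSuffix"])

def check(properties_text, server_xml, mbean_xml):
    # Returns a list of findings; empty means client URL, proxy URL and connector agree.
    findings, tls_ports = [], tls_connector_ports(server_xml)
    endpoints = {"provider.url": effective_endpoint(provider_url(properties_text)),
                 "invoker URL": invoker_endpoint(mbean_xml)}
    for label, (scheme, port) in endpoints.items():
        if scheme != "https":
            findings.append(f"{label}: scheme is {scheme}, not https")
        elif port not in tls_ports:
            findings.append(f"{label}: port {port} has no https connector {sorted(tls_ports)}")
    return findings

if __name__ == "__main__":
    print(check(JNDI_PROPERTIES, SERVER_XML, PROXY_MBEAN))
```

An https URL with no explicit port resolves to 443, so the constructed provider URL is reported against the 8443 connector; writing the port into the URL clears the finding.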