8 Replies Latest reply on Mar 9, 2010 8:02 PM by koten ou

    How can I configure ESB in sending/Receiving JMS Messages with SSL?

    koten ou Newbie

      Hellow everyone!

       

      How can I configure ESB in send/Receive JMS Messages with SSL?

      Could you please tell me which xml do  I have to configure or things I hava to do ?

       

      thanks very much ,God be with you guys

       

      ou

       

      --2010-02-22 18:06

      Maybe I made mistakes that SSL is not supposed to be used in JMS Messaging? Could you give me some advice in making JMS Messaging with higher secruity level?

       

      thanks

        • 1. Re: How can I configure ESB in sending/Receiving JMS Messages with SSL?
          Ryan Hochstetler Newbie

          Koten,

           

          It is entirely valid to attempt to use TLS/SSL to secure JMS communcations across the network.  My project has 100+ instances of JBoss AS distributed across the globe which do this with JBoss 4.2.x and JBoss MQ.  Our next release will do the same with JBoss 5.1 and JBoss Messaging.

           

          However, I'm struggling to respond to your questionbecause there are a hundred little details that factor into how you will go about accomplishing this.  Answer the following questions, then I will attempt to help you.

           

          We install the ESB into an existing AS, rather than using the jbossesb-server.zip package, so my questions probably have a bias toward that configuration.

          • Which version of the ESB are you running?
          • Which version of JBoss AS are you running?
          • Which messaging system (JBoss MQ, JBoss Messaging, etc) are you using to back the ESB?  Which version?
          • Describe the process which is attempting to send JMS messages to the ESB.  Is it a ServiceInvoker outside of the JBoss JVM?  Is it an ESB-naive process sending to a gateway queue?  On the same server?  Remotely located?
          • Is there a firewall between the two points of communication?  Which ports and protocols are permitted through the firewall?
          • You mentioned send AND receive.  Is your other receiver simply a similar configuration of JBoss AS/ESB on another machine, or is it a different JMS container entirely?
          • Do you intend to use mutual authentication, or are you simply attempting to encrypt the network communications?

           

          That's just the start.  Answer those and we'll go from there.

          • 2. Re: How can I configure ESB in sending/Receiving JMS Messages with SSL?
            koten ou Newbie

            Ryan

             

            First of all ,it is very kind of you for your reply, thank you very much.

             

            Here is the  backguound of The project I'm developing . It is to exchange Large data like log files between  ESB servers (i don't know whether it is reasonable because it was designed by my boss :-) .It is only two case in JMS Message Changing that:

            1. server A sends JMS messages to server B's queue , B gets messages from its local queue

            2. server A sends JMS messages to its local queue , B listens the remote queue from A for getting messages

             

            What i want to do is to implement SSL communication with the two patterns above.

             

            For the next , let me answer the questions you asked.

            •Which version of the ESB are you running?
            The ESB-Server be installed in my workspace is version-4.7 which named jbossesb-server-4.7.(I guess:)

             

            •Which version of JBoss AS are you running?
            I run the server directly in the .\jbossesb-server-4.7\bin\run.bat , I'm afraid of that , I'm using the jbossesb-server.zip package directly which is diffrerent with you.

             

            •Which messaging system (JBoss MQ, JBoss Messaging, etc) are you using to back the ESB?  Which version?
            I'm sorry , I cann't sure about it , I just configure the services listen the JMS-bus from the JMS-Providers.

             

            •Describe the process which is attempting to send JMS messages to the ESB.  Is it a ServiceInvoker outside of the JBoss JVM?  Is it an ESB-naive process sending to a gateway queue?  On the same server?  Remotely located?
            I'm using the action named JMS-Router which is inherent in Jboss-esb to send messages to local queues or remote queues.And I user JMS-Provider to get message from local/remote queues.

             

            •Is there a firewall between the two points of communication?  Which ports and protocols are permitted through the firewall?
            it is no firewall in my Project-Environment of this release,but it is hard to say it won't be firewall configured in  the future.If you have advice about it , tell me please.thanks

             

            •You mentioned send AND receive.  Is your other receiver simply a similar configuration of JBoss AS/ESB on another machine, or is it a different JMS container entirely?
            The machines for JMS-Message-communication which I'm using is same to each other. all be installed with the jbossesb-server-4.7

             

            •Do you intend to use mutual authentication, or are you simply attempting to encrypt the network communications?
            In fact , I want both of them above , but It seems hard to use mutual authentication in my project for some objective reasons.So I want to start from ncrypting the network communications. If not mind , would you please give some advice in using mutual authentication either?thanks

             

            At last,thanks again for your kindly reply,and sorry for my poor English :-)

             

            There could be time differernce above 10 hours between Japan and America,so ....have a good night and a good dream.
            waiting for you reply

            regard

            • 3. Re: How can I configure ESB in sending/Receiving JMS Messages with SSL?
              Ryan Hochstetler Newbie

              The key here is that you have no firewall to contend with.  In that case, you have the freedom to allow JBoss Remoting to open up another socket and do it's own ssl communications.  Nearly all of the transports supported by remoting have an SSL-wrapped counterpart.

               

              It looks as if the JBoss ESB server distribution you use contains JBoss AS 4.2.3 and JBoss Messaging 1.4.0.  These are relatively old compared to what I am using, so I can't specifically provide you a step-by-step reply, but I can point you in the correct direction.

               

              Download the JBoss Messaging 1.4.0 distribution from here: http://www.jboss.org/jbossmessaging/downloads.html

              There is an example in there named secure-socket which demonstrates how to set up a Remoting connector which will accept SSL communications.  Add those configuration files to your deployed jbossesb-server-4.7 configuration.  That directory also contains a java class, SecureSocketExample, which will demonstrate that the SSL connector you configured is working.  The key here is that it looks up the /SecureConnectionFactory in JNDI, rather than your existing remote JMS Connection Factory.  Any JMS messages produced or consumed through sessions created from that connection factory will be SSL-encrypted in-transit (cool, isn't it?).  Once you get this working, you should see how it is possible to configure JMSRouter to connect to a remote queue via the secured connection factory.

               

              The JBoss Messaging and JBoss Remoting forums are probably going to be more helpful if you have trouble configuring that secure-socket example.  The jbossesb-server-4.7 distribution seems to be nothing more than the standard JBoss 4.2.3 with the ESB installer run against it, so all the advice you get for standard JBoss AS installations should be applicable to your JBoss ESB Server installation.

              http://community.jboss.org/en/jbossmessaging?view=discussions

              http://community.jboss.org/en/jbossremoting?view=discussions

               

              Note:  once you get this working, you should replace they certificate in the example keystore with your own.  Otherwise, anybody will be able to decrypt your messages because they will have access to the certificate with which they were encrypted.

               

              Good Luck,

              Ryan

               

              PS: Don't worry about your English.  It's passable, and certainly 100-times better than my Japanese!  I've really let it slip since college, for lack of anyone to converse with.

              • 4. Re: How can I configure ESB in sending/Receiving JMS Messages with SSL?
                koten ou Newbie

                Ryan

                 

                I think it very valuable for the points you told me, and I will have a try on them.

                And  it is a very good start for me to use the JBOSS-Forum for your kindly reply.

                 

                thank you

                 

                PS:I'm not sure that my Japanese is 100 times well than you  because  I'm not Japanese either :-),just working in Japan.

                And I believe that you can be well than me on Japanese as long as you come to Japan :-)

                 

                regard

                • 5. Re: How can I configure ESB in sending/Receiving JMS Messages with SSL?
                  Nikos Massios Novice

                  Hello,

                   

                  In folder the

                  C:\jboss-5.1.0.GA-ESB4.6\server\default\deploy\messaging

                  we added the file remoting-sslbisocket-service.xml

                  you can copy it from

                  C:\jboss-5.1.0.GA-ESB4.6\docs\examples\jms

                  and configure it after you copy it.

                   

                  This creates the ssl transport. You also need to make a keystore for the server and a truststore for the client. See

                  http://community.jboss.org/wiki/sslsetup

                  especially the part "ssl enabled on the server the common case". It link I give you gives instructions about configuring https but the instructions for creating the keystore and the truststore are still valid. In fact we are using the same keystore that https uses (for the time being).

                   

                  Finally after you have set up the sslbisocket service you need to configure the connection factory this is done again in

                  C:\jboss-5.1.0.GA-ESB4.6\server\default\deploy\messaging

                  at the

                  connection-factories-service.xml

                  We added a new connection factory for SSL

                   

                  <mbean code="org.jboss.jms.server.connectionfactory.ConnectionFactory" name="jboss.messaging.connectionfactory:service=SSLConnectionFactory" xmbean-dd="xmdesc/ConnectionFactory-xmbean.xml">

                   

                  <depends optional-attribute-name="ServerPeer">jboss.messaging:service=ServerPeer</depends>

                   

                  <depends optional-attribute-name="Connector">jboss.messaging:service=Connector,transport=sslbisocket</depends>

                   

                  <depends>jboss.messaging:service=PostOffice</depends>

                   

                  <attribute name="JNDIBindings">

                   

                  <bindings>

                   

                  <binding>/SSLConnectionFactory</binding>

                   

                  <binding>/SSLXAConnectionFactory</binding>

                   

                  <binding>java:/SSLConnectionFactory</binding>

                   

                  <binding>java:/SSLXAConnectionFactory</binding>

                   

                  </bindings>

                   

                  </attribute>

                   

                  </mbean>

                   

                  If you want to lookup a queue with ssl you need client code like this

                  System.setProperty("javax.net.ssl.trustStore", "C:\\workspace\\esbClientTest\\conf\\client.truststore");

                  System.setProperty(

                  "javax.net.ssl.trustStorePassword", "PASSWORD HERE");

                   

                  Properties initialContextProperties =

                  new Properties();

                  initialContextProperties.put(Context.

                  INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");

                  initialContextProperties.put(Context.

                  URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");

                   

                  initialContextProperties.put(Context.PROVIDER_URL, "jnp://127.0.0.1:1099");

                   

                   

                  InitialContext iniCtx =

                  new InitialContext(initialContextProperties);

                   

                  // USE THIS LINE WITHOUT SSL Object tmp = iniCtx.lookup(

                   

                  "ConnectionFactory");

                  // USE NEXT LINE WITH SSL

                  Object tmp = iniCtx.lookup("SSLConnectionFactory");

                  QueueConnectionFactory qcf = (QueueConnectionFactory) tmp;

                   

                  que = (Queue) iniCtx.lookup("queue/QUEUENAME HERE");

                  conn = qcf.createQueueConnection();

                  // USE THE FOLLOWING LINE FOR A QUEUE WITH AUTHENTICATION

                   

                   

                  // conn = qcf.createQueueConnection(USERNAME HERE,CREDENTIALS HERE);

                   

                   

                   

                  session = conn.createQueueSession(false, QueueSession.AUTO_ACKNOWLEDGE);

                   

                  conn.start();

                  System.

                  out.println("Connection Started");

                   

                  As far as firewall ports are concerned. I think you need

                  1099    TCP  JNDI    look JMS queue

                  1098    TCP  RMI      JNDI port for RMI

                  4457    TCP   JMS    JMS no SSL

                  4459     TCP  JMS    JMS with SSL

                  and 

                  4444    RMIObjectPort. (basically you need to fix the RMI port to a fixed port instead of a random port to make it work with a firewall)

                  see

                  http://community.jboss.org/wiki/UsingJBossBehindAFirewall

                   

                   

                   

                  Nikos

                  • 6. Re: How can I configure ESB in sending/Receiving JMS Messages with SSL?
                    koten ou Newbie

                    nikos

                     

                    Thank you very much for your detailed explanations . I'v tried a few times in accordance with you guidance and I think it be SSL-Configured for that it seems normal in sending a message on "SSLConnectionFactory", and receiving the message by JMS-Listener, which listening the queue in the bus from the JMS-Provider with "SSLConnectionFactory".

                     

                    But I have no idea in how to know that the message sending/receiving is under SSL and no idea in if it is been Rightly configured.

                    I want to describe my configuration for  my SSL test here.Sorry for no-sourcecode because of  some security reason in my company.

                     

                    1.I'm used the jbossesb-server-4.7 (using jboss-messaging 1.4 I think :~)

                    2.I copied the remoting-sslbisocket-service.xml from jboss-5.1.0.GA ,and pasted it ito .\jbossesb-server-4.7\server\default\deploy\jboss-messaging.sar\

                    3.I added the SSLConnectionFactory into  the connection-factories-service.xml ,that the configuration is exactly same as you gave to me.

                    4.I maked the server.keystore,server.cer and client.truststore

                    5.I configured the server.keystore in remoting-sslbisocket-service.xml with its location and passwords.

                    6.I created a esb-service which listening a queue by the bus offered by JMS-Provider in SSLConnectionFactory.

                    7.I wrote a programm with the code you gave me for sending a message on SSLConnectionFactory

                     

                    Now the action in the esb-service is well displaying the message after sending a message by my programme.

                    But how could I know it is rightly SSL-Configured ?

                     

                    It is very kind of you for giving the detail for SSL-Configuration that I thought it could be the temination in my last reply in 2/24 :-)
                    thank you very mucch

                    regard

                    koten

                    • 7. Re: How can I configure ESB in sending/Receiving JMS Messages with SSL?
                      Nikos Massios Novice

                      Hello Koten,

                       

                      I guess your only question is


                      "Now the action in the esb-service is well displaying the message after sending a message by my programme.

                      But how could I know it is rightly SSL-Configured ?"

                       

                      I think in jboss-log4j.xml there is an appender which is called AUDIT. This appender definitely prints out the ssl handshaking for https. I am not sure if it also prints out the ssl handshaking for the ssl bidirectional socket.

                       

                      Another way you could test that would be with a packet sniffer, for example ethereal. Try reading the message when using the normal Connection Factory. Probably you will be able to read something human readable. Then try the SSLConnectionFactory.

                       

                      I think if you are using the SSLConnectionFactory you have probably set it up right. If you do not set

                      System.setProperty("javax.net.ssl.trustStore", "C:\\workspace\\esbClientTest\\conf\\client.truststore");

                      System.setProperty("javax.net.ssl.trustStorePassword", "PASSWORD HERE");

                      and still use the SSLConnectionFactory then the handshaking will fail. That's another way to know that you are using SSL.

                       

                      Nikos.

                      • 8. Re: How can I configure ESB in sending/Receiving JMS Messages with SSL?
                        koten ou Newbie

                        Hello Nikos

                         

                        Thanks for you reply

                         

                        As what you said , my only question is to proof my SSL-Configuration is right :-)  And I will  try the mothod above you gave me for knowing whether it is rightly SSL-Configured.

                         

                        regard

                         

                        Koten

                         

                        PS:I am using the "System.setProperty(...)" to send message in SSLConnectionFactory and faild without it.So I guess I configued it rightly,but I also make my boss trust it...