1 Reply Latest reply on Feb 26, 2010 4:02 PM by Ben Schofield

    Possible to define client truststore on server when using sslsocket transport?

    Ben Schofield Novice

      I am using JBoss Remoting 2.5.2 with JBoss EAP 5.0.  When using the sslsocket transport, is it possible to configure the location of the truststore used by the remoting client during the ssl handshake?  From what I have demonstrated to myself already the client will use the cacerts file or the truststore specified by the system property javax.net.ssl.trustStore.  Instead of using either of these truststores I would like to define on the server side which truststore (and truststore password) the client should use.  Is this possible?

       

      I have configured both the socketFactory and serverSocketFactory properties of the Connector (xml bean configuration below).  I anticipated that the client would honor the socketFacotory setting but this doesn't seem to be the case.  Did some research and found the following in the remoting guide pdf.

       

      5.7.4. Client side configuration from the JBoss Application Server
      As described in sections Declarative configuration: MBeans and Declarative configuration: POJOs, the declarative
      xml files used by the Application Server can be used to configure the client by way of the parameters included in
      the InvokerLocator. However, a peculiarity in the way socket factories are created on the client restricts the parameters
      taken into consideration to those passed in the configuration map passed to the
      org.jboss.remoting.Client constructor. The following two parameters, introduced in releases 2.4.0.SP1 and
      2.5.2, respectively, eliminate that restriction.
      org.jboss.remoting.Remoting.SOCKET_FACTORY_NAME (actual value is 'socketFactory') - key for giving
      the name of the socket factory class to be used by clients.
      org.jboss.remoting.Remoting.USE_ALL_SOCKET_FACTORY_PARAMS (actual value is 'useAllSocketFactoryParams')
      - key for indicating that all socket factory parameters in the InvokerLocator should be used by clients.
      Note that the parameter org.jboss.remoting.Remoting.CONFIG_OVERRIDES_LOCATOR (actual value "configOverridesLocator"),
      described in section org.jboss.remoting.Remoting, is also relevant.

       

      I am not 100% these settings are what I need but would like to try them out.  Unfortunately I am not sure how to set these in a JBoss MicroContainer bean xml file.  Any insight on how to do this would be appreciated.

       

      <deployment xmlns="urn:jboss:bean-deployer:2.0">
          <!--  We don't want the AOPDependencyBuilder  -->
          <annotation>@org.jboss.aop.microcontainer.annotations.DisableAOP</annotation>

        <!--

          JBoss Remoting Connector

          Note: Bean Name "org.jboss.ejb3.RemotingConnector" is used
          as a lookup value; alter only after checking java references
          to this key.

        -->

        <bean name="org.jboss.ejb3.RemotingConnector"
          class="org.jboss.remoting.transport.Connector">

       

          <property name="invokerLocator">

       

            <value-factory bean="ServiceBindingManager"
              method="getStringBinding">
              <parameter>
                jboss.remoting:type=Connector,name=DefaultEjb3Connector,handler=ejb3
              </parameter>
              <parameter>
                <null />
              </parameter>
               <parameter>sslsocket://${jboss.bind.address}:${port}</parameter>
              <parameter>
                <null />
              </parameter>
               <parameter>3873</parameter>
            </value-factory>

       

          </property>
          <property name="serverConfiguration">
            <inject bean="ServerConfiguration" />
          </property>

       

          <property name="serverSocketFactory">
            <inject bean="sslServerSocketFactory" />
          </property>

       

          <property name="socketFactory">
            <inject bean="sslSocketFactory" />
          </property>

       

        </bean>

       

              <bean name="sslServerSocketFactory" class="org.jboss.security.ssl.DomainServerSocketFactory">
                      <constructor>

                               <!-- defines the keystore to use -->
                              <parameter><inject bean="jboss.security:service=JAAS-Security-Domain"/></parameter>
                      </constructor>
              </bean>
              <bean name="sslSocketFactory" class="org.jboss.security.ssl.DomainSocketFactory">
                      <constructor>

                               <!-- hopefully defines the truststore configured in the injected JaasSecurityDomain to be used by the client -->
                              <parameter><inject bean="jboss.security:service=JAAS-Security-Domain"/></parameter>
                      </constructor>
              </bean>

       

       

       

        <!-- Remoting Server Configuration -->
        <bean name="ServerConfiguration"
          class="org.jboss.remoting.ServerConfiguration">
          <property name="invocationHandlers">
            <map keyClass="java.lang.String" valueClass="java.lang.String">
              <entry>
                <key>AOP</key>
                <value>
                  org.jboss.aspects.remoting.AOPRemotingInvocationHandler
                </value>
              </entry>
            </map>
          </property>
        </bean>

       

      </deployment>