0 Replies Latest reply on Aug 20, 2010 3:26 AM by Glenn Bech

    Securing EJB3 traffic with mutual authentication using certificates

    Glenn Bech Newbie

      Hi,

       

      I am atempting to secure traffic between an Oracle Weblogic 10 and JBOSS 5.1.0 server. Our project is required to both encrypt the traffic and provide mutual authentication.

       

      I know that my aproach does not secure the JNDI lookup, and that it will configure the entire server, and not just my application.

      I think however that this is the fastest way to reach our deadline, withour having to add annotations and such to our beans.

       

      So far I have done the following;

       

      • Created a self signed server certificate using keytool:  keytool -genkey -alias server -keyalg RSA -keystore server.keystore
      • Configured the invokerLocator of the bean org.jboss.ejb3.RemotingConnector to use sslsocket transport.

       

      <bean name="org.jboss.ejb3.RemotingConnector">
          <property name="invokerLocator">
            <value-factory bean="ServiceBindingManager"
              method="getStringBinding">
              <parameter>
                jboss.remoting:type=Connector,name=DefaultEjb3Connector,handler=ejb3
              </parameter>
              <parameter>
                <null />
              </parameter>
              <parameter>sslsocket://${jboss.bind.address}:${port}</parameter>
              <parameter>
                <null />
              </parameter>
              <parameter>3873</parameter>
            </value-factory>
          </property>
          <property name="serverConfiguration">
            <inject bean="ServerConfiguration" />
          </property>
      </bean>
      
      
      • On the client side, I also generate a self signed certificate: keytool -genkey -alias client -keyalg RSA -keystore client.keystore
      • I then establish mutual authentication
      • I export the server certificate from the server keystore and import it into what becomes the
        client truststore
      • I export the client certificate from the client keystore and import it into what becomes
        the server truststore
      • I then configure both weblogic and JBOSS with the comamnd line arguments

           

          -Djavax.net.ssl.keyStore
          -Djavax.net.ssl.keyStorePassword
          -Djavax.net.ssl.trustStore=
          -Djavax.net.ssl.trustStorePassword
          I have one-way SSL up and running. If I remove the server certificate from the Client trust store, the handshake
          fails.
          My problem is; JBOSS does not authenticate the client certificate and accepts all incoming traffic.
          It seems to be ignoring the configured truststore. I have searched all documentation and have
          found nothing on EJB3 over SSL & mutual authentication in JBOSS 5.1.0AS
          Can anyone help?