10 Replies Latest reply on Oct 17, 2012 11:03 AM by renz13

    Remoting with SSL and Cipher Suite

    renz13 Newbie

      Hello,

       

      Is there a way to configure (on server or client side) cipher suite used by remoting?

      My application should only accept :

      TLS_RSA_WITH_3DES_EDE_CBC_SHA

      TLS_RSA_WITH_AES_128_CBC_SHA

      TLS_RSA_WITH_AES_256_CBC_SHA

       

      Thanks for your help

        • 1. Re: Remoting with SSL and Cipher Suite
          renz13 Newbie

          The <jsse> element of the <security-domain> in the configuration file is maybe the right place, but it seems to be ignored when I try to use it with client-auth enabled.

          I've made a few tests with a truststore and client-auth enabled, and remote calls work even with an untrusted certificate!!!

          <jsse keystore-password="pass" keystore-url="file:/D:/jboss-as-7.1.1.Final/standalone/configuration/server.keystore" truststore-password="otherpass" truststore-url="file:/D:/jboss-as-7.1.1.Final/standalone/configuration/server.truststore" cipher-suites="TLS_RSA_WITH_AES_256_CBC_SHA" client-auth="true"/>

           

          Any idea?

          • 2. Re: Remoting with SSL and Cipher Suite
            Darran Lofthouse Master

            At the moment we don't have a configuration option to specify this and security domains are completely unrelated to the Remoting configuration.

            I have added the following issue to re-visit this:

            https://issues.jboss.org/browse/AS7-5033

            • 3. Re: Remoting with SSL and Cipher Suite
              renz13 Newbie

              I don't understand why you say they are "completely unrelated" (my English is not so good, maybe I haven't explained my problem correctly)?

              For the moment I'm using a security-realm to manage authentication/authorization of my remote EJB client.

              I use a database to store login/password and roles and use SSL to secure and identify my server.

              Here is a part of my standalone.xml, which is working:

              ....

              <security-realm name="myRealm">
                  <server-identities>
                      <ssl>
                          <keystore path="server.keystore" relative-to="jboss.server.config.dir" password="pass"/>
                      </ssl>
                  </server-identities>
                  <authentication>
                      <jaas name="myDomain"/>
                  </authentication>
              </security-realm>

              ......

              <subsystem xmlns="urn:jboss:domain:remoting:1.1">
                  <connector name="remoting-connector" socket-binding="remoting" security-realm="AreaFseRealm"/>
              </subsystem>

              .....

              <security-domain name="myDomain" cache-type="default">
                  <authentication>
                      <login-module code="Remoting" flag="optional">
                          <module-option name="password-stacking" value="useFirstPass"/>
                      </login-module>
                      <login-module code="Database" flag="required">
                          <module-option name="dsJndiName" value="java:jboss/datasources/myDS"/>
                          <module-option name="principalsQuery" value="SELECT pass FROM user WHERE username=?"/>
                          <module-option name="rolesQuery" value="SELECT r.roles, 'Roles' FROM role r INNER JOIN user u USING (id_user) WHERE u.username=?"/>
                          <module-option name="password-stacking" value="useFirstPass"/>
                      </login-module>
                  </authentication>
              </security-domain>


              What I try to add now is:

              - client certificate authentication (with revocation check): client certificates are delivered by a CA. I have the CA certificate and I can download the CRL => Maybe I have to code my own TrustManager or something else

              - use one of these ciphers (I'm developing both client and server side):

                   * TLS_RSA_WITH_3DES_EDE_CBC_SHA

                   * TLS_RSA_WITH_AES_128_CBC_SHA

                   * TLS_RSA_WITH_AES_256_CBC_SHA

                   => If it's not possible, how can I know the cipher used by default?

              I thought this could be done in the <jsse> element looking at https://docs.jboss.org/author/display/AS71/Security+subsystem+configuration
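Added example for the two points in the post above (not code from this thread or from JBoss): it prints the cipher suites this JVM enables by default and checks which of the wanted names it recognises (Oracle/OpenJDK JSSE names the 3DES suite SSL_RSA_WITH_3DES_EDE_CBC_SHA, as in the last reply), and builds a PKIX TrustManager from the CA certificate and a downloaded CRL with revocation checking turned on. The class name and the two file paths are assumptions; plugging the result into the Remoting connector is outside what this thread covers.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class CipherAndRevocationCheck {
    // Suites the application wants to allow (from the post). Oracle/OpenJDK JSSE names the
    // 3DES suite SSL_RSA_WITH_3DES_EDE_CBC_SHA; an unknown name is silently ignored, so check.
    static final List<String> WANTED = Arrays.asList(
        "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA");

    /** Prints what this JVM enables by default and which of the wanted names it recognises. */
    static void reportCipherSuites() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<String>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        System.out.println("Enabled by default: "
            + Arrays.toString(ctx.getDefaultSSLParameters().getCipherSuites()));
        for (String s : WANTED) {
            System.out.println(s + (supported.contains(s) ? " : known" : " : UNKNOWN, would be ignored"));
        }
    }

    /** TrustManager that accepts only chains ending at caCertFile and not revoked in crlFile. */
    static TrustManager[] crlCheckingTrustManagers(String caCertFile, String crlFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        X509CRL crl;
        try (InputStream in = new FileInputStream(caCertFile)) {   // assumed PEM/DER CA cert path
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        try (InputStream in = new FileInputStream(crlFile)) {      // assumed downloaded CRL path
            crl = (X509CRL) cf.generateCRL(in);
        }
        KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
        anchors.load(null, null);                 // empty in-memory store holding only the CA
        anchors.setCertificateEntry("ca", ca);
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(anchors, new X509CertSelector());
        pkix.addCertStore(CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(Collections.singletonList(crl))));
        pkix.setRevocationEnabled(true);          // revoked cert, or no CRL covering the issuer, fails
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf.getTrustManagers();
    }
}
```

Pass the returned array to SSLContext.init(null, tms, null); the check fails closed when the CRL does not cover the client certificate's issuer.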

              • 4. Re: Remoting with SSL and Cipher Suite
                Darran Lofthouse Master

                What I mean when I say that they are unrelated is that any configuration applied to a security domain is not used to apply the SSL settings to the Remoting connector.

                • 5. Re: Remoting with SSL and Cipher Suite
                  renz13 Newbie

                  OK, thanks for your help ;-)

                  Just a last question, what is the <jsse> element used for? Is it only for outbound connections?

                  • 6. Re: Remoting with SSL and Cipher Suite
                    Rohan Emmanuel Newbie

                    Can I use the ssl tag for AS 7.1.2? For remoting EJB3 over SSL?

                    <ssl>
                        <keystore path="server.keystore" relative-to="jboss.server.config.dir" password="pass"/>
                    </ssl>

                    If not, what else should I configure for AS 7.1.2?

                    • 7. Re: Remoting with SSL and Cipher Suite
                      Darran Lofthouse Master

                      Yes that is exactly how you would set it on the realm associated with the connection.

                      • 8. Re: Remoting with SSL and Cipher Suite
                        Rohan Emmanuel Newbie

                        Can you point me to the documentation where this is given in detail,

                        or do you have any sample application which you could share?

                        I am trying to remotely connect to a simple stateless bean over SSL.

                        Thanks

                        • 9. Re: Remoting with SSL and Cipher Suite
                          renz13 Newbie

                          I was thinking again about a way of configuring the cipher suites on client or on the server side.

                          Do you think we can use a workaround by using a system property or something else, used by the SSLFactory?

                          • 10. Re: Remoting with SSL and Cipher Suite
                            renz13 Newbie

                            On the client side, this option in jboss-ejb-client.properties does the trick:

                            remote.connection.default.connect.options.org.xnio.Options.SSL_ENABLED_CIPHER_SUITES=TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA

                            If I could find an equivalent on the server side...