0 Replies Latest reply on Apr 5, 2014 8:27 AM by Andreas Neuteich

    JNDI remote lookup with SSL

    Andreas Neuteich Newbie

      Hello all,

       

      I would like to make a remote JNDI lookup on a JBoss AS 7.1.1 which is SSL secured.

       

      Here is what I have done so far:

       

      on client side:

       

      Properties props = new Properties();
      props.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
      props.put(Context.PROVIDER_URL, "remote://localhost:4447");
      props.put(Context.SECURITY_PRINCIPAL, "q");
      props.put(Context.SECURITY_CREDENTIALS, "super");
      
      
      props.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "true");
      props.put("remote.connection.default.connect.options.org.xnio.Options.SSL_STARTTLS",  "true");
      props.put("remote.connections", "default");
      props.put("remote.connection.default.host", "localhost");
      props.put("remote.connection.default.port", "4447");
      props.put("remote.connection.default.username", "q");
      props.put("remote.connection.default.password", "super");
      props.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
      props.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT","false");
      props.put("remote.connection.default.connect.options.org.jboss.remoting3.RemotingOptions.HEARTBEAT_INTERVAL", "600000");
      
      
      InitialContext context = new InitialContext(props);
      
      
      // Strings for JNDI names
      String factoryName = "jms/RemoteConnectionFactory";
      String queueName =  "jms/queue/test";
      // Perform JNDI lookup
      QueueConnectionFactory factory = (QueueConnectionFactory) context.lookup(factoryName);
      Queue queue = (Queue) context.lookup(queueName);
      

       

      Called with VM arguments:

      -Djavax.net.ssl.trustStore=C:\tmp\client.keystore 
      -Djavax.net.ssl.trustStorePassword=123456
      

       

      on server side:


      standalone.xml:


          <management>
              <security-realms>
                  <security-realm name="ManagementRealm">
                      <authentication>
                          <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                      </authentication>
                  </security-realm>
                  <security-realm name="ApplicationRealm">
                      <server-identities>
                          <ssl>
                              <keystore path="server.keystore" relative-to="jboss.server.config.dir" password="123456"/>
                          </ssl>
                      </server-identities>
                      <authentication>
                          <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                      </authentication>
                  </security-realm>
              </security-realms>
             ...
      

       

      However, this exception is thrown:

      ERROR: JBREM000200: Remote connection failed: java.io.IOException: Client starting STARTTLS but channel doesn't support SSL
      

       

      On my JBoss I am getting:

       

      13:40:46,702 INFO  [stdout] (Remoting "my-jboss" read-1) Using SSLEngineImpl.
      13:40:46,734 INFO  [stdout] (Remoting "my-jboss" read-1) Allow unsafe renegotiation: false
      13:40:46,735 INFO  [stdout] (Remoting "my-jboss" read-1) Allow legacy hello messages: true
      13:40:46,735 INFO  [stdout] (Remoting "my-jboss" read-1) Is initial handshake: true
      13:40:46,736 INFO  [stdout] (Remoting "my-jboss" read-1) Is secure renegotiation: false
      13:40:46,737 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello
      13:40:46,738 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello
      13:40:46,739 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for SSLv2Hello
      13:40:46,740 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello
      13:40:46,741 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello
      13:40:46,742 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for SSLv2Hello
      13:40:46,743 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for SSLv2Hello
      13:40:46,744 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv3
      13:40:46,745 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for SSLv3
      13:40:46,747 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for SSLv3
      13:40:46,747 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv3
      13:40:46,748 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for SSLv3
      13:40:46,749 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for SSLv3
      13:40:46,750 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for SSLv3
      13:40:46,751 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
      13:40:46,752 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
      13:40:46,753 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
      13:40:46,754 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
      13:40:46,755 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
      13:40:46,756 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
      13:40:46,757 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
      13:40:46,758 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
      13:40:46,759 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
      13:40:46,760 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
      13:40:46,760 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
      13:40:46,761 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
      13:40:46,762 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
      13:40:46,763 INFO  [stdout] (Remoting "my-jboss" read-1) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
      13:40:46,765 INFO  [stdout] (Remoting "my-jboss" read-1) Remoting "my-jboss" read-1, called closeInbound()
      13:40:46,766 INFO  [stdout] (Remoting "my-jboss" read-1) Remoting "my-jboss" read-1, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
      13:40:46,767 INFO  [stdout] (Remoting "my-jboss" read-1) javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
      13:40:46,768 INFO  [stdout] (Remoting "my-jboss" read-1) Remoting "my-jboss" read-1, SEND TLSv1 ALERT:  fatal, description = internal_error
      13:40:46,769 INFO  [stdout] (Remoting "my-jboss" read-1) Remoting "my-jboss" read-1, WRITE: TLSv1 Alert, length = 2
      

       

      If I remove the <server-identities> and <ssl> tags in the standalone.xml, I can successfully do the lookup of the JMS queue factory. But I need to do it with an SSL secured JBoss AS.

       

      Based on https://community.jboss.org/thread/206763 I was able to make an EJB lookup with SSL, but for the simple lookup of the JMS queue factory this is not working.

      Please help.