4 Replies Latest reply on Jul 11, 2016 8:00 AM by tomekadamski

    Enabling IIOP over SSL in JBoss AS 7

    Bharti Kundal Newbie

      The following client configuration does not work for connecting to the SSL enabled IIOP in JBoss AS 7:

       

      env.put("jacorb.ssl.socket_factory", "org.jacorb.security.ssl.sun_jsse.SSLSocketFactory");

              env.put("jacorb.ssl.server_socket_factory", "org.jacorb.security.ssl.sun_jsse.SSLServerSocketFactory");

              env.put("jacorb.security.support_ssl", "on");

              env.put("jacorb.security.ssl.client.supported_options","20");

              env.put("jacorb.security.ssl.client.required_options","20");

              env.put("jacorb.security.ssl.server.supported_options","20");

              env.put("jacorb.security.ssl.server.required_options", "20");

              env.put("jacorb.security.ssl.corbaloc_ssliop.supported_options","20");

              env.put("jacorb.security.ssl.corbaloc_ssliop.required_options","20");

              env.put("org.omg.PortableInterceptor.ORBInitializerClass.standard_init","org.jacorb.orb.standardInterceptors.IORInterceptorInitializer");

       

              /**SSL options end here**/

              env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.cosnaming.CNCtxFactory");

              env.put(Context.PROVIDER_URL, "corbaloc::" + host + ":3529/JBoss/Naming/root");

               //  env.put(Context.PROVIDER_URL, "corbaloc:iiop:" + host + ":3529/JBoss/Naming/root");

       

      The server side is enabled for SSL like this:

       

       

                  <orb  ssl-socket-binding="jacorb-ssl">

                      <initializers security="identity" transactions="spec"/>

                  </orb>

               <security support-ssl="on" security-domain="ssl-domain"/>

              </subsystem>

       

      The port 3529 is the IIOP SSL port .

       

      The server complaints that:

      15:05:23,852 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, handling exception: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?

      15:05:23,853 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message

      15:05:23,853 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, WRITE: TLSv1.2 Alert, length = 2

      15:05:23,853 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, called closeSocket()

      15:05:24,875 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, called close()

      15:05:24,875 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, called closeInternal(true)

      15:05:24,875 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, called close()

      15:05:24,875 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, called closeInternal(true)

      15:05:24,875 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, called close()

      15:05:24,875 INFO  [stdout] (ServerMessageReceptor2) ServerMessageReceptor2, called closeInternal(true)

       

       

       

      Somewhere I feel something is missing on the client side .Can anyone help with pointers

        • 1. Re: Enabling IIOP over SSL in JBoss AS 7
          tomekadamski Novice

          Hi Bharti,

           

          You should explicitly specify version of iiop protocol to > 1.0. You can do it formatting your corbaname address in the following way:

          "corbaname:ssliop:1.2@" + host + ":3529/JBoss/Naming/root"

          1.0 version does not support tagged components and one of them is used to mark that the connection has to be secured and as a result ssliop won't work on 1.0. This is rather hacky configuration but the default protocol could not be changed as 1.0 is required as default by specification.

           

          You should set all SSL configuration options as system properties either in commandline or using System.setProperty. You also have to specify client truststore which will be used during secured connection creation. You can do it using following options:

          jacorb.security.keystore=${your_keystore}

          jacorb.security.keystore_password=${your_password}

          jacorb.security.jsse.trustees_from_ks=true

           

          After above fixes you should be able to run your test correctly.

           

          Regards,

          Tomek

          • 2. Re: Enabling IIOP over SSL in JBoss AS 7
            Bharti Kundal Newbie

            Hi Tomek,

             

            Thank you for the inputs!!!!I will test them

            • 3. Re: Enabling IIOP over SSL in JBoss AS 7
              Bharti Kundal Newbie

              Hi Tomek,

               

              Thanks for the pointers ,the test case works fine now..Posting the entire sample with some observations:

               

              #####################################Standalone client with SSL#####################################################################################

                       System.setProperty("jacorb.security.support_ssl", "on" );

                       System.setProperty("jacorb.ssl.socket_factory", "org.jacorb.security.ssl.sun_jsse.SSLSocketFactory" );

                       System.setProperty("jacorb.ssl.server_socket_factory", "org.jacorb.security.ssl.sun_jsse.SSLServerSocketFactory" );

                       System.setProperty("jacorb.security.ssl.client.supported_options", "20" );

                       System.setProperty("jacorb.security.ssl.client.required_options", "20" );

                       System.setProperty("jacorb.security.ssl.server.supported_options", "20" );

                       System.setProperty("jacorb.security.ssl.server.required_options", "20" );

                       System.setProperty("jacorb.security.ssl.corbaloc_ssliop.supported_options", "20" );

                       System.setProperty("jacorb.security.ssl.corbaloc_ssliop.required_options", "20" );

                       System.setProperty("org.omg.PortableInterceptor.ORBInitializerClass.standard_init", "org.jacorb.orb.standardInterceptors.IORInterceptorInitializer" );

                      System.setProperty("jacorb.security.keystore","/EAP6.4/jboss-eap-6.4/standalone-jacorb_ssl/keystores/clientidentity.jks");

                      System.setProperty("jacorb.security.keystore_password","password");

                       System.setProperty("jacorb.security.jsse.trustees_from_ks","false");

                        System.setProperty("jacorb.security.truststore",/EAP6.4/jboss-eap-6.4/standalone-jacorb_ssl/keystores/client-trust.jks");

                       System.setProperty("javax.net.ssl.trustStore","/EAP6.4/jboss-eap-6.4/standalone-jacorb_ssl/keystores/client-trust.jks");

                        System.setProperty("javax.net.ssl.keyStore","/EAP6.4/jboss-eap-6.4/standalone-jacorb_ssl/keystores/clientidentity.jks");

                      System.setProperty("javax.net.ssl.keyStorePassword","password");

                      

                      env.put(Context.SECURITY_PROTOCOL, "ssl");

                      env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.cosnaming.CNCtxFactory");

                      env.put(Context.PROVIDER_URL, "corbaloc:ssliop:1.2@" + host + ":3529/JBoss/Naming/root");

              ########################################################################################################################################################

               

              If I set System.setProperty("jacorb.security.jsse.trustees_from_ks","true") ,my client side trsustore with this property was ignored: System.setProperty("jacorb.security.truststore","/NotbackedUp/JBOSS_ALL/EAP6.4/jboss-eap-6.4/standalone-jacorb_ssl/keystores/client-trust.jks");

               

              and my SSL handsahke failed with the client being not able to find the trusted certificates from server side and the traces on server side showed the following:

               

              15:41:23,769 DEBUG [jacorb.orb.iiop] (ServerMessageReceptor1) Caught exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

                  at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.8.0_91]

                  at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) [jsse.jar:1.8.0_91]

                  at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023) [jsse.jar:1.8.0_91]

                  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125) [jsse.jar:1.8.0_91]

                  at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) [jsse.jar:1.8.0_91]

                  at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:928) [jsse.jar:1.8.0_91]

                  at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) [jsse.jar:1.8.0_91]

                  at org.jacorb.orb.etf.StreamConnectionBase.read(StreamConnectionBase.java:111) [jacorb-2.3.2.redhat-6.jar:2.3.2.redhat-6]

                  at org.jacorb.orb.giop.GIOPConnection.getMessage(GIOPConnection.java:337) [jacorb-2.3.2.redhat-6.jar:2.3.2.redhat-6]

                  at org.jacorb.orb.giop.GIOPConnection.receiveMessages(GIOPConnection.java:480) [jacorb-2.3.2.redhat-6.jar:2.3.2.redhat-6]

                  at org.jacorb.orb.giop.MessageReceptor.doWork(MessageReceptor.java:71) [jacorb-2.3.2.redhat-6.jar:2.3.2.redhat-6]

                  at org.jacorb.util.threadpool.ConsumerTie.run(ConsumerTie.java:61) [jacorb-2.3.2.redhat-6.jar:2.3.2.redhat-6]

                  at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_91]

               

              I then set System.setProperty("jacorb.security.jsse.trustees_from_ks","false") so that my following properties would be picked up

               

              System.setProperty("javax.net.ssl.trustStore","/EAP6.4/jboss-eap-6.4/standalone-jacorb_ssl/keystores/client-trust.jks");

                        System.setProperty("javax.net.ssl.keyStore","/EAP6.4/jboss-eap-6.4/standalone-jacorb_ssl/keystores/clientidentity.jks");

                      System.setProperty("javax.net.ssl.keyStorePassword","password");

               

              The connection with server then works fine and my client is able to access the EJB bean.

              1 of 1 people found this helpful
              • 4. Re: Enabling IIOP over SSL in JBoss AS 7
                tomekadamski Novice

                Hi Bharti,

                 

                If you have trustees defined in different file then you should set jacorb.security.jsse.trustees_from_ks to false ( or not set it at all as the default value of this property is false) and use the javax.net.ssl.trustStore option. There is a note in the documentation (http://www.jacorb.org/releases/3.1/ProgrammingGuide.pdf page 82) that those properties were not working correctly in previous virtual machines but if they work correctly now then they should be used.

                 

                Regards,

                Tomek

                1 of 1 people found this helpful