2 Replies Latest reply on Sep 3, 2002 4:50 AM by jean.christophe

    RMI+SSL

    fred_soulier

      Hi

      Using JBoss (CVS Head today) I have changed my jboss-service.xml as follows:

      <!-- ==================================================================== -->
      <!-- Invokers to the JMX node -->
      <!-- ==================================================================== -->

      <!-- RMI/JRMP invoker -->

      4444
      org.jboss.security.ssl.RMISSLClientSocketFactory
      org.jboss.security.ssl.RMISSLServerSocketFactory
      <!--
      custom
      -->
      RMI+SSL

      jboss:service=TransactionManager




      jboss:service=TransactionManager


      Now when I start JBoss I get:

      2002-08-01 19:15:50,237 INFO [org.jboss.ejb.EJBDeployer] Started
      2002-08-01 19:15:50,238 INFO [org.jboss.invocation.jrmp.server.JRMPInvoker] Starting
      2002-08-01 19:15:50,298 ERROR [org.jboss.invocation.jrmp.server.JRMPInvoker] Failed to setSecurityDomain=RMI+SSL on socket factory
      2002-08-01 19:15:50,326 ERROR [org.jboss.invocation.jrmp.server.JRMPInvoker] Starting failed
      java.lang.NullPointerException
      at org.jboss.security.ssl.DomainServerSocketFactory.createServerSocket(DomainServerSocketFactory.java:110)
      at org.jboss.security.ssl.DomainServerSocketFactory.createServerSocket(DomainServerSocketFactory.java:83)
      at org.jboss.security.ssl.RMISSLServerSocketFactory.createServerSocket(RMISSLServerSocketFactory.java:71)
      at sun.rmi.transport.tcp.TCPEndpoint.newServerSocket(TCPEndpoint.java:554)
      at sun.rmi.transport.tcp.TCPTransport.listen(TCPTransport.java:217)
      at sun.rmi.transport.tcp.TCPTransport.exportObject(TCPTransport.java:171)
      at sun.rmi.transport.tcp.TCPEndpoint.exportObject(TCPEndpoint.java:314)
      at sun.rmi.transport.LiveRef.exportObject(LiveRef.java:114)
      at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:120)
      at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:104)
      at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:273)
      at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:204)
      at org.jboss.invocation.jrmp.server.JRMPInvoker.exportCI(JRMPInvoker.java:352)
      at org.jboss.invocation.jrmp.server.JRMPInvoker.startService(JRMPInvoker.java:267)
      at org.jboss.invocation.jrmp.server.JRMPInvoker$1.startService(JRMPInvoker.java:112)
      at org.jboss.system.ServiceMBeanSupport.start(ServiceMBeanSupport.java:196)
      at org.jboss.invocation.jrmp.server.JRMPInvoker.start(JRMPInvoker.java:516)
      at java.lang.reflect.Method.invoke(Native Method)
      at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:549)
      at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:951)
      at $Proxy9.start(Unknown Source)
      at org.jboss.system.ServiceController.start(ServiceController.java:386)
      at org.jboss.system.ServiceController.start(ServiceController.java:402)
      at org.jboss.system.ServiceController.start(ServiceController.java:402)
      at java.lang.reflect.Method.invoke(Native Method)
      at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:549)
      at org.jboss.util.jmx.MBeanProxy.invoke(MBeanProxy.java:174)
      at $Proxy5.start(Unknown Source)
      at org.jboss.deployment.SARDeployer.start(SARDeployer.java:304)
      at org.jboss.deployment.MainDeployer.start(MainDeployer.java:806)
      at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:624)
      at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:588)
      at java.lang.reflect.Method.invoke(Native Method)
      at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:549)
      at org.jboss.util.jmx.MBeanProxy.invoke(MBeanProxy.java:174)
      at $Proxy7.deploy(Unknown Source)
      at org.jboss.deployment.scanner.URLDeploymentScanner.deploy(URLDeploymentScanner.java:392)
      at org.jboss.deployment.scanner.URLDeploymentScanner.scanDirectory(URLDeploymentScanner.java:611)
      at org.jboss.deployment.scanner.URLDeploymentScanner.scan(URLDeploymentScanner.java:464)
      at org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.doScan(AbstractDeploymentScanner.java:187)
      at org.jboss.deployment.scanner.AbstractDeploymentScanner.startService(AbstractDeploymentScanner.java:254)
      at org.jboss.system.ServiceMBeanSupport.start(ServiceMBeanSupport.java:196)
      at java.lang.reflect.Method.invoke(Native Method)
      at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:549)
      at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:951)
      at $Proxy0.start(Unknown Source)
      at org.jboss.system.ServiceController.start(ServiceController.java:386)
      at java.lang.reflect.Method.invoke(Native Method)
      at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:549)
      at org.jboss.util.jmx.MBeanProxy.invoke(MBeanProxy.java:174)
      at $Proxy5.start(Unknown Source)
      at org.jboss.deployment.SARDeployer.start(SARDeployer.java:304)
      at org.jboss.deployment.MainDeployer.start(MainDeployer.java:806)
      at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:624)
      at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:588)
      at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:572)
      at java.lang.reflect.Method.invoke(Native Method)
      at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:549)
      at org.jboss.util.jmx.MBeanProxy.invoke(MBeanProxy.java:174)
      at $Proxy6.deploy(Unknown Source)
      at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:324)
      at org.jboss.system.server.ServerImpl.start(ServerImpl.java:232)
      at org.jboss.Main.boot(Main.java:146)
      at org.jboss.Main$1.run(Main.java:379)
      at java.lang.Thread.run(Thread.java:479)

      How do I define the RMI+SSL security domain?

      Thanks
      /Fred

        • 1. Re: RMI+SSL
          fred_soulier

          OK, following some investigation I now have the following configuration:

          jboss-service.xml (for jrmp)
          ----------------------------

          <!-- ==================================================================== -->
          <!-- Security -->
          <!-- ==================================================================== -->

          <!-- RMI+SSL Security Domain setup -->




          /opt/jboss-3.1.0alpha/server/all/.keystore
          changeit


          <!-- ==================================================================== -->
          <!-- Invokers to the JMX node -->
          <!-- ==================================================================== -->

          <!-- RMI/JRMP invoker -->

          rmissl.security:name=JaasSecuritydomain,domain=RMI+SSL
          4444
          org.jboss.security.ssl.RMISSLClientSocketFactory
          org.jboss.security.ssl.RMISSLServerSocketFactory
          <!--
          custom
          -->
          java:/jaas/RMI+SSL

          jboss:service=TransactionManager



          cluster-service.xml (for jrmpha)
          --------------------------------

          <!-- ==================================================================== -->
          <!-- HA JNDI -->
          <!-- ==================================================================== -->

          jboss:service=DefaultPartition
          DefaultPartition
          1111



          4445
          org.jboss.security.ssl.RMISSLClientSocketFactory
          org.jboss.security.ssl.RMISSLServerSocketFactory
          <!--
          custom
          -->
          java:/jaas/RMI+SSL



          On the client side, even without the server certificate added to cacerts, I can still look up/access my EJBs without restriction (I should get an SSLException: untrusted server cert chain).

          From my server.log
          ------------------
          ...
          2002-08-02 15:00:30,008 INFO [org.jboss.security.plugins.SecurityConfig] Creating
          2002-08-02 15:00:30,009 INFO [org.jboss.security.plugins.SecurityConfig] Created
          2002-08-02 15:00:30,010 INFO [org.jboss.security.plugins.JaasSecurityManagerService] Creating
          2002-08-02 15:00:30,011 INFO [org.jboss.security.plugins.JaasSecurityManagerService] Created
          2002-08-02 15:00:30,012 INFO [org.jboss.security.plugins.JaasSecurityDomain.RMI+SSL] Created
          ...
          2002-08-02 15:00:30,779 INFO [org.jboss.security.plugins.SecurityConfig] Starting
          2002-08-02 15:00:30,784 INFO [org.jboss.security.plugins.SecurityConfig] Started
          2002-08-02 15:00:31,032 INFO [org.jboss.security.plugins.JaasSecurityManagerService] Starting
          2002-08-02 15:00:31,104 INFO [org.jboss.security.plugins.JaasSecurityManagerService] Started
          2002-08-02 15:00:31,105 INFO [org.jboss.security.plugins.JaasSecurityDomain.RMI+SSL] Starting
          2002-08-02 15:00:31,531 INFO [org.jboss.security.plugins.JaasSecurityManagerService] Added RMI+SSL, org.jboss.security.plugins.JaasSecurityDomain@7f242c to map
          2002-08-02 15:00:31,662 INFO [org.jboss.security.plugins.JaasSecurityDomain.RMI+SSL] Started
          ...
          2002-08-02 15:01:04,535 INFO [org.jboss.invocation.jrmp.server.JRMPInvokerHA] Creating
          2002-08-02 15:01:04,536 INFO [org.jboss.invocation.jrmp.server.JRMPInvokerHA] Created
          ...
          2002-08-02 15:01:07,933 INFO [org.jboss.invocation.jrmp.server.JRMPInvokerHA] Starting
          2002-08-02 15:01:07,987 INFO [org.jboss.invocation.jrmp.server.JRMPInvokerHA] Started
          ...
          2002-08-02 15:01:09,726 INFO [org.jboss.invocation.jrmp.server.JRMPInvoker] Creating
          2002-08-02 15:01:09,727 INFO [org.jboss.invocation.jrmp.server.JRMPInvoker] Created
          ...
          2002-08-02 15:01:09,993 INFO [org.jboss.invocation.jrmp.server.JRMPInvoker] Starting
          2002-08-02 15:01:10,173 INFO [org.jboss.invocation.jrmp.server.JRMPInvoker] Started
          ...




          Any idea?

          /Fred

          • 2. Re: RMI+SSL
            jean.christophe

            Hi,

            I have a similar problem
            (BTW it was working fine on 2.4
            using the ssl-domain extension in jboss.xml).
            What I did is:
            1 - deploy a service called rmissl-service
            which installs the security domain
            2 - use this domain in the jboss.xml
            3 - use the RMISSLSocketFactory (jboss.xml)

            but my bean doesn't seem to use the secure transport
            (while using the right login module).

            Did you make any progress on this issue?

            thanks a lot

            jc

            PS: I'm using 3.0.0 (downloaded 10 days ago)
            I will try with 3.0.2 asap
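
Both replies above describe an invoker that starts cleanly while the client still connects without the trust failure SSL should produce. The following added example (not part of the original posts and not JBoss code) checks, independently of any EJB client, whether the invoker ports from the thread complete a TLS handshake and whether the JVM's default truststore accepts the server chain. The class name `InvokerTlsProbe` and the default host `localhost` are assumptions.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.cert.CertificateException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added diagnostic, not JBoss code. Host and class name are assumptions;
// ports 4444 and 4445 are the invoker ports configured in the thread.
public class InvokerTlsProbe {
    enum Result { TLS_CHAIN_TRUSTED, TLS_CHAIN_UNTRUSTED, NO_TLS_HANDSHAKE, UNREACHABLE }

    static Result probe(String host, int port, int timeoutMs) {
        // The default factory validates the server chain against the JVM truststore
        // (cacerts unless javax.net.ssl.trustStore is set).
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        Socket tcp = new Socket();
        try {
            tcp.connect(new InetSocketAddress(host, port), timeoutMs);
            tcp.setSoTimeout(timeoutMs);
        } catch (IOException e) {
            closeQuietly(tcp);
            return Result.UNREACHABLE;
        }
        try (SSLSocket tls = (SSLSocket) factory.createSocket(tcp, host, port, true)) {
            tls.startHandshake();
            return Result.TLS_CHAIN_TRUSTED;
        } catch (IOException e) {
            // A rejected chain surfaces as a CertificateException in the cause chain.
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof CertificateException) return Result.TLS_CHAIN_UNTRUSTED;
            }
            // Plaintext JRMP listener, timeout, or no shared protocol/cipher suite.
            return Result.NO_TLS_HANDSHAKE;
        } finally {
            closeQuietly(tcp);
        }
    }

    static void closeQuietly(Socket s) {
        try { s.close(); } catch (IOException ignored) { }
    }

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "localhost";
        for (int port : new int[] {4444, 4445}) {
            System.out.println(host + ":" + port + " -> " + probe(host, port, 5000));
        }
    }
}
```

`NO_TLS_HANDSHAKE` on a port means the SSL socket factories are not in effect on that listener. `TLS_CHAIN_UNTRUSTED` on a port the application client uses without error means the client is either not validating against the default truststore or not reaching the EJBs through that port.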