0 Replies Latest reply on Apr 14, 2004 7:08 PM by pulkit

    Setting up SSL for the remote calls made to EJBs

    pulkit

      Hello everyone,
      I have been to many sites and most of them teach how to secure Tomcat using SSL, which makes HTTPS connections secure. But I feel like something is missing. What if the bean I want to deploy doesn't necessarily use HTTPS? I mean, what if I am just writing an ejb-jar.xml for my beans, deploying them and then making calls to them using client code that looks something like:

      import java.util.Properties;
      import javax.naming.Context;
      import javax.naming.InitialContext;
      import javax.rmi.PortableRemoteObject;

      // Plain JNDI/RMI client: looks up the factory home, creates a session
      // bean and invokes it. TransactionFactory, IUserInfo, UserInfo and
      // ITransaction are the application's own types.
      public class TransactionClient {
          public static void main(String[] args) throws Exception {
              Properties properties = new Properties();
              properties.put(Context.INITIAL_CONTEXT_FACTORY,
                  "org.jnp.interfaces.NamingContextFactory");
              properties.put(Context.PROVIDER_URL, "localhost:1099");
              Context initial = new InitialContext(properties);
              Object objectRef = initial.lookup("Transaction");
              TransactionFactory transactionFactory =
                  (TransactionFactory) PortableRemoteObject.narrow(objectRef,
                      TransactionFactory.class);
              IUserInfo userInfo = new UserInfo("a", "b", "c", false);
              ITransaction transaction = transactionFactory.create(userInfo);
              System.out.println(transaction.getBalance());
              transaction.withdraw(10.0);
              System.out.println(transaction.getBalance());
              transaction.credit(25.6);
              System.out.println(transaction.getBalance());
          }
      }

      In such a case pure RMI calls are being used... RIGHT?
      If that is the case, then I have yet to find anything that secures these for me while making use of SSL.
      Often it has been suggested that the following be added to the jboss.xml file:

      <ejb-name>MyBean</ejb-name>
      <configuration-name>Standard Stateful SessionBean</configuration-name>
      <home-invoker>jboss:service=invoker,type=jrmp,socketType=SSL</home-invoker>
      <bean-invoker>jboss:service=invoker,type=jrmp,socketType=SSL</bean-invoker>

      In this, should the name "MyBean" be replaced by the name of the session bean that one might have constructed to envelope the local entity bean? By that I mean a stateful session bean for programmatically logging in and using the functions of an underlying and unexposed entity bean.
      So do we add the lines above under that session bean's name, or is this different?
      Also, shouldn't the initial data from the user be encrypted, for example the parameters sent for the creation of the login session bean itself? For example, the invocation for the transaction session bean above should have something telling it to encode the call:
      ITransaction transaction = transactionFactory.create(userInfo);
      I mean, if this is not encoded... I just gave away my userInfo... DOH!
      So I was thinking that we should have set up the client to call up a context with properties that tell it to use SSL and what certificates or keys to encode the info with. But apparently that doesn't seem to be needed at all. Why? Or is it that people just haven't mentioned or displayed it so far? If so, kindly tell me how to do so.
      Even the lines above are added to jboss.xml, which means the client is oblivious to the need for using SSL. Furthermore, the JBoss server for Tomcat is told the location of the keys and/or certificates it should use; is there a similar procedure for securing the underlying RMI calls?

      I feel like a lot is lacking in my understanding of this situation.
      Could someone please shed some light on this subject?

      Thank You.
      Pulkit
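As an added example (not part of the original post or of JBoss itself), a small audit script that reads a jboss.xml and reports, per ejb-name, which of the home-invoker and bean-invoker elements do not name the SSL-typed JRMP invoker shown above. The jboss.xml content is constructed for illustration, and the script assumes that a bean with no invoker element falls back to the default plaintext JRMP invoker.

```python
import xml.etree.ElementTree as ET

# Constructed jboss.xml fragment (not from the original post): one bean with both
# invokers on the SSL-typed JRMP invoker, one whose bean-invoker is plaintext,
# and one entity bean that declares no invoker at all.
SAMPLE_JBOSS_XML = """<jboss>
  <enterprise-beans>
    <session>
      <ejb-name>TransactionFactory</ejb-name>
      <home-invoker>jboss:service=invoker,type=jrmp,socketType=SSL</home-invoker>
      <bean-invoker>jboss:service=invoker,type=jrmp,socketType=SSL</bean-invoker>
    </session>
    <session>
      <ejb-name>Transaction</ejb-name>
      <home-invoker>jboss:service=invoker,type=jrmp,socketType=SSL</home-invoker>
      <bean-invoker>jboss:service=invoker,type=jrmp</bean-invoker>
    </session>
    <entity>
      <ejb-name>Account</ejb-name>
    </entity>
  </enterprise-beans>
</jboss>
"""

SSL_MARKER = "socketType=SSL"
BEAN_TAGS = ("session", "entity", "message-driven")
INVOKER_TAGS = ("home-invoker", "bean-invoker")

def invoker_uses_ssl(bean, tag):
    """True only if the invoker element exists and names the SSL socket type.
    Assumption: a missing element falls back to the default plaintext JRMP invoker."""
    elem = bean.find(tag)
    return elem is not None and SSL_MARKER in (elem.text or "")

def audit_invokers(jboss_xml):
    """Map each ejb-name to the invoker elements that are not SSL-typed
    (an empty list means both home and bean invokers carry socketType=SSL)."""
    root = ET.fromstring(jboss_xml)
    findings = {}
    for bean in root.iter():
        if bean.tag in BEAN_TAGS and bean.findtext("ejb-name"):
            findings[bean.findtext("ejb-name")] = [
                tag for tag in INVOKER_TAGS if not invoker_uses_ssl(bean, tag)]
    return findings

if __name__ == "__main__":
    for name, plain in audit_invokers(SAMPLE_JBOSS_XML).items():
        print(name, "ok" if not plain else "plaintext: " + ", ".join(plain))
```

Run it against a deployed jboss.xml to see which beans would still be reached over plaintext RMI even after the SSL invoker lines are added for one of them.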