6 Replies Latest reply on Jul 29, 2004 7:19 PM by Scott Stark

    JBoss & Kerberos

    Roger Smith Newbie

      I have been researching how to provide secure communication between a application client using RMI and a JBoss server. I was able to get RMI over SSL to work but my company would
      prefer to use Kerberos. I have found little to no documentation on JBoss and kerberos. Does JBoss support it? If so, can you point me to some documentation or describe to me how to integrate it with JBoss? Also, I have done some reading about SRP. Is this the JBoss preferred way to provide secure communication? Any help with this would be great. Thanks for your time.

        • 1. Re: JBoss & Kerberos
          Scott Stark Master

          We don't have a jboss speicific login module for kerberos but they exist so that would be the path to using kerberos with jboss.

          SRP is preferred simply because it does not have the pki management headache. Any kerberos integration would be similar to how SRP is done so its worth looking at from that perspective. If your pki phobic its a good alternative.

          • 2. Re: JBoss & Kerberos
            Roger Smith Newbie

            I have tried out SRP example "ex3" in chapter 8 of the Admin & Development guide v3.2.3. This example shows how to performs authentication using SRP but the RMI data is still transferred without encryption.

            In order to add the encryption part I believe that I would have to create Custom RMIServerFactorys to that use an SRP session key to encrypt/decrypt the RMI data between the client and server.

            If this is correct, how do I get the SRP session key on both ends (client/server)?

            • 3. Re: JBoss & Kerberos
              Roger Smith Newbie

              RMIServerFactorys above should be RMISocketFactory. Sorry for the typo.

              • 4. Re: JBoss & Kerberos
                Scott Stark Master

                The session key is available as a javax.crypto.SecretKey in the Subject private credentials set populated by the SRPLoginModule. There is an example of a custom pair of client/server interceptors in the org.jboss.test.security.interceptors package of the testuite that illustrate using the srp session key to encrypt just the arguments of ejb invocations using SealedObjects.

                • 5. Re: JBoss & Kerberos
                  Roger Smith Newbie

                  Thanks for your help I can't tell you much it has helped so far. Unfortunately, I have run into another problem.

                  I would like to create custom RMI server and client socket factories that encrypt and decrypt the entire RMI message using the SRP SecretKey created during login.

                  On the client I am able to get the SecretKey from the Subject and create encryption/decryption Ciphers based on the SecretKey. The problem is on the server. How do I get the Subject for the client that is connecting to the server? I tried to do this after the socket accept but it returned null:

                  Subject subject = SecurityAssociation.getSubject();

                  How does the RMIServerSocket retrieve the apprioprate Subject so the server side socket can access a SecretKey that matches the clients so it can setup ciphers for input and output communication?

                  I am using v3.2.3, with the service code from chap8 ex to perform the login.
                  Thanks for all your help.

                  • 6. Re: JBoss & Kerberos
                    Scott Stark Master

                    It would have to be done through some out of band mechanism. The RMIServerSocket is used when a connection is created and there will be no user information associated with the thread. The only way this could be done is to read the Subject or key to obtain the Subject from the socket as sent by the client.