6 Replies Latest reply on Feb 4, 2009 12:41 PM by biebel1975

    RMI over SSL - mutual authentication

    Eva Kalatova Newbie

      Hello everybody.
      I've tried to configure Jboss to use RMI over SSL to access my Session beans. It works fine only that way, the server sends it's certificate key to the client and client must have it in it's trust store, but the client isn't required to send it's certificate key to the server and server doesn't control it. Could you please help me? What am I doing wrong?

      The service XML file deployed on server:

      <?xml version="1.0" encoding="UTF-8"?>
       <!-- The SSL domain setup -->
       <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       <arg type="java.lang.String" value="RMI+SSL"/>
       <attribute name="KeyStoreURL">d:/jboss-4.0.4.GA/server/suc/certs/ServerKeyTrust.jks</attribute>
       <attribute name="KeyStorePass">password</attribute>
       <attribute name="TrustStoreURL">d:/jboss-4.0.4.GA/server/suc/certs/ServerKeyTrust.jks</attribute>
       <attribute name="TrustStorePass">password</attribute>
       <attribute name="ManagerServiceName">jboss.security:service=JaasSecurityManager</attribute>
      <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
       <attribute name="RMIObjectPort">14445</attribute>
       <attribute name="RMIClientSocketFactory">org.jboss.security.ssl.RMISSLClientSocketFactory
       <attribute name="RMIServerSocketFactoryBean"
       <property name="bindAddress">${jboss.bind.address}</property>
       <property name="securityDomain">java:/jaas/RMI+SSL</property>
       <property name="wantsClientAuth">true</property>
       <property name="needsClientAuth">true</property>

      Part of the definition in jboss.xml in my deployed application:
       <!-- invoker-mbean>jboss:service=invoker,type=jrmp,socketType=SSL</invoker-mbean -->

        • 1. Re: RMI over SSL - mutual authentication
          Eva Kalatova Newbie

          Oh, I forgot the JBoss version is jboss-4.0.4.GA

          • 2. Re: RMI over SSL - mutual authentication
            Eva Kalatova Newbie

            I am still stuck at this problem. Does anybody have an experience, how to make mutual authentication of RMI call in JBoss, please?
            Any advice will be welcome.

            • 3. Re: RMI over SSL - mutual authentication
              Ruben Trancoso Newbie

              Hello Evka,
              im desesperate trying to achieve at least rmi+ssl handshake. Ive read a lot os documents but nothing. I did one try pretty like the configurations you post here and nothing.

              If you can help-me to start maybe I can reach the solution because my last requeriment (to implement) is that one. To provide a secure media to access EJB3. (im using 4.0.4.GA ).

              Can you give-me some directions of where I can find more about it? or just what you put here can be usefull?

              And another question. How can be safe to do a client authenticate in a ssl session with a certificate? anyone with this will not be able to get this secure connection?

              I saw that none in the whole internet know how to do that! (or just hide it :P)
              You can contact me direct by mail on rubentrancoso a+ gmail d0t com

              • 4. Re: RMI over SSL - mutual authentication
                Eva Kalatova Newbie

                Hello rtrancoso.
                I am afraid, that JBoss doesn't support this functionality - as I described, the only thing to secure the RMI was, that the client had to have server certificate in its trust store. I also browsed over many JBoss tutorials and forums and nothing helped me in this way.

                Some informations can be found here:
                http://itextdocs.lowagie.com/techtips/ssl/ - RMI over SSL
                and here:

                So good luck with solving this problem. We have moved to WebShere, where this security is supported.

                • 5. Re: RMI over SSL - mutual authentication
                  Yukai Wang Newbie

                  I have the same problem. Server certs works but when it comes to mutual certs, never works. Can this be consider as a BUG that even these two parameters were added:


                  but it's not really useful?

                  By the way, the error I got is:

                  16:10:50,328 WARN [ServiceController] Problem starting service jboss:service=in
                  at org.jboss.security.ssl.Context.forDomain(Context.java:66)
                  at org.jboss.security.ssl.DomainServerSocketFactory.initSSLContext(Domai
                  at org.jboss.security.ssl.DomainServerSocketFactory.createServerSocket(D
                  at org.jboss.security.ssl.DomainServerSocketFactory.createServerSocket(D
                  at org.jboss.security.ssl.RMISSLServerSocketFactory.createServerSocket(R
                  at sun.rmi.transport.tcp.TCPEndpoint.newServerSocket(TCPEndpoint.java:61
                  at sun.rmi.transport.tcp.TCPTransport.listen(TCPTransport.java:231)
                  at sun.rmi.transport.tcp.TCPTransport.exportObject(TCPTransport.java:178
                  at sun.rmi.transport.tcp.TCPEndpoint.exportObject(TCPEndpoint.java:382)
                  at sun.rmi.transport.LiveRef.exportObject(LiveRef.java:116)
                  at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:14
                  at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:12

                  • 6. Re: RMI over SSL - mutual authentication
                    biebel1975 Newbie

                    Did you found a solution? I've got the same problem.