2 Replies Latest reply on Feb 1, 2004 1:38 PM by Adrian Brock

    JMS client and MDB over SSL

    belaf Newbie

       

      "Belaf" wrote:
      I am trying to send messages to a Message Driven Bean (MDB) from a JMS client via SSL. I am successfully calling a session bean from a client program via SSL. However, the MDB keeps coming up on the default non-SSL instead of the SSL (4447--see below) defined port. I am listing the definitions that I include in the ear file containing the MDB. What is missing in these three definition files:

      jbossmq-service:
      +++++++++++

      <?xml version="1.0" encoding="UTF-8"?>

      <!-- The SSL domain setup -->
      <mbean code="org.jboss.mq.il.uil2.UILServerILService"
      name="jboss.mq:service=InvocationLayer,type=HTTPSUIL2">
      <depends optional-attribute-name="Invoker">jboss.mq:service=Invoker

      HTTPSUIL2ConnectionFactory

      HTTPSUIL2XAConnectionFactory
      org.jboss.security.ssl.ClientSocketFactory
      org.jboss.security.ssl.DomainServerSocketFactory
      java:/jaas/RMI+SSL2




      chap8.keystore
      rmi+ssl


      jboss-service
      +++++++++

      <?xml version="1.0" encoding="UTF-8"?>



      <!-- The SSL domain setup -->
      <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
      name="jboss.security:service=JaasSecurityDomain,domain=RMI+SSL2">



      chap8.keystore
      rmi+ssl


      <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
      name="jboss:service=invoker,type=jrmp,socketType=SSL">
      4447

      org.jboss.security.ssl.RMISSLClientSocketFactory


      org.jboss.security.ssl.RMISSLServerSocketFactory

      java:/jaas/RMI+SSL2




      jboss.xml
      +++++++

      <?xml version="1.0"?>

      <enterprise-beans>
      <message-driven>
      <ejb-name>TextMDB</ejb-name>
      <destination-jndi-name>queue/B</destination-jndi-name>
      <resource-ref>
      <res-ref-name>jms/QCF</res-ref-name>
      <jndi-name>ConnectionFactory</jndi-name>
      </resource-ref>
      <configuration-name>Standard Message Driven Bean</configuration-name>
      <home-invoker>jboss:service=invoker,type=jrmp,socketType=SSL</home-invoker>
      <bean-invoker>jboss:service=invoker,type=jrmp,socketType=SSL</bean-invoker>
      <message-invoker>jboss:service=invoker,type=jrmp,socketType=SSL</message-invoker>
      </message-driven>
      </enterprise-beans>


      The snippet of the bat file that executes the JMS client program:
      -Djava.security.manager -Djava.security.policy="C:/UserInfo/app.policy" -Djavax.net.ssl.trustStore="C:/UserInfo/chap8.keystore"


        • 1. Re: JMS client and MDB over SSL
          belaf Newbie

           

          "Belaf" wrote:

          I made additional progress in this area and now I am getting SSL working with JMS, but I need additional verification. I made the following changes:

          Updated jboss-service.xml with the following statements:

          <!-- The SSL domain setup -->
          <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
          name="jboss.security:service=JaasSecurityDomain,domain=SSL">
          <constructor>
          <arg type="java.lang.String" value="SSL"/>
          </constructor>
          <attribute name="KeyStoreURL">chap8.keystore</attribute>
          <attribute name="KeyStorePass">rmi+ssl</attribute>
          </mbean>

          Updated jbossmq-service with the following statements:

          <mbean code="org.jboss.mq.il.uil.UILServerILService"
          name="jboss.mq:service=InvocationLayer,type=UIL">
          <depends optional-attribute-name="Invoker">jboss.mq:service=Invoker</depends>
          <attribute name="ConnectionFactoryJNDIRef">
          HTTPSUIL2ConnectionFactory</attribute>
          <attribute name="XAConnectionFactoryJNDIRef">
          HTTPSUIL2XAConnectionFactory</attribute>
          <attribute name="ClientSocketFactory">org.jboss.security.ssl.ClientSocketFactory</attribute>
          <attribute name="ServerSocketFactory">org.jboss.security.ssl.DomainServerSocketFactory</attribute>
          <attribute name="SecurityDomain">java:/jaas/SSL</attribute>
          <attribute name="ServerBindPort">8091</attribute>
          <attribute name="PingPeriod">60000</attribute>
          <attribute name="EnableTcpNoDelay">true</attribute>

          </mbean>

          When I specify the javax.net.ssl.trustStore in my client JMS program, everything works. However, when I don't specify the javax.net.ssl.trustStore in my client JMS program, I get an abend because the trustStore is missing.

          I was wondering if there are any additional verification that I can run to see if SSL is working properly? Obviously, the final verification is to get a sniffer, but I am thinking about non-sniffer verification methods because it is difficult to get the sniffer in place.






          • 2. Re: JMS client and MDB over SSL
            Adrian Brock Master

            Use a truststore that doesn't have the certificate.

            You can also enable logging (see the jsse doco provided by sun).

            Regards,
            Adrian