6 Replies Latest reply on Feb 16, 2005 3:47 PM by alt_amit

    JMS over SSL

    rmathew

      Hi, I am a newbie to JBOSS and JMS, and have set up a basic messaging client. I manage to connect to the server. All's hunky dory thus far.

      However, I would like to run this whole setup on a more secure basis, using SSL and I might need to use HTTP tunneling as well.
      I was looking around for docs, posts on this forum and other JBOSS forums for some information to get started with. Couldn't find any info.
      Would be very grateful if someone could point me to some info on this.
      Rajesh

        • 1. Re: JMS over SSL

          If you have jboss-3.2.3:

          you can find an example ssl configuration in docs/examples/jms

          jms over http is already deployed by default, but you'll need to configure https
          for tomcat and use the https naming factory in your jndi.properties.

          Regards,
          Adrian

          • 2. Re: JMS over SSL
            rmathew

            Hi Adrian, thanks a lot. I am kinda lost here. As I said, I got basic messaging in place. Would be grateful if you could point me to some resource which would give me step by step info on how to go about using HTTPS.
            I did buy the admin guide, but it does not tell me how/where to specify use of the HTTP Invocation Layer.
            Thanks a lot.

            • 3. Re: JMS over SSL

              The http invocation layer is bound at: HTTPConnectionFactory in jndi
              If you also want to use JNDI over HTTP you need to use the
              HTTPNamingContextFactory - there are examples with the book.

              Once you have that working, you will need to configure SSL on the server
              and the client.

              If you just want a tcp/ip connection using ssl look at the misnamed
              docs/examples/jms/https-service.xml

              Regards,
              Adrian

              • 4. Re: JMS over SSL
                rmathew

                Hey,
                Adrian, thanks a lot for your prompt replies. So let me get this straight.
                i) all I need to get the lookup over http is to use the httpconnectionfactory in the properties file?
                ii) all I need to use JMS over http is to do something like this?
                TopicConnectionFactory cF= (TopicConnectionFactory)jndi.lookup("HTTPXAConnectionFactory");
                And I am up and running?
                Shall get to https later :-)
                Thanks a lot,
                Rajesh

                • 5. Re: JMS over SSL
                  rmathew

                  Hi,
                  I have JNDI and JMS running over HTTP. All fine. But I would like to move on to HTTPS and am facing problems. Any help would be great. Kinda stuck. I have modified the SSL connector configuration in jboss-service.xml in jbossweb-tomcat41.sar\META-INF
                  It's now as shown below.

                  ************************************************************
                  <Connector className = "org.apache.coyote.tomcat4.CoyoteConnector"
                             address="" port = "8443" scheme = "https" secure = "true">
                    <Factory className = "org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
                             keystoreFile="/conf/server.keystore"
                             keystorePass="changeit"
                             protocol = "TLS"/>
                  </Connector>

                  ************************************************************

                  I am able to telnet into my machine on port 8443 from another machine, and when I start up the browser and try going to
                  https://192.168.x.y:8443/ from that remote machine, it shows up the "Security Alert" prompting me about the certificate, though it goes on to say
                  "HTTP Status 500 - No Context configured to process this request", which shouldn't be a problem I guess. At least the server is accepting https requests.
                  However, when I start up my JMS client and try to connect to the server, I get the following exception, when I try to do a JNDI lookup using the file
                  jndi.properties shown below

                  javax.naming.NamingException: Failed to retrieve Naming interface [Root exception is java.io.IOException]

                  jndi.properties
                  ************************************************************
                  #java.naming.provider.url=http://192.168.3.42:8080/invoker/JNDIFactory
                  java.naming.provider.url=https://192.168.3.42:8443/invoker/JNDIFactory
                  java.naming.factory.initial=org.jboss.naming.HttpNamingContextFactory
                  java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces
                  ************************************************************

                  The JNDI lookup works with the http line though, if the https one is commented.

                  I would be grateful if someone could guide me along a little.
                  Thanks a lot,
                  Rajesh Mathew.

                  • 6. Re: JMS over SSL
                    alt_amit

                    I know it's been a year since the last post, but here are some things that should be done:

                    the certificate should be stored back to the cacerts repository on the server, so server authentication doesn't throw an exception

                    use host ip not name if that's how the HTTPServerILService is configured.

                    use correct keystoretype

                    disable client auth, if not doing so (server auth should be enough)

                    Add the following in client code:

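                    import javax.net.ssl.HostnameVerifier;
                    import javax.net.ssl.HttpsURLConnection;
                    import javax.net.ssl.SSLSession;

                    // Accepts every host name: the mismatch is only logged, never rejected.
                    HostnameVerifier hv = new HostnameVerifier() {
                        public boolean verify(String urlHostName, SSLSession session) {
                            System.out.println("Warning: URL Host: " + urlHostName + " vs. " + session.getPeerHost());
                            return true;
                        }
                    };

                    HttpsURLConnection.setDefaultHostnameVerifier(hv);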
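
The verifier in reply 6 returns true for every host, so a name mismatch no longer stops the HTTPS connection. The following is an added example (not from the thread or from JBoss) of a narrower fallback that tolerates the mismatch only for one configured host presenting one pinned certificate; the class name `PinnedHostVerifier` and the all-zero fingerprint are assumptions/placeholders, and Java 11+ is assumed for `String.repeat`.

```java
import java.security.MessageDigest;
import java.security.cert.Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

/** Hypothetical fallback verifier: one allowed host, one pinned server certificate. */
public class PinnedHostVerifier implements HostnameVerifier {
    private final String expectedHost;  // host exactly as written in java.naming.provider.url
    private final byte[] pinnedSha256;  // SHA-256 over the DER-encoded server certificate

    public PinnedHostVerifier(String expectedHost, String sha256Hex) {
        this.expectedHost = expectedHost;
        this.pinnedSha256 = hexToBytes(sha256Hex);
    }

    @Override
    public boolean verify(String urlHostName, SSLSession session) {
        // HttpsURLConnection calls this only after its own name check failed, so be strict.
        if (!expectedHost.equalsIgnoreCase(urlHostName)) return false;
        try {
            Certificate leaf = session.getPeerCertificates()[0];
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
            return MessageDigest.isEqual(actual, pinnedSha256); // constant-time comparison
        } catch (Exception e) {
            return false; // unauthenticated peer or encoding failure: reject
        }
    }

    static byte[] hexToBytes(String hex) {
        if (hex.length() != 64) throw new IllegalArgumentException("expected 64 hex characters");
        byte[] out = new byte[32];
        for (int i = 0; i < 32; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed values: the host from the jndi.properties above, placeholder fingerprint.
        String host = "192.168.3.42";
        String pin = "00".repeat(32); // replace with the real certificate's SHA-256 (hex)
        HttpsURLConnection.setDefaultHostnameVerifier(new PinnedHostVerifier(host, pin));
        System.out.println("Pinned hostname verifier installed for " + host);
    }
}
```

Certificate chain validation still runs against the client's trust store before this callback, so the server certificate must be imported there as the first item in reply 6 describes.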