I have an EJB application running on my server. It runs over iiop+ssl and everything works. My client side uses IIOP.NET and it works too.
After that, I installed an SSL accelerator card to encrypt and decrypt the SSL traffic. So, my server is liberated. The SSL card makes the SSL traffic transparent to the server. Then, I configured JBoss as if the traffic were not under SSL. When I run my application the following error message appears on my client side:
excepcion System.Runtime.Remoting.RemotingException: No se puede crear un receptor de canal para conectarse a la dirección URL IOR:00000000
000000004000000000000001F0000000400000003. Es posible que no se haya registrado un canal correcto.
That IOR is the same one that appears in JBoss when I deploy the server side of the EJB.
I contacted technical support of IIOP.NET and they told me the following:
"The problem is that the profiles in your IOR don't contain the SSL tagged component (TAG_SSL_SEC_TRANS). This component inside an IOR profile specifies what the SSL policy supported by the server is, e.g. client authentication required or not.
If this component is missing, IIOP.NET is not able to connect to the server with the SSL transport. (Other Corba IIOP clients would throw a NO_PERMISSION exception in this case).
As a workaround, you could possibly try to add an IOR interceptor on the server side (install it in jacorb) to add this component.
I'm not sure, how this problem is solved in the CORBA field. Are there possibly some CORBA aware SSL cards? "
Does anybody know how to add this IOR interceptor?
Any help will be useful.
Thanks and best regards
I don't know exactly how ssl accelerators work, but would the exported IOR need to contain the host/ssl port of the accelerator?
Another idea to try may be to configure normally the server for ssl, but use a plain (non-ssl) connection factory, maybe?
First of all, thanks
The ssl accelerator creates a proxy with an external port and an internal port. SSL traffic enters the external port. The card decrypts the traffic and moves it (now it's plain text) to the internal port.
I configured the proxy with 3529 (external port) and 3528 (internal port). The key and certificate pair is created and stored in the card.
I'll try to use a plain connection factory with SSL configuration.
Do you have any other idea?
Thanks and regards
Could you say in what file I have to change the connection factory, and which are the factories?
I just checked and it probably won't work because SSLServerSocketFactory is a subinterface of ServerSocketFactory, so it probably won't accept a value of org.jacorb.orb.factory.DefaultServerSocketFactory
(try that anyways :)
All the relevant entries are in conf/jacorb.properties (in the 'all' configuration).
You can try also to see if that does the trick
I guess you want to set those 2 as well, to the address/port of the accelerator card:
I tried what you told me and these are the results:
If I launch the server with ssl configuration changing the factories, i.e., jacorb.ssl.socket_factory=org.jacorb.orb.factory.DefaultSocketFactory
the following error appears:
12:41:25,578 ERROR [giop] org.jacorb.orb.factory.DefaultSocketFactory.(org.jacorb.orb.ORB)
12:41:25,593 ERROR [CorbaORBService] Starting failed jboss:service=CorbaORB
java.lang.RuntimeException: SSL support is on, but the ssl socket factory can't be instantiated (org.jacorb.orb.factory.DefaultSocketFactor
If I launch server with ssl configuration but with
this error appears in the client side:
excepcion System.IO.IOException: no GIOP-Message
Server stack trace:
at Ch.Elca.Iiop.GiopHeader..ctor(CdrInputStreamImpl stream)
at Ch.Elca.Iiop.GiopTransportClientMsgHandler.ReceiveResponseMessage(UInt32 reqNr)
at Ch.Elca.Iiop.GiopTransportClientMsgHandler.ProcessResponse(UInt32 forReqId, ITransportHeaders& responseHeaders)
at Ch.Elca.Iiop.IiopClientTransportSink.ProcessMessage(IMessage msg, ITransportHeaders requestHeaders, Stream requestStream, ITransportHeaders& responseHeaders, Stream& responseStream)
at Ch.Elca.Iiop.IiopClientFormatterSink.SyncProcessMessage(IMessage msg)
Exception rethrown at :
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at omg.org.CosNaming.NamingContext.resolve(NameComponent nameComponents)
at clientedotnet.CMyClase.Main(String args) in d:\ejemplo jose luis\clientenfastultra\Class1.cs:line 84
With regard to
In proxy host I write my server IP, but what port do I have to write in proxy_port?
The only one that doesn't throw an error message is 3528, with non ssl configuration, but the client side throws the same error as above.
Thanks and regards
Maybe the IORInterceptor is the cleanest solution after all :) It needs some more careful examination since the various pieces are already there and it could just be a matter of configuration, I just haven't looked at it in much detail...
Francisco may know how to set this up?
A little dirty hack would be to just subclass DefaultServerSocketFactory and provide dummy implementations for the 2-3 extra SSLServerSocketFactory methods to pass the initial construction step. Then configure for ssl as usual...
Thank you very much,
I'll wait for your solution.
Do you have any new news about my problem?
Didn't have time for that, sorry :(
Apparently this discussion should probably be moved to a user forum.
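
The IOR interceptor that IIOP.NET support suggests in the thread above, as an added example that is not code from any poster, JBoss or JacORB. It assumes JacORB's org.omg.SSLIOP classes are on the classpath and that the accelerator's external port is 3529 as stated in the thread; the class names are hypothetical and the association-option bit values are taken from the CORBA Security specification.

```java
import org.omg.CORBA.Any;
import org.omg.CORBA.LocalObject;
import org.omg.CORBA.ORB;
import org.omg.IOP.Codec;
import org.omg.IOP.ENCODING_CDR_ENCAPS;
import org.omg.IOP.Encoding;
import org.omg.IOP.TAG_INTERNET_IOP;
import org.omg.IOP.TaggedComponent;
import org.omg.PortableInterceptor.IORInfo;
import org.omg.PortableInterceptor.IORInterceptor;
import org.omg.PortableInterceptor.ORBInitInfo;
import org.omg.PortableInterceptor.ORBInitializer;
import org.omg.SSLIOP.SSL;
import org.omg.SSLIOP.SSLHelper;
import org.omg.SSLIOP.TAG_SSL_SEC_TRANS;

// Hypothetical class: adds TAG_SSL_SEC_TRANS to every IIOP profile the ORB exports.
public class SslOffloadIorInitializer extends LocalObject implements ORBInitializer {
    // Association option bits (values assumed from the CORBA Security specification).
    static final short INTEGRITY = 2, CONFIDENTIALITY = 4, ESTABLISH_TRUST_IN_TARGET = 32;
    static final short EXTERNAL_SSL_PORT = 3529; // accelerator's SSL port, from the thread
    public void pre_init(ORBInitInfo info) { }
    public void post_init(ORBInitInfo info) {
        try {
            Encoding cdr = new Encoding(ENCODING_CDR_ENCAPS.value, (byte) 1, (byte) 0);
            info.add_ior_interceptor(new Interceptor(info.codec_factory().create_codec(cdr)));
        } catch (Exception e) {
            throw new RuntimeException("cannot install SSL IOR interceptor", e);
        }
    }
    static class Interceptor extends LocalObject implements IORInterceptor {
        private final Codec codec;
        Interceptor(Codec codec) { this.codec = codec; }
        public String name() { return "SslOffloadIorInterceptor"; }
        public void destroy() { }
        public void establish_components(IORInfo info) {
            // supports: what the SSL endpoint offers; requires: what a client must use.
            short supports = (short) (INTEGRITY | CONFIDENTIALITY | ESTABLISH_TRUST_IN_TARGET);
            short requires = (short) (INTEGRITY | CONFIDENTIALITY);
            try {
                Any any = ORB.init().create_any();
                SSLHelper.insert(any, new SSL(supports, requires, EXTERNAL_SSL_PORT));
                info.add_ior_component_to_profile(new TaggedComponent(
                        TAG_SSL_SEC_TRANS.value, codec.encode_value(any)), TAG_INTERNET_IOP.value);
            } catch (Exception e) {
                throw new RuntimeException("cannot add TAG_SSL_SEC_TRANS", e);
            }
        }
    }
}
```

The initializer is registered with the standard ORB property `org.omg.PortableInterceptor.ORBInitializerClass.SslOffloadIorInitializer`, which can go in conf/jacorb.properties. Because the internal port 3528 carries decrypted IIOP, it should accept connections only from the accelerator.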