11 Replies Latest reply on Aug 4, 2012 4:06 AM by ybxiang.china

    Remoting-connector with SSL

    mates1234

      How can I configure remoting-connector with SSL?

       

      I tried to configure a security-realm with an ssl server-identifier and then use it as the security-realm in remoting-connector, but it does not work.

        • 1. Re: Remoting-connector with SSL
          dlofthouse

          Could you please elaborate further on what you mean when you say it does not work?

          What kind of client are you trying to connect to the connector?  Also could you please show some of the relevant configuration of both the realm and the connector.

          • 2. Re: Remoting-connector with SSL
            mates1234

            standalone.xml

            <security-realm name="SSLRealm">
              <server-identities>
                <ssl>
                  <keystore path="localhost.keystore" password="EJB-SSL_KEYPAIR_PASSWORD" relative-to="jboss.server.config.dir"/>
                </ssl>
              </server-identities>
              <authentication>
                <jaas name="bean-sec-domain" />
              </authentication>
            </security-realm>
            ....
            <connector name="remoting-connector" socket-binding="remoting" security-realm="SSLRealm" />
            ...

             

            ejb: client

            Properties p = new Properties();
            p.setProperty(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
            p.put("jboss.naming.client.ejb.context", true);
            InitialContext c = new InitialContext(p);
            TestBeanRemote vLookup = (TestBeanRemote) c.lookup("ejb:TestEar/TestEjb/TestBean!"+ TestBeanRemote.class.getName());

             

            jboss-ejb-client.properties

            remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=true
            remote.connections=x1
            remote.connection.x1.host=127.0.0.1
            remote.connection.x1.port = 4447
            remote.connection.x1.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
            remote.connection.x1.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false
            remote.connection.x1.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER

             

            and the result is

            ERROR: JBREM000200: Remote connection failed: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
            28.2.2012 8:23:28 org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector setupEJBReceivers
            WARN: Could not register a EJB receiver for connection to remote://127.0.0.1:4447
            java.lang.RuntimeException: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
                at org.jboss.ejb.client.remoting.IoFutureHelper.get(IoFutureHelper.java:91)

            • 3. Re: Remoting-connector with SSL
              dlofthouse

              There is one additional option you need on the client: -

               

              remote.connectionprovider.create.options.org.xnio.Options.SSL_STARTTLS=true

              • 4. Re: Remoting-connector with SSL
                mates1234

                I've got the same problem with SSL_STARTTLS=true

                It looks like there is no SSL connection on the server side.

                Is the server configuration correct?

                • 5. Re: Remoting-connector with SSL
                  dlofthouse

                  Can you try setting the option on 'remote.connection.x1.connect.options' instead?

                  • 6. Re: Remoting-connector with SSL
                    mates1234

                    That is it. Thanks

                    remote.connection.x1.connect.options.org.xnio.Options.SSL_STARTTLS=true

                    solved the problem.
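
The option placement worked out in replies 3 to 6, as an added example that is not part of the original posts: a small Python check over jboss-ejb-client.properties text that flags SSL_STARTTLS set at provider scope and connections that lack it. The function names, finding codes and sample inputs are constructed for this example; the property keys are the ones quoted in the thread.

```python
# Added example (not from the thread): lint jboss-ejb-client.properties text
# for the TLS option placement this thread arrived at.
PROVIDER = "remote.connectionprovider.create.options.org.xnio.Options."
CONNECT = "remote.connection.{}.connect.options.org.xnio.Options."

def parse_properties(text):
    """Minimal reader: key=value with optional spaces, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def is_true(props, key):
    return props.get(key, "").lower() == "true"

def check_tls(text):
    """Return (scope, code) findings; the finding codes are this example's own."""
    props, findings = parse_properties(text), []
    ssl_enabled = is_true(props, PROVIDER + "SSL_ENABLED")
    if not ssl_enabled:
        findings.append(("provider", "SSL_NOT_ENABLED"))
    if PROVIDER + "SSL_STARTTLS" in props:
        # Reply 4: same error with the option here; reply 6: works per connection.
        findings.append(("provider", "STARTTLS_WRONG_SCOPE"))
    names = [n.strip() for n in props.get("remote.connections", "").split(",")]
    for name in filter(None, names):
        opts = CONNECT.format(name)
        starttls = is_true(props, opts + "SSL_STARTTLS")
        if not starttls:
            findings.append((name, "STARTTLS_MISSING"))
        # NOPLAINTEXT not explicitly true permits plaintext SASL mechanisms;
        # flag it when the connection is not set up for TLS.
        no_plain = is_true(props, opts + "SASL_POLICY_NOPLAINTEXT")
        if not (ssl_enabled and starttls) and not no_plain:
            findings.append((name, "PLAINTEXT_SASL_WITHOUT_TLS"))
    return findings

# Constructed inputs based on replies 2-3 (failing) and reply 6 (working).
BASE = """remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=true
remote.connections=x1
remote.connection.x1.host=127.0.0.1
remote.connection.x1.port = 4447
remote.connection.x1.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false
"""
FAILING = BASE + PROVIDER + "SSL_STARTTLS=true\n"
WORKING = BASE + CONNECT.format("x1") + "SSL_STARTTLS=true\n"

if __name__ == "__main__":
    for label, text in (("failing", FAILING), ("working", WORKING)):
        print(label, check_tls(text))
```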

                    • 7. Re: Remoting-connector with SSL
                      mates1234

                      For lookup with the "remote://" protocol I've constructed the Properties for InitialContext like

                       

                      p.put("jboss.naming.client.remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED","true");

                      p.put("jboss.naming.client.connect.options.org.xnio.Options.SSL_STARTTLS","true");

                       

                      and now it works.

                      • 8. Re: Remoting-connector with SSL
                        mrusinak

                        Hello, I have a followup question. Is there any way to make the client ignore the server's certificate? We want to use SSL for encryption on remote EJB queries, but do not have control over the JVM the client runs to set the JVM level truststore / certificates to trust.

                         

                        Using:

                        remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=true
                        
                        remote.connections = x1
                         
                        remote.connection.x1.host       = 127.0.0.1
                        remote.connection.x1.port       = 9112
                        remote.connection.x1.username   = admin
                        remote.connection.x1.password   = admin
                        remote.connection.x1.connect.options.org.xnio.Options.SSL_STARTTLS=true
                        remote.connection.x1.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=true
                        remote.connection.x1.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=true
                        remote.connection.x1.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
                        

                        On running my client (which just tries to initiate a connection), I get an error on the client during EJB receiver registration:

                         INFO [main] (EndpointImpl.java:70) - JBoss Remoting version 3.2.3.GA
                         ERROR [Remoting "config-based-ejb-client-endpoint" read-1] (RemoteConnection.java:99) - JBREM000200: Remote connection failed: java.io.IOException: JBREM000202: Abrupt close on Remoting connection 76933bcb to computer/127.0.0.1:9112
                         WARN [main] (ConfigBasedEJBClientContextSelector.java:133) - Could not register a EJB receiver for connection to remote://127.0.0.1:9112
                        java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
                        

                         

                        With this jboss-side error:

                        ERROR [org.jboss.remoting.remote.connection] (Remoting "computer" read-1) JBREM000200: Remote connection failed: javax.net.ssl.SSLException: Fatal Alert received: Certificate Unknown

                         

                        Thanks for any help!

                        • 9. Re: Remoting-connector with SSL
                          dlofthouse

                          No, you do need the truststore on the client side to be able to verify the certificate, although you should be able to use the following properties on the client without affecting the JVM installation: -

                           

                          -Djavax.net.ssl.trustStore=client.truststore -Djavax.net.ssl.trustStorePassword=truststore_password

                           

                          The issue is that if the client is inadvertently forwarded to connect to a different address, a man-in-the-middle type attack with a fake private key is fairly simple, with that intermediary now having full access to the data being exchanged.

                          • 10. Re: Remoting-connector with SSL
                            mrusinak

                            Sorry, what I meant when I said JVM-level was exactly what you typed - the client is more or less a plugin to a running framework, so it isn't started in its own command window / environment. And while I can certainly access/change those via System, that affects every other "plugin" as well.

                             

                            I do realize not validating the certificate can lead to man-in-the-middle, but since we currently do not use SSL at all we have other means of validating who we are talking to. This is just a first step to get encrypted traffic. If we can't allow the client to ignore the certificate, then is there a way to be able to pass in our certificate to the properties used for .lookup()?

                            • 11. Re: Remoting-connector with SSL
                              ybxiang.china

                              Hello Mates,

                               

                                   In JBoss 6, we can use the annotations below on an EJB:

                               

                              @RemoteBindings({
                                  @RemoteBinding(clientBindUrl="sslsocket://${jboss.bind.address}:3843", jndiBinding="nms-ear/SSLSecuredRemoteSession/remote")
                                  ,@RemoteBinding(jndiBinding="nms-ear/SecuredRemoteSession/remote")
                              })
                              @Remote
                              public interface ISecuredRemoteSession extends ILogin{
                              ....

                               

                               

                              But, in JBoss 7, this annotation is NOT supported by default. How do you bind your EJB interface to an SSL IP and port?