Monday Mar 29, 2010

Accessing ORB service securely in GlassFish v3

Transport security in EJB is indicated by the IOR (Interoperable Object Reference) security representation of the ORB (Object Request Broker) layer. In GlassFish, the security-configuration information for the ORB is specified using the <ior-security-config> element of sun-ejb-jar.xml. The <transport-config> element is a child of <ior-security-config> and is the root element for security between the end points.

<!ELEMENT transport-config ( integrity, confidentiality, establish-trust-in-target, establish-trust-in-client )>

The integrity and confidentiality child elements indicate whether the target requires or supports integrity-protected or privacy-protected messages. The valid values are NONE, SUPPORTED or REQUIRED.

<!ELEMENT integrity ( #PCDATA)>
<!ELEMENT confidentiality ( #PCDATA)>

The establish-trust-in-target element indicates whether the target (server) is capable of authenticating to a client, and establish-trust-in-client indicates whether the target requires or supports authentication of the client.

The transport between the client and the server can be secured with an <ior-security-config> element similar to:

<ior-security-config>
    <transport-config>
        <integrity>REQUIRED</integrity>
        <confidentiality>REQUIRED</confidentiality>
        <establish-trust-in-target>SUPPORTED</establish-trust-in-target>
        <establish-trust-in-client>SUPPORTED</establish-trust-in-client>
    </transport-config>
</ior-security-config>
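Because a descriptor that says SUPPORTED (or omits an element) still lets the ORB fall back to plaintext IIOP, it is worth checking deployment descriptors mechanically before they ship. The following script is an added example, not part of the original post and not GlassFish code: it parses the <ior-security-config>/<transport-config> of every <ejb> in a sun-ejb-jar.xml, validates each child against the NONE/SUPPORTED/REQUIRED vocabulary, and reports every bean whose integrity or confidentiality is not REQUIRED. The function names and the embedded sample descriptor (with the bean names SecureBean, LegacyBean and NoConfigBean) are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Vocabulary of the integrity/confidentiality/establish-trust-* elements.
VALID_VALUES = {"NONE", "SUPPORTED", "REQUIRED"}
TRANSPORT_CHILDREN = (
    "integrity",
    "confidentiality",
    "establish-trust-in-target",
    "establish-trust-in-client",
)

# Constructed sample sun-ejb-jar.xml (hypothetical bean names) for this example.
SAMPLE_SUN_EJB_JAR = """<sun-ejb-jar>
  <enterprise-beans>
    <ejb>
      <ejb-name>SecureBean</ejb-name>
      <ior-security-config>
        <transport-config>
          <integrity>
             REQUIRED
          </integrity>
          <confidentiality>REQUIRED</confidentiality>
          <establish-trust-in-target>SUPPORTED</establish-trust-in-target>
          <establish-trust-in-client>SUPPORTED</establish-trust-in-client>
        </transport-config>
      </ior-security-config>
    </ejb>
    <ejb>
      <ejb-name>LegacyBean</ejb-name>
      <ior-security-config>
        <transport-config>
          <integrity>SUPPORTED</integrity>
          <confidentiality>NONE</confidentiality>
          <establish-trust-in-target>SUPPORTED</establish-trust-in-target>
          <establish-trust-in-client>NONE</establish-trust-in-client>
        </transport-config>
      </ior-security-config>
    </ejb>
    <ejb>
      <ejb-name>NoConfigBean</ejb-name>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>
"""


def parse_transport_configs(sun_ejb_jar_xml):
    """Map each ejb-name to its transport-config values (None if absent).

    Element text is stripped and upper-cased so that the whitespace-padded
    form used in hand-written descriptors (see the sample) is accepted.
    """
    root = ET.fromstring(sun_ejb_jar_xml)
    configs = {}
    for ejb in root.iter("ejb"):
        name = (ejb.findtext("ejb-name") or "?").strip()
        tc = ejb.find("ior-security-config/transport-config")
        if tc is None:
            configs[name] = None
            continue
        cfg = {}
        for child in TRANSPORT_CHILDREN:
            text = tc.findtext(child)
            cfg[child] = text.strip().upper() if text is not None else None
        configs[name] = cfg
    return configs


def audit_transport_configs(configs):
    """Return (ejb-name, message) findings; an empty list means every bean
    requires both integrity and confidentiality on the transport."""
    findings = []
    for name, cfg in configs.items():
        if cfg is None:
            findings.append((name, "no <ior-security-config>/<transport-config>; ORB defaults apply"))
            continue
        for child in TRANSPORT_CHILDREN:
            value = cfg[child]
            if value is None:
                findings.append((name, f"<{child}> missing"))
            elif value not in VALID_VALUES:
                findings.append((name, f"<{child}> has invalid value {value!r}"))
        # SUPPORTED still permits a plaintext IIOP connection; only REQUIRED refuses it.
        for child in ("integrity", "confidentiality"):
            value = cfg[child]
            if value in VALID_VALUES and value != "REQUIRED":
                findings.append((name, f"<{child}> is {value}; plaintext IIOP still accepted"))
    return findings


if __name__ == "__main__":
    for bean, msg in audit_transport_configs(parse_transport_configs(SAMPLE_SUN_EJB_JAR)):
        print(f"{bean}: {msg}")
```

Run against the embedded sample, the audit is silent for SecureBean and reports LegacyBean twice (integrity SUPPORTED, confidentiality NONE) plus NoConfigBean once for having no transport configuration at all. Point it at a real sun-ejb-jar.xml by replacing the sample string with the file contents.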

However, with the above IOR configuration the client is not guaranteed to contact the name service securely (the service that is invoked by a call to InitialContext.lookup()). In GlassFish this service usually runs non-securely on port 3700 and securely on port 3820. By default, the client contacts the name service of the application server non-securely on port 3700. To secure this connection in GlassFish v3, the following techniques can be used:

1. When using an application client, the sun-acc.xml in <domain-dir>/config should be modified to include a security element inside the target-server parent element:

<target-server name="localhost" address="localhost" port="3820">
    <security>
        <ssl/>
    </security>
</target-server>

This indicates to the server that the client demands a secure ORB connection. While running the appclient, the following system properties are passed:

-Djavax.net.ssl.trustStore=<domain-dir>/config/cacerts.jks

-Djavax.net.ssl.keyStore=<domain-dir>/config/keystore.jks

-Djavax.net.ssl.trustStorePassword=<password>

-Djavax.net.ssl.keyStorePassword=<password>

-Dorg.omg.CORBA.ORBInitialPort=3820 (this forces the client to contact the secure ORB service provided by the application server)

Now, on running the appclient with the above system properties, the name service connection is also secured along with the other transport.

2. When using a standalone POJO client, in addition to setting the above system properties, an additional property indicating the client's preference for a secure ORB connection must be set:

-Dcom.sun.CSIV2.ssl.standalone.client.required=true

With this, the client can contact the name service of the server securely. This feature is available in the latest trunk builds of GlassFish v3.
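The two client-side steps above are easy to get partly right (SSL in sun-acc.xml but the port left at 3700, or the trust store set but ORBInitialPort omitted), and a partial setup silently falls back to the plaintext name service. The script below is an added example, not from the original post and not GlassFish code: it checks a sun-acc.xml for the <target-server> settings of step 1 and checks a JVM argument list for the system properties of steps 1 and 2. The function names and the constructed sample sun-acc.xml and argument lists are assumptions for this example; <domain-dir> and <password> are left as placeholders.

```python
import xml.etree.ElementTree as ET

SECURE_ORB_PORT = 3820   # secure name service / ORB port in GlassFish
PLAIN_ORB_PORT = 3700    # default non-secure port

# System properties listed in the post for both the appclient and a POJO client.
COMMON_PROPS = (
    "javax.net.ssl.trustStore",
    "javax.net.ssl.keyStore",
    "javax.net.ssl.trustStorePassword",
    "javax.net.ssl.keyStorePassword",
    "org.omg.CORBA.ORBInitialPort",
)
# Extra property the post requires for a standalone POJO client.
STANDALONE_PROP = "com.sun.CSIV2.ssl.standalone.client.required"

# Constructed sample sun-acc.xml fragments for this example.
SECURE_SUN_ACC = """<client-container>
  <target-server name="localhost" address="localhost" port="3820">
    <security>
      <ssl/>
    </security>
  </target-server>
</client-container>
"""
PLAIN_SUN_ACC = """<client-container>
  <target-server name="localhost" address="localhost" port="3700"/>
</client-container>
"""

# Constructed JVM argument list matching the post (placeholders kept as-is).
APPCLIENT_ARGS = [
    "-Djavax.net.ssl.trustStore=<domain-dir>/config/cacerts.jks",
    "-Djavax.net.ssl.keyStore=<domain-dir>/config/keystore.jks",
    "-Djavax.net.ssl.trustStorePassword=<password>",
    "-Djavax.net.ssl.keyStorePassword=<password>",
    "-Dorg.omg.CORBA.ORBInitialPort=3820",
]


def audit_target_servers(sun_acc_xml):
    """Return findings for every <target-server> in sun-acc.xml that would not
    reach the ORB over SSL: wrong port, or no <security><ssl/> child."""
    findings = []
    for ts in ET.fromstring(sun_acc_xml).iter("target-server"):
        name = ts.get("name", "?")
        port = int(ts.get("port", PLAIN_ORB_PORT))
        if port != SECURE_ORB_PORT:
            findings.append((name, f"port {port} is not the secure ORB port {SECURE_ORB_PORT}"))
        if ts.find("security/ssl") is None:
            findings.append((name, "no <security><ssl/> element; plaintext ORB connection"))
    return findings


def parse_jvm_props(args):
    """Collect -Dkey=value arguments into a dict (value '' when no '=' given)."""
    props = {}
    for arg in args:
        if arg.startswith("-D"):
            key, _, value = arg[2:].partition("=")
            props[key] = value
    return props


def audit_jvm_props(args, standalone_client):
    """Return findings for missing or wrong system properties.

    standalone_client=True applies the extra POJO-client requirement of step 2.
    """
    props = parse_jvm_props(args)
    findings = []
    for key in COMMON_PROPS:
        if key not in props:
            findings.append(f"-D{key} not set")
    if props.get("org.omg.CORBA.ORBInitialPort", "") not in ("", str(SECURE_ORB_PORT)):
        findings.append(f"ORBInitialPort is {props['org.omg.CORBA.ORBInitialPort']}, expected {SECURE_ORB_PORT}")
    if standalone_client and props.get(STANDALONE_PROP, "").strip().lower() != "true":
        findings.append(f"-D{STANDALONE_PROP}=true required for a standalone client")
    return findings


if __name__ == "__main__":
    print(audit_target_servers(PLAIN_SUN_ACC))
    print(audit_jvm_props(APPCLIENT_ARGS, standalone_client=True))
```

With the sample inputs, the secure sun-acc.xml and the appclient argument list both pass, the plaintext sun-acc.xml yields two findings (port 3700 and no <ssl/>), and the same argument list fails for a standalone client only because the com.sun.CSIV2.ssl.standalone.client.required property is absent. A missing or unexpected ORBInitialPort is reported separately so the two failure modes (no property, wrong port) are distinguishable.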

About

nitkal
