Technology insights, news and tips.

Sun
April 8, 2006

Enterprise Java Bean over SSL

Enterprise JavaBeans provide a component-based architecture for
distributed business applications. Security is very important in the
enterprise environment, and SSL/TLS provides it at the transport layer:
encryption and integrity for the IIOP traffic between client and bean, and
authentication of the server (and optionally the client) by certificate.
In this blog, we discuss how to configure SSL for use with enterprise beans
and how to access an enterprise bean over SSL from a client.

Note

  • In the Java EE 5 SDK,
    GlassFish and the
    Sun Java System Application Server (SJSAS),
    the keystore password and the key password are the same, and the
    keystore and truststore passwords are the same for a given domain.
  • The SJSAS Enterprise Edition (EE) uses NSS for keystore management; the
    Platform Edition (PE) uses JKS keystores. The application client container,
    however, uses JKS keystores regardless of whether the Application Server
    is EE or PE.

Running Enterprise Beans over SSL


In SSL/TLS there are two kinds of authentication: SSL server authentication,
where only the client verifies the server's identity, and SSL mutual
authentication, where each side verifies the other's. To specify SSL/TLS for
an enterprise bean, use the <transport-config> subelement of the
<ior-security-config> element of the corresponding <ejb> element in the
runtime deployment descriptor, sun-ejb-jar.xml. Each option in
<transport-config> takes the CSIv2 values none, supported or required.
Only required actually forces the protection; supported merely advertises
it, and a client may still connect over plain IIOP.

The two options are specified in slightly different ways, as shown in
the following examples:

  • SSL: Server Authentication

    In this case, the client verifies the identity of the server by validating
    the server's certificate against its truststore. When using server
    authentication, make sure that the truststore of the client trusts the
    certificate of the server (or the CA that issued it). To require SSL
    server authentication, set the integrity element and the confidentiality
    element to required and leave establish-trust-in-client at supported.
    For instance,
    <sun-ejb-jar>
      <enterprise-beans>
        <ejb>
          <ejb-name>SSLTheConverter</ejb-name>
          <jndi-name>SSLconverter</jndi-name>
          <ior-security-config>
            <transport-config>
              <integrity>required</integrity>
              <confidentiality>required</confidentiality>

              <establish-trust-in-target>supported</establish-trust-in-target>
              <establish-trust-in-client>supported</establish-trust-in-client>
            </transport-config>
            <sas-context>
              <caller-propagation>supported</caller-propagation>
            </sas-context>
          </ior-security-config>
        </ejb>
      </enterprise-beans>
    </sun-ejb-jar>

  • SSL Mutual Authentication

    In this case, both the client and the server verify each other's identity
    by validating certificates against their respective truststores. When
    using mutual authentication, make sure that the truststore of the client
    trusts the certificate of the server and the truststore of the server
    trusts the certificate of the client. To require SSL mutual
    authentication, set the integrity element, the confidentiality element
    and the establish-trust-in-client element to required. For instance,
    <sun-ejb-jar>
      <enterprise-beans>
        <ejb>
          <ejb-name>SSLTheConverter</ejb-name>
          <jndi-name>SSLconverter</jndi-name>
          <ior-security-config>
            <transport-config>
              <integrity>required</integrity>
              <confidentiality>required</confidentiality>

              <establish-trust-in-target>supported</establish-trust-in-target>
              <establish-trust-in-client>required</establish-trust-in-client>

            </transport-config>
            <sas-context>
              <caller-propagation>supported</caller-propagation>
            </sas-context>
          </ior-security-config>
        </ejb>
      </enterprise-beans>
    </sun-ejb-jar>

Using SSL with the Application Client Container

To use SSL with the Application Client Container (ACC), you need to pass the
keystore and truststore system properties to the client JVM through the
VMARGS environment variable. Substitute real paths and the domain's SSL
password for the ${...} placeholders below. Note that properties set with
-D are part of the process command line and are therefore visible to other
local users (for example via ps), keystore password included.

  • Set the environment variable VMARGS in the shell.

    For example, in ksh or bash the command to set this environment
    variable would be:
    export VMARGS="-Djavax.net.ssl.keyStore=${keystore.db.file} \
      -Djavax.net.ssl.trustStore=${truststore.db.file} \
      -Djavax.net.ssl.keyStorePassword=${ssl.password} \
      -Djavax.net.ssl.trustStorePassword=${ssl.password}"

  • Set the env element in the ant script.
    For instance,
    <target name="runclient">
      <exec executable="${S1AS_HOME}/bin/appclient">
        <env key="VMARGS" value="-Djavax.net.ssl.keyStore=${keystore.db.file} -Djavax.net.ssl.trustStore=${truststore.db.file} -Djavax.net.ssl.keyStorePassword=${ssl.password} -Djavax.net.ssl.trustStorePassword=${ssl.password}"/>
        <arg value="-client"/>
        <arg value="${appClient.jar}"/>
      </exec>
    </target>

Using SSL with a Standalone Client

When using the application client container, the enterprise bean is looked
up by its ejb-ref-name, which sun-application-client.xml maps to the bean's
JNDI name, as shown in the following example:


    <sun-application-client>
      <ejb-ref>
        <ejb-ref-name>ejb/SSLSimpleConverter</ejb-ref-name>
        <jndi-name>SSLconverter</jndi-name>
      </ejb-ref>
    </sun-application-client>

    When using a standalone client, however, the JNDI name itself is used for
    the lookup, and it must match the jndi-name in sun-ejb-jar.xml exactly
    (JNDI names are case-sensitive). So, in the standalone client class, we have:

        import javax.naming.Context;
        import javax.naming.InitialContext;

        Context context = new InitialContext();
        // "SSLconverter" is the jndi-name declared in sun-ejb-jar.xml above
        Object obj = context.lookup("SSLconverter");
        // narrow obj to the bean's remote interface before calling it

    To run the standalone client, make sure your classpath contains the following:

    • appserv-rt.jar, which contains the application server's ORB together
      with its CSIv2 implementation
    • j2ee.jar in SJSAS 8.x, or javaee.jar in GlassFish
    • the remote/home interface classes of the corresponding EJBs and any
      other library classes they need
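    The descriptor settings above decide whether a bean can be reached in the
    clear at all, and the standalone lookup only succeeds if the JNDI name
    matches the descriptor exactly. The following Python script is an added
    example (not code from this post or from GlassFish) that audits a
    sun-ejb-jar.xml for the effective transport policy of each bean, using the
    CSIv2 none/supported/required semantics, and resolves the ejb-ref entries
    of a sun-application-client.xml against it. Both descriptors are
    constructed inline; the OptionalConverter, PlainConverter and
    ejb/TypoConverter entries are hypothetical and exist only to show the
    weak cases.

```python
"""Audit GlassFish/SJSAS runtime descriptors for their IIOP/SSL policy.

Added example for this post, not code from the post or from GlassFish.
Both descriptors below are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

# CSIv2 association-option values used by <transport-config>: "supported"
# advertises a protection without enforcing it; only "required" makes the ORB
# reject a connection that lacks it.
NONE, SUPPORTED, REQUIRED = 0, 1, 2
LEVELS = {"none": NONE, "supported": SUPPORTED, "required": REQUIRED}


def _level(tc, name):
    """Level of one <transport-config> option; a missing element counts as none."""
    el = tc.find(name)
    if el is None:
        return NONE
    text = (el.text or "").strip().lower()
    if text not in LEVELS:
        raise ValueError(f"<{name}>: unexpected value {text!r}")
    return LEVELS[text]


def classify(ejb):
    """Effective transport policy of one <ejb> element of sun-ejb-jar.xml."""
    tc = ejb.find("ior-security-config/transport-config")
    if tc is None:
        return "CLEARTEXT"                      # no IOR security config at all
    integ = _level(tc, "integrity")
    conf = _level(tc, "confidentiality")
    if _level(tc, "establish-trust-in-target") == REQUIRED:
        # A target cannot demand that the client authenticate it; this option
        # only takes none or supported.
        raise ValueError("establish-trust-in-target cannot be 'required'")
    if integ != REQUIRED and conf != REQUIRED:
        # Nothing forces TLS: the client ORB may still use the plain IIOP port.
        return "OPTIONAL_TLS" if SUPPORTED in (integ, conf) else "CLEARTEXT"
    if conf != REQUIRED:
        return "INTEGRITY_ONLY_TLS"             # TLS forced, encryption not demanded
    if _level(tc, "establish-trust-in-client") == REQUIRED:
        return "MUTUAL_TLS"                     # client must present a certificate
    return "SERVER_AUTH_TLS"


def audit_ejb_jar(xml_text):
    """Map each bean's JNDI name to its transport classification."""
    root = ET.fromstring(xml_text)
    return {e.findtext("jndi-name").strip(): classify(e) for e in root.iter("ejb")}


def resolve_client_refs(ejb_jar_xml, app_client_xml):
    """Resolve each <ejb-ref> of sun-application-client.xml against the beans.

    JNDI names are case-sensitive, so a reference that differs only in case
    is reported separately from one that matches nothing at all."""
    beans = audit_ejb_jar(ejb_jar_xml)
    result = {}
    for ref in ET.fromstring(app_client_xml).iter("ejb-ref"):
        ref_name = ref.findtext("ejb-ref-name").strip()
        jndi = ref.findtext("jndi-name").strip()
        if jndi in beans:
            result[ref_name] = beans[jndi]
            continue
        near = [b for b in beans if b.lower() == jndi.lower()]
        result[ref_name] = ("UNRESOLVED (case mismatch with %r)" % near[0]
                            if near else "UNRESOLVED")
    return result


# Constructed descriptors: SSLTheConverter is the post's mutual-auth bean; the
# other two beans and the second ejb-ref are hypothetical weak cases.
SAMPLE_EJB_JAR = """<sun-ejb-jar><enterprise-beans>
  <ejb><ejb-name>SSLTheConverter</ejb-name><jndi-name>SSLconverter</jndi-name>
    <ior-security-config><transport-config>
      <integrity>required</integrity><confidentiality>required</confidentiality>
      <establish-trust-in-target>supported</establish-trust-in-target>
      <establish-trust-in-client>required</establish-trust-in-client>
    </transport-config></ior-security-config></ejb>
  <ejb><ejb-name>OptionalConverter</ejb-name><jndi-name>OptionalConverter</jndi-name>
    <ior-security-config><transport-config>
      <integrity>supported</integrity><confidentiality>supported</confidentiality>
    </transport-config></ior-security-config></ejb>
  <ejb><ejb-name>PlainConverter</ejb-name><jndi-name>PlainConverter</jndi-name></ejb>
</enterprise-beans></sun-ejb-jar>"""

SAMPLE_APP_CLIENT = """<sun-application-client>
  <ejb-ref><ejb-ref-name>ejb/SSLSimpleConverter</ejb-ref-name>
           <jndi-name>SSLconverter</jndi-name></ejb-ref>
  <ejb-ref><ejb-ref-name>ejb/TypoConverter</ejb-ref-name>
           <jndi-name>SSLConverter</jndi-name></ejb-ref>
</sun-application-client>"""

if __name__ == "__main__":
    for jndi, policy in audit_ejb_jar(SAMPLE_EJB_JAR).items():
        print(f"{jndi:20s} {policy}")
    for ref, status in resolve_client_refs(SAMPLE_EJB_JAR, SAMPLE_APP_CLIENT).items():
        print(f"{ref:24s} {status}")
```

    To run it against real descriptors, read the two files into strings and
    pass them to audit_ejb_jar and resolve_client_refs. A bean reported as
    OPTIONAL_TLS is the "supported" configuration: the deployment looks
    SSL-enabled, but nothing in the IOR policy stops a client from talking
    plain IIOP to it.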

    The following ant target provides an example of how to configure an
    ant target for running the standalone client over SSL. fork="true" is
    necessary: ant's <java> task only honours <jvmarg> when it starts a
    separate JVM, so without it the SSL system properties are silently dropped.

    <target name="run-standalone-client">
      <java classname="${test.client}"
          classpath="${test.classpath}" failonerror="true" fork="true">
        <jvmarg value="-Dorg.omg.CORBA.ORBInitialHost=${orb.host}"/>
        <jvmarg value="-Dorg.omg.CORBA.ORBInitialPort=${orb.port}"/>
        <jvmarg value="-Djavax.net.ssl.keyStore=${keystore.db.file}"/>
        <jvmarg value="-Djavax.net.ssl.keyStorePassword=${ssl.password}"/>
        <jvmarg value="-Djavax.net.ssl.trustStore=${truststore.db.file}"/>
        <jvmarg value="-Djavax.net.ssl.trustStorePassword=${ssl.password}"/>
      </java>
    </target>

Debugging SSL Communication

To enable debug messages for SSL communication, pass the JVM option
-Djavax.net.debug=all, which prints everything the JSSE provider does
during SSL communication. That output is very verbose;
-Djavax.net.debug=ssl,handshake narrows it to the handshake, which is
usually where a truststore or certificate problem shows up.

    Comments (1)
    • Bart Friday, March 7, 2008

      I'm using glassfish 9.1_01 (b09d-fcs).

      On the client side I have Jre 1.6.0_04

      My IDE is Eclipse 3.3 (Europa)

      I've been trying for days now to get IIOP/SSL working on my GlassFish server, but it just doesn't seem to get going.

      I've read numerous threads, posts, blogs and howtos from Sun, Java, GlassFish and other gurus involved, but nothing led me to the solution yet.

      My last hope was your blog...

      But following the steps in your blog, my client apps (be it ACC or stand-alone) still reach out to 'neverneverland' SSL as soon as I set the integrity and confidentiality of the transport-config to required. (When choosing supported it works, but then there's no real SSL.)

      Please can you help me?

      Any help would be welcome.

      Thanks in advance.

      Bart

