Enterprise Java Bean over SSL

Enterprise JavaBeans (EJB) provide a component-based architecture for distributed business applications. Security is very important in the enterprise environment, and SSL/TLS provides it at the transport layer. In this blog, we discuss how to configure SSL for use with enterprise beans and how to access an enterprise bean from a client.

Note

  • In the Java EE 5 SDK, Glassfish and the Sun Java System Application Server (SJSAS), the keystore password and key passwords are the same, and the keystore and truststore passwords are the same for a given domain.
  • The SJSAS EE uses NSS for keystore management. The SJSAS PE uses JKS keystores for keystore management. The application client containers, however, use JKS keystores for keystore management regardless of whether the Application Server is EE or PE.

Running Enterprise Beans over SSL

In SSL/TLS, there are two kinds of authentication: SSL server authentication and SSL mutual authentication. To specify SSL/TLS for an enterprise application, use the <transport-config> subelement of the corresponding <ejb> element in the runtime deployment descriptor, sun-ejb-jar.xml.

The two options are specified in slightly different ways, as shown in the following examples:

  • SSL: Server Authentication

    In this case, the client verifies the identity of the server by checking its certificate against the client's truststore. When using server authentication, make sure that the truststore of the client trusts the certificate of the server. To do SSL server authentication, set the integrity element and the confidentiality element to required. For instance,
    <sun-ejb-jar>
      <enterprise-beans>
        <ejb>
          <ejb-name>SSLTheConverter</ejb-name>
          <jndi-name>SSLconverter</jndi-name>
          <ior-security-config>
            <transport-config>
              <integrity>required</integrity>
              <confidentiality>required</confidentiality>

              <establish-trust-in-target>supported</establish-trust-in-target>
              <establish-trust-in-client>supported</establish-trust-in-client>
            </transport-config>
            <sas-context>
              <caller-propagation>supported</caller-propagation>
            </sas-context>
          </ior-security-config>
        </ejb>
      </enterprise-beans>
    </sun-ejb-jar>

  • SSL Mutual authentication

    In this case, both the client and the server verify the identity of each other by checking the peer's certificate against their own truststore. When using mutual authentication, make sure that the truststore of the client trusts the certificate of the server and the truststore of the server trusts the certificate of the client. To do SSL mutual authentication, set the integrity element, the confidentiality element, and the establish-trust-in-client element to required. For instance,
    <sun-ejb-jar>
      <enterprise-beans>
        <ejb>
          <ejb-name>SSLTheConverter</ejb-name>
          <jndi-name>SSLconverter</jndi-name>
          <ior-security-config>
            <transport-config>
              <integrity>required</integrity>
              <confidentiality>required</confidentiality>

              <establish-trust-in-target>supported</establish-trust-in-target>
              <establish-trust-in-client>required</establish-trust-in-client>

            </transport-config>
            <sas-context>
              <caller-propagation>supported</caller-propagation>
            </sas-context>
          </ior-security-config>
        </ejb>
      </enterprise-beans>
    </sun-ejb-jar>
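As an added check that is not part of the original post, the following Python snippet parses a sun-ejb-jar.xml and reports, per bean, whether the transport-config forces server-authenticated TLS, forces mutual TLS, or still lets the ORB fall back to plaintext IIOP. The sample descriptor is constructed from the two examples above plus a bean whose elements only say "supported"; the DOCTYPE is omitted.

```python
import xml.etree.ElementTree as ET

# Constructed sample sun-ejb-jar.xml (DOCTYPE omitted): the two beans from the
# post plus one whose transport-config only says "supported".
SUN_EJB_JAR_XML = """<sun-ejb-jar><enterprise-beans>
  <ejb><ejb-name>SSLTheConverter</ejb-name><ior-security-config><transport-config>
    <integrity>required</integrity><confidentiality>required</confidentiality>
    <establish-trust-in-target>supported</establish-trust-in-target>
    <establish-trust-in-client>supported</establish-trust-in-client>
  </transport-config></ior-security-config></ejb>
  <ejb><ejb-name>MutualConverter</ejb-name><ior-security-config><transport-config>
    <integrity>required</integrity><confidentiality>required</confidentiality>
    <establish-trust-in-target>supported</establish-trust-in-target>
    <establish-trust-in-client>required</establish-trust-in-client>
  </transport-config></ior-security-config></ejb>
  <ejb><ejb-name>WeakConverter</ejb-name><ior-security-config><transport-config>
    <integrity>supported</integrity><confidentiality>supported</confidentiality>
  </transport-config></ior-security-config></ejb>
</enterprise-beans></sun-ejb-jar>"""

def _value(transport_config, tag):
    """Transport values are none/supported/required; a missing element counts as none."""
    el = transport_config.find(tag)
    return el.text.strip().lower() if el is not None and el.text else "none"

def classify_transport(ejb):
    """Classify what the ORB will enforce for calls to one <ejb> element."""
    tc = ejb.find("ior-security-config/transport-config")
    if tc is None:
        return "no-transport-config"  # nothing in the descriptor forces TLS
    integrity = _value(tc, "integrity")
    confidentiality = _value(tc, "confidentiality")
    trust_in_client = _value(tc, "establish-trust-in-client")
    if integrity == "required" and confidentiality == "required":
        # Only "required" makes the ORB refuse a plaintext IIOP connection.
        return "mutual-tls" if trust_in_client == "required" else "server-auth-tls"
    if integrity == "none" and confidentiality == "none":
        return "plaintext"
    return "tls-optional"  # "supported": works without SSL, so no guarantee

def audit_descriptor(xml_text):
    """Map each ejb-name in a sun-ejb-jar.xml to its transport classification."""
    root = ET.fromstring(xml_text)
    return {ejb.findtext("ejb-name"): classify_transport(ejb) for ejb in root.iter("ejb")}

if __name__ == "__main__":
    for name, level in audit_descriptor(SUN_EJB_JAR_XML).items():
        print(f"{name}: {level}")
```

Anything other than server-auth-tls or mutual-tls means a client can be served over an unprotected IIOP connection even though SSL appears to be configured.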

Using SSL with the Application Client Container

To use SSL with the Application Client Container (ACC), you need to set the VMARGS environment variable, in either of two ways:

  • Set the environment variable VMARGS in the shell.

    For example, in ksh or bash the command to set this environment variable would be (the ${...} values stand for your keystore file, truststore file and password):
    export VMARGS=" -Djavax.net.ssl.keyStore=${keystore.db.file} -Djavax.net.ssl.trustStore=${truststore.db.file} -Djavax.net.ssl.keyStorePassword=${ssl.password} -Djavax.net.ssl.trustStorePassword=${ssl.password}"

  • Set the env element in the ant script. For instance,
    <target name="runclient">
      <exec executable="${S1AS_HOME}/bin/appclient">
        <env key="VMARGS" value=" -Djavax.net.ssl.keyStore=${keystore.db.file} -Djavax.net.ssl.trustStore=${truststore.db.file} -Djavax.net.ssl.keyStorePassword=${ssl.password} -Djavax.net.ssl.trustStorePassword=${ssl.password}"/>
        <arg value="-client"/>
        <arg value="${appClient.jar}"/>
      </exec>
    </target>

Using SSL with a Standalone Client

When using the Application Client Container, the enterprise bean is looked up using the ejb-ref-name element, as shown in the following example sun-application-client.xml:
    <sun-application-client>
      <ejb-ref>
      <ejb-ref-name>ejb/SSLSimpleConverter</ejb-ref-name>
      <jndi-name>SSLconverter</jndi-name>
      </ejb-ref>
    </sun-application-client>

When using a standalone client, however, we use the JNDI name for the lookup. So, in the standalone client class, we have:
    // JNDI names are case-sensitive: this must match <jndi-name> in sun-ejb-jar.xml
    Context context = new InitialContext();
    Object obj = context.lookup("SSLconverter");

To run the standalone client, make sure your classpath contains the following:

  • appserv-rt.jar, which contains the ORB implementation with CSIv2 support
  • j2ee.jar in SJSAS 8.x or javaee.jar in Glassfish
  • the interface classes of the corresponding EJBs and any other library classes needed

The following ant target provides an example of how to configure an ant target for running the standalone client over SSL:
    <target name="run-standalone-client">
      <java classname="${test.client}"
          classpath="${test.classpath}" failonerror="true" fork="true">
        <jvmarg value="-Dorg.omg.CORBA.ORBInitialHost=${orb.host}"/>
        <jvmarg value="-Dorg.omg.CORBA.ORBInitialPort=${orb.port}"/>
        <jvmarg value="-Djavax.net.ssl.keyStore=${keystore.db.file}"/>
        <jvmarg value="-Djavax.net.ssl.keyStorePassword=${ssl.password}"/>
        <jvmarg value="-Djavax.net.ssl.trustStore=${truststore.db.file}"/>
        <jvmarg value="-Djavax.net.ssl.trustStorePassword=${ssl.password}"/>
      </java>
    </target>

Debugging SSL Communication

To enable debug messages for SSL communication, pass the JVM option -Djavax.net.debug=all, which prints the details of the SSL handshake and the data exchanged during SSL communication.
Comments:

I'm using glassfish 9.1_01 (b09d-fcs).
On the client side I have JRE 1.6.0_04.
My IDE is Eclipse 3.3 (Europa).

I've been trying for days now to get IIOP/SSL working on my GlassFish server but it just doesn't seem to get going.

I've read numerous threads, posts, blogs and howtos from sun, java, glassfish and other gurus involved but nothing led me to the solution yet.
My last hope was your blog...

But following the steps in your blog, my client apps (be it ACC or stand alone) still reach out to 'neverneverland' SSL as soon as I set the integrity and confidentiality of the transport-config to required (when choosing supported it works, but then there's no real SSL).
Please can you help me?
Any help would be welcome.
Thanks in advance.
Bart

Posted by Bart on March 07, 2008 at 01:48 AM PST #
