Enterprise Java Bean over SSL
Saturday Apr 08, 2006
Enterprise JavaBeans (EJB) provide a component-based architecture for distributed business applications. Security matters a great deal in the enterprise environment, and SSL/TLS provides it at the transport layer: the connection between client and bean is encrypted and integrity-protected, and one or both endpoints are authenticated by certificate. In this blog we discuss how to configure SSL for use with enterprise beans and how to access such a bean from a client.
Note
- In the Java EE 5 SDK, Glassfish and the Sun Java System Application Server (SJSAS), the keystore password and the key passwords are the same, and the keystore and truststore passwords are the same for a given domain. One password therefore unlocks both the private key and the set of trust anchors, so guard it with the care the private key deserves.
- The SJSAS EE uses NSS for keystore management. The SJSAS PE uses JKS keystores for keystore management. The application client containers, however, use JKS keystores for keystore management regardless of whether the Application Server is EE or PE.
Running Enterprise Beans over SSL
In SSL/TLS there are two kinds of authentication: SSL server authentication and SSL mutual authentication. To specify SSL/TLS for an enterprise bean, use the <transport-config> subelement of <ior-security-config> under the corresponding <ejb> element in the runtime deployment descriptor, sun-ejb-jar.xml. Each element inside <transport-config> takes one of the CSIv2 association-option values: required means a client must use SSL with that property to reach this bean, supported means SSL is offered but a plain IIOP connection is also accepted, and none means the option is not provided at all. Leaving integrity or confidentiality at supported therefore still permits a clear-text connection.
The two modes are specified in slightly different ways, as shown in the following examples.
SSL Server Authentication
In this case, the client verifies the identity of the server by checking the server's certificate against its truststore; the client itself is not authenticated. When using server authentication, make sure that the truststore of the client trusts the certificate of the server. To do SSL server authentication, set the integrity element and the confidentiality element to required and leave establish-trust-in-client at supported, so a client certificate is accepted if one is offered but never demanded. For instance,
<sun-ejb-jar>
  <enterprise-beans>
    <ejb>
      <ejb-name>SSLTheConverter</ejb-name>
      <jndi-name>SSLconverter</jndi-name>
      <ior-security-config>
        <transport-config>
          <integrity>required</integrity>
          <confidentiality>required</confidentiality>
          <establish-trust-in-target>supported</establish-trust-in-target>
          <establish-trust-in-client>supported</establish-trust-in-client>
        </transport-config>
        <sas-context>
          <caller-propagation>supported</caller-propagation>
        </sas-context>
      </ior-security-config>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>
SSL Mutual Authentication
In this case, both the client and the server verify the identity of the other by checking the peer's certificate against their own truststore. When using mutual authentication, make sure that the truststore of the client trusts the certificate of the server and the truststore of the server trusts the certificate of the client. To do SSL mutual authentication, set the integrity element, the confidentiality element and the establish-trust-in-client element to required; the only change from the previous example is establish-trust-in-client, which now makes the server reject any client that cannot present a trusted certificate. For instance,
<sun-ejb-jar>
  <enterprise-beans>
    <ejb>
      <ejb-name>SSLTheConverter</ejb-name>
      <jndi-name>SSLconverter</jndi-name>
      <ior-security-config>
        <transport-config>
          <integrity>required</integrity>
          <confidentiality>required</confidentiality>
          <establish-trust-in-target>supported</establish-trust-in-target>
          <establish-trust-in-client>required</establish-trust-in-client>
        </transport-config>
        <sas-context>
          <caller-propagation>supported</caller-propagation>
        </sas-context>
      </ior-security-config>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>
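Both descriptors above depend on trust that is established outside the descriptor: for server authentication the client's truststore must contain the server's certificate (or its issuer), and for mutual authentication the server's truststore must additionally contain the client's. The following is an added example, not code from the original post or from GlassFish, that checks both relationships with the same PKIX trust manager JSSE uses during the handshake, so a missing or expired certificate is found before the first bean call fails. It assumes JKS files on both sides (a GlassFish/SJSAS PE domain and the client; an SJSAS EE domain keeps its server keys in NSS and is out of scope), a key alias of s1as, which is the alias GlassFish gives the domain's own key pair and is assumed for the client as well, and that one password unlocks keystore, keys and truststore on each side, as the note at the top states.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Pre-flight check of the trust relationships behind the transport-config examples.
 * Added example; assumes JKS keystores on both sides (GlassFish/SJSAS PE domain and
 * client), so it does not cover an SJSAS EE domain whose server keys live in NSS.
 */
public class TrustCheck {

    /** Loads a JKS keystore; the keystore password also unlocks its keys (see the note above). */
    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }

    /** Builds the PKIX trust manager JSSE itself would derive from this truststore. */
    static X509TrustManager trustManagerFor(KeyStore truststore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** The chain a peer presents in the handshake: the one stored with its private key. */
    static X509Certificate[] chainFor(KeyStore keystore, String alias) throws Exception {
        Certificate[] chain = keystore.getCertificateChain(alias);
        if (chain == null) {
            throw new IllegalArgumentException("no private-key entry for alias '" + alias + "'");
        }
        X509Certificate[] x509 = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++) {
            x509[i] = (X509Certificate) chain[i];
        }
        return x509;
    }

    /** Runs the check JSSE runs at handshake time: does this truststore accept the peer's chain? */
    static boolean trusts(KeyStore truststore, X509Certificate[] chain, boolean peerIsServer)
            throws Exception {
        X509TrustManager tm = trustManagerFor(truststore);
        String authType = chain[0].getPublicKey().getAlgorithm();   // e.g. "RSA"
        try {
            if (peerIsServer) {
                tm.checkServerTrusted(chain, authType);   // validates path and validity period
            } else {
                tm.checkClientTrusted(chain, authType);
            }
            return true;
        } catch (CertificateException e) {
            System.err.println((peerIsServer ? "client does NOT trust server: "
                                             : "server does NOT trust client: ") + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 6) {
            System.err.println("usage: TrustCheck <server.jks> <server-truststore.jks> <serverPassword>"
                + " <client.jks> <client-truststore.jks> <clientPassword> [--mutual]");
            System.exit(2);
        }
        boolean mutual = args.length > 6 && "--mutual".equals(args[6]);
        // s1as is the alias GlassFish gives the domain's key pair; the client alias is an assumption.
        String serverAlias = System.getProperty("server.alias", "s1as");
        String clientAlias = System.getProperty("client.alias", "s1as");

        // Server authentication: the client's truststore must accept the server's chain.
        boolean ok = trusts(load(args[4], args[5]), chainFor(load(args[0], args[2]), serverAlias), true);
        // Mutual authentication adds the reverse check against the server's truststore.
        if (mutual) {
            ok &= trusts(load(args[1], args[2]), chainFor(load(args[3], args[5]), clientAlias), false);
        }
        System.out.println(ok ? "trust configuration OK" : "trust configuration INCOMPLETE");
        System.exit(ok ? 0 : 1);
    }
}
```

For a GlassFish PE domain the server pair is the domain's keystore.jks and cacerts.jks under the domain's config directory; pass the client's own keystore and truststore as the second pair and add --mutual when <establish-trust-in-client> is required. Exit status 0 means every check that the chosen mode needs has passed.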
Using SSL with the Application Client Container
To use SSL with the Application Client Container (ACC), set the VMARGS environment variable, which the appclient launcher passes on to the client JVM. Only the truststore is needed for server authentication; the keystore supplies the client's own certificate and is required for mutual authentication. For example, in the ksh or bash shell the command to set this environment variable would be (the ${...} placeholders stand for your file paths and password):
export VMARGS="-Djavax.net.ssl.keyStore=${keystore.db.file} -Djavax.net.ssl.trustStore=${truststore.db.file} -Djavax.net.ssl.keyStorePassword=${ssl.password} -Djavax.net.ssl.trustStorePassword=${ssl.password}"
The equivalent ant target sets VMARGS in the environment of the appclient process:
<target name="runclient">
  <exec executable="${S1AS_HOME}/bin/appclient">
    <env key="VMARGS" value="-Djavax.net.ssl.keyStore=${keystore.db.file} -Djavax.net.ssl.trustStore=${truststore.db.file} -Djavax.net.ssl.keyStorePassword=${ssl.password} -Djavax.net.ssl.trustStorePassword=${ssl.password}"/>
    <arg value="-client"/>
    <arg value="${appClient.jar}"/>
  </exec>
</target>
Using SSL with Standalone Client
When using the application client container, the enterprise bean is looked up through its ejb-ref-name, which sun-application-client.xml maps to the bean's JNDI name, as shown in the following example
sun-application-client.xml:
<sun-application-client>
  <ejb-ref>
    <ejb-ref-name>ejb/SSLSimpleConverter</ejb-ref-name>
    <jndi-name>SSLconverter</jndi-name>
  </ejb-ref>
</sun-application-client>
When using a standalone client, however, the bean is looked up directly by its global JNDI name, the <jndi-name> from sun-ejb-jar.xml. JNDI names are case-sensitive, so the name passed to lookup must be exactly "SSLconverter". So, in the standalone client class, we have:
Context context = new InitialContext();
Object obj = context.lookup("SSLconverter");   // must match <jndi-name> exactly
To run the standalone client, make sure your classpath contains the following:
- appserv-rt.jar, which provides the ORB implementation including its CSIv2 support
- j2ee.jar in SJSAS 8.x, or javaee.jar in Glassfish
- the interface classes of the corresponding EJBs, and any other library classes the client needs
The following ant target provides an example of how to configure an ant target for running the standalone client over SSL. ORBInitialHost and ORBInitialPort name the naming service the client bootstraps from; the SSL endpoint itself is taken from the IOR the lookup returns, because the bean's transport-config requires it:
<target name="run-standalone-client">
  <java classname="${test.client}"
        classpath="${test.classpath}" failonerror="true" fork="true">
    <jvmarg value="-Dorg.omg.CORBA.ORBInitialHost=${orb.host}"/>
    <jvmarg value="-Dorg.omg.CORBA.ORBInitialPort=${orb.port}"/>
    <jvmarg value="-Djavax.net.ssl.keyStore=${keystore.db.file}"/>
    <jvmarg value="-Djavax.net.ssl.keyStorePassword=${ssl.password}"/>
    <jvmarg value="-Djavax.net.ssl.trustStore=${truststore.db.file}"/>
    <jvmarg value="-Djavax.net.ssl.trustStorePassword=${ssl.password}"/>
  </java>
</target>
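The lookup and the ant target above leave the client's correctness to the -D properties being present. If javax.net.ssl.trustStore is missing, the JVM silently falls back to the JRE's default cacerts, the lookup still succeeds because it goes to the naming service over plain IIOP, and only the first bean invocation fails with a handshake error. The following standalone client, an added example rather than the page's own client code, refuses to start without the properties its mode needs and then performs the lookup shown above. The Converter interface and its dollarToYen method are hypothetical stand-ins for the bean's real remote business interface, which the page does not show.

```java
import java.math.BigDecimal;
import java.util.ArrayList;
import java.util.List;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;

/** Standalone client for the SSLconverter bean. Added example; run with the -D properties above. */
public class SSLConverterClient {

    /** Hypothetical remote business interface (assumption: the page does not show the real one). */
    public interface Converter {
        BigDecimal dollarToYen(BigDecimal dollars);
    }

    /** Global JNDI name from <jndi-name> in sun-ejb-jar.xml; JNDI names are case-sensitive. */
    static final String JNDI_NAME = "SSLconverter";

    /** Needed for server authentication: where the naming service is, and whom to trust. */
    static final String[] ALWAYS_REQUIRED = {
        "org.omg.CORBA.ORBInitialHost", "org.omg.CORBA.ORBInitialPort",
        "javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword"
    };
    /** Additionally needed when the bean requires establish-trust-in-client. */
    static final String[] MUTUAL_AUTH_ONLY = {
        "javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword"
    };

    /** Names of the system properties still unset; empty when the client is fully configured. */
    static List<String> missingProperties(boolean mutualAuth) {
        List<String> missing = new ArrayList<String>();
        for (String name : ALWAYS_REQUIRED) {
            if (System.getProperty(name) == null) missing.add(name);
        }
        if (mutualAuth) {
            for (String name : MUTUAL_AUTH_ONLY) {
                if (System.getProperty(name) == null) missing.add(name);
            }
        }
        return missing;
    }

    /** The lookup from the text; narrow() is safe for both EJB 2.x homes and EJB 3.0 remote interfaces. */
    static Converter lookupConverter() throws NamingException {
        Context ctx = new InitialContext();
        Object ref = ctx.lookup(JNDI_NAME);
        return (Converter) PortableRemoteObject.narrow(ref, Converter.class);
    }

    public static void main(String[] args) {
        boolean mutualAuth = args.length > 0 && "--mutual".equals(args[0]);
        List<String> missing = missingProperties(mutualAuth);
        if (!missing.isEmpty()) {
            // Fail here rather than at the first invocation with an opaque CORBA error.
            System.err.println("refusing to start without: " + missing);
            System.exit(2);
        }
        try {
            Converter converter = lookupConverter();
            // The SSL handshake happens on this first call, not on the lookup.
            System.out.println("100 USD = " + converter.dollarToYen(new BigDecimal("100")) + " JPY");
        } catch (NamingException e) {
            System.err.println("lookup failed at ORBInitialHost:ORBInitialPort: " + e);
            System.exit(1);
        } catch (RuntimeException e) {
            System.err.println("invocation failed; if the cause is an SSL handshake error, check the"
                + " truststores and rerun with -Djavax.net.debug=ssl,handshake: " + e);
            System.exit(1);
        }
    }
}
```

Pass --mutual as the first program argument when the bean descriptor sets establish-trust-in-client to required, so the keystore properties are checked as well; in server-authentication mode the keystore properties may be left out entirely.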
Debugging SSL Communication
To enable debug messages for SSL communication, pass the JVM option -Djavax.net.debug=all, which prints everything JSSE does during the SSL handshake and data exchange. The output is very verbose and includes handshake details and the contents of records, so use it only while troubleshooting and never leave it on in production; -Djavax.net.debug=ssl,handshake is usually enough to see why a handshake fails.

I'm using glassfish 9.1_01 (b09d-fcs).
On the clie...