Glenn Bech [http://community.jboss.org/people/glenn.bech] created the discussion "Securing EJB3 traffic with mutual authentication using certificates" To view the discussion, visit: http://community.jboss.org/message/558279#558279 -------------------------------------------------------------- Hi, I am atempting to secure traffic between an Oracle Weblogic 10 and JBOSS 5.1.0 server. Our project is required to both encrypt the traffic and provide mutual authentication. I know that my aproach does not secure the JNDI lookup, and that it will configure the entire server, and not just my application. I think however that this is the fastest way to reach our deadline, withour having to add annotations and such to our beans. So far I have done the following; * Created a self signed server certificate using keytool:  +keytool -genkey -alias server -keyalg RSA -keystore server.keystore+ * Configured the invokerLocator of the bean org.jboss.ejb3.RemotingConnector to use sslsocket transport. <bean name="org.jboss.ejb3.RemotingConnector">     <property name="invokerLocator">       <value-factory bean="ServiceBindingManager"         method="getStringBinding">         <parameter>           jboss.remoting:type=Connector,name=DefaultEjb3Connector,handler=ejb3         </parameter>         <parameter>           <null />         </parameter>         <parameter>sslsocket://${jboss.bind.address}:${port}</parameter>         <parameter>           <null />         </parameter>         <parameter>3873</parameter>       </value-factory>     </property>     <property name="serverConfiguration">       <inject bean="ServerConfiguration" />     </property> </bean> * On the client side, I also generate a self signed certificate: keytool -genkey -alias client -keyalg RSA -keystore client.keystore * I then establish mutual authentication * I export the server certificate from the server keystore and import it into what becomes the client truststore * I export the client certificate from the client keystore and import it into what becomes the server truststor * I then configure both weblogic and JBOSS with the comamnd line arguments -Djavax.net.ssl.keyStore -Djavax.net.ssl.keyStorePassword -Djavax.net.ssl.trustStore= -Djavax.net.ssl.trustStorePassword I have one-way SSL up and running. If I remove the server certificate from the Client trust store, the handshake fails. My problem is; JBOSS does not authenticate the client certificate and accepts all incoming traffic. It seems to be ignoring the configured truststore. I have searched all documentation and have found nothing on EJB3 over SSL & mutual authentication in JBOSS 5.1.0AS Can anyone help? -------------------------------------------------------------- Reply to this message by going to Community [http://community.jboss.org/message/558279#558279] Start a new discussion in EJB 3.0 at Community [http://community.jboss.org/choose-container!input.jspa?contentType=1&...]