[jboss-user] [EJB 3.0] - Securing EJB3 traffic with mutual authentication using certificates

Fri Aug 20 03:25:21 EDT 2010

Glenn Bech [http://community.jboss.org/people/glenn.bech] created the discussion

"Securing EJB3 traffic with mutual authentication using certificates"

To view the discussion, visit: http://community.jboss.org/message/558279#558279

--------------------------------------------------------------
Hi,

I am atempting to secure traffic between an Oracle Weblogic 10 and JBOSS 5.1.0 server. Our project is required to both encrypt the traffic and provide mutual authentication. 

I know that my aproach does not secure the JNDI lookup, and that it will configure the entire server, and not just my application. I think however that this is the fastest way to reach our deadline, withour having to add annotations and such to our beans. 

So far I have done the following; 

* Created a self signed server certificate using keytool:  +keytool -genkey -alias server -keyalg RSA -keystore server.keystore+
* Configured the invokerLocator of the bean org.jboss.ejb3.RemotingConnector to use sslsocket transport.

<bean name="org.jboss.ejb3.RemotingConnector">
    <property name="invokerLocator">
      <value-factory bean="ServiceBindingManager"
        method="getStringBinding">
        <parameter>
          jboss.remoting:type=Connector,name=DefaultEjb3Connector,handler=ejb3
        </parameter>
        <parameter>
          <null />
        </parameter>
        <parameter>sslsocket://${jboss.bind.address}:${port}</parameter>
        <parameter>
          <null />
        </parameter>
        <parameter>3873</parameter>
      </value-factory>
    </property>
    <property name="serverConfiguration">
      <inject bean="ServerConfiguration" />
    </property>
</bean>

* On the client side, I also generate a self signed certificate: keytool -genkey -alias client -keyalg RSA -keystore client.keystore
* I then establish mutual authentication
* I export the server certificate from the server keystore and import it into what becomes the client truststore
* I export the client certificate from the client keystore and import it into what becomes the server truststor
* I then configure both weblogic and JBOSS with the comamnd line arguments

-Djavax.net.ssl.keyStore
-Djavax.net.ssl.keyStorePassword
-Djavax.net.ssl.trustStore=
-Djavax.net.ssl.trustStorePassword

I have one-way SSL up and running. If I remove the server certificate from the Client trust store, the handshake 
fails.

My problem is; JBOSS does not authenticate the client certificate and accepts all incoming traffic. It seems to be 
ignoring the configured truststore. I have searched all documentation and have found nothing on EJB3 over SSL & mutual authentication 
in JBOSS 5.1.0AS

Can anyone help? 

--------------------------------------------------------------

Reply to this message by going to Community
[http://community.jboss.org/message/558279#558279]

Start a new discussion in EJB 3.0 at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2029]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/jboss-user/attachments/20100820/da26b921/attachment-0001.html 