[jboss-user] [EJB3] - Accessing_EJB3s_over_SSL

Administrator Administrator do-not-reply at jboss.com
Thu Jan 20 10:58:46 EST 2011


Administrator Administrator [http://community.jboss.org/people/admin] modified the document:

"Accessing_EJB3s_over_SSL"

To view the document, visit: http://community.jboss.org/docs/DOC-9050

--------------------------------------------------------------
h2. EJB3 over SSL
This tutorial shows you how to invoke remote EJBs over an SSL connection.

Setting up SSL for use in EJB3 involves creating a keystore and making sure the correct transport
is available in the EJB3 configuration. After that, you only have to use the RemoteBinding annotation
with a clientBindUrl to make sure the bean is called through SSL.

This tutorial assumes you've set up JBoss 4.x with EJB3 support. Make sure the environment variable
JBOSS_HOME refers to the installation directory.

h3.  Creating a keystore
For SSL to work we need to create a public/private key pair, which will be stored in a keystore. Generate it using the keytool -genkey command that comes with the JDK.

   $ cd $JBOSS_HOME/server/default/conf/
   $ keytool -genkey -alias ejb3-ssl -keypass opensource -keystore localhost.keystore
   Enter keystore password:  opensource
   What is your first and last name?
     [Unknown]:
   What is the name of your organizational unit?
     [Unknown]:
   What is the name of your organization?
     [Unknown]:
   What is the name of your City or Locality?
     [Unknown]:
   What is the name of your State or Province?
     [Unknown]:
   What is the two-letter country code for this unit?
     [Unknown]:
   Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
     [no]:  yes


Since we have not had our certificate signed by any certification authority, we also need to create a truststore for the client, explicitly saying that we trust the certificate we just created. The first step is to export the certificate using the JDK keytool:

   $ keytool -export -alias ejb3-ssl -file mycert.cer -keystore localhost.keystore
   Enter keystore password:  opensource
   Certificate stored in file <mycert.cer>


Then we need to create the truststore if it does not exist and import the certificate into the truststore:

   $ keytool -import -alias ejb3-ssl -file mycert.cer -keystore localhost.truststore
   Enter keystore password:  opensource
   Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
   Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
   Serial number: 43bff927
   Valid from: Sat Jan 07 18:23:51 CET 2006 until: Fri Apr 07 19:23:51 CEST 2006
   Certificate fingerprints:
            MD5:  CF:DC:71:A8:F4:EA:8F:5A:E9:94:E3:E6:5B:A9:C8:F3
            SHA1: 0E:AD:F3:D6:41:5E:F6:84:9A:D1:54:3D:DE:A9:B2:01:28:F6:7C:26
   Trust this certificate? [no]:  yes
   Certificate was added to keystore 
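
The import step above asks you to confirm the certificate by eye. As an added example (not part of the original tutorial), the following client-side check loads the truststore, confirms the ejb3-ssl entry is still within its validity period (the sample output above shows a window of only three months), and compares its SHA-256 fingerprint with a value you obtained from the server's keystore. The class name TruststoreCheck and the expected-fingerprint argument are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;

// Added example: pre-flight check of the client truststore built above.
public class TruststoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: TruststoreCheck <expected-SHA-256-fingerprint>");
            System.exit(2);
        }
        // Same system properties the client uses to locate its truststore.
        String path = System.getProperty("javax.net.ssl.trustStore");
        String pass = System.getProperty("javax.net.ssl.trustStorePassword");
        if (path == null || pass == null) {
            System.err.println("set javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray());
        }
        // "ejb3-ssl" is the alias used in the keytool -import step.
        X509Certificate cert = (X509Certificate) ks.getCertificate("ejb3-ssl");
        if (cert == null) {
            System.err.println("alias ejb3-ssl not found in " + path);
            System.exit(1);
        }
        // Throws if the certificate has expired or is not yet valid.
        cert.checkValidity();

        // Fingerprint = digest of the DER-encoded certificate.
        String actual = hex(MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()));
        String expected = args[0].replace(":", "").toUpperCase();
        if (!actual.equals(expected)) {
            System.err.println("fingerprint mismatch: truststore has " + actual);
            System.exit(1);
        }
        System.out.println("ejb3-ssl OK, valid until " + cert.getNotAfter());
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02X", b));
        return sb.toString();
    }
}
```

Take the expected value from the SHA-256 fingerprint reported by keytool -list -v against localhost.keystore on the server, and run the check with the same -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword properties as the client.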



h3.  Setting up the transport
To set up the transport, open $JBOSS_HOME/server/default/deploy/ejb3.deployer/META-INF/jboss-service.xml in your
favorite text editor. Add the following mbean to it:

  
   <mbean code="org.jboss.remoting.transport.Connector"
      name="jboss.remoting:type=Connector,transport=socket3843,handler=ejb3">
      <depends>jboss.aop:service=AspectDeployer</depends>
      <attribute name="InvokerLocator">sslsocket://0.0.0.0:3843</attribute>
      <attribute name="Configuration">
         <handlers>
            <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
         </handlers>
      </attribute>
   </mbean>


h3.  Starting JBoss
We need to tell JBoss Remoting where to find the keystore to be used for SSL and its password. This is done using
the javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword system properties when starting JBoss, as
the following example shows:

    $ cd $JBOSS_HOME/bin
    $ ./run.sh -Djavax.net.ssl.keyStore=../server/default/conf/localhost.keystore -Djavax.net.ssl.keyStorePassword=opensource


h3.  Creating your beans
Create your EJBs as usual and add the following annotation to bind them to the SSL invoker.

    import org.jboss.annotation.ejb.RemoteBinding;

    @RemoteBinding(clientBindUrl="sslsocket://0.0.0.0:3843")


For the purpose of this tutorial an example bean is provided (see src/org/jboss/tutorial/ssl/bean/CalculatorBean.java).
To compile and deploy the example, simply execute ant ejbjar.

h3.  Running your client
With all the required libraries on the classpath, we can run the provided client.

    $ java -Djavax.net.ssl.trustStore=$JBOSS_HOME/server/default/conf/localhost.truststore -Djavax.net.ssl.trustStorePassword=opensource org.jboss.tutorial.ssl.client.Client


Or better yet, just run ant run.
--------------------------------------------------------------
