[jboss-user] [EJB3] - Accessing_EJB3s_over_SSL

Administrator Administrator do-not-reply at jboss.com
Thu Jan 20 10:58:46 EST 2011

Administrator Administrator [http://community.jboss.org/people/admin] modified the document:


To view the document, visit: http://community.jboss.org/docs/DOC-9050

h2. EJB3 over SSL
This tutorial shows you how to invoke remote EJBs over an SSL connection.

Setting up SSL for use in EJB3 involves creating a keystore and making sure the correct transport
is available in the EJB3 configuration. After that, you only have to use the RemoteBinding annotation
with a clientBindUrl to make sure the bean is called through SSL.

This tutorial assumes you've set up JBoss 4.x with EJB3 support. Make sure the environment variable
JBOSS_HOME refers to the installation directory.

h3.  Creating a keystore
For SSL to work we need to create a public/private key pair, which will be stored in a keystore. Generate this using the keytool -genkey command that comes with the JDK.

   $ cd $JBOSS_HOME/server/default/conf/
   $ keytool -genkey -alias ejb3-ssl -keypass opensource -keystore localhost.keystore
   Enter keystore password:  opensource
   What is your first and last name?
   What is the name of your organizational unit?
   What is the name of your organization?
   What is the name of your City or Locality?
   What is the name of your State or Province?
   What is the two-letter country code for this unit?
   Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
     [no]:  yes

Since we have not had our certificate signed by a certification authority, we also need to create a truststore for the client, explicitly saying that we trust the certificate we just created. The first step is to export the certificate using the JDK keytool:

   $ keytool -export -alias ejb3-ssl -file mycert.cer -keystore localhost.keystore
   Enter keystore password:  opensource
   Certificate stored in file <mycert.cer>

Then we need to create the truststore if it does not exist and import the certificate into the truststore:

   $ keytool -import -alias ejb3-ssl -file mycert.cer -keystore localhost.truststore
   Enter keystore password:  opensource
   Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
   Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
   Serial number: 43bff927
   Valid from: Sat Jan 07 18:23:51 CET 2006 until: Fri Apr 07 19:23:51 CEST 2006
   Certificate fingerprints:
            MD5:  CF:DC:71:A8:F4:EA:8F:5A:E9:94:E3:E6:5B:A9:C8:F3
            SHA1: 0E:AD:F3:D6:41:5E:F6:84:9A:D1:54:3D:DE:A9:B2:01:28:F6:7C:26
   Trust this certificate? [no]:  yes
   Certificate was added to keystore 
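
A check to run after these steps, given as an added example that is not part of the tutorial's source: it loads both stores and confirms that the truststore holds the same certificate as the keystore, then reports the expiry date. The class name CheckTrustStore is an assumption; the file names, alias and password are the ones used above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Date;

// Added example (hypothetical class name). Run from $JBOSS_HOME/server/default/conf/.
public class CheckTrustStore {
    static final String ALIAS = "ejb3-ssl";                      // alias from the tutorial
    static final char[] PASSWORD = "opensource".toCharArray();  // password from the tutorial

    // Load a store and return the certificate stored under the tutorial's alias.
    static X509Certificate load(String file) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, PASSWORD);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);
        if (cert == null) {
            throw new IllegalStateException("alias " + ALIAS + " not found in " + file);
        }
        return cert;
    }

    // Hex-encoded SHA-256 fingerprint of the DER-encoded certificate.
    static String sha256(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02X", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        X509Certificate server = load("localhost.keystore");
        X509Certificate trusted = load("localhost.truststore");
        // The client trusts the server only if the truststore holds the server's certificate.
        boolean same = sha256(server).equals(sha256(trusted));
        System.out.println("keystore   SHA-256: " + sha256(server));
        System.out.println("truststore SHA-256: " + sha256(trusted));
        System.out.println("certificates match: " + same);
        // The sample output above shows a three-month validity, so report the expiry.
        boolean expired = server.getNotAfter().before(new Date());
        System.out.println("valid until: " + server.getNotAfter() + ", expired: " + expired);
        if (!same || expired) System.exit(1);
    }
}
```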

h3.  Setting up the transport
To set up the transport, open $JBOSS_HOME/server/default/deploy/ejb3.deployer/META-INF/jboss-service.xml in your
favorite text editor. Add the following mbean to it:

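   <mbean code="org.jboss.remoting.transport.Connector">
      <attribute name="InvokerLocator">sslsocket://</attribute> <!-- append the bind host:port; the mbean also needs a name attribute -->
      <attribute name="Configuration">
         <handlers>
            <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
         </handlers>
      </attribute>
   </mbean>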

h3.  Starting JBoss
We need to tell JBoss Remoting where to find the keystore to be used for SSL and its password. This is done using
the javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword system properties when starting JBoss, as
the following example shows:

    $ cd $JBOSS_HOME/bin
    $ ./run.sh -Djavax.net.ssl.keyStore=../server/default/conf/localhost.keystore -Djavax.net.ssl.keyStorePassword=opensource

h3.  Creating your beans
Create your EJBs as usual and add the following annotation to bind them to the SSL invoker.

import org.jboss.annotation.ejb.RemoteBinding;


For the purpose of this tutorial an example bean is provided (see src/org/jboss/tutorial/ssl/bean/CalculatorBean.java).
To compile and deploy the example, simply execute ant ejbjar.

h3.  Running your client
While making sure all the correct libraries are on the classpath we can run the provided client.

    $ java -Djavax.net.ssl.trustStore=$JBOSS_HOME/server/default/conf/localhost.truststore -Djavax.net.ssl.trustStorePassword=opensource org.jboss.tutorial.ssl.client.Client

Or better yet, just run ant run.
