15.4. EJB3 RMI via HTTPS Configuration

Procedure 15.5. Configure EJB3 RMI via HTTPS Overview

This procedure configures tunneling of Remote Method Invocation traffic over SSL-encrypted HTTP. This has the dual effect of encrypting the traffic and allowing it to traverse firewalls that block the RMI port.
  1. Generate encryption keys and certificates.
  2. Configure RMI via HTTPS web connector.
  3. Configure Servlets.
  4. Configure secure remoting connector for RMI via HTTPS.
  5. Configure EJB3 beans for HTTPS transport.
  6. Configure clients for RMI via HTTPS.
Generating encryption keys and certificates is covered in Section 15.2, “Generate encryption keys and certificate”.

Procedure 15.6. Configure RMI via HTTPS web connector

This procedure creates a web connector that listens on port 8443 and accepts SSL connections from clients.
  • Edit the file jboss-as/server/$PROFILE/deploy/jbossweb.sar/server.xml and uncomment the HTTPS connector.
    <!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
    <Connector protocol="HTTP/1.1" SSLEnabled="true"
       port="8443" address="${jboss.bind.address}"
       scheme="https" secure="true" clientAuth="false"
       keystoreFile="${jboss.server.home.dir}/conf/localhost.keystore"
       keystorePass="KEYSTORE_PASSWORD" sslProtocol = "TLS" />
Result:

You create a web connector to accept SSL connections.

Procedure 15.7. Configure Servlets

This procedure configures a servlet that passes requests from the web connector to the ServletServerInvoker.
  1. Create a directory named servlet-invoker.war in jboss-as/server/$PROFILE/deploy/.
  2. Create a WEB-INF directory in the servlet-invoker.war directory.
  3. Create a file named web.xml in that WEB-INF directory, with the following content:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC
       "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
       "http://java.sun.com/dtd/web-app_2_3.dtd">
    
    
    <web-app>
        <servlet>
            <servlet-name>ServerInvokerServlet</servlet-name>
            <description>The ServerInvokerServlet receives requests via HTTP
               protocol from within a web container and passes it onto the
               ServletServerInvoker for processing.
            </description>
            <servlet-class>org.jboss.remoting.transport.servlet.web.ServerInvokerServlet</servlet-class>
    
            <init-param>
                <param-name>locatorUrl</param-name>
                <param-value>servlet://${jboss.bind.address}:8080/servlet-invoker/ServerInvokerServlet</param-value>
                <description>The servlet server invoker</description>
            </init-param>
    
            <load-on-startup>1</load-on-startup>
        </servlet>
    
    
        <servlet>
            <servlet-name>SSLServerInvokerServlet</servlet-name>
            <description>The ServerInvokerServlet receives requests via HTTPS
               protocol from within a web container and passes it onto the
               ServletServerInvoker for processing.
            </description>
            <servlet-class>org.jboss.remoting.transport.servlet.web.ServerInvokerServlet</servlet-class>
    
            <init-param>
                <param-name>locatorUrl</param-name>
                <param-value>sslservlet://${jboss.bind.address}:8443/servlet-invoker/SSLServerInvokerServlet</param-value>
                <description>The servlet server invoker</description>
            </init-param>
    
            <load-on-startup>2</load-on-startup>
        </servlet>
    
        <servlet-mapping>
            <servlet-name>ServerInvokerServlet</servlet-name>
            <url-pattern>/ServerInvokerServlet/*</url-pattern>
        </servlet-mapping>
    
        <servlet-mapping>
            <servlet-name>SSLServerInvokerServlet</servlet-name>
            <url-pattern>/SSLServerInvokerServlet/*</url-pattern>
        </servlet-mapping>
    
    </web-app>
    Result:

    You create a servlet to forward SSL requests from the web container to a server invoker.

The locatorUrl connects the servlet to the remoting connector: its value must match the InvokerLocator attribute of the remoting connector defined in Procedure 15.8, “Configure secure remoting connector for RMI via HTTPS”.

Procedure 15.8. Configure secure remoting connector for RMI via HTTPS

This procedure creates the Server Invoker that implements RMI.
  • Create a file named servlet-invoker-service.xml in jboss-as/server/$PROFILE/deploy/, with the following content:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <server>
       <mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:service=connector,transport=servlet"
        display-name="Servlet transport Connector">
          <attribute name="InvokerLocator">servlet://${jboss.bind.address}:8080/servlet-invoker/ServerInvokerServlet</attribute>
          <attribute name="Configuration">
             <handlers>
                <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
             </handlers>
          </attribute>
       </mbean>
    
       <mbean code="org.jboss.remoting.transport.Connector" name="jboss.remoting:service=connector,transport=sslservlet"
        display-name="Servlet transport Connector">
          <attribute name="InvokerLocator">sslservlet://${jboss.bind.address}:8443/servlet-invoker/SSLServerInvokerServlet</attribute>
          <attribute name="Configuration">
             <handlers>
                <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
             </handlers>
          </attribute>
       </mbean>
    </server>
Result:

You create a remoting connector that can receive requests from a servlet, and invoke methods of an EJB3.

Procedure 15.9. Configure EJB3 beans for HTTPS transport

This procedure configures the EJB3 to bind to the HTTPS transport.
  • Annotate the bean for RMI via HTTPS:

    Example 15.5. Annotating an EJB3 for RMI via HTTPS

    import javax.ejb.Remote;
    import javax.ejb.Stateless;
    // JBoss EJB3 annotations (org.jboss.ejb3.annotation in JBoss AS 5 / EAP 5)
    import org.jboss.ejb3.annotation.RemoteBinding;
    import org.jboss.ejb3.annotation.SecurityDomain;

    // RMI tunneled over HTTPS: clients reach the bean through the SSLServerInvokerServlet on the 8443 connector
    @Stateless
    @RemoteBinding(clientBindUrl = "https://0.0.0.0:8443/servlet-invoker/SSLServerInvokerServlet")
    @Remote(Calculator.class)
    @SecurityDomain("other")
    public class CalculatorHttpsBean implements Calculator
    {
    ....
    Result:

    The EJB3 is now available for remote invocation via HTTPS.

Annotating a bean for RMI via HTTP

Optionally, you can annotate the bean for invocation via RMI via HTTP. This can be useful for testing, as it allows you to tunnel RMI calls through firewalls that block RMI ports, but removes the extra layer of the security configuration.

Example 15.6. Annotating a bean for RMI via HTTP

import javax.ejb.Remote;
import javax.ejb.Stateless;
// JBoss EJB3 annotations (org.jboss.ejb3.annotation in JBoss AS 5 / EAP 5)
import org.jboss.ejb3.annotation.RemoteBinding;
import org.jboss.ejb3.annotation.SecurityDomain;

// RMI tunneled over HTTP: plain-text transport through the ServerInvokerServlet on port 8080
@Stateless
@RemoteBinding(clientBindUrl = "http://0.0.0.0:8080/servlet-invoker/ServerInvokerServlet")
@Remote(Calculator.class)
@SecurityDomain("other")
public class CalculatorHttpBean extends CalculatorImpl
{
....
Configure clients for RMI via HTTPS

The EJB client should use the following properties for the JNDI lookup when looking up beans:

Client access to RMI via HTTP(S)

HTTPS
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

Properties props = new Properties();
props.put("java.naming.factory.initial", "org.jboss.naming.HttpNamingContextFactory");
props.put("java.naming.provider.url", "https://localhost:8443/invoker/JNDIFactory");
props.put("java.naming.factory.url.pkgs", "org.jboss.naming");
// Credentials must be in the environment before the context is created:
// InitialContext copies its environment at construction time.
props.put(Context.SECURITY_PRINCIPAL, username);
props.put(Context.SECURITY_CREDENTIALS, password);
Context ctx = new InitialContext(props);
// username, password and jndiName are supplied by the calling code
Calculator calculator = (Calculator) ctx.lookup(jndiName);
// use the bean to do any operations
HTTP
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

Properties props = new Properties();
props.put("java.naming.factory.initial", "org.jboss.naming.HttpNamingContextFactory");
props.put("java.naming.provider.url", "http://localhost:8080/invoker/JNDIFactory");
props.put("java.naming.factory.url.pkgs", "org.jboss.naming");
// Credentials must be in the environment before the context is created:
// InitialContext copies its environment at construction time.
props.put(Context.SECURITY_PRINCIPAL, username);
props.put(Context.SECURITY_CREDENTIALS, password);
Context ctx = new InitialContext(props);
// username, password and jndiName are supplied by the calling code
Calculator calculator = (Calculator) ctx.lookup(jndiName);
// use the bean to do any operations
In Client access to RMI via HTTP(S), the user name and password values correspond to a valid user name and password for the security domain that secures the http-invoker. This security domain is set in jboss-as/server/$PROFILE/deploy/http-invoker.sar/invoker.war/WEB-INF/jboss-web.xml.
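As an added example (not code from this guide), a complete HTTPS client that sets the http-invoker credentials before the InitialContext is built and points the JVM at a truststore holding the server certificate, so the connection to the 8443 connector is verified rather than accepted blindly. The Calculator interface and JNDI name CalculatorHttpsBean/remote are taken from the bean above; the truststore file localhost.truststore and its password are assumptions.

```java
import java.io.Console;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Added example: EJB3 client for RMI tunneled over HTTPS.
 * Assumes the Calculator remote interface is on the classpath, the bean is bound at
 * CalculatorHttpsBean/remote, and the certificate from the Section 15.2 keystore has
 * been exported into localhost.truststore (both file and password are assumed values).
 */
public class HttpsCalculatorClient {

    /** Builds the JNDI environment; the credentials go in BEFORE the context exists. */
    static Properties httpsEnvironment(String user, String password) {
        Properties props = new Properties();
        props.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.HttpNamingContextFactory");
        props.put(Context.PROVIDER_URL, "https://localhost:8443/invoker/JNDIFactory");
        props.put(Context.URL_PKG_PREFIXES, "org.jboss.naming");
        // InitialContext copies its environment at construction, so anything put
        // into props afterwards never reaches the http-invoker login.
        props.put(Context.SECURITY_PRINCIPAL, user);
        props.put(Context.SECURITY_CREDENTIALS, password);
        return props;
    }

    public static void main(String[] args) throws NamingException {
        // The client trusts only what is in this truststore, so a connector presenting
        // a certificate that is not in it fails the TLS handshake. Leave the JBoss property
        // org.jboss.security.ignoreHttpsHost unset: it disables hostname verification.
        System.setProperty("javax.net.ssl.trustStore", "localhost.truststore");
        System.setProperty("javax.net.ssl.trustStorePassword", "TRUSTSTORE_PASSWORD");

        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("run from a terminal so the password is not echoed");
        }
        String user = console.readLine("User in the http-invoker security domain: ");
        String password = new String(console.readPassword("Password: "));

        Context ctx = new InitialContext(httpsEnvironment(user, password));
        try {
            Calculator calculator = (Calculator) ctx.lookup("CalculatorHttpsBean/remote");
            // Every call on this proxy is tunneled through the SSLServerInvokerServlet on port 8443.
            System.out.println("Obtained proxy " + calculator.getClass().getName());
        } finally {
            ctx.close();
        }
    }
}
```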