15.5. EJB2 RMI + SSL Configuration
Procedure 15.10. Configure SSL for EJB2 Overview
- Generate encryption keys and certificate
- Configure Unified Invoker for SSL
Generating encryption keys and certificates is covered in Section 15.2, “Generate encryption keys and certificate”.
Configure Unified Invoker for SSL
EJB2 remote invocation uses a single unified invoker, which listens by default on port 4446. The unified invoker used for EJB2 remote method invocation is configured in the $JBOSS_HOME/server/deploy/remoting-jboss-beans.xml file of a JBoss Application Server profile. Add the following SSL server socket factory bean and SSL domain bean to this file. The socket factory wraps the server socket in SSL using the key pair held by the security domain's keystore, so the keystore password and key password below are placeholders that must be replaced with the values chosen when the keystore was generated.
Example 15.7. SSL Server Factory for EJB2
<bean name="sslServerSocketFactoryEJB2" class="org.jboss.security.ssl.DomainServerSocketFactory">
  <constructor>
    <parameter><inject bean="EJB2SSLDomain"/></parameter>
  </constructor>
</bean>
<bean name="EJB2SSLDomain" class="org.jboss.security.plugins.JaasSecurityDomain">
  <constructor>
    <parameter>EJB2SSLDomain</parameter>
  </constructor>
  <property name="keyStoreURL">resource:localhost.keystore</property>
  <property name="keyStorePass">changeit</property>
  <property name="keyAlias">ejb-ssl</property>
  <property name="keyPassword">EJB-SSL_KEYPAIR_PASSWORD</property>
</bean>
Now customize the SSLSocketBuilder by adding the following to the $JBOSS_HOME/server/$PROFILE/conf/jboss-service.xml file of the JBoss Application Server profile:
Example 15.8. SSLSocketBuilder configuration
<!-- This section is for the custom (SSL) server socket factory -->
<mbean code="org.jboss.remoting.security.SSLSocketBuilder"
       name="jboss.remoting:service=SocketBuilder,type=SSL"
       display-name="SSL Server Socket Factory Builder">
  <!-- IMPORTANT - If making ANY customizations, this MUST be set to false. -->
  <!-- Otherwise, the default settings will be used and the following attributes will be ignored. -->
  <attribute name="UseSSLServerSocketFactory">false</attribute>
  <!-- This is the URL string of the key store to use -->
  <attribute name="KeyStoreURL">localhost.keystore</attribute>
  <!-- The password for the key store -->
  <attribute name="KeyStorePassword">sslsocket</attribute>
  <!-- The password for the keys (KeyStorePassword is used if this is not set explicitly). -->
  <attribute name="KeyPassword">sslsocket</attribute>
  <!-- The protocol for the SSLContext. Default is TLS. -->
  <attribute name="SecureSocketProtocol">TLS</attribute>
  <!-- The algorithm for the key manager factory. Default is SunX509. -->
  <attribute name="KeyManagementAlgorithm">SunX509</attribute>
  <!-- The type to be used for the key store. -->
  <!-- Defaults to JKS. Some acceptable values are JKS (Java Keystore - Sun's keystore format), -->
  <!-- JCEKS (Java Cryptography Extension keystore - More secure version of JKS), and -->
  <!-- PKCS12 (Public-Key Cryptography Standards #12 keystore - RSA's Personal Information Exchange Syntax Standard). -->
  <!-- These are not case sensitive. -->
  <attribute name="KeyStoreType">JKS</attribute>
</mbean>
<mbean code="org.jboss.remoting.security.SSLServerSocketFactoryService"
       name="jboss.remoting:service=ServerSocketFactory,type=SSL"
       display-name="SSL Server Socket Factory">
  <depends optional-attribute-name="SSLSocketBuilder"
           proxy-type="attribute">jboss.remoting:service=SocketBuilder,type=SSL</depends>
</mbean>
Configure SSL Transport for Beans
In the deploy/remoting-jboss-beans.xml file of the JBoss Application Server profile, update the UnifiedInvokerConnector and UnifiedInvokerConfiguration beans as shown below, so that the connector uses the SSL server socket factory defined above and the transport is switched from socket to sslsocket:
Example 15.9. SSL Transport for Beans
...
<bean name="UnifiedInvokerConnector" class="org.jboss.remoting.transport.Connector">
  <annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.remoting:service=Connector,transport=socket", exposedInterface=org.jboss.remoting.transport.ConnectorMBean.class,registerDirectly=true)</annotation>
  <property name="serverConfiguration"><inject bean="UnifiedInvokerConfiguration"/></property>
  <!-- add this to configure the SSL socket for the UnifiedInvoker -->
  <property name="serverSocketFactory"><inject bean="sslServerSocketFactoryEJB2"/></property>
</bean>
...
<bean name="UnifiedInvokerConfiguration" class="org.jboss.remoting.ServerConfiguration">
  <constructor>
    <!-- transport: Others include sslsocket, bisocket, sslbisocket, http, https, rmi, sslrmi, servlet, sslservlet. -->
    <parameter>sslsocket</parameter><!-- changed from socket to sslsocket -->
  </constructor>
  ...
</bean>
...
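The three edits in this section (a DomainServerSocketFactory bean backed by a JaasSecurityDomain, the serverSocketFactory injection on the Connector, and the transport switched to sslsocket) are easy to get half right, leaving the EJB2 invoker still listening in the clear. The following script is an added example, not part of the JBoss documentation or code base: it parses a remoting-jboss-beans.xml with the standard library, follows the bean wiring by name, and reports which of the three settings is missing, plus any keystore or key password left at a placeholder value. The bean names are the ones used in Examples 15.7 and 15.9; both XML samples are constructed for the example, and the "after" sample uses a constructed EJB2_KEYSTORE_PASSWORD_PLACEHOLDER value in place of a real password.

```python
# Added example (not JBoss code): audit a remoting-jboss-beans.xml for the
# EJB2 SSL wiring described in this section. Bean names follow the page;
# the sample XML below is constructed.
import xml.etree.ElementTree as ET

# Example values from this page that must be replaced in a real deployment,
# plus the well-known Java default keystore password.
PLACEHOLDER_PASSWORDS = {"", "changeit", "sslsocket"}

# Constructed "after" sample: Examples 15.7 and 15.9 merged into one deployment.
SAMPLE_SECURE = """<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <bean name="sslServerSocketFactoryEJB2" class="org.jboss.security.ssl.DomainServerSocketFactory">
    <constructor><parameter><inject bean="EJB2SSLDomain"/></parameter></constructor>
  </bean>
  <bean name="EJB2SSLDomain" class="org.jboss.security.plugins.JaasSecurityDomain">
    <constructor><parameter>EJB2SSLDomain</parameter></constructor>
    <property name="keyStoreURL">resource:localhost.keystore</property>
    <property name="keyStorePass">EJB2_KEYSTORE_PASSWORD_PLACEHOLDER</property>
    <property name="keyAlias">ejb-ssl</property>
    <property name="keyPassword">EJB-SSL_KEYPAIR_PASSWORD</property>
  </bean>
  <bean name="UnifiedInvokerConnector" class="org.jboss.remoting.transport.Connector">
    <property name="serverConfiguration"><inject bean="UnifiedInvokerConfiguration"/></property>
    <property name="serverSocketFactory"><inject bean="sslServerSocketFactoryEJB2"/></property>
  </bean>
  <bean name="UnifiedInvokerConfiguration" class="org.jboss.remoting.ServerConfiguration">
    <constructor><parameter>sslsocket</parameter></constructor>
  </bean>
</deployment>"""

# Constructed "before" sample: the stock plain-socket invoker, no SSL factory wired in.
SAMPLE_PLAIN = """<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <bean name="UnifiedInvokerConnector" class="org.jboss.remoting.transport.Connector">
    <property name="serverConfiguration"><inject bean="UnifiedInvokerConfiguration"/></property>
  </bean>
  <bean name="UnifiedInvokerConfiguration" class="org.jboss.remoting.ServerConfiguration">
    <constructor><parameter>socket</parameter></constructor>
  </bean>
</deployment>"""

def _local(tag):
    """Strip the bean-deployer namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]

def _find(elem, local, **attrs):
    """First child of elem with the given local tag name and attribute values (None-safe)."""
    for child in (elem if elem is not None else ()):
        if _local(child.tag) == local and all(child.get(k) == v for k, v in attrs.items()):
            return child
    return None

def audit_remoting_config(xml_text):
    """Return a list of findings; an empty list means the EJB2 invoker is wired for SSL."""
    root = ET.fromstring(xml_text)
    beans = {b.get("name"): b for b in root.iter() if _local(b.tag) == "bean"}
    findings = []
    # 1. The ServerConfiguration transport must be sslsocket, not socket.
    param = _find(_find(beans.get("UnifiedInvokerConfiguration"), "constructor"), "parameter")
    transport = (param.text or "").strip() if param is not None else None
    if transport != "sslsocket":
        findings.append(f"UnifiedInvokerConfiguration transport is {transport!r}, expected 'sslsocket'")
    # 2. The Connector must inject a serverSocketFactory bean that actually exists.
    prop = _find(beans.get("UnifiedInvokerConnector"), "property", name="serverSocketFactory")
    inject = _find(prop, "inject")
    factory = beans.get(inject.get("bean")) if inject is not None else None
    if factory is None:
        findings.append("UnifiedInvokerConnector does not inject an existing serverSocketFactory bean")
        return findings
    # 3. The factory's security domain must not keep placeholder keystore/key passwords.
    inject = _find(_find(_find(factory, "constructor"), "parameter"), "inject")
    domain = beans.get(inject.get("bean")) if inject is not None else None
    if domain is None:
        findings.append("SSL socket factory does not inject a security domain bean")
        return findings
    for prop_name in ("keyStorePass", "keyPassword"):
        p = _find(domain, "property", name=prop_name)
        value = (p.text or "").strip() if p is not None else ""
        if value in PLACEHOLDER_PASSWORDS:
            findings.append(f"{domain.get('name')}.{prop_name} is the placeholder value {value!r}")
    return findings

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_PLAIN), ("after", SAMPLE_SECURE)):
        print(label, audit_remoting_config(sample) or ["ok"])
```

Run against the real file with `audit_remoting_config(open(path).read())`. The checks deliberately follow the inject references by bean name rather than looking for fixed text, so a factory bean that is defined but never injected into the Connector, or a Connector pointing at a bean that does not exist, is reported instead of passing silently; the same approach extends to the SSLSocketBuilder mbean in jboss-service.xml, where KeyStorePassword and KeyPassword should receive the same placeholder check.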