15.3. EJB3 RMI + SSL Configuration

Procedure 15.4. Configure RMI + SSL for EJB3 Overview

This procedure configures SSL encryption of Remote Method Invocation traffic between EJB3 beans on the server and a fat client running on another machine on the network.
  1. Generate encryption keys and certificate
  2. Configure a secure remote connector for RMI
  3. Annotate EJB3 beans to use the secure RMI connector
Generating encryption keys and certificates is covered in Section 15.2, “Generate encryption keys and certificate” .
Create a secure remoting connector for RMI

The file ejb3-connectors-jboss-beans.xml in a JBoss Application Server profile deploy directory contains JBoss Remoting connector definitions for EJB3 remote method invocation.

Example 15.2. Sample Secure EJB3 Connector

The beans described in the code sample are appended to the ejb3-connectors-jboss-beans.xml file. Both beans are required to configure a secure connector for EJB3 using the key pair created in Procedure 15.1, “Generate a new key pair and add it to the key store "localhost.keystore" in the conf directory.”.
The keyPassword property in the sample configuration is the key pair password specified when the key pair was created.
The sample configuration creates a connector that listens for SSL connections on port 3843. This port needs to be open on the server firewall for access by clients. 
<bean name="EJB3SSLRemotingConnector" class="org.jboss.remoting.transport.Connector">
	<property name="invokerLocator">sslsocket://${jboss.bind.address}:3843</property>
	<property name="serverConfiguration">
		<inject bean="ServerConfiguration" />
	</property>
	<property name="serverSocketFactory">
		<inject bean="sslServerSocketFactory" />
	</property>
</bean>

<bean name="sslServerSocketFactory" class="org.jboss.security.ssl.DomainServerSocketFactory">
	 <constructor>
			<parameter><inject bean="EJB3SSLDomain"/></parameter>
	 </constructor>
</bean>

<bean name="EJB3SSLDomain" class="org.jboss.security.plugins.JaasSecurityDomain">
	 <constructor>
			<parameter>EJB3SSLDomain</parameter>
	 </constructor>
	 <property name="keyStoreURL">resource:localhost.keystore</property>
	 <property name="keyStorePass">KEYSTORE_PASSWORD</property>
</bean>

Note

The key store (localhost.keystore) may contain multiple key pairs. The EJB connector will use the key pair with the defined keyAlias (ejb-ssl).
Configure EJB3 Beans for SSL Transport

All EJB3 beans use the unsecured RMI connector by default. To enable remote invocation of a bean via SSL, annotate the bean with @org.jboss.annotation.ejb.RemoteBinding .

Example 15.3. EJB3 bean annotation to enable secure remote invocation

The annotation binds an EJB3 bean to the JNDI name StatefulSSL . The proxy implementing the remote interface, returned to a client when the bean is requested from JNDI, communicates with the server via SSL. 
@RemoteBinding(clientBindUrl="sslsocket://0.0.0.0:3843", jndiBinding="StatefulSSL")
  @Remote(BusinessInterface.class)
  public class StatefulBean implements BusinessInterface
  {
     ...
  }

Note

In Example 15.3, “EJB3 bean annotation to enable secure remote invocation” the IP address is specified as 0.0.0.0, meaning "all interfaces". Change this to the value of the ${jboss.bind.address} system property.
Enabling both secure and insecure invocation of an EJB3 bean

You can enable both secure and insecure remote method invocation of the same EJB3 bean. Example 15.4, “EJB3 Bean annotation for secure and unsecured invocation” demonstrates the annotations to do this.

Example 15.4. EJB3 Bean annotation for secure and unsecured invocation

 @RemoteBindings({
     @RemoteBinding(clientBindUrl="sslsocket://0.0.0.0:3843", jndiBinding="StatefulSSL")
     @RemoteBinding(jndiBinding="StatefulNormal")
  })
  @Remote(BusinessInterface.class)
  public class StatefulBean implements BusinessInterface
  {
     ...
  }

Note

In Example 15.4, “EJB3 Bean annotation for secure and unsecured invocation”, the IP address is specified as 0.0.0.0, meaning "all interfaces". Change this to the value of the ${jboss.bind.address} system property.
If a client requests StatefulNormal from JNDI, the returned proxy implementing the remote interface communicates with the server via the unencrypted socket protocol; and if StatefulSSL is requested, the returned proxy implementing the remote interface communicates with the server via SSL.