Chapter 14. ORB Configuration

14.1. About Common Object Request Broker Architecture (CORBA)

Common Object Request Broker Architecture (CORBA) is a standard that enables applications and services to work together even when they are written in multiple, otherwise-incompatible languages or hosted on separate platforms. CORBA requests are brokered by a server-side component called an Object Request Broker (ORB). JBoss EAP provides an ORB instance by means of the OpenJDK ORB component.

The ORB is used internally for Java Transaction Service (JTS) transactions, and is also available for use by your own applications.

14.2. Configure the ORB for JTS Transactions

In a default installation of JBoss EAP, the ORB support for transactions is disabled. You can configure ORB settings in the iiop-openjdk subsystem using the management CLI or the management console.

Note

The iiop-openjdk subsystem is available when using the full or full-ha profile in a managed domain, or the standalone-full.xml or standalone-full-ha.xml configuration file for a standalone server.

For a listing of the available configuration options for the iiop-openjdk subsystem, see IIOP Subsystem Attributes.

Configure the ORB Using the Management CLI

You can configure each aspect of the ORB using the management CLI. This is the minimum configuration for the ORB to be used with JTS.

The following management CLI commands are configured for a managed domain using the full profile. If necessary, change the profile to suit the one you need to configure. If you are using a standalone server, omit the /profile=full portion of the commands.

Enable the Security Interceptors

Enable the security attribute by setting the value to identity.

/profile=full/subsystem=iiop-openjdk:write-attribute(name=security,value=identity)

Enable Transactions in the IIOP Subsystem

To enable the ORB for JTS, set the value of the transactions attribute to full, rather than the default spec.

/profile=full/subsystem=iiop-openjdk:write-attribute(name=transactions,value=full)

Enable JTS in the Transactions Subsystem

/profile=full/subsystem=transactions:write-attribute(name=jts,value=true)

Note

JTS activation requires a server restart; a reload is not enough.

Configure the ORB Using the Management Console

  1. Select the Configuration tab from the top of the management console.
  2. Select Subsystems. In a managed domain, you will need to select the appropriate profile first.
  3. Select the IIOP subsystem and click View.
  4. Click the Edit button and modify the attributes as needed. Click on the Need Help? link for detailed explanations of each field.
  5. Click Save to save the changes.

14.3. Configure IIOP to Use SSL/TLS with the Elytron Subsystem

You can configure the iiop-openjdk subsystem to use SSL/TLS to secure communication between clients and servers. The elytron subsystem, as well as the legacy security subsystem, provides the necessary components for configuring SSL/TLS for the iiop-openjdk subsystem as well as other subsystems within JBoss EAP. Use the following steps to configure the iiop-openjdk subsystem to use the elytron subsystem for SSL/TLS.

  1. Use the following management CLI command to display the current legacy SSL/TLS configuration in the iiop-openjdk subsystem.

    /subsystem=iiop-openjdk:read-attribute(name=security-domain)
    {
        "outcome" => "success",
        "result" => "iiopSSLSecurityDomain"
    }

    The iiop-openjdk subsystem must use either the legacy security subsystem or the elytron subsystem for SSL/TLS. You cannot use both at the same time. The above command shows that the iiop-openjdk subsystem is using a legacy security domain for handling SSL/TLS. Before you can configure the iiop-openjdk subsystem to use the elytron subsystem for SSL/TLS, you need to remove this reference:

    /subsystem=iiop-openjdk:undefine-attribute(name=security-domain)

    If the security-domain attribute in the iiop-openjdk subsystem is not defined, you can proceed to the next step.

  2. Create a server-ssl-context.

    To use SSL/TLS with the iiop-openjdk subsystem, you need to define a server-ssl-context. JBoss EAP uses the configuration provided by the server-ssl-context when making an SSL/TLS connection as a server. You can find more details on creating a server-ssl-context in Enable One-way SSL/TLS for Applications using the Elytron Subsystem in the How to Configure Server Security guide.

  3. Create a client-ssl-context.

    To use SSL/TLS with the iiop-openjdk subsystem, you need to define a client-ssl-context. JBoss EAP uses the configuration provided by the client-ssl-context when making an SSL/TLS connection as a client. You can find more details on creating a client-ssl-context in Using a client-ssl-context in the How to Configure Server Security guide.

  4. Configure the iiop-openjdk subsystem to use the client-ssl-context and server-ssl-context.

    Example: Setting client-ssl-context and server-ssl-context

    batch
    
    /subsystem=iiop-openjdk:write-attribute(name=client-ssl-context,value=iiopClientSSC)
    
    /subsystem=iiop-openjdk:write-attribute(name=server-ssl-context,value=iiopServerSSC)
    
    run-batch
    
    reload

  5. Configure the connection to and from the iiop-openjdk subsystem.

    You can indicate whether or not SSL/TLS connections are required when connecting to and from the iiop-openjdk subsystem by adjusting the following attributes:

    • To enable support for SSL in the iiop-openjdk subsystem, set support-ssl to true. Defaults to false.
    • To require SSL/TLS connections from the iiop-openjdk subsystem, set client-requires-ssl to true. Defaults to false.
    • To require SSL/TLS connections to the iiop-openjdk subsystem, set server-requires-ssl to true. Defaults to false.
    • To adjust the socket-binding, set ssl-socket-binding to the desired binding. Defaults to iiop-ssl.

    Example: Setting SSL/TLS Connections to and from IIOP as Required

    /subsystem=iiop-openjdk:write-attribute(name=support-ssl,value=true)
    
    /subsystem=iiop-openjdk:write-attribute(name=client-requires-ssl,value=true)
    
    /subsystem=iiop-openjdk:write-attribute(name=server-requires-ssl,value=true)
    
    /subsystem=iiop-openjdk:write-attribute(name=ssl-socket-binding,value=iiop-ssl)
    
    reload
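
Steps 2 and 3 above defer the creation of the two SSL contexts to another guide. As an added example (not part of the original documentation), the following management CLI script creates them on a standalone server before step 4 is run, then reads back the iiop-openjdk settings after step 5. The resource names iiopKS, iiopKM, iiopTS and iiopTM, the key store file names and the passwords are assumptions; iiopServerSSC and iiopClientSSC match the names used in step 4.

```jboss-cli
# Added example for a standalone server; in a managed domain, prefix the
# addresses with the profile (for example /profile=full) as in section 14.2.
# Assumed placeholders: the *.jks file names and the CHANGE_ME_* passwords.
# clear-text credentials keep the example short; a credential-reference that
# points at a credential store (store=..., alias=...) keeps the password out
# of the server configuration file.

batch

# Step 2: key material and the server-ssl-context presented to IIOP clients.
/subsystem=elytron/key-store=iiopKS:add(path=iiop-server.keystore.jks,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=CHANGE_ME_KEYSTORE})
/subsystem=elytron/key-manager=iiopKM:add(key-store=iiopKS,credential-reference={clear-text=CHANGE_ME_KEYSTORE})
/subsystem=elytron/server-ssl-context=iiopServerSSC:add(key-manager=iiopKM,protocols=["TLSv1.2"])

# Step 3: trust anchors and the client-ssl-context used for outbound IIOP calls.
/subsystem=elytron/key-store=iiopTS:add(path=iiop-client.truststore.jks,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=CHANGE_ME_TRUSTSTORE})
/subsystem=elytron/trust-manager=iiopTM:add(key-store=iiopTS)
/subsystem=elytron/client-ssl-context=iiopClientSSC:add(trust-manager=iiopTM,protocols=["TLSv1.2"])

run-batch

# After steps 4 and 5 and the reload, read the settings back.
# Per step 1, security-domain must no longer be set once the Elytron
# contexts are referenced.
/subsystem=iiop-openjdk:read-attribute(name=security-domain)
/subsystem=iiop-openjdk:read-attribute(name=server-ssl-context)
/subsystem=iiop-openjdk:read-attribute(name=client-ssl-context)
/subsystem=iiop-openjdk:read-attribute(name=support-ssl)
/subsystem=iiop-openjdk:read-attribute(name=client-requires-ssl)
/subsystem=iiop-openjdk:read-attribute(name=server-requires-ssl)
/subsystem=iiop-openjdk:read-attribute(name=ssl-socket-binding)
```

Because client-requires-ssl and server-requires-ssl both default to false, the read-back is the point at which to confirm that SSL/TLS is required rather than only supported.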