Hot questions for Using Enterprise JavaBeans in ssl

Question:

I have written a simple EJB thin client to look up the bean deployed in IBM WebSphere 8.5.

When SSL was not enabled on the server I was able to look up the bean successfully, but as soon as I enabled SSL I started getting the exception mentioned below.

This is how I enabled the security through the admin console:

Exception:

javax.naming.NamingException: Error getting WsnNameService properties [Root exception is org.omg.CORBA.TRANSIENT: initial and forwarded IOR inaccessible  vmcid: IBM  minor code: E07  completed: No]
at com.ibm.ws.naming.util.WsnInitCtxFactory.mergeWsnNSProperties(WsnInitCtxFactory.java:1552)
at com.ibm.ws.naming.util.WsnInitCtxFactory.getRootContextFromServer(WsnInitCtxFactory.java:1042)
at com.ibm.ws.naming.util.WsnInitCtxFactory.getRootJndiContext(WsnInitCtxFactory.java:962)
at com.ibm.ws.naming.util.WsnInitCtxFactory.getInitialContextInternal(WsnInitCtxFactory.java:614)
at com.ibm.ws.naming.util.WsnInitCtx.getContext(WsnInitCtx.java:128)
at com.ibm.ws.naming.util.WsnInitCtx.getContextIfNull(WsnInitCtx.java:765)
at com.ibm.ws.naming.util.WsnInitCtx.lookup(WsnInitCtx.java:164)
at com.ibm.ws.naming.util.WsnInitCtx.lookup(WsnInitCtx.java:179)
at javax.naming.InitialContext.lookup(InitialContext.java:436)
at nh.indi.test.S2SCommTest.lookupServiceEJB(S2SCommTest.java:55)
at nh.indi.test.S2SCommTest.main(S2SCommTest.java:22) 
Caused by: org.omg.CORBA.TRANSIENT: initial and forwarded IOR inaccessible  vmcid: IBM  minor code: E07  completed: No
at com.ibm.rmi.corba.ClientDelegate.createRequest(ClientDelegate.java:1276)
at com.ibm.CORBA.iiop.ClientDelegate.createRequest(ClientDelegate.java:1342)
at com.ibm.rmi.corba.ClientDelegate.createRequest(ClientDelegate.java:1164)
at com.ibm.CORBA.iiop.ClientDelegate.createRequest(ClientDelegate.java:1308)
at com.ibm.rmi.corba.ClientDelegate.request(ClientDelegate.java:1886)
at com.ibm.CORBA.iiop.ClientDelegate.request(ClientDelegate.java:1264)
at org.omg.CORBA.portable.ObjectImpl._request(ObjectImpl.java:458)
at com.ibm.WsnBootstrap._WsnNameServiceStub.getProperties(_WsnNameServiceStub.java:38)
at com.ibm.ws.naming.util.WsnInitCtxFactory.mergeWsnNSProperties(WsnInitCtxFactory.java:1549)
... 10 more

Code :

import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;
import indi.nh.business.framework.bos.di.BatchIdTrackingBeanRemote;

public class S2SCommTest {

    public static void main(String args[]) throws NamingException {

        Properties ejbProps = new Properties();
        // Use the IBM ORB and WebSphere's JNDI initial context factory
        ejbProps.put("org.omg.CORBA.ORBClass", "com.ibm.CORBA.iiop.ORB");
        ejbProps.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.ibm.websphere.naming.WsnInitialContextFactory");
        // Bootstrap address of the name server (IIOP, bootstrap port 2809)
        ejbProps.put(Context.PROVIDER_URL, "corbaloc:iiop:160.XX.XX.XX:2809");

        InitialContext ffmContext = new InitialContext(ejbProps);
        // Fully qualified JNDI name of the bean's remote interface
        Object remoteObject = ffmContext
                .lookup("ejb/MyAppEar-CLUSTER/MyAppEJB.jar/BatchIdTrackingBean#indi.nh.business.framework.bos.di.BatchIdTrackingBeanRemote");

        BatchIdTrackingBeanRemote serviceTester = (BatchIdTrackingBeanRemote) PortableRemoteObject
                .narrow(remoteObject, BatchIdTrackingBeanRemote.class);

        System.out.println(serviceTester);
    }
}

While running the program I am also passing the location of the sas.client.props file on my local file system, as mentioned here. 1

-Dcom.ibm.CORBA.ConfigURL=file:///C:/Temp/docs/S2S_Docs/sas.client.props

1: How to connect to a WebSphere Application Server 8.5 Message Queue while Administrative Security is enabled

Can anybody please help me test this successfully with SSL enabled on the WebSphere application server, or tell me what I am missing in my client-side or server-side configuration?


Answer:

You also need to add this property to the java command: -Dcom.ibm.CORBA.ConfigURL=file:///home/user1/sas.client.props

You can copy the ssl.client.props file (in addition to sas.client.props) from the WebSphere Application Server installation. You need to at least update the location of the key files in the ssl.client.props file to match where you created or copied the key files. For example,

-Dcom.ibm.ssl.keyStore=/home/user1/etc/key.p12 -Dcom.ibm.ssl.trustStore=/home/user1/etc/trust.p12

When you run the client again, it should prompt you to add the signer to the trust store if it is not there.

More details at: https://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tcli_ejbthinclient.html
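An added diagnostic (not part of the answer above, and not IBM's code) that does ahead of time what the signer prompt does interactively: it loads the trust store that ssl.client.props points at and completes a TLS handshake with the server's CSIv2 SSL port, so a missing signer shows up as an explicit handshake error instead of the CORBA.TRANSIENT E07 seen in the question. The props path, the host and port 9403 (the WebSphere default CSIv2 SSL port) are assumed values; the {xor} decoding follows WebSphere's documented password obfuscation.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Base64;
import java.util.Properties;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added diagnostic, not the page's or IBM's code: load the trust store named in
// ssl.client.props and complete a TLS handshake with the server's CSIv2 SSL port,
// so a missing signer shows up as a handshake error instead of CORBA.TRANSIENT E07.
public class SignerCheck {
    // ssl.client.props stores passwords as {xor}<base64> with every byte XORed with '_'
    // (0x5F). That is reversible obfuscation, not encryption: protect the file itself.
    static String decodePassword(String value) {
        if (value == null || !value.startsWith("{xor}")) return value;
        byte[] raw = Base64.getDecoder().decode(value.substring("{xor}".length()));
        for (int i = 0; i < raw.length; i++) raw[i] ^= 0x5F;
        return new String(raw, java.nio.charset.StandardCharsets.UTF_8);
    }

    // Build an SSLContext that trusts exactly what com.ibm.ssl.trustStore contains.
    static SSLContext contextFromClientProps(String propsPath) throws Exception {
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(propsPath)) {
            p.load(in);
        }
        KeyStore ts = KeyStore.getInstance(p.getProperty("com.ibm.ssl.trustStoreType", "PKCS12"));
        String pw = decodePassword(p.getProperty("com.ibm.ssl.trustStorePassword"));
        try (InputStream in = new FileInputStream(p.getProperty("com.ibm.ssl.trustStore"))) {
            ts.load(in, pw == null ? null : pw.toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        // Assumed arguments: props path, server host, CSIv2 SSL port (9403 is the WebSphere default).
        String propsPath = args.length > 0 ? args[0] : "C:/Temp/docs/S2S_Docs/ssl.client.props";
        String host = args.length > 1 ? args[1] : "160.XX.XX.XX";
        int port = args.length > 2 ? Integer.parseInt(args[2]) : 9403;
        try (SSLSocket s = (SSLSocket) contextFromClientProps(propsPath).getSocketFactory().createSocket(host, port)) {
            s.startHandshake(); // SSLHandshakeException here means the signer is missing from the trust store
            System.out.println("Handshake OK, server certificate: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Run it with the same ssl.client.props you hand to the thin client; once the handshake succeeds with that trust store, the E07 error should not recur for the SSL part of the connection.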

Question:

I am trying to enable TLSv1.3 in JBoss 7.0.0 GA as given below

<https-listener name="default-https" enabled-protocols="TLSv1.1,TLSv1.2,TLSv1.3" security-realm="ApplicationRealm" socket-binding="https"/>

I am able to connect via TLSv1.1 and TLSv1.2, but while trying to connect via TLSv1.3 I am getting the error below.

Caused by: java.security.NoSuchAlgorithmException: TLSv1.3 SSLContext not available
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:159) ~[?:1.8.0_144]
    at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156) ~[?:1.8.0_144]
    at org.xnio.ssl.JsseSslUtils.createSSLContext(JsseSslUtils.java:90) ~[jboss-client-7.0.0.GA-redhat-2.jar:7.0.0.GA-redhat-2]
    at org.xnio.ssl.JsseSslUtils.createSSLContext(JsseSslUtils.java:67) ~[jboss-client-7.0.0.GA-redhat-2.jar:7.0.0.GA-redhat-2]
    at org.xnio.ssl.JsseXnioSsl.<init>(JsseXnioSsl.java:79) ~[jboss-client-7.0.0.GA-redhat-2.jar:7.0.0.GA-redhat-2]
    at org.xnio.Xnio.getSslProvider(Xnio.java:272) ~[jboss-client-7.0.0.GA-redhat-2.jar:7.0.0.GA-redhat-2]
    at org.jboss.remoting3.remote.RemoteConnectionProvider.connect(RemoteConnectionProvider.java:207) ~[jboss-client-7.0.0.GA-redhat-2.jar:7.0.0.GA-redhat-2]
    at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:326) ~[jboss-client-7.0.0.GA-redhat-2.jar:7.0.0.GA-redhat-2]
    ... 68 more

Answer:

The TLS 1.3 specification is still in draft and not yet available in Java.

The Java Secure Socket Extension reference guide lists the currently supported protocols.

Update

TLS 1.3 is now supported in Java 11.
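As an added check (not from the answer above or from JBoss), the following program asks the running JVM for each protocol named in the question's enabled-protocols value and reports which ones it can actually build an SSLContext for, which is the call that fails in the stack trace; the protocol list is the constructed input taken from the question. On Java 8 it flags TLSv1.3 as unavailable; on Java 11 all three pass.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added check, not from the original answer or from JBoss: verify a listener's
// enabled-protocols list against the JVM before deploying it.
public class TlsProtocolCheck {

    // Constructed input: the enabled-protocols value from the question's https-listener.
    static final String CONFIGURED = "TLSv1.1,TLSv1.2,TLSv1.3";

    // A protocol is usable only if the JVM lists it as supported AND can build an
    // SSLContext for it by name, which is the call that fails in the stack trace
    // (javax.net.ssl.SSLContext.getInstance -> NoSuchAlgorithmException).
    static List<String> usable(String configured) throws NoSuchAlgorithmException {
        List<String> supported = Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
        List<String> ok = new ArrayList<>();
        for (String proto : configured.split(",")) {
            String name = proto.trim();
            if (!supported.contains(name)) {
                continue;
            }
            try {
                SSLContext.getInstance(name);
                ok.add(name);
            } catch (NoSuchAlgorithmException e) {
                // Java 8 lands here for TLSv1.3: the JSSE provider does not know the name.
            }
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        List<String> ok = usable(CONFIGURED);
        System.out.println("java.version=" + System.getProperty("java.version"));
        System.out.println("enabled-protocols this JVM can serve: " + String.join(",", ok));
        for (String proto : CONFIGURED.split(",")) {
            if (!ok.contains(proto.trim())) {
                System.out.println("WARNING: " + proto.trim() + " is not available in this JVM");
            }
        }
        // TLSv1.1 is deprecated (RFC 8996); even where the JVM still offers it, drop it
        // from enabled-protocols once all clients speak TLSv1.2 or later.
    }
}
```

Both ends of the remoting connection need a JVM that passes this check, since the failing call in the question comes from the client jar, not the server.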

Question:

Does anyone know if it is possible to perform a JNDI lookup on Weblogic using a custom SSL socket connection other than the built-in connection method?

Hashtable<String, String> ht = new Hashtable<String, String>();
ht.put(Context.SECURITY_PROTOCOL, "ssl");
ht.put(Context.SECURITY_AUTHENTICATION, "simple");
ht.put("weblogic.socket", "mypackage.MyCustomSSLSocket"); //SOMETHING LIKE THIS
InitialContext context = new InitialContext(ht);

MyCustomSSLSocket will be configured with my trust store...


Answer:

I didn't find a way; I think in this case it is impossible. There is a description of how to configure the T3 client with a custom SSLSocketFactory

Question:

I want to implement SSL for EJB calls. I tried the following link, but it's not working as expected.

enable SSL in jboss

How do I enable SSL in JBoss 7.0.0.GA for EJB calls?


Answer:

Try this tutorial for WildFly 10 - http://middlewaremagic.com/jboss/?p=2783

What you need to change in server configuration is:

  • add SSL as your identity in a SecurityRealm
  • configure an HTTPS listener in the undertow subsystem
  • configure a connector in the remoting subsystem which will use the HTTPS listener
  • reference the new remoting connector from the ejb3 subsystem

Sample CLI:

/core-service=management/security-realm=ApplicationRealm/server-identity=ssl:add(keystore-path=server.keystore, keystore-relative-to=jboss.server.config.dir, keystore-password=123456)
reload
/subsystem=undertow/server=default-server/https-listener=https:add(socket-binding=https, security-realm=ApplicationRealm)
/subsystem=remoting/http-connector=https-remoting-connector:add(connector-ref=https, sasl-protocol=remote, security-realm=ApplicationRealm)
/subsystem=ejb3/service=remote:write-attribute(name=connector-ref,value=https-remoting-connector)
reload

Then you should use the proper port (8443) in the EJB client configuration.

Question:

I get the exception:

Warning:   StandardWrapperValve[org.netbeans.rest.application.config.ApplicationConfig]: Servlet.service() for servlet org.netbeans.rest.application.config.ApplicationConfig threw exception
javax.ejb.AccessLocalException: Client not authorized for this invocation

This is perfectly normal, as it is not authorized for this method call.

Unfortunately, as this EJB is a REST service as well, it throws a "500 - Bad Request" HTTP status. Instead I would like to have a "401 - Unauthorized".

Should I not use EJB Security or should I catch this AccessLocalException in the ApplicationConfig or should I use Jersey to implement REST Security?

Roles are defined in the web.xml and annotations are put upon the EJB Bean.


Answer:

You can define an ExceptionMapper that maps a general exception onto an HTTP Response.

import javax.ejb.EJBAccessException;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

// AccessLocalException extends EJBAccessException, so this mapper also handles the
// "Client not authorized for this invocation" case from the question. @Provider lets
// the JAX-RS runtime pick it up when the ApplicationConfig scans for providers.
@Provider
public class EJBAccessExceptionMapper implements
        ExceptionMapper<EJBAccessException>
{
  @Override
  public Response toResponse(EJBAccessException exception)
  {
    return Response.status(Response.Status.UNAUTHORIZED).build();
  }
}