Setting up SSL for use in EJB3 involves creating a keystore and making sure the correct transport is available in the EJB3 configuration. After that, you only have to use the RemoteBinding annotation with a clientBindUrl to make sure the bean is called through SSL.
This tutorial assumes you've set up JBoss 4.0.4.GA with EJB3 support. Make sure the environment variable JBOSS_HOME refers to the installation directory.
TODO: simple SSL remoting doesn't work in 4.0.4.GA, only advanced.
$ cd $JBOSS_HOME/server/default/conf/
$ keytool -genkey -alias ejb3-ssl -keypass opensource -keystore localhost.keystore
Enter keystore password:  opensource
What is your first and last name?
  [Unknown]:
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes
Since our certificate is not signed by any certification authority, we also need to create a truststore for the client, explicitly saying that we trust the certificate we just created. The first step is to export the certificate using the JDK keytool:
$ keytool -export -alias ejb3-ssl -file mycert.cer -keystore localhost.keystore
Enter keystore password:  opensource
Certificate stored in file <mycert.cer>
Then we need to create the truststore if it does not exist and import the certificate into the truststore:
$ keytool -import -alias ejb3-ssl -file mycert.cer -keystore localhost.truststore
Enter keystore password:  opensource
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 43bff927
Valid from: Sat Jan 07 18:23:51 CET 2006 until: Fri Apr 07 19:23:51 CEST 2006
Certificate fingerprints:
         MD5:  CF:DC:71:A8:F4:EA:8F:5A:E9:94:E3:E6:5B:A9:C8:F3
         SHA1: 0E:AD:F3:D6:41:5E:F6:84:9A:D1:54:3D:DE:A9:B2:01:28:F6:7C:26
Trust this certificate? [no]:  yes
Certificate was added to keystore
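The three keytool steps above as one non-interactive script, followed by a check that the truststore entry carries the same fingerprint as the keystore certificate and holds no private key. This is an added example, not part of the original tutorial; the function names, `-keyalg RSA -keysize 2048` and the `CN=localhost` subject are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): scripted keystore/truststore setup
# plus a fingerprint comparison between the two stores.
ALIAS=ejb3-ssl      # alias used in the tutorial
PASS=opensource     # the tutorial's demo password

# Print the certificate fingerprint keytool reports for $ALIAS in store $1.
fingerprint() {
    keytool -list -alias "$ALIAS" -keystore "$1" -storepass "$PASS" 2>/dev/null |
        sed -n 's/.*fingerprint[^:]*: //p'
}

# Create localhost.keystore, mycert.cer and localhost.truststore in directory $1.
make_stores() {
    dir=$1
    # CN=localhost, RSA and 2048 bits are assumptions; 90 days matches the
    # validity period visible in the tutorial's keytool output.
    keytool -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -dname "CN=localhost" -validity 90 \
        -keypass "$PASS" -storepass "$PASS" \
        -keystore "$dir/localhost.keystore" >/dev/null 2>&1 || return 1
    keytool -export -alias "$ALIAS" -file "$dir/mycert.cer" \
        -keystore "$dir/localhost.keystore" -storepass "$PASS" \
        >/dev/null 2>&1 || return 1
    keytool -import -noprompt -alias "$ALIAS" -file "$dir/mycert.cer" \
        -keystore "$dir/localhost.truststore" -storepass "$PASS" \
        >/dev/null 2>&1 || return 1
}

# Succeed only if both stores hold the same certificate under $ALIAS and the
# truststore entry is a certificate-only entry (no private key shipped to clients).
verify_stores() {
    dir=$1
    ks=$(fingerprint "$dir/localhost.keystore")
    ts=$(fingerprint "$dir/localhost.truststore")
    [ -n "$ks" ] && [ "$ks" = "$ts" ] || return 1
    keytool -list -alias "$ALIAS" -keystore "$dir/localhost.truststore" \
        -storepass "$PASS" 2>/dev/null | grep -q trustedCertEntry
}
```

After sourcing the file, run `make_stores "$JBOSS_HOME/server/default/conf" && verify_stores "$JBOSS_HOME/server/default/conf"`; a non-zero exit from `verify_stores` means the client truststore does not match the server certificate.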
<mbean code="org.jboss.remoting.transport.Connector"
       name="jboss.remoting:type=Connector,transport=socket3843,handler=ejb3">
   <depends>jboss.aop:service=AspectDeployer</depends>
   <attribute name="InvokerLocator">sslsocket://0.0.0.0:3843</attribute>
   <attribute name="Configuration">
      <handlers>
         <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
      </handlers>
   </attribute>
</mbean>
$ cd $JBOSS_HOME/bin
$ ./run.sh -Djavax.net.ssl.keyStore=../server/default/conf/localhost.keystore -Djavax.net.ssl.keyStorePassword=opensource
@RemoteBinding(clientBindUrl="sslsocket://0.0.0.0:3843")
For the purpose of this tutorial an example bean is provided (see src/org/jboss/tutorial/ssl/bean/CalculatorBean.java). To compile and deploy the example, simply execute ant ejbjar.
$ java -Djavax.net.ssl.trustStore=$JBOSS_HOME/server/default/conf/localhost.truststore -Djavax.net.ssl.trustStorePassword=opensource org.jboss.tutorial.ssl.client.Client
Or better yet, just run ant run.
TODO: better explanation here!