Encrypting the communication between client and server provides improved security and privacy protection for your system. This can be an important requirement by the customer, especially if client or server need to work in an unprotected network.
This article shows you how to setup SSL encrypted EJB calls in JBoss AS 7.
There are only two things that need to be done on server side:
- creating a key store with the privat/public pair of keys for the encryption and
- referencing the key store in the server configuration.
The source code of your application stays the same with or without encryption.
Creating the keys
Java provides the tool keytool which we will use to manage the key store and to create the private/public pair of keys. The example below creates a pair of 1024 bit keys using the RSA algorithm and adds them to the key store server.keystore. The key store will be created if it does not exist.
We will need to provide this key store to the JBoss application server. Therefore I prefer to store it in the JBoss configuration directory. But you can store it where ever you want as long as the JBoss server can access it.
Now we have to reference the keystore in the JBoss configuration. Therefore we add a server-identities element to the security realm configuration of the application realm.
The following snippet shows an example configuration using the standard ApplicationRealm configuration and a server.keystore file located in the JBoss configuration directory:
This is all that’s needs to be done on server side.
On client side, we need to do the following things:
- import the public key of the server into the client key store,
- define SSL encryption in the EJBClientProperties and
- provide the location and password of a key store with the public key JVM arguments.
Importing the key
First we need to export the public key of the key pair we added to the server key store. This can be done with the keytool, too:
The key store will be created if it does not exist.
OK, now we can add the key to the client keystore:
There is no big difference in the EJBClientProperties. The properties remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED and remote.connection.default.connect.options.org.xnio.Options.SSL_STARTTLS need to be set to true. The rest stays unchanged.
The following snippet shows the creation of an SSL encrypted connection to the server and the lookup of an SLSB.
OK, now we are nearly done. The only thing missing is the reference to the client key store. This can be done with the JVM arguments javax.net.ssl.trustStore for the location and javax.net.ssl.trustStorePassword for the password of the key store, e.g.:
This is all needs to be done to setup SSL encrypted EJB calls with JBoss AS 7.
If there are any communication problems, you can set -Djavax.net.debug=true to enable debug messages.
In this article we had a look at the configuration and code changes to setup encrypted EJB calls with JBoss AS 7. It can be done in a few minutes and provides an improved security and privacy protection to your communication.