Hi,
By default in domain.xml there are two SSL IIOP listeners, one that has mutual auth switched OFF and another that has it ON.
<iiop-listener address="0.0.0.0" enabled="true" id="SSL_MUTUALAUTH" port="3920" security-enabled="true">
    <ssl cert-nickname="s1as" client-auth-enabled="true" ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>
</iiop-listener>
So all connections to port 3920 would have Client Certificate Authentication.
However, EJB applications can configure the following in sun-ejb-jar.xml:
<ior-security-config>
    <transport-config>
        <integrity>required</integrity>
        <confidentiality>required</confidentiality>
        <establish-trust-in-target>supported</establish-trust-in-target>
        <establish-trust-in-client>required</establish-trust-in-client>
    </transport-config>
    .....
So by setting <confidentiality>required</confidentiality>, one can automatically enforce the use of SSL for that EJB Access (not worrying about the listener's/port number etc).
And by setting <establish-trust-in-client>required</establish-trust-in-client> one can enforce client cert authentication (or SSL Mutual Authentication) for that EJB Access.
The <ssl cert-nickname="s1as" ...> attribute in sun-acc.xml is the nickname of the server certificate in the certificate database. It is not the Client Certificate. The client certificate is picked up by setting the javax.net.ssl.keyStore property.
See :
http://blogs.sun.com/swchan/entry/enterprise_java_bean_over_ssl
http://docs.sun.com/source/817-2173-10/dcacc.html
[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
http://forums.java.net/jive/thread.jspa?messageID=287271
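A complete sun-ejb-jar.xml fragment showing where the ior-security-config block quoted above sits, as an added example that is not part of the original post. The bean name MySecureBean is a hypothetical placeholder; the as-context and sas-context elements are the sibling settings of transport-config in the sun-ejb-jar descriptor and are shown here so the transport settings are seen in context:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a sun-ejb-jar.xml that requires SSL with client
     certificate authentication for one bean, regardless of which
     IIOP listener or port the client connects to. -->
<sun-ejb-jar>
  <enterprise-beans>
    <ejb>
      <!-- hypothetical bean name -->
      <ejb-name>MySecureBean</ejb-name>
      <ior-security-config>
        <transport-config>
          <!-- integrity/confidentiality "required" => plain IIOP is rejected,
               the call must go over SSL -->
          <integrity>required</integrity>
          <confidentiality>required</confidentiality>
          <!-- the client may verify the server certificate -->
          <establish-trust-in-target>supported</establish-trust-in-target>
          <!-- "required" => the client MUST present a certificate the server
               trusts (SSL mutual authentication); "supported" would only
               accept one if offered, "none" would never ask for it -->
          <establish-trust-in-client>required</establish-trust-in-client>
        </transport-config>
        <!-- authentication-service layer: no username/password required
             on top of the client certificate -->
        <as-context>
          <auth-method>username_password</auth-method>
          <realm>default</realm>
          <required>false</required>
        </as-context>
        <!-- security-attribute-service layer: allow identity propagation -->
        <sas-context>
          <caller-propagation>supported</caller-propagation>
        </sas-context>
      </ior-security-config>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>
```

With establish-trust-in-client set to required, a client that has not set javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword to a keystore holding a certificate whose issuer the server trusts fails during the SSL handshake, before any EJB method is reached; a client that points javax.net.ssl.trustStore at a store without the server's certificate (or its issuer) fails in the same place. Those handshake failures, rather than an EJB-level access-denied, are what to look for in the server and client logs when verifying that the setting is in effect.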