I have read this entire thread a number of times and have tried implementing some of the suggestions, but after quite a few days I am still not getting SSL communication to work. I can get NON-SSL remote calls over the IIOP Listener on port 3700 to work fine.
I have 2 "GlassFish Server Open Source Edition 3.0.1 (build 22)" servers: one for the web-tier (servlet/JSF) and one for the business-tier (EJBs). I need to secure the EJB communication between the web-tier and the business-tier, and I want to use the SSL_MUTUALAUTH IIOP Listener on port 3920.
Below is a summary of my configuration. What about this is not correct?
[b]~~~CLIENT WEB-TIER~~~[/b]
The web-tier is a "GlassFish Server Open Source Edition 3.0.1 (build 22)" server.
The web-tier's <domain-dir>/config/cacerts.jks has been updated with the trustedCertEntry of the s1as alias exported from the business-tier's <domain-dir>/config/keystore.jks -- the keystore.jks is the DEFAULT one generated by GlassFish.
The web-tier's <domain-dir>/config/sun-acc.xml has been updated with:
[i]<target-server name="business-services.ferrisbank.com" address="business-services.ferrisbank.com" port="3920">
<security>
<ssl/>
</security>
</target-server>[/i]
The WAR client app contains the interfaces of the remote EJBs it needs to call.
The WAR client app attempts to inject an EJB using:
[i]
@EJB(lookup="java:comp/env/ejb/Sam")
AccountService accountService;[/i]
The WAR client app has the following in web.xml
[i] <ejb-ref>
<ejb-ref-name>ejb/Sam</ejb-ref-name>
<remote>org.ferris.ejb.account.AccountService</remote>
</ejb-ref>[/i]
The WAR client app has the following sun-web.xml:
[i]<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
<sun-web-app>
<context-root>research</context-root>
<ejb-ref>
<ejb-ref-name>ejb/Sam</ejb-ref-name>
<jndi-name>corbaname:iiop:business-services.ferrisbank.com:3920#java:global/ferris-bank-business-services/account/AccountServiceBean!org.ferris.ejb.account.AccountService</jndi-name>
</ejb-ref>
</sun-web-app>[/i]
[b]~~~SERVER BUSINESS-TIER~~~[/b]
The business-tier is a "GlassFish Server Open Source Edition 3.0.1 (build 22)" server.
The business-tier's <domain-dir>/config/cacerts.jks has been updated with the trustedCertEntry of the s1as alias exported from the web-tier's <domain-dir>/config/keystore.jks -- the keystore.jks is the DEFAULT one generated by GlassFish.
The EJB server app has the following remote interface:
[i]
@Remote
public interface AccountService { . . . }[/i]
The EJB server app has the following bean implementation:
[i]
@Stateless
public class AccountServiceBean implements AccountService { . . . }[/i]
The EJB server app has the following in sun-ejb-jar.xml:
[i]
<enterprise-beans>
<ejb>
<ejb-name>AccountServiceBean</ejb-name>
<ior-security-config>
<transport-config>
<integrity>REQUIRED</integrity>
<confidentiality>REQUIRED</confidentiality>
<establish-trust-in-target>SUPPORTED</establish-trust-in-target>
<establish-trust-in-client>REQUIRED</establish-trust-in-client>
</transport-config>
<as-context>
<auth-method>none</auth-method>
<realm>default</realm>
<required>false</required>
</as-context>
<sas-context>
<caller-propagation>none</caller-propagation>
</sas-context>
</ior-security-config>
</ejb>
</enterprise-beans>[/i]
The problem I have when I try to use this configuration is the same as what's described in this thread. When the web client tries to make a connection to the EJB, it looks like it is trying to do so in plaintext. I get this in the server log:
[i]Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?[/i]
How can I get this configured properly?
[Message sent by forum member 'mjremijan']
http://forums.java.net/jive/thread.jspa?messageID=486017
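Added example (not part of the post above, and not GlassFish project code): a stand-alone Java check that performs a mutual-TLS handshake against the SSL_MUTUALAUTH listener using the same key and trust material the web-tier is configured with, so the TLS layer can be verified separately from the IIOP/JNDI stack. It assumes the default GlassFish 3.x keystore password "changeit", a hypothetical domain config directory path, and the host and port named in the post; it does not speak IIOP at all.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Mutual-TLS handshake check against the business-tier IIOP SSL listener.
 * Added example, not from the original post or from GlassFish itself.
 */
public class IiopSslCheck {

    // Assumed: a GlassFish 3.x domain config directory (hypothetical path)
    // and the default keystore/truststore password used by GlassFish.
    private static final String DOMAIN_CONFIG = "/opt/glassfish/domains/domain1/config";
    private static final char[] PASSWORD = "changeit".toCharArray();

    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, pw);
        } finally {
            in.close();
        }
        return ks;
    }

    static SSLContext buildContext(String keyStorePath, String trustStorePath) throws Exception {
        // keystore.jks holds this side's own key pair (alias s1as); it is the
        // certificate the client presents when the server requires client trust.
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStorePath, PASSWORD), PASSWORD);

        // cacerts.jks holds the peer's s1as certificate as a trustedCertEntry.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, PASSWORD));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "business-services.ferrisbank.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 3920;

        SSLContext ctx = buildContext(DOMAIN_CONFIG + "/keystore.jks",
                                      DOMAIN_CONFIG + "/cacerts.jks");
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            socket.setUseClientMode(true);
            // Fails with an SSLException if the port answers in plaintext,
            // if the server certificate is not in cacerts.jks, or if the
            // server rejects the client certificate from keystore.jks.
            socket.startHandshake();
            SSLSession session = socket.getSession();
            System.out.println("Protocol:        " + session.getProtocol());
            System.out.println("Cipher suite:    " + session.getCipherSuite());
            System.out.println("Peer principal:  " + session.getPeerPrincipal());
            // Null here means no client certificate was sent, which an
            // SSL_MUTUALAUTH listener should refuse.
            System.out.println("Client cert sent: " + (session.getLocalCertificates() != null));
        } finally {
            socket.close();
        }
    }
}
```

Run it from the web-tier host against port 3920; a successful handshake that prints the business-tier's s1as principal and "Client cert sent: true" shows the listener and the exchanged trustedCertEntry certificates are in order, and running the same program against the plaintext port 3700 should fail, which confirms the check is meaningful. A raw SSLSocket does no hostname verification, so this validates the trust chain and client authentication only.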