users@glassfish.java.net

Securing RMI/IIOP conversation with application client

From: <forums_at_java.net>
Date: Fri, 26 Oct 2012 04:02:36 -0500 (CDT)

G'day I'd like to secure the RMI/IIOP conversation between my application
client and Glassfish. After looking at a lot of documents about making socket
factories and such I finally discovered that Glassfish now supports this
natively. As I understand it Glassfish has three ORB listeners - one
insecure, one with SSL without client authentication, and one with SSL with
client authentication. (Strictly these are listeners for the naming service
but I assume that the subsequent conversation is secured as the name
suggests.) My first attempt was to force the client to contact glassfish on
the port (3820) used by the the 'SSL without client authentication listener'
(by putting -Dorg.omg.CORBA.ORBInitialPort=3820 in the Netbeans -> project
properties -> Run -> VM options field of the application client). This caused
an IIOP hernia within glassfish when the application client was run. The root
error appears to be either an IOException End of Stream or a JNDI lookup
failure (not sure which as both are listed as causes in the stack trace.) My
second attempt was to remove the above JVM option from the application client
and instead use the glassfish admin server to secure the conversation on port
3700 (the default). I did this by checking 'Security: Enabled' in
orb-listener-1 (the insecure listener that uses port 3700). The client then
executed without error. My question is, have I actually secured the
conversation by doing this ? Or have I only secured the conversation with the
naming service.

--
[Message sent by forum member 'ianblav']
View Post: http://forums.java.net/node/891795