| <!DOCTYPE html> |
| <html lang="en"> |
| |
| <head> |
| <meta charset="UTF-8"> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge"> |
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
| <title>Apache TomEE</title> |
| <meta name="description" |
| content="Apache TomEE is a lightweight, yet powerful, JavaEE Application server with feature rich tooling." /> |
| <meta name="keywords" content="tomee,asf,apache,javaee,jee,shade,embedded,test,junit,applicationcomposer,maven,arquillian" /> |
| <meta name="author" content="Luka Cvetinovic for Codrops" /> |
| <link rel="icon" href="../../favicon.ico"> |
| <link rel="icon" type="image/png" href="../../favicon.png"> |
| <meta name="msapplication-TileColor" content="#80287a"> |
| <meta name="theme-color" content="#80287a"> |
| <link rel="stylesheet" type="text/css" href="../../css/normalize.css"> |
| <link rel="stylesheet" type="text/css" href="../../css/bootstrap.css"> |
| <link rel="stylesheet" type="text/css" href="../../css/owl.css"> |
| <link rel="stylesheet" type="text/css" href="../../css/animate.css"> |
| <link rel="stylesheet" type="text/css" href="../../fonts/font-awesome-4.1.0/css/font-awesome.min.css"> |
| <link rel="stylesheet" type="text/css" href="../../fonts/eleganticons/et-icons.css"> |
| <link rel="stylesheet" type="text/css" href="../../css/jqtree.css"> |
| <link rel="stylesheet" type="text/css" href="../../css/idea.css"> |
| <link rel="stylesheet" type="text/css" href="../../css/cardio.css"> |
| |
| </head> |
| |
| <body> |
| |
| |
| <div id="main-block" class="container main-block"> |
| <div class="row title"> |
| <div class="col-md-12"> |
| <div class='page-header'> |
| |
| <h1>EJB over SSL</h1> |
| </div> |
| </div> |
| </div> |
| <div class="row"> |
| |
| <div class="col-md-12"> |
| <div id="preamble"> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
| <p>It is possible to set up client/server requests over SSL. EJB requests |
| from a remote client can happen in two different ways:</p> |
| </div> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p><strong>https</strong> for when an EJB is running in TomEE</p> |
| </li> |
| <li> |
| <p><strong>ejbds</strong> for when an EJB is running in OpenEJB Standalone</p> |
| </li> |
| </ul> |
| </div> |
| <div class="paragraph"> |
| <p>Note that TomEE can also be set up to support <strong>ejbds</strong>.</p> |
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="_https">https</h2> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
| <p>First, you’ll need to set up Tomcat (TomEE) with SSL as described here:</p> |
| </div> |
| <div class="paragraph"> |
| <p><a href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html" class="bare">http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html</a></p> |
| </div> |
| <div class="paragraph"> |
| <p>Once that is done and the <code>tomee</code> webapp can be accessed with <code>https</code>, |
| an EJB client can invoke over <code>https</code> using the following |
| <code>InitialContext</code> setup:</p> |
| </div> |
| <div class="listingblock"> |
| <div class="content"> |
| <pre class="highlight"><code class="language-java" data-lang="java">import java.util.Properties; |
| import javax.naming.InitialContext; |
| |
| Properties p = new Properties(); |
| p.put("java.naming.factory.initial", "org.apache.openejb.client.RemoteInitialContextFactory"); |
| // the https URL of the tomee webapp's EJB endpoint on the SSL connector |
| p.put("java.naming.provider.url", "https://127.0.0.1:8443/tomee/ejb"); |
| // user and pass optional |
| p.put("java.naming.security.principal", "myuser"); |
| p.put("java.naming.security.credentials", "mypass"); |
| |
| InitialContext ctx = new InitialContext(p); |
| |
| MyBean myBean = (MyBean) ctx.lookup("MyBeanRemote");</code></pre> |
| </div> |
| </div> |
| <div class="paragraph"> |
| <p>If you set up Tomcat (TomEE) to use the APR (Apache Portable Runtime) |
| implementation of SSL on the server side and you see connection issues |
| such as connection resets, you’ll have to set the <code>https.protocols</code> system |
| property. The value of <code>https.protocols</code> must match the |
| <code>SSLProtocol</code> parameter of the HTTPS connector configuration:</p> |
| </div> |
| <div class="paragraph"> |
| <p><a href="http://tomcat.apache.org/tomcat-7.0-doc/config/http.html" class="bare">http://tomcat.apache.org/tomcat-7.0-doc/config/http.html</a></p> |
| </div> |
| <div class="paragraph"> |
| <p>You can also have a look at this:</p> |
| </div> |
| <div class="paragraph"> |
| <p><a href="http://docs.oracle.com/javase/1.4.2/docs/guide/plugin/developer_guide/faq/troubleshooting.html" class="bare">http://docs.oracle.com/javase/1.4.2/docs/guide/plugin/developer_guide/faq/troubleshooting.html</a></p> |
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="_ejbds">ejbds</h2> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
| <p>The SSL version of the <code>ejbd</code> protocol is called <code>ejbds</code> and is enabled |
| and set up in OpenEJB Standalone by default.</p> |
| </div> |
| <div class="paragraph"> |
| <p>Its configuration <code>conf/ejbds.properties</code> looks like this:</p> |
| </div> |
| <div class="listingblock"> |
| <div class="content"> |
| <pre class="highlight"><code class="language-properties" data-lang="properties">server = org.apache.openejb.server.ejbd.EjbServer |
| bind = 127.0.0.1 |
| port = 4203 |
| disabled = false |
| threads = 200 |
| backlog = 200 |
| secure = true |
| discovery = ejb:ejbds://{bind}:{port}</code></pre> |
| </div> |
| </div> |
| <div class="paragraph"> |
| <p>To access this service from a remote client, the <code>InitialContext</code> would |
| be set up like the following:</p> |
| </div> |
| <div class="listingblock"> |
| <div class="content"> |
| <pre class="highlight"><code class="language-java" data-lang="java">import java.util.Properties; |
| import javax.naming.InitialContext; |
| |
| Properties p = new Properties(); |
| p.put("java.naming.factory.initial", "org.apache.openejb.client.RemoteInitialContextFactory"); |
| // ejbds scheme and the port from conf/ejbds.properties (ejbd://...:4201 would be the plain, unencrypted service) |
| p.put("java.naming.provider.url", "ejbds://localhost:4203"); |
| // user and pass optional |
| p.put("java.naming.security.principal", "myuser"); |
| p.put("java.naming.security.credentials", "mypass"); |
| |
| InitialContext ctx = new InitialContext(p); |
| |
| MyBean myBean = (MyBean) ctx.lookup("MyBeanRemote");</code></pre> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="_changing_the_cipher_suite">Changing the Cipher Suite</h3> |
| <div class="paragraph"> |
| <p><a href="https://issues.apache.org/jira/browse/OPENEJB-1856">This is a pending |
| feature.</a> By default, the ejbds protocol connects with |
| SSL_DH_anon_WITH_RC4_128_MD5. That means your connection is encrypted |
| and the integrity of the transmission is verified. However, this only |
| protects you from eavesdroppers; it offers absolutely zero protection |
| from Man in the Middle attacks. This sort of attack could be pulled off |
| without your knowledge, and the attacker has the ability to intercept, |
| monitor, and even modify your messages. If the attacker could control a |
| router on your connection path, this attack could be trivially pulled |
| off with nothing more than the OpenEJB server and client.</p> |
| </div> |
| <div class="paragraph"> |
| <p>To secure your connections against this sort of attack, your client can |
| cryptographically prove it’s talking to the correct server before |
| sending any data. To do this, simply select one or more secure cipher |
| suites that your J2SE provider supports from |
| <a href="http://docs.oracle.com/cd/E19728-01/820-2550/cipher_suites.html">this |
| listing</a>.</p> |
| </div> |
| <div class="paragraph"> |
| <p>You must now instruct the client and server to use that suite.</p> |
| </div> |
| <div class="paragraph"> |
| <p>On the server:</p> |
| </div> |
| <div class="listingblock"> |
| <div class="content"> |
| <pre class="highlight"><code class="language-properties" data-lang="properties">server = org.apache.openejb.server.ejbd.EjbServer |
| bind = 127.0.0.1 |
| port = 4203 |
| disabled = false |
| threads = 200 |
| backlog = 200 |
| secure = true |
| enabledCipherSuites = TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA |
| discovery = ejb:ejbds://{bind}:{port}</code></pre> |
| </div> |
| </div> |
| <div class="paragraph"> |
| <p>On the client, you must supply a property:</p> |
| </div> |
| <div class="listingblock"> |
| <div class="content"> |
| <pre class="highlight"><code class="language-properties" data-lang="properties">-Dopenejb.client.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA</code></pre> |
| </div> |
| </div> |
| <div class="paragraph"> |
| <p>The final piece is to make sure your server has available a private |
| certificate that the client can trust. This can be a certificate from |
| an authority or a self-signed certificate. The <code>javax.net.ssl.trustStore</code> |
| and <code>javax.net.ssl.keyStore</code> JVM properties |
| <a href="http://fusesource.com/docs/broker/5.3/security/SSL-SysProps.html">are |
| used to set this up.</a></p> |
| </div> |
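| <div class="paragraph"> |
| <p>Added example (not TomEE or OpenEJB project code): a client bootstrap that applies the cipher suite, trust store and, for the APR connector case from the https section, the <code>https.protocols</code> settings described above programmatically, and first checks that every configured suite is supported by the JVM and is not an anonymous suite, which would silently bring back the unauthenticated-server problem. The class name, the trust store and protocol parameters and the <code>TLSv1.2</code> value mentioned in the comments are assumptions.</p> |
| </div> |

```java
import java.util.Arrays;
import java.util.List;
import java.util.Properties;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.net.ssl.SSLContext;

/** Constructed example of a hardened remote EJB client bootstrap; not TomEE/OpenEJB project code. */
public class SecureEjbClient {
    /** The suites configured on the server in conf/ejbds.properties; the client must advertise the same list. */
    static final String SUITES = "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA";

    /** Rejects the suite list before any connection is opened: an anonymous (DH_anon/ECDH_anon) suite gives no
     *  server authentication, and a suite unknown to this JVM would only surface later as a handshake failure. */
    static void checkSuites(String csv) throws Exception {
        List<String> supported = Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites());
        for (String suite : csv.split(",")) {
            if (suite.contains("_anon_")) {
                throw new IllegalStateException("anonymous suite, no server authentication: " + suite);
            }
            if (!supported.contains(suite)) {
                throw new IllegalStateException("cipher suite not supported by this JVM: " + suite);
            }
        }
    }

    /** Programmatic equivalent of the -D flags in the text; must run before the first SSL connection. */
    static void configureTls(String trustStorePath, String trustStorePassword, String httpsProtocols) throws Exception {
        checkSuites(SUITES);
        System.setProperty("openejb.client.enabledCipherSuites", SUITES);
        // The trust store holds the server certificate (CA-issued or self-signed) that the client trusts.
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
        if (httpsProtocols != null) {
            // APR connector case from the https section: the value must match the connector's SSLProtocol (e.g. an assumed "TLSv1.2").
            System.setProperty("https.protocols", httpsProtocols);
        }
    }

    /** providerUrl is "ejbds://host:4203" for OpenEJB Standalone or "https://host:8443/tomee/ejb" for TomEE. */
    static InitialContext connect(String providerUrl, String user, String pass) throws NamingException {
        Properties p = new Properties();
        p.put("java.naming.factory.initial", "org.apache.openejb.client.RemoteInitialContextFactory");
        p.put("java.naming.provider.url", providerUrl);
        p.put("java.naming.security.principal", user);
        p.put("java.naming.security.credentials", pass);
        return new InitialContext(p);
    }
}
```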
| </div> |
| </div> |
| </div> |
| </div> |
| |
| </div> |
| </div> |
| <div style="margin-bottom: 30px;"></div> |
| <footer> |
| <div class="container"> |
| <p>Copyright © 1999-2022 The Apache Software Foundation, Licensed under the Apache License, Version 2.0. Apache TomEE, TomEE, Apache, the Apache feather logo, and the Apache TomEE project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.</p> |
| </div> |
| </footer> |
| </body> |
| |
| </html> |
| |