<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Apache TomEE</title>
<meta name="description"
content="Apache TomEE is a lightweight, yet powerful, JavaEE Application server with feature rich tooling." />
<meta name="keywords" content="tomee,asf,apache,javaee,jee,shade,embedded,test,junit,applicationcomposer,maven,arquillian" />
<meta name="author" content="Luka Cvetinovic for Codrops" />
<link rel="icon" href="../../favicon.ico">
<link rel="icon" type="image/png" href="../../favicon.png">
<meta name="msapplication-TileColor" content="#80287a">
<meta name="theme-color" content="#80287a">
<link rel="stylesheet" type="text/css" href="../../css/normalize.css">
<link rel="stylesheet" type="text/css" href="../../css/bootstrap.css">
<link rel="stylesheet" type="text/css" href="../../css/owl.css">
<link rel="stylesheet" type="text/css" href="../../css/animate.css">
<link rel="stylesheet" type="text/css" href="../../fonts/font-awesome-4.1.0/css/font-awesome.min.css">
<link rel="stylesheet" type="text/css" href="../../fonts/eleganticons/et-icons.css">
<link rel="stylesheet" type="text/css" href="../../css/jqtree.css">
<link rel="stylesheet" type="text/css" href="../../css/idea.css">
<link rel="stylesheet" type="text/css" href="../../css/cardio.css">
</head>
<body>
<div id="main-block" class="container main-block">
<div class="row title">
<div class="col-md-12">
<div class='page-header'>
<h1>EJB over SSL</h1>
</div>
</div>
</div>
<div class="row">
<div class="col-md-12">
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>It is possible to set up client/server requests over SSL. EJB requests
from a remote client can happen in two different ways:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><strong>https</strong> for when an EJB is running in TomEE</p>
</li>
<li>
<p><strong>ejbds</strong> for when an EJB is running in OpenEJB Standalone</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Note that TomEE can also be set up to support <strong>ejbds</strong>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_https">https</h2>
<div class="sectionbody">
<div class="paragraph">
<p>First, you&#8217;ll need to set up Tomcat (TomEE) with SSL as described here:</p>
</div>
<div class="paragraph">
<p><a href="http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html" class="bare">http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html</a></p>
</div>
<div class="paragraph">
<p>Once that is done and the <code>tomee</code> webapp can be accessed with <code>https</code>,
an EJB client can invoke over <code>https</code> using the following
<code>InitialContext</code> setup:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-java" data-lang="java">Properties p = new Properties();
p.put("java.naming.factory.initial", "org.apache.openejb.client.RemoteInitialContextFactory");
p.put("java.naming.provider.url", "https://127.0.0.1:8443/tomee/ejb");
// user and pass optional
p.put("java.naming.security.principal", "myuser");
p.put("java.naming.security.credentials", "mypass");
InitialContext ctx = new InitialContext(p);
MyBean myBean = (MyBean) ctx.lookup("MyBeanRemote");</code></pre>
</div>
</div>
<div class="paragraph">
<p>If you set up Tomcat (TomEE) to use the APR (Apache Portable Runtime)
implementation of SSL on the server side and you run into connection issues
such as connection resets, you&#8217;ll have to set the <code>https.protocols</code> system
property on the client. The <code>https.protocols</code> property must be set according to the
<code>SSLProtocol</code> parameter of the HTTPS connector configuration:</p>
</div>
<div class="paragraph">
<p><a href="http://tomcat.apache.org/tomcat-7.0-doc/config/http.html" class="bare">http://tomcat.apache.org/tomcat-7.0-doc/config/http.html</a></p>
</div>
<div class="paragraph">
<p>You can also have a look at this:</p>
</div>
<div class="paragraph">
<p><a href="http://docs.oracle.com/javase/1.4.2/docs/guide/plugin/developer_guide/faq/troubleshooting.html" class="bare">http://docs.oracle.com/javase/1.4.2/docs/guide/plugin/developer_guide/faq/troubleshooting.html</a></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_ejbds">ejbds</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The SSL version of the <code>ejbd</code> protocol is called <code>ejbds</code> and is enabled
and setup in OpenEJB Standalone by default.</p>
</div>
<div class="paragraph">
<p>Its configuration <code>conf/ejbds.properties</code> looks like this:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-properties" data-lang="properties">server = org.apache.openejb.server.ejbd.EjbServer
bind = 127.0.0.1
port = 4203
disabled = false
threads = 200
backlog = 200
secure = true
discovery = ejb:ejbds://{bind}:{port}</code></pre>
</div>
</div>
<div class="paragraph">
<p>To access this service from a remote client, the <code>InitialContext</code> would
be set up like the following:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-java" data-lang="java">Properties p = new Properties();
p.put("java.naming.factory.initial", "org.apache.openejb.client.RemoteInitialContextFactory");
// ejbds scheme and the secure port (4203) configured in conf/ejbds.properties above
p.put("java.naming.provider.url", "ejbds://localhost:4203");
// user and pass optional
p.put("java.naming.security.principal", "myuser");
p.put("java.naming.security.credentials", "mypass");
InitialContext ctx = new InitialContext(p);
MyBean myBean = (MyBean) ctx.lookup("MyBeanRemote");</code></pre>
</div>
</div>
<div class="sect2">
<h3 id="_changing_the_cipher_suite">Changing the Cipher Suite</h3>
<div class="paragraph">
<p><a href="https://issues.apache.org/jira/browse/OPENEJB-1856">This is a pending
feature.</a> By default, the ejbds protocol connects with
SSL_DH_anon_WITH_RC4_128_MD5. That means your connection is encrypted
and the integrity of the transmission is verified. However, this only
protects you from eavesdroppers; it offers absolutely zero protection
from Man in the Middle attacks. This sort of attack could be pulled off
without your knowledge, and the attacker would have the ability to intercept,
monitor, and even modify your messages. If the attacker could control a
router on your connection path, this attack could be trivially pulled
off with nothing more than the OpenEJB server and client.</p>
</div>
<div class="paragraph">
<p>To secure your connections against this sort of attack, your client can
cryptographically prove it&#8217;s talking to the correct server before
sending any data. To do this, simply select one or more secure cipher
suites (ones that authenticate the server, rather than an anonymous
<code>_anon_</code> suite) that your J2SE provider supports from
<a href="http://docs.oracle.com/cd/E19728-01/820-2550/cipher_suites.html">this
listing</a>.</p>
</div>
<div class="paragraph">
<p>You must now instruct the client and server to use that suite.</p>
</div>
<div class="paragraph">
<p>On the server:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-properties" data-lang="properties">server = org.apache.openejb.server.ejbd.EjbServer
bind = 127.0.0.1
port = 4203
disabled = false
threads = 200
backlog = 200
secure = true
enabledCipherSuites = TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
discovery = ejb:ejbds://{bind}:{port}</code></pre>
</div>
</div>
<div class="paragraph">
<p>On the client, you must supply a property:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-properties" data-lang="properties">-Dopenejb.client.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA</code></pre>
</div>
</div>
<div class="paragraph">
<p>The final piece is to make sure your server has available a private
key and certificate that the client can trust. This can be a certificate from
a certificate authority or a self-signed certificate. The <code>javax.net.ssl.trustStore</code>
and <code>javax.net.ssl.keyStore</code> JVM properties
<a href="http://fusesource.com/docs/broker/5.3/security/SSL-SysProps.html">are
used to set this up.</a></p>
</div>
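<div class="paragraph">
<p>The following client, added here as an example and not part of the TomEE documentation or code base, puts the pieces of this section together for the <code>ejbds</code> case: it checks that every configured suite is supported by the local JSSE provider and is not an anonymous suite, sets the <code>openejb.client.enabledCipherSuites</code> and trust store properties programmatically instead of via <code>-D</code> flags, and then performs the lookup. It assumes the client accepts an <code>ejbds://</code> provider URL, as the <code>discovery</code> line in <code>conf/ejbds.properties</code> suggests; the trust store path and password are placeholders.</p>
</div>

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;
import javax.naming.InitialContext;
import javax.net.ssl.SSLContext;

public class EjbdsClient {
    // Same suites as the server-side enabledCipherSuites setting.
    static final String SUITES = "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA";

    // Fail fast if a configured suite is unknown to this JSSE provider, or is an
    // anonymous suite (no server authentication, hence no protection against MITM).
    static String[] vettedSuites(String csv) throws NoSuchAlgorithmException {
        Set<String> supported = new HashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        String[] wanted = csv.split(",");
        for (int i = 0; i < wanted.length; i++) {
            wanted[i] = wanted[i].trim();
            if (wanted[i].contains("_anon_")) {
                throw new IllegalArgumentException("anonymous suite rejected: " + wanted[i]);
            }
            if (!supported.contains(wanted[i])) {
                throw new IllegalArgumentException("suite not supported here: " + wanted[i]);
            }
        }
        return wanted;
    }

    public static void main(String[] args) throws Exception {
        String[] suites = vettedSuites(SUITES);
        // Same effect as the -D flags; must happen before the first SSL handshake.
        System.setProperty("openejb.client.enabledCipherSuites", String.join(",", suites));
        System.setProperty("javax.net.ssl.trustStore", "/path/to/truststore.jks"); // placeholder
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");         // placeholder
        Properties p = new Properties();
        p.put("java.naming.factory.initial", "org.apache.openejb.client.RemoteInitialContextFactory");
        p.put("java.naming.provider.url", "ejbds://localhost:4203"); // secure port from conf/ejbds.properties
        p.put("java.naming.security.principal", "myuser");
        p.put("java.naming.security.credentials", "mypass");
        InitialContext ctx = new InitialContext(p);
        try {
            Object bean = ctx.lookup("MyBeanRemote"); // cast to your remote interface
            System.out.println("Looked up " + bean.getClass().getName());
        } finally {
            ctx.close();
        }
    }
}
```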
</div>
</div>
</div>
</div>
</div>
</div>
<footer>
<div class="container">
<div class="row bottom-footer text-center-mobile">
<div class="col-sm-12 light-white">
<p>Copyright &copy; 1999-2016 The Apache Software Foundation, Licensed under the Apache License, Version 2.0. Apache TomEE, TomEE, Apache, the Apache feather logo, and the Apache TomEE project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.</p>
</div>
</div>
</div>
</footer>
</body>
</html>