1

I want to encrypt communications between a JBoss 6.1.0.Final server and my client. To do this I activated SSL over RMI and it works well. However, I use RMIIO too and it was not automatically encrypted when I activated SSL encryption over RMI. In a best case scenario, I would like to use the same encryption technique I used to encrypt RMI communications.

Here is my configuration:

server/myThing/deploy/remoting-jboss-beans.xml

<?xml version="1.0" encoding="UTF-8"?>

    <deployment xmlns="urn:jboss:bean-deployer:2.0">

       <bean name="UnifiedInvokerConnector" class="org.jboss.remoting.transport.Connector">
          <annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.remoting:service=Connector,transport=socket",exposedInterface=org.jboss.remoting.transport.ConnectorMBean.class,registerDirectly=true)</annotation>
          <property name="serverConfiguration"><inject bean="UnifiedInvokerConfiguration"/></property>
          <!-- add this to configure the SSL socket for the UnifiedInvoker -->
          <property name="serverSocketFactory"><inject bean="SSLServerSocketFactoryEJB2"/></property>
       </bean>

       <!-- Remoting server configuration -->
       <bean name="UnifiedInvokerConfiguration" class="org.jboss.remoting.ServerConfiguration">
          <constructor>
             <!-- Changed from socket to sslsocket -->
             <parameter>sslsocket</parameter>
          </constructor>
          <!-- some other stuff, kept as the default config -->
       </bean>

       <!-- Some stuff removed to simplify the explanation -->

       <!-- Added for SSL security -->
       <bean name="SSLServerSocketFactoryEJB2" class="org.jboss.security.ssl.DomainServerSocketFactory">
         <constructor>
           <parameter><inject bean="EJB2SSLDomain"/></parameter>
         </constructor>
       </bean>

       <!-- Added for SSL security -->
       <bean name="EJB2SSLDomain" class="org.jboss.security.plugins.JaasSecurityDomain">
         <constructor>
           <parameter>EJB2SSLDomain</parameter>
         </constructor>
         <property name="keyStoreURL">C:\MyData\Security\ssl.keystore</property>
         <property name="keyStorePass">MyPassword</property>
         <property name="keyStoreAlias">MyAlias</property>
         <property name="trustStorePass">MyPassword</property>
       </bean>

    </deployment>

server/myThing/deploy/properties-service.xml

<server>

  <!-- some stuff removed -->

  <mbean code="org.jboss.varia.property.SystemPropertiesService" 
     name="jboss:type=Service,name=SystemProperties">

    <attribute name="Properties">
      com.healthmarketscience.rmiio.exporter.port=11099
    </attribute>

  </mbean>
</server>
Alexis

2 Answers

2

It's been a while since I poked at RMI and SSL. However, RMIIO has a specific interface which allows you to customize the underlying "remoting" implementation, the RemoteStreamExporter. If you look at the DefaultRemoteStreamExporter implementation, you can see how the RMI objects are exported by default. My guess is that you want to use a similar implementation which calls the 4 parameter export method with the appropriate RMI SSL socket factories.

jtahlborn
  • 1
    Thank you jtahlborn, you were right. I extended the DefaultRemoteStreamExporter and used the UnicastRemoteObject.exportObject 4-parameter export method in it and it worked. All that was left was to tell rmiio to use my own DefaultRemoteStreamExporter and to feed the 3rd parameter with an SslRMIClientSocketFactory and the 4th parameter with an SslRMIServerSocketFactory which would use my keystore/password which is already configured in my JBoss. I'll post more details as soon as I find an appropriate way to manage this. – Alexis Mar 07 '16 at 22:28
1

Here is how I made it work; this was deduced from jtahlborn's answer.

I got the JBoss config on RMI, which is configured in remoting-jboss-beans.xml, and initialised SSLContext.setDefault with it. The code is called when JBoss is starting. Here is a simplified example of it.

import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Load the key store holding the server's private key and certificate.
KeyStore lKeyStore = KeyStore.getInstance( KeyStore.getDefaultType() );
InputStream lISKeyStore = new FileInputStream( new File( "C:/Security/ssl.keystore" ) );
try
{
  lKeyStore.load( lISKeyStore, "MyPassword".toCharArray() );
}
finally
{
  lISKeyStore.close();
}
KeyManagerFactory lKeyManagerFactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm() );
lKeyManagerFactory.init(lKeyStore, "MyPassword".toCharArray() );

// Load the trust store holding the certificates this JVM accepts.
KeyStore lTrustStore = KeyStore.getInstance(KeyStore.getDefaultType());
InputStream lIStrustStore = new FileInputStream( new File( "C:/Security/ssl.truststore" ) );
try
{
  lTrustStore.load(lIStrustStore, "MyPassword".toCharArray() );
}
finally
{
  lIStrustStore.close();
}

TrustManagerFactory lTrustManagerFactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm() );
lTrustManagerFactory.init(lTrustStore);

SSLContext lSSLContext = SSLContext.getInstance( "SSL" ); // Don't use SSLContext.getDefault() here it seems it's immutable.
lSSLContext.init( lKeyManagerFactory.getKeyManagers(), lTrustManagerFactory.getTrustManagers(), null );
// Replaces the JVM-wide default context, which the SSL RMI socket factories pick up.
SSLContext.setDefault( lSSLContext );

I also created my own RemoteStreamExporter

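import com.healthmarketscience.rmiio.RemoteStreamServer;
import com.healthmarketscience.rmiio.exporter.DefaultRemoteStreamExporter;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class SSLRemoteStreamExporter extends DefaultRemoteStreamExporter
{
  @Override
  protected Object exportImpl(RemoteStreamServer<?,?> server)
      throws RemoteException
  {
    // The SslRMIServerSocketFactory uses SSLContext.getDefault() to retrieve the configuration. The default must be initialized with right values.
    return UnicastRemoteObject.exportObject(server, getPort(), new SslRMIClientSocketFactory(), new SslRMIServerSocketFactory() );
  }
}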

Afterward, I configured RMIIO to use my own RemoteStreamExporter:

server/myThing/deploy/properties-service.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE server>
<!-- $Id: properties-service.xml 16662 2003-08-27 04:38:22Z patriot1burke $ -->

    <server>

      <!-- some stuff removed -->

      <mbean code="org.jboss.varia.property.SystemPropertiesService" 
         name="jboss:type=Service,name=SystemProperties">

        <attribute name="Properties">
          com.healthmarketscience.rmiio.exporter.port=11099
          com.healthmarketscience.rmiio.exporter=SSLRemoteStreamExporter
        </attribute>

      </mbean>
    </server>
Alexis
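A variant of the exporter above that does not replace the JVM-wide default SSLContext, as an added example that is not code from either answer: it builds a dedicated context and passes it to the four-argument SslRMIServerSocketFactory constructor, pinning the protocol version. The class name and the two `example.rmiio.*` property names are hypothetical, and the code assumes Java 7 or later.

```java
import com.healthmarketscience.rmiio.RemoteStreamServer;
import com.healthmarketscience.rmiio.exporter.DefaultRemoteStreamExporter;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

// Hypothetical class: RMIIO exporter with its own SSLContext (Java 7+).
public class ExplicitContextStreamExporter extends DefaultRemoteStreamExporter {
  // One shared factory: SslRMIServerSocketFactory.equals() includes the
  // SSLContext, so every export on the fixed port must reuse the same one.
  private static SslRMIServerSocketFactory serverFactory;

  private static synchronized SslRMIServerSocketFactory serverFactory() throws RemoteException {
    if (serverFactory != null) return serverFactory;
    // Assumed system property names, not RMIIO or JBoss settings.
    String store = System.getProperty("example.rmiio.keyStore");
    String pass = System.getProperty("example.rmiio.keyStorePassword");
    if (store == null || pass == null) throw new RemoteException("keystore properties not set");
    try (InputStream in = new FileInputStream(store)) {
      KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
      keyStore.load(in, pass.toCharArray());
      KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
      kmf.init(keyStore, pass.toCharArray());
      SSLContext context = SSLContext.getInstance("TLS");
      // No client certificates are requested, so no trust managers are set.
      context.init(kmf.getKeyManagers(), null, null);
      // null cipher suites keeps the provider defaults; the protocol is pinned.
      serverFactory = new SslRMIServerSocketFactory(
          context, null, new String[] { "TLSv1.2" }, false);
      return serverFactory;
    } catch (GeneralSecurityException | IOException e) {
      throw new RemoteException("cannot build TLS factory for RMIIO", e);
    }
  }

  @Override
  protected Object exportImpl(RemoteStreamServer<?,?> server) throws RemoteException {
    return UnicastRemoteObject.exportObject(server, getPort(),
        new SslRMIClientSocketFactory(), serverFactory());
  }
}
```

The SslRMIClientSocketFactory travels to the client inside the stub and uses the client JVM's default SSL socket factory, so the client must trust the server certificate (for example through `javax.net.ssl.trustStore`) and have TLSv1.2 enabled; the factory also honours the `javax.rmi.ssl.client.enabledProtocols` system property.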