Using RMI/IIOP Over SSL (Oracle GlassFish Server 3.0.1 Application Development Guide)

Oracle GlassFish Server 3.0.1 Application Development Guide

Using RMI/IIOP Over SSL

You can configure RMI/IIOP over SSL in two ways: using a username and password, or using a client certificate.

To use a username and password, configure the ior-security-config element in the sun-ejb-jar.xml file. The following configuration establishes SSL between an application client and an EJB component using a username and password. The user has to login to the ACC using either the sun-acc.xml mechanism or the Programmatic Login mechanism.

<ior-security-config>
  <transport-config>
    <integrity>required</integrity>
    <confidentiality>required</confidentiality>
    <establish-trust-in-target>supported</establish-trust-in-target>
    <establish-trust-in-client>none</establish-trust-in-client>
  </transport-config>
  <as-context>
    <auth-method>username_password</auth-method>
    <realm>default</realm>
    <required>true</required>
  </as-context>
 <sas-context>
    <caller-propagation>none</caller-propagation>
 </sas-context>
</ior-security-config>

For more information about the sun-ejb-jar.xml and sun-acc.xml files, see the Oracle GlassFish Server 3.0.1 Application Deployment Guide.

To use a client certificate, configure the ior-security-config element in the sun-ejb-jar.xml file. The following configuration establishes SSL between an application client and an EJB component using a client certificate.

<ior-security-config>
  <transport-config>
    <integrity>required</integrity>
    <confidentiality>required</confidentiality>
    <establish-trust-in-target>supported</establish-trust-in-target>
    <establish-trust-in-client>required</establish-trust-in-client>
  </transport-config>
  <as-context>
    <auth-method>none</auth-method>
    <realm>default</realm>
    <required>false</required>
  </as-context>
  <sas-context>
    <caller-propagation>none</caller-propagation>
  </sas-context>
</ior-security-config>

To use a client certificate, you must also specify the system properties for the keystore and truststore to be used in establishing SSL. To use SSL with the Application Client Container (ACC), you need to set these system properties in one of the following ways:

Use the new syntax of the appclient script and specify the system properties as JVM options. See Running an Application Client Using the appclient Script.

Set the environment variable VMARGS in the shell. For example, in the ksh or bash shell, the command to set this environment variable would be as follows:

export VMARGS="-Djavax.net.ssl.keyStore=${keystore.db.file} 
-Djavax.net.ssl.trustStore=${truststore.db.file} 
-Djavax.net.ssl.keyStorePass word=${ssl.password} 
-Djavax.net.ssl.trustStorePassword=${ssl.password}"

Set the env element using Ant (see Chapter 3, Using Ant with GlassFish^TM Server). For example:

<target name="runclient">
  <exec executable="${S1AS_HOME}/bin/appclient">
    <env key="VMARGS" value=" -Djavax.net.ssl.keyStore=${keystore.db.file} 
      -Djavax.net.ssl.trustStore=${truststore.db.file} 
      -Djavax.net.ssl.keyStorePasword=${ssl.password} 
      -Djavax.net.ssl.trustStorePassword=${ssl.password}"/>
    <arg value="-client"/>
    <arg value="${appClient.jar}"/>
  </exec>
</target>