
ACC, Web Start and IIOP/SSL

jkreed
Joined: 2007-04-30

The automatic Web Start availability of enterprise application clients is very convenient, but only if the client-server communication is encrypted (at least in our environment). I pieced together what I think needs to happen to encrypt client/server communication (add ior-security-config to sun-ejb-jar.xml; specify IIOP/SSL port in target-server in sun-acc.xml, and possibly add a client-credentials tag in sun-acc.xml; specify VMARGS for certs), however, significant parts of the process require modifying sun-acc.xml.

I am unsure how to specify values in the (apparently) auto-generated sun-acc.xml used by ACC apps deployed with Web Start. I initially tried modifying /config, but to no avail. The sun-acc.xml distributed via Web Start (found on my Windows machine in /Local Settings/Temp) bears no resemblance to the file I modified on the server.

Is there a way to control the sun-acc.xml for ACC applications deployed with Web Start? Or is there another/better way of setting up IIOP/SSL communication?
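As an added illustration of the sun-acc.xml part of the list above, for the appclient command path (this is an editor's example, not jkreed's file and not the stock GlassFish one): the stock plain-IIOP target-server is shown beside the SSL form. Host PCUP and the cert nickname s1as come from this thread; port 3820 is assumed to be the domain's IIOP/SSL orb-listener (the default for a fresh GlassFish v2 domain) and must match the iiop-listener that has security-enabled="true"; the log-service path is an assumption too. Keep the DOCTYPE from your own domain1/config/sun-acc.xml.

```xml
<!-- Example sun-acc.xml fragment for IIOP/SSL from the appclient command.
     Editor's example, not the thread's file.  PCUP, s1as: from the thread.
     3820, the log path, and the commented client-credential: assumptions. -->
<client-container>

  <!-- Weak: the stock entry.  Plain IIOP on 3700 and no <security> element,
       so the ACC has no SSL configuration at all and every bean call whose
       ior-security-config requires confidentiality fails. -->
  <!--
  <target-server name="PCUP" address="PCUP" port="3700"/>
  -->

  <!-- Corrected: point the ACC at the IIOP/SSL listener and allow TLS only.
       cert-db is required by the DTD but unused with JSSE; the key and trust
       stores come from the javax.net.ssl.* system properties instead. -->
  <target-server name="PCUP" address="PCUP" port="3820">
    <security>
      <ssl cert-nickname="s1as"
           ssl2-enabled="false"
           ssl3-enabled="false"
           tls-enabled="true"/>
      <cert-db path="ignored" password="ignored"/>
    </security>
  </target-server>

  <!-- Optional, non-interactive credentials for the username_password
       as-context.  Prefer the login prompt; a password here is plaintext
       on disk, so restrict the file's permissions if you use it. -->
  <!-- <client-credential user-name="appuser" password="secret"/> -->

  <log-service file="c:/sun-acc.log" level="INFO"/>
</client-container>
```

Pass the stores to the JVM through the VMARGS environment variable that the appclient script honors, for example set VMARGS=-Djavax.net.ssl.trustStore=C:\path\client.truststore -Djavax.net.ssl.trustStorePassword=changeit before running appclient -client JustABean2Client.jar. The trust store must contain the server's s1as certificate (self-signed in a stock domain); a javax.net.ssl.keyStore is only consulted when the bean's establish-trust-in-client is required, which makes the server demand a client certificate on the mutual-auth listener. This file only influences the appclient command: as the later replies in this thread explain, the Java Web Start launcher generates its own temporary sun-acc.xml and does not read the edited one (Issue 3900).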

dkoper
Joined: 2005-10-27

When I read your initial question I thought you were running the client using appclient. All your settings look fine to run SSL using appclient, there is no need to add additional settings on the server side, nor to the sun-acc.xml.

bertusdotcom
Joined: 2008-01-16

Hi,

I must be doing something terribly wrong, as I cannot get things working using the appclient -client way either...

The (successfully deployed) bean has the following:
[b]-- Interface:[/b]
import javax.ejb.Remote;

@Remote
public interface IJustABean2 {
    public String sayHello(String in);
}

[b]-- Class:[/b]
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless(name="JustABean2", mappedName="ejb/JustABean2")
@RolesAllowed("appuser")
public class JustABean2 implements IJustABean2 {

    @Override
    public String sayHello(String in) {
        if (in == null) {
            return "JustABean2 says hello to nobody";
        }

        return "JustABean2 says hello to " + in;
    }

}

[b]-- META-INF/sun-ejb-jar.xml:[/b]
<sun-ejb-jar>
  <security-role-mapping>
    <role-name>appuser</role-name>
    <principal-name>appuser</principal-name>
  </security-role-mapping>
  <enterprise-beans>
    <ejb>
      <ejb-name>JustABean2</ejb-name>
      <jndi-name>ejb/JustABean2</jndi-name>
      <ior-security-config>
        <transport-config>
          <integrity>required</integrity>
          <confidentiality>required</confidentiality>
          <establish-trust-in-target>supported</establish-trust-in-target>
          <establish-trust-in-client>supported</establish-trust-in-client>
        </transport-config>
        <as-context>
          <auth-method>username_password</auth-method>
          <realm>default</realm>
          <required>true</required>
        </as-context>
      </ior-security-config>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>

My standalone client looks like this:
[b]-- Class:[/b]
import javax.naming.InitialContext;

import nl.teamsoft.sjsas.ejb.IJustABean2;

public class JustABean2Client {

    public static void main(String[] args) {

        InitialContext ic = null;
        IJustABean2 aBean = null;

        System.out.println("starting");

        try {

            System.out.println("trying");

            // JSSE stores used by the ORB's SSL socket factory: the trust store must
            // contain the server's s1as certificate; the key store is only consulted
            // when the bean requires a client certificate (establish-trust-in-client).
            System.setProperty("javax.net.ssl.trustStore", "C:/Java/Jre1.6.0_04/lib/security/cacerts");
            System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
            System.setProperty("javax.net.ssl.keyStore", "C:/Java/Jre1.6.0_04/lib/security/.keystore");
            System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
            // Bootstrap naming service on the plain IIOP port; the bean invocation
            // itself goes to the SSL port advertised in the bean's IOR.
            System.setProperty("org.omg.CORBA.ORBInitialHost", "PCUP");
            System.setProperty("org.omg.CORBA.ORBInitialPort", "3700");

            ic = new InitialContext();
            aBean = (IJustABean2) ic.lookup("ejb/JustABean2");

            System.out.println(aBean.sayHello("world"));
        } catch (Exception e) {
            System.out.println("oops.... " + e.getLocalizedMessage());
            // Keep the full trace: the ORB wraps the SSL failure several levels deep.
            e.printStackTrace();
        }

        System.out.println("finished");

    }

}

I jarred the client and saved it in the %server_home%\bin directory.
This way I have direct access to the appclient tool provided by the server itself (assuming that all needed server classes/properties/... are directly available).

The only extra thing I did was to redirect the logservice of the %server-home%\domain\domain1\config\sun-acc.xml to a file (with loglevel of INFO) using the following:

Running the client with: [i]appclient -client JustABean2Client.jar[/i] results in the following logfile c:/sun-acc.log:
13-mrt-2008 10:02:14 com.sun.enterprise.appclient.MainWithModuleSupport prepareSecurity
INFO: Security Manager is OFF.
13-mrt-2008 10:02:15 com.sun.enterprise.appclient.MainWithModuleSupport setTargetServerProperties
INFO: ACC001:Using ClientContainer file: [C:\Java\J2ee\sdk\domains\domain1\config\sun-acc.xml].
13-mrt-2008 10:02:15 com.sun.enterprise.appclient.MainWithModuleSupport
INFO: ACC024: IIOP endpoint(s) = PCUP:3700
13-mrt-2008 10:02:17 com.sun.enterprise.appclient.MainWithModuleSupport loadMainClientClass
INFO: ACC009: Load Application Class: [nl.teamsoft.sjsas.client.JustABean2Client]
[b]13-mrt-2008 10:02:17 com.sun.corba.ee.impl.orbutil.threadpool.ThreadPoolImpl$WorkerThread run
WARNING: "IOP00710311: (INTERNAL) Worker thread Thread[p: default-threadpool; w: 3,5,ORB ThreadGroup] caught throwable org.omg.CORBA.COMM_FAILURE: vmcid: SUN minor code: 203 completed: No while executing work."
org.omg.CORBA.INTERNAL: vmcid: SUN minor code: 311 completed: No
at com.sun.corba.ee.impl.logging.ORBUtilSystemException.workerThreadDoWorkThrowable(ORBUtilSystemException.java:7706)
at com.sun.corba.ee.impl.logging.ORBUtilSystemException.workerThreadDoWorkThrowable(ORBUtilSystemException.java:7730)
at com.sun.corba.ee.impl.orbutil.threadpool.ThreadPoolImpl$WorkerThread.run(ThreadPoolImpl.java:558)[/b]

The warning entry is being repeated in the log until I kill the program.

I'm getting afraid to ask but do you have any clues/hints/ideas/...?

Bart.

bertusdotcom
Joined: 2008-01-16

Hi,

Thanks for your responses.

The bug I'm referring to is: Issue 3900
See: https://glassfish.dev.java.net/issues/show_bug.cgi?id=3900

The blog from Shing Wai Chang you mentioned is one of the several options I did try.
Unfortunately his explanation (being good as it is) did not solve my problem that my ACC Client is not connecting over IIOP + SSL.

To me it looks like the problem is primarily related to the SSL internal handling of the server because when I 'downgrade' the confidentiality and integrity to 'supported' I can access the method in the bean.

The main problem now is that I'm pretty much stuck.
Even after setting the debugging to ALL the log file of the server does not give me enough clues as to where to look any further.

I have already re-installed the server (SJSAS 9.1_1) and the JRE (1.6.0_4).
I exported the s1as certificate from the server keystore and imported that certificate into the client truststore.
I created a new client keystore and imported that one into the server truststore.
I redeployed the ejb and client from my IDE (Eclipse 3.3 with GlassFish V2 plugin)
Lastly I ran the clientApp using webstart immediately after server startup.
I get (as expected) the login window asking for a username/password.
After entering the correct credentials, the GUI of my client never shows up (even after waiting 5 minutes)

[b]Here are the - to me - most remarkable entries in the server.log after startup of the server:[/b][i]
:
:
:
[#|2008-03-12T13:47:10.265+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=10;_ThreadName=main;|X509KeyManager passed to SSLContext.init(): [b]need an X509ExtendedKeyManager for SSLEngine use|#][/b]
:
:
:
[#|2008-03-12T13:47:15.937+0100|INFO|sun-appserver9.1|javax.enterprise.system.container.ejb|_ThreadID=10;_ThreadName=main;|EJBSCLookup:: sc.getEjbContainerAvailabilityEnabledFromConfig() ==> false|#]

[#|2008-03-12T13:47:16.343+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=Finalizer;|
Finalizer, called close()|#]

[#|2008-03-12T13:47:16.343+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=Finalizer;|
Finalizer, called closeInternal(true)|#]

[#|2008-03-12T13:47:16.343+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=Finalizer;|
Finalizer|#]

[#|2008-03-12T13:47:16.343+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=Finalizer;|, SEND TLSv1 ALERT: |#]

[#|2008-03-12T13:47:16.343+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=Finalizer;|warning, |#]

[#|2008-03-12T13:47:16.343+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=Finalizer;|description = close_notify|#]

[#|2008-03-12T13:47:16.343+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=Finalizer;|
Finalizer, WRITE: TLSv1 Alert, length = 2|#]

[#|2008-03-12T13:47:17.031+0100|INFO|sun-appserver9.1|javax.enterprise.system.core.transaction|_ThreadID=10;_ThreadName=main;3700;|JTS5014: Recoverable JTS instance, serverId = [3700]|#]

[#|2008-03-12T13:47:17.109+0100|INFO|sun-appserver9.1|javax.enterprise.system.core|_ThreadID=10;_ThreadName=main;|About to load the system app: MEjbApp|#]

[#|2008-03-12T13:47:17.750+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=Finalizer;|
Finalizer, called close()|#]

[#|2008-03-12T13:47:17.750+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=Finalizer;|
Finalizer, called closeInternal(true)|#]

[#|2008-03-12T13:47:17.750+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=Finalizer;|
Finalizer|#]

[#|2008-03-12T13:47:17.750+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=Finalizer;|, SEND TLSv1 ALERT: |#]

[#|2008-03-12T13:47:17.750+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=Finalizer;|warning, |#]

[#|2008-03-12T13:47:17.750+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=Finalizer;|description = close_notify|#]

[#|2008-03-12T13:47:17.750+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=14;_ThreadName=Finalizer;|
Finalizer, WRITE: TLSv1 Alert, length = 2|#]
[/i]

[b]When the login window is shown but before confirming credentials (using button OK) the log shows these 'remarkable' entries:[/b][i]
:
:
:
[#|2008-03-12T13:52:39.703+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=p: thread-pool-1; w: 7;|
p: thread-pool-1; w: 7, READ: [b]SSL v2[/b], contentType = Handshake, translated length = 73|#]
:
:
:
[#|2008-03-12T13:52:39.734+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=p: thread-pool-1; w: 7;|
p: thread-pool-1; w: 7, WRITE: TLSv1 Handshake, length = 790|#]

[#|2008-03-12T13:52:39.750+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=p: thread-pool-1; w: 7;|
p: thread-pool-1; w: 7, READ: TLSv1 Alert, length = 2|#]

[#|2008-03-12T13:52:39.750+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=p: thread-pool-1; w: 7;|
p: thread-pool-1; w: 7|#]

[#|2008-03-12T13:52:39.750+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=p: thread-pool-1; w: 7;|, RECV TLSv1 ALERT: |#]

[#|2008-03-12T13:52:39.750+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=p: thread-pool-1; w: 7;|fatal, |#]

[#|2008-03-12T13:52:39.750+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=p: thread-pool-1; w: 7;|internal_error|#]

[#|2008-03-12T13:52:39.750+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=p: thread-pool-1; w: 7;|
p: thread-pool-1; w: 7, called closeSocket()|#]

[#|2008-03-12T13:52:39.750+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=p: thread-pool-1; w: 7;|
p: thread-pool-1; w: 7, handling exception: javax.net.ssl.SSLException: Received fatal alert: internal_error|#]

[#|2008-03-12T13:52:39.750+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=p: thread-pool-1; w: 7;|
p: thread-pool-1; w: 7, called close()|#]

[#|2008-03-12T13:52:39.750+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=p: thread-pool-1; w: 7;|
p: thread-pool-1; w: 7, called closeInternal(true)|#]

[#|2008-03-12T13:52:39.750+0100|WARNING|sun-appserver9.1|javax.enterprise.resource.corba.ee._CORBA_.rpc.transport|_ThreadID=16;_ThreadName=p: thread-pool-1; w: 7;Thread[p: thread-pool-1; w: 7,5,main];org.omg.CORBA.COMM_FAILURE: vmcid: SUN minor code: 203 completed: No;_RequestID=acb3642c-5d94-4027-ae79-b09e2f4d1fc5;|"IOP00710311: (INTERNAL) Worker thread Thread[p: thread-pool-1; w: 7,5,main] caught throwable org.omg.CORBA.COMM_FAILURE: vmcid: SUN minor code: 203 completed: No while executing work."
org.omg.CORBA.INTERNAL: vmcid: SUN minor code: 311 completed: No
at com.sun.corba.ee.impl.logging.ORBUtilSystemException.workerThreadDoWorkThrowable(ORBUtilSystemException.java:7706)
at com.sun.corba.ee.impl.logging.ORBUtilSystemException.workerThreadDoWorkThrowable(ORBUtilSystemException.java:7730)
at com.sun.corba.ee.impl.orbutil.threadpool.ThreadPoolImpl$WorkerThread.run(ThreadPoolImpl.java:558)
|#]
[/i]

When reading the logfile up to the login window being shown, it looks to me that SSL is succeeding because in the logfile there are lines about:
a trusted certificate being found,
Client key exchange,
connection keygen,
Client MAC write secret and Server MAC write secret,
client write and server write key
and a Finished occurs.

But at the end of this part things already seem to have gone wrong, because there's already a fatal internal error reported including a socketClose.

One general thing I find strange is that it looks like the server is doing the SSL stuff repeatedly.
Maybe it just looks that way, or maybe it's normal (and can be explained), but to me - being a newbie and not familiar with the server's internal behavior - this looks somewhat like an overload of happenings...

To give you guys the complete picture of the things happening from startup until the login window is shown, I've attached that part of the server.log.

I also wondered if my problem could be related to the stuff I'm using:
WinXP Pro
client and server both on same system.
Server 9.1_1
Jre 1.6.0_4
Eclipse 3.3
GlassFish V2 Plugin for Eclipse

I hope not but .... ?

ps.
I did not alter any server parameters for ORB and the ORB-listeners (in fact I did not alter any server parameter whatsoever).
Nor did I specify any security options in the server sun-acc.xml or did I modify any other xml/properties file of the server.
Maybe I should have. If so, can you tell me what I should do where?

I really hope you gurus will be able to assist me to a glorious end.

Anyway, thanks in advance for the response.

Bart.
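Added by the editor as a diagnostic example (not part of Bart's client, the thread's posted code, or GlassFish): before involving the ORB at all, open a raw TLS connection to the IIOP/SSL listener with the same javax.net.ssl.* system properties the ACC uses and report what JSSE says. A trust store problem, a server that wants a client certificate, or a port that is not TLS at all then surfaces as a plain SSLException instead of the repeating COMM_FAILURE / minor code 203 entries shown above. Assumptions: host PCUP from the thread; port 3820 as the domain's IIOP/SSL orb-listener (3700 is the plain IIOP port and will not complete a TLS handshake); the class name IiopSslProbe is invented here. Written for the Java 6 runtime used in the thread.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/*
 * IiopSslProbe: editor's example, not code from this thread or from GlassFish.
 * Performs a plain TLS handshake against the IIOP/SSL listener and prints the
 * negotiated protocol and the server's certificate chain, so that trust-store
 * and listener problems are visible without the ORB in the way.
 *
 * Run with the same -D options you give the appclient, e.g.
 *   java -Djavax.net.ssl.trustStore=C:/path/client.truststore
 *        -Djavax.net.ssl.trustStorePassword=changeit IiopSslProbe PCUP 3820
 * Host PCUP is from the thread; port 3820 is an assumption (default SSL
 * orb-listener of a fresh GlassFish v2 domain).
 */
public class IiopSslProbe {

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "PCUP";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 3820;
        System.exit(probe(host, port));
    }

    /* Returns 0 when the handshake completes, 1 when TLS is reachable but the
     * handshake is rejected, 2 when no TCP/TLS endpoint answers at all. */
    static int probe(String host, int port) {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket ssl = null;
        try {
            Socket tcp = new Socket();
            tcp.connect(new InetSocketAddress(host, port), 5000);
            ssl = (SSLSocket) factory.createSocket(tcp, host, port, true);
            ssl.setSoTimeout(5000);
            // Offer TLSv1 only: no SSLv2Hello-format ClientHello (the
            // "READ: SSL v2, contentType = Handshake" line in server.log) and
            // no SSLv3, so what the server logs is unambiguous.
            ssl.setEnabledProtocols(new String[] { "TLSv1" });
            ssl.setUseClientMode(true);
            ssl.startHandshake();

            System.out.println("Negotiated " + ssl.getSession().getProtocol()
                    + " with " + ssl.getSession().getCipherSuite());
            Certificate[] chain = ssl.getSession().getPeerCertificates();
            for (int i = 0; i < chain.length; i++) {
                X509Certificate x = (X509Certificate) chain[i];
                System.out.println("  peer[" + i + "] subject=" + x.getSubjectX500Principal()
                        + " issuer=" + x.getIssuerX500Principal()
                        + " notAfter=" + x.getNotAfter());
            }
            return 0;
        } catch (SSLException e) {
            // Handshake did not complete.  Typical causes: the server's s1as
            // certificate is not in the trust store named by javax.net.ssl.trustStore,
            // the server demands a client certificate and the key store has none,
            // or the peer is not TLS (e.g. the plain IIOP port) and answered
            // with something that is not a ServerHello.
            System.out.println("TLS handshake with " + host + ":" + port + " failed: " + e.getMessage());
            return 1;
        } catch (IOException e) {
            // Connection refused or timed out: wrong host/port or listener down.
            System.out.println("No endpoint at " + host + ":" + port + ": " + e.getMessage());
            return 2;
        } finally {
            if (ssl != null) {
                try { ssl.close(); } catch (IOException ignored) { }
            }
        }
    }
}
```

If the probe prints the s1as certificate and a TLSv1 suite, the trust store and listener are fine and the remaining problem is in the ORB/CSIv2 layer (or, for the Web Start case, the generated sun-acc.xml discussed in this thread); if it fails with a handshake error, fix the trust store first, since the ACC cannot succeed where a bare JSSE socket fails.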

tjquinn
Joined: 2005-03-30

In case it was not clear from earlier entries... This will not work in Java Web Start launches until we address issue 3900. Until then nothing you do with your configuration will be able to resolve this for the built-in Java Web Start support. I believe that fixing issue 3900 will allow this to work, but there is always the chance that we will then find some other problem.

As I mentioned earlier, I am looking into this now to see if we can provide a fix in the near-term.

- Tim

bertusdotcom
Joined: 2008-01-16

Hi Tim,

Sorry for not having seen your response before I posted my reply.
I was so busy putting together a 'solid' reply that I missed yours completely.
Hope you accept my apologies.

But does your earlier reply mean that using the appclient tooling (using -client xx.jar) is the only working option at the moment?
If so, are there special points I should take care of when configuring this kind of appclient to use SSL (ORB/ORB-listener parameters, sun-acc-xml settings, ejb settings supplied in (sun-)ejb-jar.xml)?

I hope you're still willing to respond.

Bart.

tjquinn
Joined: 2005-03-30

Hey, no problem. Forum posting collisions/overlaps happen all the time.

I believe that you should be able to get SSL working using the appclient command by following Shing-Wai's post (http://blogs.sun.com/swchan/entry/enterprise_java_bean_over_ssl and pointed to earlier in this thread). The product documentation also discusses this (http://docs.sun.com/app/docs/doc/819-3672/gckgn?a=view). Yes, that's the only working choice currently. I am not sure if that is a usable approach for you or if you really are relying on the Java Web Start feature. That path - using Java Web Start to launch app clients - won't work for you with SSL until we address 3900.

Does your solution need this to work via Java Web Start or would the appclient command approach be OK for you (if not ideal)?

- Tim

kumarjayanti
Joined: 2003-12-10

Hi,

>
> I've been trying to get IIOP + SSL to work
>
> Up until now I've not been able to get things working
>
> See the last posts of thread
> http://forums.java.net/jive/thread.jspa?messageID=263156&tstart=0 for my efforts so far.
>
> But according to the posts in this thread it is
> currently NOT possible to use SSL with ACC/Web start
> and we will have to wait until the bug_ID mentioned
> is closed (and we have a bit of a showstopper in our
> company's project)?

Can you tell me the bug_ID that you mention above?

In general ACC + IIOP over SSL should work. Please see if this helps :

http://blogs.sun.com/swchan/entry/enterprise_java_bean_over_ssl

Thanks.

tjquinn
Joined: 2005-03-30

I think the issue is using SSL during a Java Web Start launch of the app client, not using the appclient command directly.

This is not currently supported and is the subject of Issue 3900. This is what I'm currently looking into to see if we can offer a fix soon.

- Tim

tjquinn
Joined: 2005-03-30

Hi.

I don't think there is a way to accomplish this currently. I need to check a couple of other things to be sure, but I suspect that's the case.

This is a reasonable thing to want to do, but it's not a use case that the current implementation handles. The basic problem is that the Java Web Start support logic does not use the sun-acc.xml you have modified as it prepares the temporary sun-acc.xml that is generated - as you found - for the Java Web Start case. The logic does find out from the server what the IIOP addresses are for the ORB(s) running there (there could be multiple ones if the server is in a cluster) and those values are used in preparing that temp file. But there's no provision for influencing other parts of that temporary sun-acc.xml.

I have entered Issue 3900 https://glassfish.dev.java.net/issues/show_bug.cgi?id=3900 to track this bug.

Sorry this is not working for your case.

bertusdotcom
Joined: 2008-01-16

Hi,

I've been trying to get IIOP + SSL to work.
That is: I've made an appclient module and a secure EJB module that is configured to use SSL in the sun-ejb-jar.xml.
The client = JRE 1.6.0_04
Server = 9.1_1 PE
IDE = Eclipse 3.3 (Europa) with GlassFish plugin for GlassFish V2.

Up until now I've not been able to get things working
See the last posts of thread http://forums.java.net/jive/thread.jspa?messageID=263156&tstart=0 for my efforts so far.

But according to the posts in this thread it is currently NOT possible to use SSL with ACC/Web start and we will have to wait until the bug_ID mentioned is closed (and we have a bit of a showstopper in our company's project)?

Any response is more than welcome.

Thanks.

Bart.

tjquinn
Joined: 2005-03-30

I will look into this again more closely and see if there is something we can do near-term.

- Tim