Replies: 3 - Last Post: Oct 13, 2008 4:13 AM by: candlejack
How to establish trust between two GFv2 servers?
Posted: Oct 9, 2008 5:02 AM
Hi all,
I am trying to set up two GFv2 servers so that a trust is created between those two. According to documentation and several inet resources this can be achieved by setting up mutual SSL between those two servers.
To achieve this I set the clientAuth property in the certificate realm of the second server (the callee) to true. That way mutual SSL is enforced for all applications and the corresponding settings in the deployment descriptors of my test EJBs do not matter anymore, right?
Now the servers have to trust each other's certificates, so I set the truststore properties of each server to the keystore.jks file used by the other server, since keystore.jks contains all keys and certificates used by the server.
But so far I could not make a successful call to the EJB on the callee side, instead after setting javax.net.debug=ssl:handshake I see certificate_unknown messages in the server logs when the ssl handshake should take place. I have been trying several combinations of key- and truststores using keystore.jks and cacerts.jks (whereas the latter should not be necessary as far as I understood) but still no joy.
Does anyone have a clue what I am doing wrong here?
Cheers, Chris
P.S.: In case it matters, both GFv2 instances are running on the same machine and I set the ports of the callee instance to the 1500 port range (1548, 1537, 1538, 1539, ...). In the caller EJB I set InitialHost to localhost and InitialPort to 1537.
Message was edited by: candlejack
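A certificate_unknown alert during the handshake means the verifying side could not match the peer's certificate (or its issuer) against the truststore it was given, so the first thing to confirm is that the store really contains that certificate. As an added example that is not from this thread or from GlassFish, a small Python reader for the JKS format: it verifies the store password digest and then checks whether a given DER certificate is present, counting trusted-cert entries as well as the leaf certificate of key entries, which is why a keystore.jks can also serve as a truststore. The store, aliases and certificate bytes built in the test are constructed placeholders.

```python
import hashlib
import struct

MAGIC, VERSION, PRIVATE_KEY, TRUSTED_CERT = 0xFEEDFEED, 2, 1, 2  # file magic, version, entry tags

def _utf(s):
    return struct.pack(">H", len(s.encode("utf-8"))) + s.encode("utf-8")

def _digest(password, body):
    # JKS integrity digest: SHA-1 over password (UTF-16BE) + fixed salt + store body.
    h = hashlib.sha1(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite" + body)
    return h.digest()

def build_jks(entries, password):
    """Write a minimal JKS from (alias, tag, cert_der) tuples; key entries get an empty key blob."""
    body = struct.pack(">III", MAGIC, VERSION, len(entries))
    for alias, tag, der in entries:
        body += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", 0)  # tag, alias, timestamp
        if tag == PRIVATE_KEY:
            body += struct.pack(">II", 0, 1)  # zero-length encrypted key, chain of one cert
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    return body + _digest(password, body)

class _Cursor:
    def __init__(self, buf): self.buf, self.pos = buf, 0
    def take(self, n): b = self.buf[self.pos:self.pos + n]; self.pos += n; return b
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def utf(self): return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")

def read_jks(data, password):
    """Verify the integrity digest, then return [(alias, tag, leaf_cert_der), ...]."""
    body, digest = data[:-20], data[-20:]
    if digest != _digest(password, body):
        raise ValueError("integrity check failed: wrong store password or tampered file")
    c = _Cursor(body)
    if c.u32() != MAGIC or c.u32() != VERSION:
        raise ValueError("not a version-2 JKS file")
    entries = []
    for _ in range(c.u32()):
        tag, alias, _stamp = c.u32(), c.utf(), c.take(8)
        if tag == PRIVATE_KEY:
            c.take(c.u32())  # skip the encrypted private key; only the chain matters here
        chain = [(c.utf(), c.take(c.u32()))[1] for _ in range(c.u32() if tag == PRIVATE_KEY else 1)]
        entries.append((alias, tag, chain[0]))
    return entries

def truststore_has_cert(data, password, peer_cert_der):
    # Trusted-cert entries and the leaf cert of key entries both count as trust anchors.
    return any(leaf == peer_cert_der for _, _, leaf in read_jks(data, password))
```

To use it on a real setup, pass the bytes of the truststore file and the DER of the other server's certificate (as exported with keytool -exportcert) to truststore_has_cert.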
Re: How to establish trust between two GFv2 servers?
Posted: Oct 10, 2008 7:11 AM in response to: candlejack
Okay, now I am completely stumped.
I spent the last days trying all kinds of stuff and just now I decided to go back to my starting point and restart from there. So I set up my client to call the second EJB directly without using the caller EJB, removed clientAuth from the certificate realm and set all transport-config properties in sun-ejb-jar.xml to supported in order to allow access without SSL.
Now I was able to call the EJB without specifying key- and truststores on client side, as expected. So I added the clientAuth property to the certificate realm again. Still no trust- or keystores defined in the client's VM parameters. And the call STILL succeeds!!
Can anyone explain this to me? I thought activating client auth enforces two-way SSL, and since the client has no keystore and, more important, does not reference the truststore containing the server's certificate, that call should fail miserably. But it does not. I am really lost here, any help welcome.
Thanks, Chris
Re: How to establish trust between two GFv2 servers?
Posted: Oct 13, 2008 2:43 AM in response to: candlejack
In the meanwhile I was able to enforce mutual SSL when calling the second EJB directly from the client by setting the deployment descriptor elements accordingly:
    <ior-security-config>
        <transport-config>
            <integrity>required</integrity>
            <confidentiality>required</confidentiality>
            <establish-trust-in-target>supported</establish-trust-in-target>
            <establish-trust-in-client>required</establish-trust-in-client>
        </transport-config>
        <sas-context>
            <caller-propagation>supported</caller-propagation>
        </sas-context>
    </ior-security-config>
But only after creating my own certificate, which I put in a keystore that I referenced as key- and truststore on both sides.
But still, activating clientAuth in the certificate realm does not change the behaviour at all. Any ideas where I can get more detailed information about this?
Cheers, Chris
Message was edited by: candlejack
Re: How to establish trust between two GFv2 servers?
Posted: Oct 13, 2008 4:11 AM in response to: candlejack
And once again replying to myself.
Now the scenario is up completely. Standalone client calling EJB on server one, which is in turn calling EJB on server two. Both calls are set up with mutual SSL enforced by the EJB deployment descriptors. The clientAuth property on both servers, enabled or disabled, does not make any difference, but the desired effect, a trusted domain, should be enforced by the deployment descriptors alone anyways.
But the authenticated subject is not propagated through the call stack by the CSIv2 layer as it should. Instead the calling subject on both servers is shown as the certificate used to authenticate the client side.
All I want to know is if there is any mistake on my side or if this is some kind of bug.
Cheers, Chris