I'm stuck on a scenario that requires using an EJB client over SSL. Usually, the EJB client is within the LAN and RMI is the protocol used to communicate with the EJB container. For some reason, the EJB client is required outside of the firewall, and the firewall is configured to allow such communication. How should the EJB container and the EJB client be configured so that the EJB client communicates with the EJB container over SSL? Could someone give some comments on this scenario (or some links on this topic)? Thanks
That's a good one! I've never seen that issue before, since in the world at large, EJBs in Internet clients are impractical - they get blocked by firewalls - if not on the server side, then on the client side. It's going to be some work, I know that much - both the client and server machines would require components for RMI tunnelling through SSL, including their own TCP/IP port. SSL isn't the only, or maybe even the best, way to secure your traffic. You might also check out TLS. Also, as I understand it, IPv6 may provide generally secure transmissions in a transparent manner - if the world ever switches over!
Quote: "In the J2EE architecture,....A Deployer must configure the containers involved in a call to implement integrity mechanisms. .... When integrity mechanisms are configured by the Deployer, the calling container must compute and attach a message signature to the call request, and verify the correspondence between the call response and the message signature attached to the call response. The called container must verify the correspondence between the call request and the attached message signature, and compute and attach a message signature to the call response." Unquote. So, the EJB container should be configurable to accept EJB client calls over SSL (RMI over SSL). I could easily find code samples for a client side that initiates a JNDI lookup from a secured socket. But how is the EJB container side configured to accept incoming calls over SSL? WebLogic has an IIOP Listener/Handler which can be configured to accept IIOP over SSL (http://edocs.bea.com/wle/wle50/security/concepts.htm#1039095). Oracle 9i has something similar (http://download-west.oracle.com/otndoc/oracle9i/901_doc/java.901/a90188/secure.htm#1011903). Does this mean the EJB container can be configured to accept client calls over SSL? Please clarify it! Thanks
One other possible solution is HTTPS tunneling. But how much does it slow down the response time? Thanks
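
For reference, an added example that is not part of the thread: plain JDK RMI carried over TLS with the standard `javax.rmi.ssl` socket factories, with both ports fixed so a firewall can allow exactly those two. It is not EJB container configuration (that is vendor-specific, as the WebLogic and Oracle links above show); the `Greeter` interface, the class name and the port numbers are hypothetical, and it assumes JDK 11 or later with keystore and truststore files supplied through the usual `javax.net.ssl.*` system properties.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class RmiOverTls {
    /** Hypothetical remote interface, standing in for a bean's remote view. */
    public interface Greeter extends Remote {
        String greet(String name) throws RemoteException;
    }

    static class GreeterImpl implements Greeter {
        public String greet(String name) { return "hello " + name; }
    }

    // Assumed ports. Both are fixed so the firewall can allow exactly these two.
    static final int REGISTRY_PORT = 1099;
    static final int OBJECT_PORT = 2099;

    // Strong references, so the exported object and registry are not garbage collected.
    static Greeter impl;
    static Registry registry;

    public static void main(String[] args) throws Exception {
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        if (args.length > 0 && args[0].equals("server")) {
            // Server JVM: -Djavax.net.ssl.keyStore/keyStorePassword (its certificate),
            // -Djavax.net.ssl.trustStore (client certificates it accepts), and
            // -Djava.rmi.server.hostname=<address the client can reach>.
            // needClientAuth = true: the TLS handshake fails without a trusted client cert.
            SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(
                    null, new String[] {"TLSv1.2", "TLSv1.3"}, true);
            impl = new GreeterImpl();
            Greeter stub = (Greeter) UnicastRemoteObject.exportObject(impl, OBJECT_PORT, csf, ssf);
            registry = LocateRegistry.createRegistry(REGISTRY_PORT, csf, ssf);
            registry.rebind("Greeter", stub);
            System.out.println("Greeter exported over TLS");
        } else {
            // Client JVM: -Djavax.net.ssl.trustStore (server cert) and keyStore (its own cert).
            String host = args.length > 0 ? args[0] : "localhost";
            Registry remote = LocateRegistry.getRegistry(host, REGISTRY_PORT, csf);
            Greeter greeter = (Greeter) remote.lookup("Greeter");
            System.out.println(greeter.greet("client"));
        }
    }
}
```

Because the client socket factory is serialized into the stub, a client that looks up `Greeter` connects to the object port over TLS without further code; start the server with the argument `server` and the client with the server's host name.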