JavaEE - EJB over SSL works only if client and server are at the same host

Pasha Turok
Greenhorn

Joined: Jun 09, 2014
Posts: 5
Please help me. I can't do anything with it. I have gf 4.0.1 and a Swing client. I want to get EJB over SSL. I've set all certificates. However, I can get it to work only when client and server are at the same host. What I see in tcpdump when they are at the same host:

........
10.0.17.2.48524 > 10.0.17.2.3820: Flags [P.], cksum 0x378f (incorrect -> 0xf2b6), seq 399:756, ack 1085, win 273, options [nop,nop,TS val 347297976 ecr 347297966], length 357
13:01:26.334898 IP (tos 0x0, ttl 64, id 51559, offset 0, flags [DF], proto TCP (6), length 665)
10.0.17.2.3820 > 10.0.17.2.48524: Flags [P.], cksum 0x388f (incorrect -> 0x626d), seq 1085:1698, ack 756, win 273, options [nop,nop,TS val 347297977 ecr 347297976], length 613
13:01:26.374075 IP (tos 0x0, ttl 64, id 39617, offset 0, flags [DF], proto TCP (6), length 52)
10.0.17.2.48524 > 10.0.17.2.3820: Flags [.], cksum 0x9282 (correct), seq 756, ack 1698, win 289, options [nop,nop,TS val 347298017 ecr 347297977], length 0
13:01:26.375662 IP (tos 0x0, ttl 64, id 15848, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.42403 > 127.0.0.1.3820: Flags [S], cksum 0x7255 (correct), seq 2517132554, win 32792, options [mss 16396,sackOK,TS val 347298018 ecr 0,nop,wscale 7], length 0
13:01:26.375678 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.3820 > 127.0.0.1.42403: Flags [S.], cksum 0x21e9 (correct), seq 2013817557, ack 2517132555, win 32768, options [mss 16396,sackOK,TS val 347298018 ecr 347298018,nop,wscale 7], length 0
........
That is, it starts working from one port, but at some places it changes to 127.0.0.1 and a new connection is established.

When the client and server are at different hosts I don't get any exception, but the client hangs. On the server, in the log, I have:

[2014-06-09T13:09:07.367+0400] [glassfish 4.0] [INFO] [] [] [tid: _ThreadID=139 _ThreadName=Thread-8] [timeMillis: 1402304947367] [levelValue: 800] [[
p: thread-pool-1; w: 1, WRITE: TLSv1 Handshake, length = 48]]
[2014-06-09T13:09:07.367+0400] [glassfish 4.0] [INFO] [] [] [tid: _ThreadID=139 _ThreadName=Thread-8] [timeMillis: 1402304947367] [levelValue: 800] [[
%% Cached server session: [Session-15, TLS_RSA_WITH_AES_256_CBC_SHA]]]
[2014-06-09T13:09:07.404+0400] [glassfish 4.0] [INFO] [] [] [tid: _ThreadID=139 _ThreadName=Thread-8] [timeMillis: 1402304947404] [levelValue: 800] [[
p: thread-pool-1; w: 1, READ: TLSv1 Application Data, length = 352]]
[2014-06-09T13:09:07.408+0400] [glassfish 4.0] [INFO] [] [] [tid: _ThreadID=139 _ThreadName=Thread-8] [timeMillis: 1402304947408] [levelValue: 800] [[
p: thread-pool-1; w: 1, WRITE: TLSv1 Application Data, length = 608]]

And on the client I endlessly get the following message (with different cipher suites):
.......
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
.......

How can it be fixed?
Michael Remijan
Author
Ranch Hand

Joined: May 29, 2002
Posts: 120

EJB SSL communication is tricky. It took me a couple weeks and I was working with a GlassFish security developer on it. I have a HOW-TO blogger article on it. http://mjremijan.blogspot.com/2011/06/secure-ssl-ejb-communication-with.html. This was written before GlassFish 4 but hopefully it is still applicable.


Java EE Evangelist — Author, EJB 3 in Action 2nd Edition — Java Community Process Member
Pasha Turok
Greenhorn

Joined: Jun 09, 2014
Posts: 5
Michael Remijan wrote: EJB SSL communication is tricky. It took me a couple weeks and I was working with a GlassFish security developer on it. I have a HOW-TO blogger article on it. http://mjremijan.blogspot.com/2011/06/secure-ssl-ejb-communication-with.html. This was written before GlassFish 4 but hopefully it is still applicable.

Thank you for your time and post. I totally agree that it is REALLY TRICKY! I've done it. The problem was in my settings of /etc/hosts. The full topic is http://stackoverflow.com/questions/24117040/javaee-ejb-over-ssl-works-only-if-client-and-server-are-at-the-same-host
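A check for the kind of /etc/hosts problem reported above, as an added example that is not part of the original posts: it lists the loopback addresses a hosts file assigns to a given name, which would explain a capture where the session moves to 127.0.0.1 and a remote client hangs. It assumes the fault was the server's own hostname mapped to loopback (the thread only says "/etc/hosts"); the function names and the host name `appsrv` are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the server's hostname is bound to a loopback
# address in the hosts file; the thread itself only names /etc/hosts.

# loopback_entries HOSTS_FILE NAME
# Prints every loopback address (127.x.x.x or ::1) that HOSTS_FILE maps NAME to.
loopback_entries() {
    awk -v name="$2" '
        {
            sub(/#.*/, "")                      # strip comments
            if (NF < 2) next                    # need an address and a name
            ip = $1
            if (ip !~ /^127\./ && ip != "::1") next
            for (i = 2; i <= NF; i++)           # canonical name and aliases
                if (tolower($i) == tolower(name)) { print ip; break }
        }' "$1"
}

# check_host HOSTS_FILE NAME
# Returns 0 if NAME has no loopback mapping, 1 (with a warning) if it does.
check_host() {
    hits=$(loopback_entries "$1" "$2")
    if [ -n "$hits" ]; then
        echo "WARN: $2 maps to loopback ($(echo $hits)) in $1" >&2
        return 1
    fi
    return 0
}

# Constructed sample hosts file: the hypothetical server name "appsrv" sits on
# a loopback line; 10.0.17.2 is the routable address seen in the capture.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1   localhost
127.0.1.1   appsrv.example.test appsrv   # constructed entry
10.0.17.2   db01
EOF
check_host "$sample" appsrv || echo "fix: map appsrv to its routable address"
check_host "$sample" db01 && echo "db01: no loopback mapping"
rm -f "$sample"
```

On the server itself, run `check_host /etc/hosts "$(hostname)"`.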
Michael Remijan
Author
Ranch Hand

Joined: May 29, 2002
Posts: 120

And this solved the issue having the client and server on different hosts?