The sslsocket transport is derived from the socket transport (The socket transport) and differs only in the use of javax.net.ssl.SSLSockets and javax.net.ssl.SSLServerSockets instead of the usual Java sockets and server sockets. Similarly, the sslbisocket transport is derived from the bisocket transport (The bisocket transport) and differs only in the use of SSLSockets and SSLServerSockets.
Remoting provides a configurable extension of javax.net.ssl.SSLServerSocketFactory called org.jboss.remoting.security.SSLServerSocketFactoryService. It depends on an instance of org.jboss.remoting.security.SSLSocketBuilder, which creates and configures an instance of javax.net.ssl.SSLContext and uses it to create an instance of javax.net.ssl.SSLServerSocketFactory. It is the SSLSocketBuilder that is configured with keystores, passwords, protocol and algorithm names, and so on. SSLSocketBuilder is described in more detail in the Remoting Guide.
For example, JBoss Messaging uses instances of SSLServerSocketFactoryService and SSLSocketBuilder as follows in its configuration of the sslbisocket transport:
    <mbean code="org.jboss.remoting.security.SSLServerSocketFactoryService"
           name="jboss.messaging:service=ServerSocketFactory,type=SSL"
           display-name="SSL Server Socket Factory">
      <depends optional-attribute-name="SSLSocketBuilder"
               proxy-type="attribute">jboss.messaging:service=SocketBuilder,type=SSL</depends>
    </mbean>

    <mbean code="org.jboss.remoting.security.SSLSocketBuilder"
           name="jboss.messaging:service=SocketBuilder,type=SSL"
           display-name="SSL Server Socket Factory Builder">
      <!-- IMPORTANT - If making ANY customizations, this MUST be set to false.
           Otherwise, will use default settings and the following attributes will be ignored. -->
      <attribute name="UseSSLServerSocketFactory">false</attribute>
      <attribute name="KeyStoreURL">${jboss.server.home.url}/deploy/messaging/messaging.keystore</attribute>
      <attribute name="KeyStorePassword">secureexample</attribute>
      <attribute name="KeyPassword">secureexample</attribute>
      <attribute name="SecureSocketProtocol">TLS</attribute>
      <attribute name="KeyStoreAlgorithm">SunX509</attribute>
      <attribute name="KeyStoreType">JKS</attribute>
    </mbean>
Through these two MBeans, JBoss Messaging provides itself with a suitably configured instance of an SSLServerSocketFactory on the server side.
Although an SSLSocketBuilder can also be used to create a javax.net.ssl.SSLSocketFactory, the one configured on the server side typically will not be available on the client side, so it is the responsibility of the particular subsystem (JBoss Messaging, EJB2, EJB3) to create a RemoteClientInvoker with a suitable SSLSocketFactory. For example, JBoss Messaging takes two steps: it collects the truststore location and password into a configuration map, then passes that map to the Client it creates:
    // Step 1: pick up the client truststore settings from system properties,
    // if present, and place them in the transport configuration map.
    Map configuration = new HashMap();
    String trustStoreLoc = System.getProperty("org.jboss.remoting.trustStore");
    if (trustStoreLoc != null) {
        configuration.put("org.jboss.remoting.trustStore", trustStoreLoc);
        String trustStorePassword = System.getProperty("org.jboss.remoting.trustStorePassword");
        if (trustStorePassword != null) {
            configuration.put("org.jboss.remoting.trustStorePassword", trustStorePassword);
        }
    }
    ...
    // Step 2: hand the configuration map to the Client so the client-side
    // invoker can build its SSLSocketFactory from it.
    Client client = new Client(new InvokerLocator(serverLocatorURI), configuration);
    ...
The following parameters are applicable to both the client and server sides for the sslsocket and sslbisocket transports:
enabledCipherSuites - a String array which is passed to SSLSocket.setEnabledCipherSuites()
enabledProtocols - a String array which is passed to SSLSocket.setEnabledProtocols()
enableSessionCreation - a boolean value which is passed to SSLSocket.setEnableSessionCreation()
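As an added illustration (not code from JBoss Remoting), the hypothetical helper below applies those three parameters to an SSLSocket through the same setters the transports use, after filtering each array against what the JVM reports as supported, so an unsupported or misspelled name is reported up front instead of surfacing as an IllegalArgumentException at handshake time. The class name, the Map shape and the assumption that the values arrive as String[] and a boolean-like value are mine.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLSocket;

// Hypothetical helper, not part of JBoss Remoting: applies the three per-socket
// parameters to an SSLSocket through the same setters the sslsocket/sslbisocket
// transports use, after checking each requested name against what the JVM supports.
public final class SslTransportParams {

    private SslTransportParams() {}

    // Keeps the requested names the socket supports, in request order, and fails
    // loudly if none survive (an empty array would make every handshake fail).
    static String[] supportedSubset(String[] requested, String[] supported, String what) {
        Set<String> supportedSet = new HashSet<String>(Arrays.asList(supported));
        Set<String> kept = new LinkedHashSet<String>();
        for (String name : requested) {
            if (supportedSet.contains(name)) {
                kept.add(name);
            }
        }
        if (kept.isEmpty()) {
            throw new IllegalArgumentException("none of the requested " + what
                    + " is supported by this JVM: " + Arrays.toString(requested));
        }
        return kept.toArray(new String[kept.size()]);
    }

    // Reads the three keys from a transport configuration map (assumed to hold
    // String[] values for the two arrays and a boolean-like value for the flag).
    public static void apply(SSLSocket socket, Map<String, ?> config) {
        Object suites = config.get("enabledCipherSuites");
        if (suites instanceof String[]) {
            socket.setEnabledCipherSuites(supportedSubset(
                    (String[]) suites, socket.getSupportedCipherSuites(), "cipher suites"));
        }
        Object protocols = config.get("enabledProtocols");
        if (protocols instanceof String[]) {
            socket.setEnabledProtocols(supportedSubset(
                    (String[]) protocols, socket.getSupportedProtocols(), "protocols"));
        }
        Object session = config.get("enableSessionCreation");
        if (session != null) {
            socket.setEnableSessionCreation(Boolean.parseBoolean(String.valueOf(session)));
        }
    }
}
```

Restricting enabledProtocols and enabledCipherSuites to a short, current list on both sides is what keeps a connection from negotiating down to whatever the JVM enables by default.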