The Java Secure Socket Extension (JSSE) is a set of Java packages that implements SSL and Transport Layer Security, which enables data encryption, server authentication, message integrity, and client authentication. JSSE is a client-side feature, which can be used with EAServer when it has been configured for SSL communication. For more information on SSL, see Chapter 14, “Managing Keys and Certificates.”
JSSE does not contain any actual cryptographic logic. You must obtain an API package that performs the cryptographic functions, such as Bouncy Castle or Cryptix, which are available free over the Internet.
Setting up your JSSE environment
Download and install the JSSE according to the documentation on the Java Web page. The basic steps are:
Copy the JSSE JAR files to the jre/lib/ext directory in your JDK installation.
Edit the jre/lib/security/java.security file in your JDK installation, and add this line:
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
From the Sun documentation, note the following:
JSSE 1.0.2 requires JDK 1.2.2 or higher.
JRE 1.3.1_02 includes the Java plug-in HTML Converter 1.3.1_02, which works best with JDK 1.3.
JDK/JRE 1.3 or higher is recommended to run HTML applets.
The Java plug-in HTML Converter is recommended for HTML applet clients.
Download and install the Java Plug-in HTML Converter, either version 1.3.1 or 1.4.
If you install version 1.3.1:
Download and install JSSE 1.0.2 in the JDK 1.3.1 jre/lib/ext subdirectory of the JDK installation.
Set up jre/lib/security/java.security according to the JSSE 1.0.2 directions.
The JSSE Samples Web page includes samples that create clients using JSSE. Verify that the samples compile and run with your JDK. You must be able to use the Java samples to request the secure VeriSign Web page at https://www.verisign.com.
Start EAServer and connect using EAServer Manager | Certificates folder.
In the User Certificates folder, highlight the Sample1 Test ID certificate, and select File | Certificate Info. Confirm that the Sample1 Test ID certificate is valid; that is, that the current date falls between the certificate’s Not Valid Before and Not Valid After dates.
From the User Certificates folder, export Sample1 Test ID as a Binary Encoded X509 Certificate (*.crt). For example, save to a file named eas.crt.
Using the Java keytool, import the eas.crt file; for example:
keytool -import -file eas.crt -keystore $JAGUAR_JDK13/jre/lib/security/[cacerts | jssecacerts] -trustcacerts
To simplify things, use the default certificate store cacerts; the password is “changeit”.
To run a JSSE client application (for example, ClientApp):
Create a ClientApp.bat file with these lines (the classpath setting is a single line; it is only wrapped here for readability):
set classpath=%JAGUAR%\java\lib\easclient.jar;%JAGUAR%\java\lib\easj2ee.jar;%classpath%
java -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol ClientApp
Run ClientApp.bat.
If you do not have a Web proxy, remove the Web proxy settings from your client, and enter the server information; for example:
iiops://localhost:9001, or iiops://<host_name>:9001
The following steps apply only to HTML applets.
Remove these client ORB properties from your HTML applet client, if appropriate:
com.sybase.CORBA.WebProxyHost=localhost
com.sybase.CORBA.WebProxyPort=80
com.sybase.CORBA.LogFile=.\iiop.log
To access your Web page from a Web browser, enter:
http://<host_name>:8080/jssehtml/yourAppClient.html
Where yourAppClient.html is your HTML applet client.
In the applet, enter iiops://<host_name>:9001 as the connection parameter, and click Connect.
Sybase recommends using a Web browser that supports the Java Plug-in 1.3.1 or higher and the Java Plug-in Converter 1.3.1 or higher.
Direct IIOP connections using JSSE are not supported.
Tunnelling IIOP through HTTPS (JSSE socket) using HTTP GET requests
IIOP is contained within the HTTP packets.
Set the client URL to iiops://<host_name>:9001.
Set the following client ORB properties. To enable the EAServer message service to access the ORB properties, set the properties using the JMS property names; otherwise, use the CORBA property names.
JMS property | CORBA property | Value
---|---|---
org.omg.CORBA.ORBClass | org.omg.CORBA.ORBClass | com.sybase.CORBA.ORB
com.sybase.jms.https | com.sybase.CORBA.https | true
com.sybase.jms.useJSSE | com.sybase.CORBA.useJSSE | true
com.sybase.jms.forceSSL | com.sybase.CORBA.forceSSL | true
Tunnelling IIOP through HTTPS (JSSE socket) using HTTP POST requests
IIOP is contained within the HTTP packets.
Set the client URL to iiops://<host_name>:9001.
Set the following client ORB properties. To enable the EAServer message service to access the ORB properties, set the properties using the JMS property names; otherwise, use the CORBA property names.
JMS property | CORBA property | Value
---|---|---
org.omg.CORBA.ORBClass | org.omg.CORBA.ORBClass | com.sybase.CORBA.ORB
com.sybase.jms.https | com.sybase.CORBA.https | true
com.sybase.jms.useJSSE | com.sybase.CORBA.useJSSE | true
com.sybase.jms.forceSSL | com.sybase.CORBA.forceSSL | true
com.sybase.jms.HttpUsePost | com.sybase.CORBA.HttpUsePost | true
Tunnelling IIOP through an HTTPS connect (JSSE socket) using HTTP GET requests
IIOP is contained within the HTTP packets.
Set the client URL to iiops://<host_name>:9001.
Set the following client ORB properties. To enable the EAServer message service to access the ORB properties, set the properties using the JMS property names; otherwise, use the CORBA property names.
JMS property | CORBA property | Value
---|---|---
org.omg.CORBA.ORBClass | org.omg.CORBA.ORBClass | com.sybase.CORBA.ORB
com.sybase.jms.https | com.sybase.CORBA.https | true
com.sybase.jms.WebProxyHost | com.sybase.CORBA.WebProxyHost | <web_proxy_host_name>
com.sybase.jms.WebProxyPort | com.sybase.CORBA.WebProxyPort | <web_proxy_port>
com.sybase.jms.useJSSE | com.sybase.CORBA.useJSSE | true
com.sybase.jms.forceSSL | com.sybase.CORBA.forceSSL | true
Tunnelling IIOP through an HTTPS connect (JSSE socket) using HTTP POST requests
IIOP is contained within the HTTP packets.
Set the client URL to iiops://<host_name>:9001.
Set the following client ORB properties. To enable the EAServer message service to access the ORB properties, set the properties using the JMS property names; otherwise, use the CORBA property names.
JMS property | CORBA property | Value
---|---|---
org.omg.CORBA.ORBClass | org.omg.CORBA.ORBClass | com.sybase.CORBA.ORB
com.sybase.jms.https | com.sybase.CORBA.https | true
com.sybase.jms.HttpUsePost | com.sybase.CORBA.HttpUsePost | true
com.sybase.jms.WebProxyHost | com.sybase.CORBA.WebProxyHost | <web_proxy_host_name>
com.sybase.jms.WebProxyPort | com.sybase.CORBA.WebProxyPort | <web_proxy_port>
com.sybase.jms.useJSSE | com.sybase.CORBA.useJSSE | true
com.sybase.jms.forceSSL | com.sybase.CORBA.forceSSL | true
The first time you connect may take a while because JSSE goes through an SSL authentication process.
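The four property sets above, combined with the certificate validity check from the setup steps, as an added Java example (not EAServer's own client code). It assumes the trust store in use is cacerts with the default password, that the certificate was imported with the keytool command above without -alias (so it sits under keytool's default alias "mykey"), and that java.home resolves to the JRE directory.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Properties;
import org.omg.CORBA.ORB;

public class JsseOrbSetup {
    // Client ORB properties from the four tables above, using the CORBA property names
    // (a message-service client would use the com.sybase.jms.* names instead).
    // proxyHost == null selects the direct HTTPS tunnel; otherwise the proxy-connect form.
    static Properties tunnelProperties(boolean usePost, String proxyHost, String proxyPort) {
        Properties p = new Properties();
        p.setProperty("org.omg.CORBA.ORBClass", "com.sybase.CORBA.ORB");
        p.setProperty("com.sybase.CORBA.https", "true");
        p.setProperty("com.sybase.CORBA.useJSSE", "true");
        p.setProperty("com.sybase.CORBA.forceSSL", "true");
        if (usePost) p.setProperty("com.sybase.CORBA.HttpUsePost", "true");
        if (proxyHost != null) {
            p.setProperty("com.sybase.CORBA.WebProxyHost", proxyHost);
            p.setProperty("com.sybase.CORBA.WebProxyPort", proxyPort);
        }
        return p;
    }

    // Confirms the imported EAServer certificate is present in the trust store and that
    // today falls between its Not Valid Before and Not Valid After dates, so an expired
    // sample certificate is caught before the SSL handshake fails.
    static boolean trustedCertIsValid(String keystorePath, char[] storePass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(keystorePath);
        try { ks.load(in, storePass); } finally { in.close(); }
        Certificate c = ks.getCertificate(alias);
        if (!(c instanceof X509Certificate)) return false;   // nothing imported under this alias
        try { ((X509Certificate) c).checkValidity(); return true; }   // throws if expired or not yet valid
        catch (CertificateException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        // Assumptions: java.home is the JRE directory, and the keytool -import command above
        // (run without -alias) stored the certificate under keytool's default alias "mykey".
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        if (!trustedCertIsValid(cacerts, "changeit".toCharArray(), "mykey")) {
            System.err.println("EAServer certificate missing from cacerts or outside its validity dates");
            return;
        }
        ORB orb = ORB.init(args, tunnelProperties(false, null, null));
        // orb now tunnels IIOP through a JSSE HTTPS socket; connect to iiops://<host_name>:9001
    }
}
```

If a jssecacerts file exists in jre/lib/security, JSSE uses it instead of cacerts, so point keystorePath at whichever file the keytool import actually targeted.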
When using an unsigned JAR, your code runs with the default EAServer Manager | Certificates folder, which is fairly restrictive. To improve performance, you can edit Java’s default security policy file using the instructions in Sun’s security documentation. To enable EAServer’s ORB to work in an unsigned environment:
You must grant the ORB permission to read the proxy host settings, using one of these methods:
permission java.util.PropertyPermission "*", "read";
or
permission java.util.PropertyPermission "javaplugin.proxy.config.*", "read";
The ORB may require socket connect permissions to connect to a proxy server.
If you are using the sample test certificate generated by EAServer, the EAServer certificate authority must be installed. You can do this in either the cacerts or the jssecacerts keystore using this syntax:
keytool -import -file <file_name> -keystore [cacerts | jssecacerts]
The password for the cacerts keystore is “changeit”.
With a signed applet, you do not need to set permissions at the plug-in level. A signed JAR file describes the type of permissions it requires.
You can find a sample JDK security file in the JDK installation, in file jre/lib/security/java.security.
Copyright © 2005 Sybase Inc. All rights reserved.