The Java Secure Socket Extension (JSSE) is a set of Java packages that implements SSL and Transport Layer Security (TLS), which enables data encryption, server authentication, message integrity, and client authentication. JSSE is a client-side feature, which can be used with EAServer when it has been configured for SSL communication. For more information on SSL, see Chapter 11, “Managing Keys and Certificates.”
JSSE does not contain any actual cryptographic logic. You must obtain an API package that performs the cryptographic functions, such as Bouncy Castle or Cryptix, which are available free over the Internet.
Setting up your JSSE environment
Download and install the JSSE according to the documentation on the Java Web page. The basic steps are:
Copy the JSSE JAR files to the jre/lib/ext directory in your JDK installation.
Edit the jre/lib/security/java.security file in your JDK installation, and add this line:
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
Download and install the Java Plug-in HTML Converter, either version 1.3.1 or 1.4.
If you install version 1.3.1:
Download and install JSSE 1.0.2 in the JDK 1.3.1 jre/lib/ext subdirectory of the JDK installation.
Set up jre/lib/security/java.security according to the JSSE 1.0.2 directions.
The JSSE Samples Web page includes samples that create clients using JSSE. Verify that the samples compile and run with your JDK. You must be able to use the Java samples to request the secure VeriSign Web page at https://www.verisign.com.
Using the Java keytool, import the eas.crt file; for example:
keytool -import -file eas.crt -keystore DJC_HOME/_JDK13/jre/lib/security/[cacerts | jssecacerts] -trustcacerts
To simplify things, use the default certificate store cacerts; the password is “changeit”.
To run a JSSE client application; for example, ClientApp:
Create a ClientApp.bat file with these lines:
set CLASSPATH=%DJC_HOME%\lib\eas-client-14.jar;%CLASSPATH%
java -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol ClientApp
If using JDK 1.5 rather than 1.4, change the reference to eas-client-14.jar to refer to eas-client-15.jar.
Run ClientApp.bat.
If you do not have a Web proxy, remove the Web proxy settings from your client, and enter the server information; for example:
iiops://localhost:9001, or iiops://<host_name>:9001
The following steps apply only to HTML applets.
Remove these client ORB properties from your HTML applet client, if appropriate:
com.sybase.CORBA.WebProxyHost=localhost
com.sybase.CORBA.WebProxyPort=80
com.sybase.CORBA.LogFile=.\iiop.log
To access your Web page from a Web browser, enter:
http://<host_name>:8080/jssehtml/yourAppClient.html
where yourAppClient.html is your HTML applet client.
In the applet, enter iiops://<host_name>:9001 as the connection parameter, and click Connect.
Sybase recommends using a Web browser that supports the Java Plug-in 1.3.1 or higher and the Java Plug-in Converter 1.3.1 or higher.
Direct IIOP connections using JSSE are not supported.
Tunnelling IIOP through HTTPS (JSSE socket) using HTTP GET requests
IIOP is contained within the HTTP packets.
Set the client URL to iiops://<host_name>:9001.
Set the following client ORB properties. To enable the EAServer message service to access the ORB properties, set the properties using the JMS property names; otherwise, use the CORBA property names.

| JMS property | CORBA property | Value |
|---|---|---|
| org.omg.CORBA.ORBClass | org.omg.CORBA.ORBClass | com.sybase.CORBA.ORB |
| com.sybase.jms.https | com.sybase.CORBA.https | true |
| com.sybase.jms.useJSSE | com.sybase.CORBA.useJSSE | true |
| com.sybase.jms.forceSSL | com.sybase.CORBA.forceSSL | true |
Tunnelling IIOP through HTTPS (JSSE socket) using HTTP POST requests
IIOP is contained within the HTTP packets.
Set the client URL to iiops://<host_name>:9001.
Set the following client ORB properties. To enable the EAServer message service to access the ORB properties, set the properties using the JMS property names; otherwise, use the CORBA property names.

| JMS property | CORBA property | Value |
|---|---|---|
| org.omg.CORBA.ORBClass | org.omg.CORBA.ORBClass | com.sybase.CORBA.ORB |
| com.sybase.jms.https | com.sybase.CORBA.https | true |
| com.sybase.jms.useJSSE | com.sybase.CORBA.useJSSE | true |
| com.sybase.jms.forceSSL | com.sybase.CORBA.forceSSL | true |
| com.sybase.jms.HttpUsePost | com.sybase.CORBA.HttpUsePost | true |
Tunnelling IIOP through an HTTPS connect (JSSE socket) using HTTP GET requests
IIOP is contained within the HTTP packets.
Set the client URL to iiops://<host_name>:9001.
Set the following client ORB properties. To enable the EAServer message service to access the ORB properties, set the properties using the JMS property names; otherwise, use the CORBA property names.

| JMS property | CORBA property | Value |
|---|---|---|
| org.omg.CORBA.ORBClass | org.omg.CORBA.ORBClass | com.sybase.CORBA.ORB |
| com.sybase.jms.https | com.sybase.CORBA.https | true |
| com.sybase.jms.WebProxyHost | com.sybase.CORBA.WebProxyHost | <web_proxy_host_name> |
| com.sybase.jms.WebProxyPort | com.sybase.CORBA.WebProxyPort | <web_proxy_port> |
| com.sybase.jms.useJSSE | com.sybase.CORBA.useJSSE | true |
| com.sybase.jms.forceSSL | com.sybase.CORBA.forceSSL | true |
Tunnelling IIOP through an HTTPS connect (JSSE socket) using HTTP POST requests
IIOP is contained within the HTTP packets.
Set the client URL to iiops://<host_name>:9001.
Set the following client ORB properties. To enable the EAServer message service to access the ORB properties, set the properties using the JMS property names; otherwise, use the CORBA property names.

| JMS property | CORBA property | Value |
|---|---|---|
| org.omg.CORBA.ORBClass | org.omg.CORBA.ORBClass | com.sybase.CORBA.ORB |
| com.sybase.jms.https | com.sybase.CORBA.https | true |
| com.sybase.jms.HttpUsePost | com.sybase.CORBA.HttpUsePost | true |
| com.sybase.jms.WebProxyHost | com.sybase.CORBA.WebProxyHost | <web_proxy_host_name> |
| com.sybase.jms.WebProxyPort | com.sybase.CORBA.WebProxyPort | <web_proxy_port> |
| com.sybase.jms.useJSSE | com.sybase.CORBA.useJSSE | true |
| com.sybase.jms.forceSSL | com.sybase.CORBA.forceSSL | true |
The first time you connect may take a while because JSSE goes through an SSL authentication process.
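As an added example (not code from the Sybase documentation), this Java client assembles the CORBA-named ORB properties from the tunnelling tables above, checks that the EAServer certificate imported with keytool is actually present in cacerts before calling ORB.init (so a failed SSL authentication is not mistaken for a tunnelling problem), and then resolves the iiops:// URL. It assumes a JRE that still ships org.omg.CORBA (Java 8 or earlier), the EAServer client JAR on the classpath, placeholder proxy and host names, and the alias "mykey", which is keytool's default when -import is run without -alias.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Properties;
import org.omg.CORBA.ORB;

public class JsseTunnelClient {

    // Builds the client ORB properties from the tables above (CORBA property names).
    // usePost selects the HTTP POST variant; proxyHost == null means no Web proxy.
    static Properties tunnelProperties(boolean usePost, String proxyHost, int proxyPort) {
        Properties p = new Properties();
        p.setProperty("org.omg.CORBA.ORBClass", "com.sybase.CORBA.ORB");
        p.setProperty("com.sybase.CORBA.https", "true");
        p.setProperty("com.sybase.CORBA.useJSSE", "true");
        p.setProperty("com.sybase.CORBA.forceSSL", "true");
        if (usePost) {
            p.setProperty("com.sybase.CORBA.HttpUsePost", "true");
        }
        if (proxyHost != null) {
            p.setProperty("com.sybase.CORBA.WebProxyHost", proxyHost);
            p.setProperty("com.sybase.CORBA.WebProxyPort", Integer.toString(proxyPort));
        }
        return p;
    }

    // Returns true if the trust store holds a certificate entry under the given alias,
    // i.e. the eas.crt import step was done against the store this JRE will use.
    static boolean trustStoreHasAlias(String path, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks.isCertificateEntry(alias);
    }

    public static void main(String[] args) throws Exception {
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        // "changeit" is the default cacerts password; "mykey" is keytool's default import alias.
        if (!trustStoreHasAlias(cacerts, "changeit".toCharArray(), "mykey")) {
            throw new IllegalStateException("EAServer certificate not found in " + cacerts);
        }
        // Proxy host/port are placeholders; pass null as proxyHost to connect without a Web proxy.
        Properties props = tunnelProperties(true, "proxy.example.internal", 8080);
        ORB orb = ORB.init(args, props);
        // iiops://<host_name>:9001 is the URL form used in the text; the host name is a placeholder.
        org.omg.CORBA.Object obj = orb.string_to_object("iiops://eas-host.example.internal:9001");
        System.out.println("Resolved EAServer object reference: " + (obj != null));
    }
}
```

If the trust-store check fails, re-run the keytool import against the cacerts file under the JRE that actually launches the client, since a JDK with several JREs installed has several cacerts files.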
To improve performance when using an unsigned JAR, you can edit Java’s default security policy file using the instructions in Sun’s security documentation. To enable EAServer’s ORB to work in an unsigned environment:
You must grant the ORB permission to read the proxy host settings, using one of these methods:
permission java.util.PropertyPermission “*”, “read”
or
permission java.util.PropertyPermission “javaplugin.proxy.config.*”, “read”
The ORB may require socket connect permissions to connect to a proxy server.
If you are using the sample test certificate generated by EAServer, the EAServer certificate authority must be installed. You can do this in either the cacerts or the jssecacerts keystore using this syntax:
keytool -import -file <file_name> -keystore [cacerts | jssecacerts]
The password for the cacerts keystore is “changeit”.
With a signed applet, you do not need to set permissions at the plug-in level. A signed JAR file describes the type of permissions it requires.
You can find a sample JDK security file in the JDK installation, in file jre/lib/security/java.security.