You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomee.apache.org by Rick McGuire <ri...@gmail.com> on 2006/07/20 17:40:44 UTC
Configuring the ORBs to use the KeystoreManager.
Concurrent with trying to enable Geronimo to use Yoko, I'm also working
on the changes for this JIRA
http://issues.apache.org/jira/browse/GERONIMO-2002
which configures the SSL support created for the ORB to use the Geronimo
KeystoreManager API. To handle this, I've create an SSLConfigGBean that
holds a reference to the KeystoreManager instance, the names of the
truststore and ketstores, etc. This GBean has methods for creating
SSLSocketFactory and SSLServerSocketFactory instances based on the
config information.
The challenge was then how to pass a reference to this GBean into the
socket factory instances used by the ORBs. The challenge here is the
same for both the Sun ORB and the Yoko ORB. The socket factories are
enabled by setting a property or argument to the name of the socket
factory class, and the ORB will use reflection to instantiate the
factory and plug it in. There's no way to pass in an already
constructed object through the ORB.init() call.
To pass in this instance, I'm able to set a string argument for the
factory, which I'm setting to the AbstractName for the GBean. The
factory then uses
Kernel kernel = KernelRegistry.getSingleKernel();
sslConfig = (SSLConfig)kernel.getGBean(new
AbstractName(new URI(configName)));
to retrieve the GBean. This works, and allows me access to the
SSLConfig object for getting the socket factories.
Unfortunately, for CorbaBean objects, I also need access to some of the
information stored in the TSSConfig that part of the CorbaBean instance
to sort out the requires and supports values for the created SSLSocket.
This information is needed to configure the socket once it is created
using the appropriate socket factory instance. I have to pass multiple
pieces of information from multiple sources through a very narrow pipe
(a single String).
There are a couple potential solutions I see:
1. Pass the requires/supports information as system properties. This
is the approach currently used in the Sun socket factory, but this
approach is not really thread safe, and also depends on the socket
factory initialization occurring on the same initialization thread.
2. Pass the supports/requires information somehow encoded with the
abstract name used to retrieve the factory. This will work, but
feels awkward to me.
3. Rather than using the AsbstactName of the SSLConfig GBean, pass in
the AbstractName of the CorbaBean (or CSSBean) that's being used.
The beans already are holding an instance of the SLLConfig GBean,
so all of the needed information can be requested directly from
the ORB configuration beans. I'll probably create an common
interface that both CorbaBean and CSSBean will implement so that
the socket factories don't need to deal with which sort of ORB is
getting created.
Does 3) sound like a reasonable approach? Are there other options I've
overlooked?
Rick
Re: Configuring the ORBs to use the KeystoreManager.
Posted by David Blevins <da...@visi.com>.
Seems like 3 would be the best of the presented options. Certainly
option 1 is a general no-no as it uses System properties. Fine to do
it, but usually makes life hard if you ever want to run two of the
same thing in a vm.
-David
On Jul 20, 2006, at 8:40 AM, Rick McGuire wrote:
> Concurrent with trying to enable Geronimo to use Yoko, I'm also
> working on the changes for this JIRA
>
> http://issues.apache.org/jira/browse/GERONIMO-2002
>
> which configures the SSL support created for the ORB to use the
> Geronimo KeystoreManager API. To handle this, I've create an
> SSLConfigGBean that holds a reference to the KeystoreManager
> instance, the names of the truststore and ketstores, etc. This
> GBean has methods for creating SSLSocketFactory and
> SSLServerSocketFactory instances based on the config information.
> The challenge was then how to pass a reference to this GBean into
> the socket factory instances used by the ORBs. The challenge here
> is the same for both the Sun ORB and the Yoko ORB. The socket
> factories are enabled by setting a property or argument to the name
> of the socket factory class, and the ORB will use reflection to
> instantiate the factory and plug it in. There's no way to pass in
> an already constructed object through the ORB.init() call.
>
> To pass in this instance, I'm able to set a string argument for the
> factory, which I'm setting to the AbstractName for the GBean. The
> factory then uses
>
> Kernel kernel = KernelRegistry.getSingleKernel();
> sslConfig = (SSLConfig)kernel.getGBean(new
> AbstractName(new URI(configName)));
>
> to retrieve the GBean. This works, and allows me access to the
> SSLConfig object for getting the socket factories.
> Unfortunately, for CorbaBean objects, I also need access to some of
> the information stored in the TSSConfig that part of the CorbaBean
> instance to sort out the requires and supports values for the
> created SSLSocket. This information is needed to configure the
> socket once it is created using the appropriate socket factory
> instance. I have to pass multiple pieces of information from
> multiple sources through a very narrow pipe (a single String).
>
> There are a couple potential solutions I see:
>
> 1. Pass the requires/supports information as system properties.
> This
> is the approach currently used in the Sun socket factory, but
> this
> approach is not really thread safe, and also depends on the
> socket
> factory initialization occurring on the same initialization
> thread.
> 2. Pass the supports/requires information somehow encoded with the
> abstract name used to retrieve the factory. This will work, but
> feels awkward to me.
> 3. Rather than using the AsbstactName of the SSLConfig GBean,
> pass in
> the AbstractName of the CorbaBean (or CSSBean) that's being
> used. The beans already are holding an instance of the
> SLLConfig GBean,
> so all of the needed information can be requested directly from
> the ORB configuration beans. I'll probably create an common
> interface that both CorbaBean and CSSBean will implement so that
> the socket factories don't need to deal with which sort of ORB is
> getting created.
>
> Does 3) sound like a reasonable approach? Are there other options
> I've overlooked?
>
> Rick
>
>