Posted to notifications@tomee.apache.org by bu...@apache.org on 2012/07/07 18:31:03 UTC

svn commit: r824948 - in /websites/staging/openejb/trunk: cgi-bin/ content/ content/ejb-over-ssl.html

Author: buildbot
Date: Sat Jul  7 16:31:02 2012
New Revision: 824948

Log:
Staging update by buildbot for openejb

Modified:
    websites/staging/openejb/trunk/cgi-bin/   (props changed)
    websites/staging/openejb/trunk/content/   (props changed)
    websites/staging/openejb/trunk/content/ejb-over-ssl.html

Propchange: websites/staging/openejb/trunk/cgi-bin/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Sat Jul  7 16:31:02 2012
@@ -1 +1 @@
-1358310
+1358598

Propchange: websites/staging/openejb/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Sat Jul  7 16:31:02 2012
@@ -1 +1 @@
-1358310
+1358598

Modified: websites/staging/openejb/trunk/content/ejb-over-ssl.html
==============================================================================
--- websites/staging/openejb/trunk/content/ejb-over-ssl.html (original)
+++ websites/staging/openejb/trunk/content/ejb-over-ssl.html Sat Jul  7 16:31:02 2012
@@ -207,7 +207,34 @@ InitialContext ctx = new InitialContext(
 MyBean myBean = (MyBean) ctx.lookup("MyBeanRemote");
 </code></pre>
 
-<h2>Changing the Chipher Suite</h2>
+<h2>Changing the Cipher Suite</h2>
+
+<p><a href="https://issues.apache.org/jira/browse/OPENEJB-1856">This is a pending feature</a>
+By default, the ejbds protocol connects with SSL_DH_anon_WITH_RC4_128_MD5. That means your connection is encrypted and the integrity of the transmission is verified. However, this only protects your from eavesdroppers, it offers absolutely zero protection from Man in the Middle attacks. This sort of attack could be pulled off without your knowledge and the attacker has the ability to intercept, monitor, and even modify your messages. If the attacker could control a router on your connection path, this attack could be trivially pulled off with nothing more but the OpenEJB server and client.</p>
+
+<p>To secure your connections against this sort of attack, your client can cryptographically prove it's talking to the correct server before sending any data. To do this, simply select one or more secure cipher suites that your J2SE provider supports from <a href="http://docs.oracle.com/cd/E19728-01/820-2550/cipher_suites.html">this listing</a>.</p>
+
+<p>You must now instruct the client and server to use that suite.</p>
+
+<p>On the server:</p>
+
+<pre><code>server      = org.apache.openejb.server.ejbd.EjbServer
+bind        = 127.0.0.1
+port        = 4203
+disabled    = false
+threads     = 200
+backlog     = 200
+secure      = true
+enabledCipherSuites = TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
+discovery   = ejb:ejbds://{bind}:{port}
+</code></pre>
+
+<p>On the client, you must supply a property:</p>
+
+<pre><code>-Dopenejb.client.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
+</code></pre>
+
+<p>The final piece is to make sure your server has available a private certificate that the the client can trust. This can be certificate from an authority or a self signed certificate. The javax.net.ssl.trustStore and javax.net.ssl.keyStore JVM properties <a href="http://fusesource.com/docs/broker/5.3/security/SSL-SysProps.html">are used to set this up.</a></p>
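Review bot: the added "Changing the Cipher Suite" section runs the JIRA link straight into the next sentence ("...pending feature</a>" followed directly by "By default, the ejbds protocol...") with no closing punctuation, and carries several typos ("protects your from", "This can be certificate from an authority", "the the client"); suggest ending the link sentence with a period and fixing those three. More substantively, the text says selecting a suite lets the client "cryptographically prove it's talking to the correct server", but with the TLS_RSA_WITH_AES_*_CBC_SHA suites shown that proof exists only once the server presents a certificate (javax.net.ssl.keyStore) and the client is configured to trust it (javax.net.ssl.trustStore), so the paragraph presented as "the final piece" is a prerequisite for the enabledCipherSuites settings to mean anything; consider moving it directly after the cipher-suite selection and stating plainly that without a trusted server certificate the RSA suites do not remove the man-in-the-middle exposure described for SSL_DH_anon_WITH_RC4_128_MD5.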