[jacorb-developer] Configuring Jacorb to use SSL when possible
Kruegler, Daniel
Daniel.Kruegler at bruker.com
Mon Sep 13 12:18:25 CEST 2021
Hello,
We have been using CORBA (without SSL) for nearly two decades and plan to migrate to CORBA over SSL.
The problem is: We need to do this migration in a defensive way because we cannot *require* both client and server to support SSL.
During our attempts to realize this we succeeded in configuring our server to accept both incoming SSL and non-SSL requests from clients using the following *server* configuration:
jacorb.security.support_ssl=on
OASSLPort=684
jacorb.ssl.socket_factory=org.jacorb.security.ssl.sun_jsse.SSLSocketFactory
jacorb.ssl.server_socket_factory=org.jacorb.security.ssl.sun_jsse.SSLServerSocketFactory
jacorb.security.ssl.client.supported_options=20
jacorb.security.ssl.client.required_options=0
jacorb.security.ssl.server.supported_options=20
jacorb.security.ssl.server.required_options=0
jacorb.security.ssl.corbaloc_ssliop.supported_options=1
jacorb.security.ssl.corbaloc_ssliop.required_options=0
jacorb.security.keystore=some-valid-path
jacorb.security.keystore_password=some-valid-passwd
jacorb.security.jsse.trustees_from_ks=on
jacorb.security.ssl.always_open_unsecured_address=true
But this is the configuration of a new server that potentially can understand SSL. We also need to support the case that a *new* client that potentially can form a CORBA-SSL connection, but where the server is still an old one where SSL is not enabled. Of course, such a connection could not expect to be an actual SSL connection, but that is OK: It would be fine if we get the previous insecure connection in this case.
The question is: How should I configure my *new* client so that it can realize an SSL connection with new servers but still a successful (non-secure) connection with old servers, without two connection attempts? Is this somehow possible?
I tried the following *client* configuration:
properties.put("jacorb.security.support_ssl", "on");
properties.put("OASSLPort", "684");
properties.put("jacorb.security.ssl.client.supported_options", "20");
properties.put("jacorb.security.ssl.corbaloc_ssliop.supported_options", "20");
properties.put("jacorb.security.ssl.corbaloc_ssliop.required_options", "1");
properties.put("jacorb.ssl.socket_factory", "org.jacorb.security.ssl.sun_jsse.SSLSocketFactory");
properties.put("jacorb.ssl.server_socket_factory", "org.jacorb.security.ssl.sun_jsse.SSLServerSocketFactory");
properties.put("jacorb.security.keystore", mykeyStore);
properties.put("jacorb.security.keystore_password", mykeyStorePasswd);
properties.put("jacorb.security.jsse.trustees_from_ks", "on");
properties.put("jacorb.security.ssl.always_open_unsecured_address", "true");
and used "corbaloc:ssliop:1.2@<servername>:684/NameService" when connecting to the NameService, where <servername> denotes the actual server address. But this approach doesn't seem to work unless I *also* activate SSL on the server as shown above.
I would appreciate it if someone could shed some light on how (or whether) it is possible to set up the client configuration such that it works *also* with a server that has no SSL activated (in this case effectively falling back to a non-SSL connection).
If that is not possible, what is the recommended workaround?
Thanks for your help,
* Daniel Krügler
- confidential -
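Since the post also asks for the recommended workaround, here is an added example (my own code, not from the poster or from JacORB) of the explicit two-attempt fallback: resolve the NameService over the SSLIOP corbaloc first and, only if that fails and only when a downgrade flag is set, retry over plain IIOP while logging the downgrade. It reuses the client properties from the post; the keystore path, password, host name, the plain IIOP port 2809 and the class name OpportunisticNameService are assumptions, and the JacORB ORB bootstrap properties are the usual org.jacorb.orb.* ones.

```java
import java.util.Properties;
import org.omg.CORBA.ORB;
import org.omg.CORBA.SystemException;
import org.omg.CosNaming.NamingContextExt;
import org.omg.CosNaming.NamingContextExtHelper;

// Added example, not JacORB code: SSLIOP first, plain IIOP only as an explicit,
// logged downgrade. This is the two-attempt workaround, not single-attempt negotiation.
public final class OpportunisticNameService {

    // Client properties as given in the post (keystore path/password are placeholders).
    static Properties sslClientProperties(String keyStore, String keyStorePassword) {
        Properties p = new Properties();
        p.put("jacorb.security.support_ssl", "on");
        p.put("jacorb.security.ssl.client.supported_options", "20");
        p.put("jacorb.security.ssl.client.required_options", "0");  // client offers, does not require, SSL
        p.put("jacorb.ssl.socket_factory", "org.jacorb.security.ssl.sun_jsse.SSLSocketFactory");
        p.put("jacorb.security.keystore", keyStore);
        p.put("jacorb.security.keystore_password", keyStorePassword);
        p.put("jacorb.security.jsse.trustees_from_ks", "on");
        return p;
    }

    static NamingContextExt resolve(ORB orb, String host, int sslPort, int plainPort,
                                    boolean allowDowngrade) {
        String sslUrl = "corbaloc:ssliop:1.2@" + host + ":" + sslPort + "/NameService";
        try {
            org.omg.CORBA.Object ref = orb.string_to_object(sslUrl);
            ref._non_existent();            // force the connection now, not on the first real call
            return NamingContextExtHelper.narrow(ref);
        } catch (SystemException e) {       // e.g. TRANSIENT / COMM_FAILURE when no SSLIOP listener exists
            if (!allowDowngrade) {
                throw e;                    // strict mode: never fall back to plaintext
            }
            System.err.println("WARNING: SSLIOP to " + host + ":" + sslPort + " failed ("
                    + e.getClass().getSimpleName() + "); downgrading to unencrypted IIOP");
        }
        String plainUrl = "corbaloc:iiop:1.2@" + host + ":" + plainPort + "/NameService";
        return NamingContextExtHelper.narrow(orb.string_to_object(plainUrl));
    }

    public static void main(String[] args) {
        Properties props = sslClientProperties("/path/to/client.jks", "changeit"); // placeholders
        props.put("org.omg.CORBA.ORBClass", "org.jacorb.orb.ORB");
        props.put("org.omg.CORBA.ORBSingletonClass", "org.jacorb.orb.ORBSingleton");
        ORB orb = ORB.init(args, props);
        // 2809 is an assumed plain IIOP port of an old server; 684 is the OASSLPort from the post.
        NamingContextExt ns = resolve(orb, "server.example", 684, 2809, true);
        System.out.println("NameService resolved: " + ns);
    }
}
```

Because anyone who can block the SSLIOP port can trigger this fallback, keep allowDowngrade off by default and alert on the warning line so that downgraded connections are visible.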