Note: This section assumes that the reader has a basic understanding of public key technology and the SSL protocol.
The ORB provides comprehensive support for IIOP over SSL:
- individual POA instances can be protected with different SecurityPolicies
- the SecurityPolicy specifies a list of cipher suites to use as well as the Realm against which to authenticate the client
- client authentication using SSL can be mandated by specifying Realm.PUBLIC_KEY_REALM as the authentication realm
IIOP/SSL API
The following APIs from the com.sssw.jbroker.api.security package are relevant for IIOP/SSL:
API                      Description
CipherSuite              lists the various cipher suites available with the ORB
QualityOfProtection      describes the required level of protection for secure communication
SecurityCurrent          describes the methods to get the negotiated cipher suite and the peer certificate chain
SecurityPolicy           the POA policy used to specify the security policy for the objects implemented using that POA
CertificateManager       the initial object used to set up the data required by SSL: certificate chain, trusted CAs, private key, and the default cipher suites
CertificateEventHandler  user-provided callback to handle certificate verification errors
Realm                    the distinguished realm Realm.PUBLIC_KEY_REALM is used to specify client authentication using public key technology

Please see the examples below for how to use these APIs to get SSL-protected communication.
The ORB provides an extensive list of Cipher Suites defined in the SSL v3 specification.
In this example, the client and server communication is integrity protected using IIOP/SSL. It demonstrates how to create an SSL SecurityPolicy, and how to initialize SSL with a certificate chain, private key, trusted CAs, and cipher suites.
Client Authentication using SSL
Both username/password-based and certificate-based authentication schemes are supported. This example modifies the above Hello World example to require confidentiality as well as client authentication using public key technology.
The Certificate Tool (certtool)
The ORB's certtool can be used to generate a public/private key pair, generate a Certificate Signing Request (CSR), decode Base64-encoded certificates, and print certificates.
Copyright © 2003, 2004 Novell, Inc. All rights reserved. Copyright © 2001, 2002, 2003 SilverStream Software, LLC. All rights reserved.