The JMS server supports IIOP/SSL communication, which enables SSL connections to be created between the clients and server. The SSL support fully leverages the IIOP/SSL support in the ORB will comprehensive support for cipher suites. Please refer to the administrator's guide for a more detailed overview of SSL support.
In this example, we create a JMS client, which supports a single cipher suite, namelySSL_DHE_RSA_WITH_DES_CBC_SHA. In order for the SSL handshake between the JMS client and server to be successful, the server must support this, but the server can also optionally support other ciphers. The client will then exchange a single text message and print some information about the SSL connection. In order for the JMS server to use SSL it must be configured via themsgsvc.propertiesfile. You can either edit your current configuration file or use the one included here. This configuration uses a file store, so you may need to run dbinit first, e.g.dbinit -props msgsvc.ssl.properties -createThen you can start the server with:jmqserv -props msgsvc.ssl.propertiesTheSSLclient is listed below:package ssl; import java.io.InputStream; import java.io.ByteArrayInputStream; import java.security.cert.Certificate; import java.security.cert.CertificateFactory; import javax.naming.InitialContext; import javax.jms.Queue; import javax.jms.Session; import javax.jms.Message; import javax.jms.TextMessage; import javax.jms.QueueSender; import javax.jms.QueueSession; import javax.jms.QueueReceiver; import javax.jms.QueueConnection; import com.sssw.jms.api.JMQConnection; import com.sssw.jms.api.JMQConnectionFactory; import com.sssw.jms.api.JMQQueueConnectionFactory; import com.sssw.jbroker.api.security.CipherSuite; /** This class initializes a connection for SSL communication and sends/receives a simple text message. */ public class SSL { public static void main(String args[]) throws Exception { | // create a connection factory which uses IIOP/SSL | JMQQueueConnectionFactory connFactory = | new JMQQueueConnectionFactory(JMQConnectionFactory.IIOP_SSL_PROTOCOL); | | // set a list of cipher suites which the client should use | CipherSuite[] suites = { CipherSuite.SSL_DHE_RSA_WITH_DES_CBC_SHA }; | connFactory.setCipherSuites(suites); | | // look up the queue from JNDI | InitialContext ctx = new InitialContext(); | Queue queue = (Queue) ctx.lookup("queue/queue0"); | | // create a queue connection | QueueConnection queueConn = connFactory.createQueueConnection(); | | // create a queue session with auto acknowledge | int ackMode = Session.AUTO_ACKNOWLEDGE; | QueueSession session = queueConn.createQueueSession(false, ackMode); | | // create a queue sender | QueueSender sender = session.createSender(queue); | | // create a queue receiver | QueueReceiver receiver = session.createReceiver(queue); | | // start the connection | queueConn.start(); | | // send a simple text message with the string 'ssl' | sender.send(session.createTextMessage("ssl")); | | // receive the text message | TextMessage m = (TextMessage) receiver.receive(); | if (!m.getText().equals("ssl")) | throw new Exception("wrong message: " + m); | | // print some information about the IIOP/SSL connection | JMQConnection conn = (JMQConnection) queueConn; | | // print the negotiated cipher suite | // will be SSL_DHE_RSA_WITH_DES_CBC_SHA since client only support this | System.out.println("Negotiated Cipher: " + conn.getNegotiatedCipherSuite()); | | // print the certificate chain available from the server | byte[][] certs = conn.getCertificateChain(); | CertificateFactory factory = CertificateFactory.getInstance("X.509"); | System.out.print("Peer Certificate Chain: "); | if (certs != null) { | | for (int i = 0; i < certs.length; i++) { | | | InputStream is = new ByteArrayInputStream(certs[i]); | | | Certificate cert = factory.generateCertificate(is); | | | System.out.println(cert); | | } | } else System.out.println("<null>"); | | // close the queue connection | queueConn.close(); } }As can be seen, the client first initializes a JMQConnectionFactory to use the
IIOP_SSL_PROTOCOLprotocol. Then we set a list of cipher suites on the connection factory; in this case we just set a single suiteSSL_DHE_RSA_WITH_DES_CBC_SHA. In this case the server doesn't require client certificates, so we are not setting any.If the JMS server's
msgsvc.ssl.client.certificateproperty was set to true, the client would have to set a client certificate using the addCACertificate and setCertificateChain methods.After sending a receiving a simple text message, the client uses the getNegotiatedCipherSuite method to print the cipher suite that client and server agreed to use. Since the client only supports SSL_DHE_RSA_WITH_DES_CBC_SHA in this example, this will be printed. Finally, the client prints the server's certificates using the getCertificateChain method.
| Copyright © 2000-2003, Novell, Inc. All rights reserved. |