[MOBY-dev] Secure (Java) Biomoby web services

Dmitry Repchevsky dmitry.repchevski at bsc.es
Fri Nov 28 22:40:39 UTC 2008


Hello Andreas,

Last INB meeting (in Malaga) we discussed it too.
The good thing would be to use SSL without a certificate; unfortunately, 
I didn't find a way to configure JBoss in such a way... (?)

The idea is that the user doesn't need to have a certificate to connect to a 
server, but at the same time uses SSL encryption to protect their data.

Unfortunately, in your examples I didn't find any configuration of SSL 
on the server side...

In JBoss the configuration is done using
$JBOSS_HOME$\server\$PROFILE$\deploy\jboss-web.deployer\server.xml

*********************************************************
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"

               ciphers="SSL_DH_anon_WITH_RC4_128_MD5
                        TLS_DH_anon_WITH_AES_128_CBC_SHA
                        TLS_DH_anon_WITH_AES_256_CBC_SHA
                        SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
                        SSL_DH_anon_WITH_DES_CBC_SHA
                        TLS_ECDH_anon_WITH_RC4_128_SHA
                        TLS_ECDH_anon_WITH_AES_128_CBC_SHA
                        TLS_ECDH_anon_WITH_AES_256_CBC_SHA
                        TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
                        SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
                        SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
                        TLS_ECDH_anon_WITH_NULL_SHA"

               keystoreFile="${jboss.server.home.dir}/conf/jboss.key"
               keystorePass="PASSWORD_HERE"
               />
*********************************************************

Note the list of supported ciphers (the list is for JDK6, JDK5 has a 
smaller list) - they are anonymous.

The problem is that even though SSL allows certificate-free communication 
(using any of those ciphers), JBoss (Tomcat) FAILS if I do not specify a 
keystore...
At the same time, on the client side, the client receives a certificate from 
JBoss and fails to find it (obviously).

Another comment is that in your web.xml you don't protect the service 
using SSL; to do so you must specify

***************************************************
<user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
***************************************************

I would be happy if someone found a way of using SSL WITHOUT 
certificates, because you can not expect a user of, say, an applet to 
know how to import them using keytool.

Kind regards,

Dmitry
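As an added example (not part of Dmitry's message, and not code from the BioMOBY project or JBoss): a small Python audit script that reads a Tomcat/JBoss <Connector> element like the one posted above and flags the suites a defender would want to know about: the anonymous DH/ECDH suites (they encrypt, but provide no server authentication, so a client cannot tell a legitimate server from an interposed one), export-grade key lengths, NULL encryption, single DES, RC4 and MD5. It also checks that a web.xml fragment carries the CONFIDENTIAL transport-guarantee the message describes. The connector sample mirrors the one posted (with the author's keystore-password placeholder kept); the web.xml sample and its web-resource-name are constructed for this example.

```python
"""Audit a Tomcat/JBoss HTTPS <Connector> cipher list and a web.xml
transport-guarantee. Example code; the samples below are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: mirrors the connector posted on the list.
# The keystore password is the poster's own placeholder, not a real value.
SAMPLE_CONNECTOR = """
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           ciphers="SSL_DH_anon_WITH_RC4_128_MD5
                    TLS_DH_anon_WITH_AES_128_CBC_SHA
                    SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
                    TLS_ECDH_anon_WITH_NULL_SHA
                    SSL_DH_anon_EXPORT_WITH_RC4_40_MD5"
           keystoreFile="${jboss.server.home.dir}/conf/jboss.key"
           keystorePass="PASSWORD_HERE"
           />
"""

# Constructed web.xml fragment; the web-resource-name is hypothetical.
SAMPLE_WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>biomoby-service</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

# Each rule is (token in the suite name, why a defender cares).
# Matching is on whole underscore-separated tokens, so "3DES" does not
# trigger the single-DES rule.
WEAKNESS_RULES = [
    ("anon", "anonymous key exchange: no server authentication, so the "
             "client cannot detect an interposed server"),
    ("EXPORT", "export-grade key length"),
    ("NULL", "NULL cipher: no encryption at all"),
    ("DES", "single DES"),
    ("RC4", "RC4 stream cipher"),
    ("MD5", "MD5-based MAC"),
]


def parse_ciphers(attr_value):
    """Split a Connector 'ciphers' attribute into suite names.
    Tomcat accepts commas and/or whitespace as separators."""
    return [s for s in re.split(r"[\s,]+", attr_value.strip()) if s]


def classify_suite(name):
    """Return the list of weaknesses found in one suite name (empty if none)."""
    tokens = name.split("_")
    return [why for token, why in WEAKNESS_RULES if token in tokens]


def audit_connector(xml_text):
    """Parse one <Connector> element and summarise its TLS posture."""
    conn = ET.fromstring(xml_text.strip())
    if conn.tag != "Connector":
        raise ValueError("expected a <Connector> element, got <%s>" % conn.tag)
    suites = parse_ciphers(conn.get("ciphers", ""))
    findings = {s: classify_suite(s) for s in suites}
    return {
        "ssl_enabled": conn.get("SSLEnabled", "false").lower() == "true",
        "client_auth": conn.get("clientAuth", "false"),
        "suites": suites,
        "findings": findings,
        "weak_suites": [s for s, why in findings.items() if why],
        # Suites that do authenticate the server (none in the sample).
        "authenticated_suites": [s for s in suites
                                 if "anon" not in s.split("_")],
    }


def transport_guarantees(web_xml):
    """Return every <transport-guarantee> value found in a web.xml fragment."""
    root = ET.fromstring(web_xml.strip())
    return [el.text.strip() for el in root.iter("transport-guarantee") if el.text]


if __name__ == "__main__":
    report = audit_connector(SAMPLE_CONNECTOR)
    print("SSLEnabled:", report["ssl_enabled"], " clientAuth:", report["client_auth"])
    for suite, why in report["findings"].items():
        print(" ", suite, "->", "; ".join(why) or "no findings")
    print("suites that authenticate the server:", report["authenticated_suites"])
    print("web.xml transport-guarantee:", transport_guarantees(SAMPLE_WEB_XML))
```

Run against the sample, every suite is reported as anonymous, and the "authenticated_suites" list comes back empty, which is the property the message is asking about: with this list alone the client gets confidentiality against a passive observer but no way to tell which server it is talking to. The web.xml check confirms the CONFIDENTIAL guarantee is present, so plain-HTTP requests to the protected pattern are redirected to the HTTPS connector.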