provides the means for secure RMI
calls. In this context, secure means:
-
Full authentication of client and server
-
Encryption of data (parameters) for every RMI call
Additionally it provides methods which enable the caller (issuer of a remote
call) to find out the identity of the called sever object, as well as every
sever object to find out the identity of the current caller/client.
Package Specification
The package uses the de.tu_darmstadt.sp.ssl
package for the SSL functionality. It is a nice example how to extend
the de.tu_darmstadt.sp.ssl package.
In order to have "secure" RMI calls, we need socket factories which
produce secure sockets. This is achieved by extending the
SSLeayServerSocketFactory by
RMISSLServerSocketFactory and SSLeaySocketFactory by
RMISSLSocketFactory. We have to extend the default factories
of the de.tu_darmstadt.sp.ssl package since a different
policy for the created sockets is needed (full authentication for
client and server). Finally, instances of the two mentioned factories
are used in the RMISecureSocketFactory to create sockets and
server sockets.
Every created socket is recorded. This information is needed at
runtime by the RMI client or server to find out the peer's identity.
This is the reason to extend the SSLeaySocket class, which
does not perform any accounting of the connections it has participated
into. The new socket class is RMISSLSocket. Wee need also
to extend SSLeayServerSocket in order to produce
RMISSLSockets. The new server socket class is RMISSLServerSocket.
Overview of the de.tu_darmstadt.sp.rmi classes
- RMISSLSocket extends SSLeaySocket and
overrides the getInputStream and getOutputStream
methods in order to record every communication action. For such an
action, the connected socket is associated to the current thread in a
package intern map.
-
RMISSLServerSocket extends SSLeayServerSocket and
creates RMISSLSocket objects.
-
RMISSLServerSocketFactory creates RMISSLServerSocket
objects configured for client authentication. It uses the information recorded
by RMISSLSockets to give information about the identity
of the current caller.
-
RMISSLSocketFactory extends SSLeaySocketFactory
and creates RMISSLSocket objects. It uses the
information recorded by RMISSLSockets to give
information about the identity of the peer.
- RMISecureSocketFactory is the factory to be used instead
of the default. It contains a RMISSLSocketFactory and a
RMISSLServerSocketFactory to create sockets. It delegates
method calls about the peer identity to the mentioned factory
objects
Using the de.tu_darmstadt.sp.rmi package
The following code example shows the actions to include in the static
initialization or the main method of a RMI client/server:
// Specify the security information -- otherwise factory creation
// will fail
System.setProperty("iti.ssl.ca_file","/etc/CA/<thefile>");
System.setProperty("iti.ssl.cert_file","~/<thecert>");
System.setPropertu("iti.ssl.key_file","~/private/<thekey>");
// Set the new factory into the system
// (Specify a security manager..)
RMISocketFactory.setSocketFactory(new RMISecureSocketFactory());
System.setSecurityManager(new RMISecurityManager());
There is another posibility to create a secure connection, using
the new RMI features of Java 2. You should use this alternative if you
do not whish to have the secure sockets for all RMI calls. For a
detailed description on how to use custom sockets, read the RMI
documentation.
// Specify the security information -- otherwise factory creation
// will fail
System.setProperty("iti.ssl.ca_file","/etc/CA/<thefile>");
System.setProperty("iti.ssl.cert_file","~/<thecert>");
System.setPropertu("iti.ssl.key_file","~/private/<thekey>");
// create Unicast remote object..
clientFact = new RMISSLClientSocketFactory();
serverFact = new RMISSLServerSocketFactory();
rmiServerObject = new RMIServerWithCustomSockets(clientFact,serverFact);
Extending the de.tu_darmstadt.sp.rmi package
Extending the de.tu_darmstadt.sp.rmi package is
straightforward. The only class which is subject of subclassing is
RMISecureSocketFactory. This factory contains two other
factory objects from which it gets the sockets and sever sockets. The
two objects are declared as protected variables
(serverFactory and clientFactory). Subclasses of
RMISecureSocketFactory are encouraged to change in their
constructor the default initialization for this variables.
Utilities of the de.tu_darmstadt.sp.rmi package
The de.tu_darmstadt.sp.rmi package contains also the
srmiregistry programm, which is the secure
rmiregistry counterpart (uses SSL sockets). The
srmiregistry registers itslelf at the normal
rmiregistry after creation. Therefore, its usage is:
srmiregistry registry_name
Note that rmiregistry has to be started before
srmiregistry.
Inside Java applications, the reference to the newly started registy
service may be obtained using the following code:
my_secure_registry=Naming.lookup();
my_secure_registry.lookup(...)
Related Documentation