Securing RMI

 
Greenhorn
Posts: 4
Hi,
As part of the security policy of our product we need to secure the RMI communication. Based on some research that we did, we found that RMI communication can be secured in the following ways:
1) Securing RMI using an SSH tunnel

2) Securing RMI by using RMI over SSL using custom socket factories or by using the Java Secure Socket Extension (JSSE) API, which provides an implementation of SSL sockets.

I would like to understand which of the above two approaches is the better approach.

I came across one of the links http://www.javaranch.com/journal/2003/10/rmi-ssh_p1.html which says that securing RMI using SSL does not protect the communication between the client program and the RMI registry. Is this true for custom socket factories as well as JSSE?

Also, can someone explain why RMI over SSL does not protect communication between the client program and the RMI registry?
 
Rancher
Posts: 43081

> I came across one of the links http://www.javaranch.com/journal/2003/10/rmi-ssh_p1.html which says that securing RMI using SSL does not protect the communication between the client program and the RMI registry. Is this true for Custom Socket factories as well as JSSE?


Yes. Those protect the traffic between the RMI client and the server, but not between the RMI client and the RMI registry. The traffic between client and server is generally what you want to protect, so I don't see this as a big drawback. There's a tradeoff between what securing the client/registry communication gets you, and the overhead of establishing an SSH (or VPN) connection between sites.

In addition to SSL, you should also use client authentication, either using client certificates or passwords.
 
Rancher
Posts: 4803
There is a much easier way to accomplish what I guess is your real requirement:

Stop using RMI and use normal HTTPS. Send messages rather than Objects.
 
KaustubhR Kane
Greenhorn
Posts: 4
Our framework is already implemented using RMI. If we have to stop using RMI and start using HTTPS, then we will have to make it web service based, but it is not feasible to go in for such a big change in the existing strategy.

Currently, what we want to know is: out of SSH tunneling and RMI over SSL using JSSE, which of these is a better approach? Can you please provide inputs on this?
 
Ulf Dittmer
Rancher
Posts: 43081
"Better" in what sense? Easier or faster to implement? Easier or faster to set up? More secure in some way? Some other criterion?
 
KaustubhR Kane
Greenhorn
Posts: 4
Better in the following sense:
1) Which one is more secure?
2) Which one will result in less code churn? For example, in the case of SSH tunneling, I see that changes are needed at the system level and very few changes at the application level.

Based on the above, we can decide on which approach to go ahead with.
 
KaustubhR Kane
Greenhorn
Posts: 4
I am trying the SSH tunnel approach.

After I establish an SSH tunnel between the client and the RMI registry and between the client and the RMI server, how do I ensure that my client uses the correct port on which I have set up the SSH tunnel?

The port on which the RMI registry listens on the remote host is fixed in our case. Also, I know how to fix the RMI server port using the UnicastRemoteObject constructor which accepts the port as an argument: "UnicastRemoteObject(int port)".

But the question I have is how to fix the client port so that the client uses the correct port for communicating with the RMI registry and the RMI server.

P.S. In my case, my client program, RMI registry and RMI server are all running on the same host.
 