Securing RMI

KaustubhR Kane
Greenhorn

Joined: Sep 23, 2013
Posts: 4
Hi,
As part of the security policy of our product we need to secure the RMI communication. Based on some research that we did, we found that RMI communication can be secured in the following ways:
1) Securing RMI using an SSH tunnel

2) Secure RMI by using RMI over SSL using Custom Socket factories or by using Java Secure Socket Extension (JSSE) API which provides an implementation of SSL sockets.

I would like to understand, which of the above two approaches is a better approach?

I came across one of the links http://www.javaranch.com/journal/2003/10/rmi-ssh_p1.html which says that securing RMI using SSL does not protect the communication between the client program and the RMI registry. Is this true for Custom Socket factories as well as JSSE?

Also, can someone explain why RMI over SSL does not protect communication between the client program and the RMI registry?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42289
I came across one of the links http://www.javaranch.com/journal/2003/10/rmi-ssh_p1.html which says that securing RMI using SSL does not protect the communication between the client program and the RMI registry. Is this true for Custom Socket factories as well as JSSE?

Yes. Those protect the traffic between the RMI client and the server, but not between the RMI client and the RMI registry. The traffic between client and server is generally what you want to protect, so I don't see this as a big drawback. There's a tradeoff between what securing the client/registry communication gets you, and the overhead of establishing an SSH (or VPN) connection between sites.

In addition to SSL, you should also use client authentication, either using client certificates or passwords.


Ping & DNS - my free Android networking tools app
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
There is a much easier way to accomplish what I guess is your real requirement:

Stop using RMI and use normal HTTPS. Send messages rather than Objects.
KaustubhR Kane
Greenhorn

Joined: Sep 23, 2013
Posts: 4
Our framework is already implemented using RMI. If we have to stop using RMI and start using HTTPS, then we will have to make it web service based but it is not feasible to go in for such a big change in the existing strategy.

Currently, what we want to know is: out of SSH tunneling and RMI over SSL using JSSE, which is the better approach? Can you please provide input on this?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42289
"Better" in what sense? Easier or faster to implement? Easier or faster to set up? More secure in some way? Some other criterion?
KaustubhR Kane
Greenhorn

Joined: Sep 23, 2013
Posts: 4
Better in the following sense:
1) Which one is more secure?
2) Which one will result in less code churn? For example, in the case of SSH tunneling, I see that changes are needed at the system level and very few changes at the application level.

Based on the above, we can decide on which approach to go ahead with.
KaustubhR Kane
Greenhorn

Joined: Sep 23, 2013
Posts: 4
I am trying the SSH tunnel approach.

After I establish an SSH tunnel between the client and the RMI registry, and between the client and the RMI server, how do I ensure that my client uses the correct port on which I have set up the SSH tunnel?

The port on which the RMI registry listens on the remote host is fixed in our case. Also, I know how to fix the RMI server port using the UnicastRemoteObject constructor which accepts the port as an argument, "UnicastRemoteObject(int port)".

But the question I have is how to fix the client port so that the client uses the correct port for communicating with the RMI registry and the RMI server.

P.S. In my case, my client program, RMI registry and RMI server are all running on the same host.
 