Bug 1259902

Summary: [GSS] (6.4.z) EJB IOR contains wrong port (non-SSL port) information when SSL is required
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Derek Horton <dehort>
Component: IIOP
Assignee: Bartek Spyrko-Smietanko <bspyrkos>
Status: CLOSED CURRENTRELEASE
QA Contact: Jiří Bílek <jbilek>
Severity: unspecified
Priority: unspecified
Version: 6.4.2
CC: bmaxwell, bspyrkos, dehort, jbilek, msochure, pjurak, sguilhen, tadamski
Target Milestone: CR1   
Target Release: EAP 6.4.14   
Hardware: Unspecified   
OS: Unspecified   
Doc Type: Bug Fix
Last Closed: 2017-03-23 08:23:04 UTC
Type: Bug
Bug Blocks: 1401452    

Description Derek Horton 2015-09-03 18:27:40 UTC
Description of problem:

- Configure JBoss to only allow IIOP connections over SSL
- It is possible to do this, but the configuration is confusing (possibly a bug)

Details of the setup/issue:

- When enabling SSL for jacorb, it normally listens on both the non-ssl port and the ssl port
- Setting server-requires="ServerAuth" causes the server to stop listening on non-ssl port
- However, the IOR tells the client to connect to the non-ssl port... even though it's not listening on it

        String lookup = "corbaname:iiop:" + host + ":" + port +"#" + ejbLookupPath;

        // lookup the IIOP EJB
        Object iiopObj = ctx.lookup(lookup);

        // the call to the EJB will fail due to the port being wrong non-ssl vs ssl

- The workaround is to use the following ior-setting to correct the port settings in the IOR

  /subsystem=jacorb/ior-settings=default/setting=transport-config:add(confidentiality=required)

- Shouldn't setting "server-requires=ServerAuth" change the port info in the IOR?

Comment 1 Derek Horton 2015-09-03 18:30:20 UTC
JacORB's dior util can be used to print out the IOR
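
The check mentioned in Comment 1, as an added example that is not part of the original bug report or of JacORB: a small decoder that pulls the host, the IIOP profile port and the SSL port out of a stringified IOR, so the advertised port can be compared with the port the server actually listens on. The sample IOR is constructed (3528 and 3529 are sample port values), and the code assumes the SSL port is published in a TAG_SSL_SEC_TRANS (tag 20) component.

```python
import struct

TAG_INTERNET_IOP = 0     # profile tag for IIOP
TAG_SSL_SEC_TRANS = 20   # assumption: the ORB publishes its SSL port in this component

class Cdr:  # reader for one CDR encapsulation; offsets are relative to its first octet
    def __init__(self, data):
        self.d, self.pos = data, 1
        self.order = "<" if data[0] else ">"      # flag octet: 1 = little-endian
    def _num(self, fmt, size):
        start = self.pos + (-self.pos % size)     # pad to the type's natural boundary
        self.pos = start + size
        return struct.unpack_from(self.order + fmt, self.d, start)[0]
    def ushort(self): return self._num("H", 2)
    def ulong(self): return self._num("I", 4)
    def octets(self):                             # sequence<octet>; strings share this layout
        n = self.ulong()
        if self.pos + n > len(self.d):
            raise ValueError("truncated IOR")
        self.pos += n
        return self.d[self.pos - n:self.pos]

def ior_ports(ior):
    """Return (host, iiop_profile_port, ssl_port or None) from a stringified IOR."""
    if not ior.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    top = Cdr(bytes.fromhex(ior[4:]))
    top.octets()                                  # type_id, not needed here
    for _ in range(top.ulong()):
        tag, body = top.ulong(), top.octets()
        if tag != TAG_INTERNET_IOP:
            continue
        prof = Cdr(body)
        minor, prof.pos = body[2], 3              # skip the version octets (major, minor)
        host = prof.octets().rstrip(b"\0").decode()
        port, ssl_port = prof.ushort(), None
        prof.octets()                             # object key
        for _ in range(prof.ulong() if minor >= 1 else 0):   # components exist from IIOP 1.1
            ctag, cdata = prof.ulong(), prof.octets()
            if ctag == TAG_SSL_SEC_TRANS:
                comp = Cdr(cdata)                 # target_supports, target_requires, port
                _supports, _requires, ssl_port = comp.ushort(), comp.ushort(), comp.ushort()
        return host, port, ssl_port
    raise ValueError("no IIOP profile in IOR")

# Constructed sample: host "localhost", profile port 3528, SSL component port 3529.
SAMPLE_IOR = ("IOR:" "00000000" "0000000c" "49444c3a466f6f3a312e3000" "00000001" "00000000"
              "00000030" "00010200" "0000000a" "6c6f63616c686f737400" "0dc8" "00000004"
              "6b657931" "00000001" "00000014" "00000008" "00000066" "00260dc9")
```

If the ORB advertises TLS only through other components, the third value is None.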

Comment 3 Tomek 2015-09-24 18:40:55 UTC
"Shouldn't setting "server-requires=ServerAuth" change the port info in the IOR?"

Yes, this is a bug and I will prepare the fix that works this way.

Comment 6 JBoss JIRA Server 2015-11-10 16:38:20 UTC
Tomasz Adamski <tadamski> updated the status of jira WFLY-5274 to Closed

Comment 11 Jiří Bílek 2017-03-14 08:07:33 UTC
I am not able to reproduce the issue. According to the code revision, the fix is included.
The included test case does not test the issue.

Verified with EAP 6.4.14.CP.CR2

Comment 12 Petr Penicka 2017-03-23 08:23:04 UTC
Released with EAP 6.4.14 on March 14 (ZIPs) and March 22 (RPMs).