B2Bi 6.1.1.2 release updatesSSL+RMI

Integration News

B2Bi 6.1.1.2 release updates SSL+RMI.
Security update and enhancing the RMI communication with SSL

What is RMI?

RMI (Remote Method Invocation) is an API that provides a mechanism to create distributed application in java.
It allows an object to invoke methods on an object running in another JVM.

 

Threats posed

  • Customer reported vulnerabilities due to plain sockets.
  • Remote code Execution.

How RMI is used inside SI?

  • RMI registry is accessed by JNDI (Java Naming and Directory Interface).
  • JNDI API takes care of STUB creation for Client side.
  • The Server Hosts object using RMI socketFactories and Registers the object inside JNDI tree.
  • Ops server performs jndi.lookupRmi() method to look for RMI object inside JNDI Tree.
  • If the Object is present in JNDI tree then the subsequent node shows available in OPS_NODE_INFO table.

SSL implementation on RMI

  • Controlled by a new Property in security.properties
  •  useSSLforRMI=true/false (Default is false)
  • For object Declaration Client and Server Sockets are used.
  • By Default SI had Plain text socket.
  • Based on the value of flag SSL sockets are used.
  • SSL sockets use protocol TLSv1.2.

OCP is not covered yet, will be covered in future release.

Flag Based Control

  • If “useSSLforRMI=false” the ops server can communicate to RMI object servers on plain text socket.
  • If “useSSLforRMI=true” the ops server will use SSL client socket and will be able to communicate
    to RMI object servers having SSL server sockets.
  • Secure communication between Ops server and other JVM (ASI, Liberty, Adapter Container).cLISTNODESTATUS

Sample ops command:

  • ./opscmd.sh –nnode1 –cISUP
  • ./opscmd.sh –nnode1 – cCHECKJNDI
  • ./opscmd.sh –nnode1 – cLISTNODESTATUS

SSL Certificate Configuration

  • Certificate (rmissl) gets created at install time as part of post install service routine.
  • Once default cert is created, next upgrade will skip recreating it.
  • Algorithm and key length used: RSA with 2048.
  • Certificate stored in Database.
  • Certificate adheres to NIST specifications.

Support for Custom Certificates 

  • The exiting certificate UI in dashboard can be used to create/update new certs with required specifications.

Methods to verify if SSL is enabled for RMI

  • We can use open_SSLClient against the RMI port to validate the config. Configured certificate and TLS protocol value will be displayed with the below command. echo “” | openssl s_client -connect :. 
  • LOGs – system.log, ops.log, noapp.log. Additional loggings added for triaging SSLRMI related flows in DEBUG mode. 
  • Network trace can be captured against the specified Ports for RMI communication.

Click on the button below to download this newsletter in Pdf format.

Click here to download