
Add SSL support for the JSR-160 proxy #109

Closed
rhuss opened this issue Jul 18, 2013 · 3 comments · Fixed by #436

Comments


rhuss commented Jul 18, 2013

It would be nice if the proxy could communicate via SSL with the JSR-160 backend.

For this to work, the environment for the connector must probably be extended (see here as entry point) and there must be a way to specify the path to the keystore holding the client's private key. It is probably the easiest to start by putting all these parameters in the request as well in order to let the proxy be as much agnostic as possible, not requiring any up-front configuration.

If SSL is to be used, then someone must put the keystore to a place where it is filesystem-reachable from within the proxy.

This issue has low priority, but I'm accepting pull requests (with unit tests) for this feature.

jxu-sv commented Oct 21, 2014

I just forked the project and created a quick fix using -D with javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword, as our default JMX connector is RMI+TLS. Here is the change, jxu-sv@00ec088.

This change is not per request. I am investigating a per-request approach for TLS based RMI. For the per-request approach, we need to be able to create an SSLContext with proper key store and password information; from the SSLContext, we can get an SSLFactory and then replace the SSLFactory used by SslRMIClientSocketFactory and SslRMIServerSocketFactory. However, SslRMIClientSocketFactory and SslRMIServerSocketFactory do not allow injection of an SSLFactory, except by extending the class (mentioned in the source code). I found another article about this from Mark A Ziesemer, http://blogger.ziesemer.com/2010/02/jmx-avoid-java-system-properties-rmi.html.

The generic connector allows injection of an SSLSocketFactory, but it is not part of the JVM distribution.

Any thought on this, Rhuss?


rhuss commented Oct 21, 2014

Couldn't you put all certificates you need to verify in a single keyStore (which would be the global one), so that each connection can then verify the presented certificate accordingly and automatically (identified by its X509 principal name)?

This would make things much easier and more straightforward. Personally I won't dive into the SSL internals of RMI, sorry.

But as stated, if you have a good pull request I will consider applying it.

jxu-sv commented Oct 21, 2014

That's the approach I am taking right now. I didn't add key store and password per request. Instead I am using -D to configure the key store information. -D applies globally for everything using the default SSLSocketFactory. Then I put all server certs in a single store. I think that is simple and elegant, serving most cases. I will send you a pull request for review.

I did play around with the jmxmp stuff on a per-request basis, and it seems to be very slow.
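As an added illustration of the two approaches discussed in this thread (it is not code from the issue, the linked fork or the Jolokia project), the following client builds an SSLContext from a single truststore holding all backend server certificates and extends SslRMIClientSocketFactory so that the TLS sockets come from that context rather than from the JVM-wide javax.net.ssl.* properties. The truststore path, password, service URL and the class name TrustStoreRmiClientSocketFactory are placeholders; it assumes the JMX server exported its connector with an instance of this subclass as its client socket factory (RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE), because the factory the client runs is the one deserialized from the server's stub.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.Socket;
import java.security.KeyStore;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.rmi.ssl.SslRMIClientSocketFactory;

public class TrustStoreRmiClient {

    /** JDK factory subclass that takes its sockets from an explicit SSLContext. The field is
     *  static because the instance actually used is deserialized from the server's stub, so
     *  only per-JVM state survives that trip. (Hypothetical name, not a JDK class.) */
    public static final class TrustStoreRmiClientSocketFactory extends SslRMIClientSocketFactory {
        private static final long serialVersionUID = 1L;
        private static volatile SSLSocketFactory socketFactory;

        public static void useContext(SSLContext ctx) { socketFactory = ctx.getSocketFactory(); }

        @Override
        public Socket createSocket(String host, int port) throws IOException {
            SSLSocketFactory f = socketFactory;
            // No context installed: fall back to the JDK behaviour driven by -D properties.
            return f == null ? super.createSocket(host, port) : f.createSocket(host, port);
        }
    }

    /** Trusts only the server certificates in one truststore; no client key material. */
    public static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder truststore path, password and target URL (assumptions, not from the issue).
        TrustStoreRmiClientSocketFactory.useContext(
                contextFromTrustStore("/etc/jolokia/jmx-truststore.jks", "changeit".toCharArray()));
        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://jmx-host:9999/jmxrmi");
        try (JMXConnector connector = JMXConnectorFactory.connect(url, null)) {
            System.out.println("MBeans reachable over TLS: " + connector.getMBeanServerConnection().getMBeanCount());
        }
    }
}
```

Leaving the context uninstalled and starting the JVM with -Djavax.net.ssl.trustStore=/etc/jolokia/jmx-truststore.jks -Djavax.net.ssl.trustStorePassword=... gives the global variant the thread settles on, since super.createSocket reads exactly those properties.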
