Chapter 13. ORB Configuration
13.1. About Common Object Request Broker Architecture (CORBA)
Common Object Request Broker Architecture (CORBA) is a standard that enables applications and services to work together even when they are written in multiple, otherwise-incompatible, languages or hosted on separate platforms. CORBA requests are brokered by a server-side component called an Object Request Broker (ORB). JBoss EAP provides an ORB instance, by means of the Open JDK ORB component.
The ORB is used internally for JTS transactions, and is also available for use by your own applications.
The Object Transaction Service (OTS) is a cross-platform service that forms part of CORBA. The OTS specification is maintained by the Object Management Group. JTS is a specification for building a transaction manager, and JTS was designed based on the OTS specification.
For information about CORBA and its components, see Common Object Request Broker Architecture.
13.2. Configuring the ORB for JTS
In a default installation of JBoss EAP, the Object Request Broker (ORB) support for transactions is disabled. You can configure ORB settings in the iiop-openjdk subsystem using the management CLI or the management console.
The iiop-openjdk subsystem is available when using the full or full-ha profile in a managed domain, or the standalone-full.xml or standalone-full-ha.xml configuration file for a standalone server.
For a listing of the available configuration options for the iiop-openjdk subsystem, see IIOP Subsystem Attributes.
Configure the ORB Using the Management CLI
You can configure each aspect of the ORB using the management CLI. The following steps are the minimum configuration for the ORB to be used with JTS.
The following management CLI commands are written for a managed domain using the full profile. If necessary, change the profile to suit the one you need to configure. If you are using a standalone server, omit the /profile=full portion of the commands.
Enable the Security Interceptors
Enable the security attribute by setting the value to identity.
/profile=full/subsystem=iiop-openjdk:write-attribute(name=security,value=identity)
Enable Transactions in the IIOP Subsystem
To enable the ORB for JTS, set the value of the transactions attribute to full, rather than the default spec.
/profile=full/subsystem=iiop-openjdk:write-attribute(name=transactions,value=full)
Enable JTS in the Transactions Subsystem
/profile=full/subsystem=transactions:write-attribute(name=jts,value=true)
For JTS activation, the server must be restarted as reload is not enough.
Configure the ORB Using the Management Console
- Select the Configuration tab from the top of the management console. In a managed domain, you must select the appropriate profile to modify.
- Select Subsystems, then IIOP (OpenJDK), and click View.
- Click Edit and modify the attributes as needed.
- Click Save to save the changes.
13.3. Configure IIOP to Use SSL/TLS with the Elytron Subsystem
You can configure the iiop-openjdk subsystem to use SSL/TLS to secure communication between clients and servers. The elytron subsystem, as well as the legacy security subsystem, provide the necessary components for configuring SSL/TLS for the iiop-openjdk subsystem as well as other subsystems within JBoss EAP. Use the following steps to configure the iiop-openjdk subsystem to use the elytron subsystem for SSL/TLS.
- Use the following management CLI command to display the current legacy SSL/TLS configuration in the iiop-openjdk subsystem.
  /subsystem=iiop-openjdk:read-attribute(name=security-domain)
  {
      "outcome" => "success",
      "result" => "iiopSSLSecurityDomain"
  }
  The iiop-openjdk subsystem must use either the legacy security subsystem or the elytron subsystem for SSL/TLS. You cannot use both at the same time. The above command shows the iiop-openjdk subsystem is using a legacy security domain for handling SSL/TLS. Before you can configure the iiop-openjdk subsystem to use the elytron subsystem for SSL/TLS, you need to remove this reference:
  /subsystem=iiop-openjdk:undefine-attribute(name=security-domain)
  If the security-domain attribute in the iiop-openjdk subsystem is not defined, you can proceed to the next step.
- Create a server-ssl-context.
  To use SSL/TLS with the iiop-openjdk subsystem, you need to define a server-ssl-context. JBoss EAP uses the configuration provided by the server-ssl-context when making an SSL/TLS connection as a server. You can find more details on creating a server-ssl-context in Enable One-way SSL/TLS for Applications using the Elytron Subsystem in the How to Configure Server Security guide.
- Create a client-ssl-context.
  To use SSL/TLS with the iiop-openjdk subsystem, you need to define a client-ssl-context. JBoss EAP uses the configuration provided by the client-ssl-context when making an SSL/TLS connection as a client. You can find more details on creating a client-ssl-context in Using a client-ssl-context in the How to Configure Server Security guide.
- Configure the iiop-openjdk subsystem to use the client-ssl-context and server-ssl-context.
  Example: Setting client-ssl-context and server-ssl-context
  batch
  /subsystem=iiop-openjdk:write-attribute(name=client-ssl-context,value=iiopClientSSC)
  /subsystem=iiop-openjdk:write-attribute(name=server-ssl-context,value=iiopServerSSC)
  run-batch
  reload
- Configure the connection to and from the iiop-openjdk subsystem.
  You can indicate whether or not SSL/TLS connections are required when connecting to and from the iiop-openjdk subsystem by adjusting the following attributes:
  - To enable support for SSL in the iiop-openjdk subsystem, set support-ssl to true. Defaults to false.
  - To require SSL/TLS connections from the iiop-openjdk subsystem, set client-requires-ssl to true. Defaults to false.
  - To require SSL/TLS connections to the iiop-openjdk subsystem, set server-requires-ssl to true. Defaults to false. Note that setting this to true will block attempts to connect to the non-SSL IIOP socket.
  - To adjust the socket-binding, set ssl-socket-binding to the desired binding. Defaults to iiop-ssl.
  Example: Setting SSL/TLS Connections to and from IIOP as Required
  /subsystem=iiop-openjdk:write-attribute(name=support-ssl,value=true)
  /subsystem=iiop-openjdk:write-attribute(name=client-requires-ssl,value=true)
  /subsystem=iiop-openjdk:write-attribute(name=server-requires-ssl,value=true)
  /subsystem=iiop-openjdk:write-attribute(name=ssl-socket-binding,value=iiop-ssl)
  reload
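As an added example (not part of the JBoss EAP documentation), the following Python check audits the attributes set by the procedure above, including the rule that the legacy security domain and the Elytron SSL contexts cannot be used together. It assumes the result of /subsystem=iiop-openjdk:read-resource has been exported as JSON with undefined attributes as null; the sample responses and the audit_iiop_tls name are constructed for illustration.

```python
import json

# Constructed samples (assumed JSON shape of a read-resource response).
LEGACY = json.dumps({"outcome": "success", "result": {
    "security-domain": "iiopSSLSecurityDomain",
    "client-ssl-context": None, "server-ssl-context": None,
    "support-ssl": False, "client-requires-ssl": False,
    "server-requires-ssl": False, "ssl-socket-binding": "iiop-ssl"}})
ELYTRON = json.dumps({"outcome": "success", "result": {
    "security-domain": None,
    "client-ssl-context": "iiopClientSSC", "server-ssl-context": "iiopServerSSC",
    "support-ssl": True, "client-requires-ssl": True,
    "server-requires-ssl": True, "ssl-socket-binding": "iiop-ssl"}})

SSL_CONTEXTS = ("client-ssl-context", "server-ssl-context")
REQUIRED_TRUE = ("support-ssl", "client-requires-ssl", "server-requires-ssl")


def audit_iiop_tls(response_json):
    """Return (attribute, finding) pairs; an empty list means no deviation."""
    response = json.loads(response_json)
    if response.get("outcome") != "success":
        raise ValueError("management operation did not succeed")
    attrs = response.get("result") or {}
    findings = []
    defined_contexts = [n for n in SSL_CONTEXTS if attrs.get(n)]
    # Legacy security domain and Elytron contexts are mutually exclusive.
    if attrs.get("security-domain"):
        if defined_contexts:
            msg = "set together with Elytron SSL contexts; only one may be used"
        else:
            msg = "legacy security domain still referenced; undefine it first"
        findings.append(("security-domain", msg))
    for name in SSL_CONTEXTS:
        if not attrs.get(name):
            findings.append((name, "not defined"))
    # A missing flag is treated as its documented default, false.
    for name in REQUIRED_TRUE:
        if attrs.get(name, False) is not True:
            findings.append((name, "not set to true"))
    return findings


if __name__ == "__main__":
    for label, sample in (("legacy", LEGACY), ("elytron", ELYTRON)):
        print(label, audit_iiop_tls(sample) or "OK")
```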
-
To enable support for SSL in the