[jira] [Commented] (ARTEMIS-3258) downstream federation with ssl does not use the given truststore

Tue, 20 Apr 2021 06:39:06 -0700 


    [ 
https://issues.apache.org/jira/browse/ARTEMIS-3258?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17325803#comment-17325803
 ] 

Erwin Dondorp commented on ARTEMIS-3258:
----------------------------------------

[~gtully] thanks for the suggestion, but I'm building a star-network in which 
the number of remote brokers is unknown. therefore all federation configuration 
must be in the remote broker. this implies that I need both upstream and 
downstream federation. the example in the description uses only brokers A and 
B, but B is a fixed cluster, and A is a set of individual brokers that do not 
need to communicate between each other.

> downstream federation with ssl does not use the given truststore
> ----------------------------------------------------------------
>
>                 Key: ARTEMIS-3258
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3258
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Broker, Federation
>    Affects Versions: 2.17.0
>            Reporter: Erwin Dondorp
>            Priority: Critical
>
> When using a downsteam federation, 2 connections are made:
> * The first one uses the <static-connectors>/<connector-ref>. This one 
> succeeds. The value is 
> {{tcp://B:61617?sslEnabled=true;trustStorePath=filename-on-A;trustStorePassword=xyz}}.
> * The second one must be made by the remote broker and uses the 
> <upstream-connector-ref>. This one fails when using SSL. The url value is 
> {{tcp://A:61617?sslEnabled=true;trustStorePath=filename-on-B;trustStorePassword=xyz}}.
>  This one fails, as can be seen in the logs of B. it shows error "AMQ214016: 
> Failed to create netty connection: javax.net.ssl.SSLHandshakeException: PKIX 
> path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target".
> we cannot use the default trust-stores, so we provide references to our own. 
> these truststores and the other ssl configuration items properly work for 
> cluster-connections, client-connections and upstream-federation-connections. 
> we use self-signed certificates for development and test environments.
> my theory is that the {{trustStorePath}} parameter is somehow ignored and the 
> default truststore is then used (or none). this then causes validation of the 
> certificate to fail as shown by the error message.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to