[jira] [Commented] (AMQ-5100) PKCS11 (NSS-FIPS) support in A-MQ/ActiveMQ

2016-05-04 Thread Gary Tully (JIRA)

[ 
https://issues.apache.org/jira/browse/AMQ-5100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15271525#comment-15271525
 ] 

Gary Tully commented on AMQ-5100:
-

for the record - I think "suppressMBean" would allow just the 
transportConnector mbean to be dropped so that the rest of jmx could work. see: 
http://activemq.apache.org/jmx.html

> PKCS11 (NSS-FIPS) support in A-MQ/ActiveMQ
> --
>
> Key: AMQ-5100
> URL: https://issues.apache.org/jira/browse/AMQ-5100
> Project: ActiveMQ
>  Issue Type: Bug
>  Components: Broker
>Reporter: Jesse Sightler
>
> I have attempted to configure PKCS11/NSS support in ActiveMQ, however, I am 
> receiving the following exception:
> Caused by: java.io.FileNotFoundException: class path resource [NONE] cannot 
> be opened because it does not exist
> at 
> org.springframework.core.io.ClassPathResource.getInputStream(ClassPathResource.java:157)
> at 
> org.apache.activemq.spring.SpringSslContext.createKeyManagerKeyStore(SpringSslContext.java:119)
> at 
> org.apache.activemq.spring.SpringSslContext.createKeyManagers(SpringSslContext.java:88)
> at 
> org.apache.activemq.spring.SpringSslContext.afterPropertiesSet(SpringSslContext.java:65)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:622)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1581)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1522)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1452)
> ... 40 more
> My configured sslContext for the broker looks like this:
> 
>  keyStore="NONE" keyStoreType="PKCS11" 
> keyStorePassword="password"
> trustStore="/etc/activemqssl/truststore.jks" 
> trustStorePassword="password"
> />
> 
> AFAIK, setting keyStore to "NONE" is the generally accepted way to do this 
> with PKCS11. The code should generate a warning at most for this, but instead 
> I receive the above exception and a failure to load the keystore.
> The activemq code looks like this (in 
> org.apache.activemq.spring.SpringSslContext):
> private KeyStore createKeyManagerKeyStore() throws Exception {
>     if (keyStore == null) {
>         return null;
>     }
>     KeyStore ks = KeyStore.getInstance(keyStoreType);
>     InputStream is = Utils.resourceFromString(keyStore).getInputStream();
>     try {
>         ks.load(is, keyStorePassword == null ? null : keyStorePassword.toCharArray());
>     } finally {
>         is.close();
>     }
>     return ks;
> }
> It looks like this should just be setting "is" to null, generating a warning, 
> and then calling ks.load with the null inputstream (the nss library will load 
> the nss files based upon the nss.cfg file).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
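
The behaviour the quoted description asks for, as an added example that is not part of the original thread and is not ActiveMQ's code: a loader that passes a null stream to `KeyStore.load` when the location is "NONE", so a PKCS11 provider finds its keys through its own configuration. The class and method names are hypothetical, the password is a constructed sample, and a plain file path stands in for ActiveMQ's `Utils.resourceFromString`.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.KeyStoreException;

public class TokenAwareKeyStoreLoader {

    /** True when the store lives on a token and has no backing file. */
    static boolean isTokenBacked(String location) {
        return "NONE".equals(location);
    }

    /**
     * Loads a key store. For a token-backed store (location "NONE") the stream
     * handed to load() is null, so the provider (for example SunPKCS11 with its
     * nss.cfg) locates the keys itself instead of a file being opened.
     */
    static KeyStore load(String type, String location, char[] password) throws Exception {
        if (location == null) {
            return null; // same as the quoted method: no key store configured
        }
        KeyStore ks = KeyStore.getInstance(type);
        if (isTokenBacked(location)) {
            ks.load(null, password);
            return ks;
        }
        try (InputStream is = new FileInputStream(location)) {
            ks.load(is, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // constructed sample password

        // File-backed path: write an empty PKCS12 store to a temp file, then load it.
        Path tmp = Files.createTempFile("sample", ".p12");
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, pw);
        try (FileOutputStream out = new FileOutputStream(tmp.toFile())) {
            empty.store(out, pw);
        }
        System.out.println("file store entries: " + load("PKCS12", tmp.toString(), pw).size());
        Files.delete(tmp);

        // Token-backed path: works only when a PKCS11 provider is registered.
        try {
            System.out.println("token store entries: " + load("PKCS11", "NONE", pw).size());
        } catch (KeyStoreException e) {
            System.out.println("no PKCS11 provider configured: " + e.getMessage());
        }
    }
}
```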


[jira] [Commented] (AMQ-5100) PKCS11 (NSS-FIPS) support in A-MQ/ActiveMQ

2016-01-26 Thread Tristan Leask (JIRA)

[ 
https://issues.apache.org/jira/browse/AMQ-5100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15116986#comment-15116986
 ] 

Tristan Leask commented on AMQ-5100:


From my perspective, yes, though it would be good to get a comment from the OP 
([~jsight]



[jira] [Commented] (AMQ-5100) PKCS11 (NSS-FIPS) support in A-MQ/ActiveMQ

2016-01-25 Thread Tristan Leask (JIRA)

[ 
https://issues.apache.org/jira/browse/AMQ-5100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15115177#comment-15115177
 ] 

Tristan Leask commented on AMQ-5100:


Ok, I am trying to do this as well, and came across the same error.  I got 
past this error by editing the SSLContext definition like so...



Even though you get past this error, you then come across a "Transport 
Connector could not be registered in JMX" due to the random number generator 
and FIPS Mode...

{code}
INFO   | jvm 1| 2016/01/25 12:57:11 | 
org.springframework.beans.factory.BeanCreationException: Error creating bean 
with name 'org.apache.activemq.xbean.XBeanBrokerService#0' defined in class 
path resource [activemq.xml]: Invocation of init method failed; nested 
exception is java.io.IOException: Transport Connector could not be registered 
in JMX: FIPS mode: SecureRandom must be from provider SunPKCS11-NSSfips
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1420)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:293)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:290)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:192)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:585)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:895)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:425)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.apache.xbean.spring.context.ResourceXmlApplicationContext.(ResourceXmlApplicationContext.java:64)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.apache.xbean.spring.context.ResourceXmlApplicationContext.(ResourceXmlApplicationContext.java:52)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.apache.activemq.xbean.XBeanBrokerFactory$1.(XBeanBrokerFactory.java:108)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.apache.activemq.xbean.XBeanBrokerFactory.createApplicationContext(XBeanBrokerFactory.java:108)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.apache.activemq.xbean.XBeanBrokerFactory.createBroker(XBeanBrokerFactory.java:72)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.apache.activemq.broker.BrokerFactory.createBroker(BrokerFactory.java:71)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.apache.activemq.broker.BrokerFactory.createBroker(BrokerFactory.java:54)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.apache.activemq.console.command.StartCommand.startBroker(StartCommand.java:115)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.apache.activemq.console.command.StartCommand.runTask(StartCommand.java:74)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.apache.activemq.console.command.AbstractCommand.execute(AbstractCommand.java:57)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.apache.activemq.console.command.ShellCommand.runTask(ShellCommand.java:148)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.apache.activemq.console.command.AbstractCommand.execute(AbstractCommand.java:57)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
org.apache.activemq.console.command.ShellCommand.main(ShellCommand.java:90)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 
java.lang.reflect.Method.invoke(Unknown Source)
INFO   | jvm 1| 2016/01/25 12:57:11 |   at 

[jira] [Commented] (AMQ-5100) PKCS11 (NSS-FIPS) support in A-MQ/ActiveMQ

2016-01-25 Thread Tristan Leask (JIRA)

[ 
https://issues.apache.org/jira/browse/AMQ-5100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15115562#comment-15115562
 ] 

Tristan Leask commented on AMQ-5100:


Resolved

Managed to get past that previous error and now the ActiveMQ is starting under 
Java running in FIPS Mode, and thus hopefully, ActiveMQ is running ok with 
FIPS.  Had to edit the SSLContext to the following...

{code}

{code}

Basically, the stores should be pointing to the NSS certificate DB, and the 
Store Types and Secure Random Number Generator Algorithms should be set to 
PKCS11.

Note, I have disabled JMX on my broker as I don't need it, not sure if this has 
any effect.



[jira] [Commented] (AMQ-5100) PKCS11 (NSS-FIPS) support in A-MQ/ActiveMQ

2016-01-25 Thread Arthur Naseef (JIRA)

[ 
https://issues.apache.org/jira/browse/AMQ-5100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15116284#comment-15116284
 ] 

Arthur Naseef commented on AMQ-5100:


This seems like a reasonable scenario and fix.  Anytime the SSL context needs 
to be customized, this is how it must be done.

Can we close this ticket?
