Disabling the keystore-code in the source and setting the values at runtime
fixes the problem, so don't think the problem is in the broker-configuration:

    <sslContext>
      <sslContext
        keyStore="file:${activemq.conf}/broker.ks"
        keyStorePassword="xxxxxxxxx"
        trustStore="file:${activemq.conf}/client.ts"
        trustStorePassword="xxxxxxxxx"/>
    </sslContext>

Snippet of Producer.java:

    import javax.jms.Connection;
    import javax.jms.Destination;
    import javax.jms.MessageProducer;
    import javax.jms.Session;
    import javax.jms.TextMessage;
    import org.apache.activemq.ActiveMQSslConnectionFactory;

    public class Producer {
        private static String user = "guest";
        private static String password = "password";
        private static String url = "ssl://127.0.0.1:61616";
        private static String subject = "GUEST.FOO";

        public static void main(String[] args) throws Exception {
            ActiveMQSslConnectionFactory connectionFactory =
                new ActiveMQSslConnectionFactory(url);
            // Truststore configured in code; this is the variant that fails
            // with "Could not load resource".
            connectionFactory.setTrustStore("/opt/activemq/conf/client.ts");
            connectionFactory.setTrustStorePassword("xxxxxxxx");
            // ... (rest of the producer is not part of the snippet)
        }
    }

And after removing setTrustStore() and setTrustStorePassword(), it works by
setting trustStore system properties:

    java -Djavax.net.ssl.trustStore=/opt/activemq/conf/client.ts -Djavax.net.ssl.trustStorePassword=xxxxxx Producer

For failover URIs, it's a known problem, not fixed in ActiveMQ 5.7:
https://issues.apache.org/jira/browse/AMQ-3785
But my problem is with a simple SSL URI in the broker-configuration:
<transportConnector name="openwire" uri="ssl://0.0.0.0:61616"/>
-----Original Message-----
From: Claudio Corsi [mailto:[email protected]]
Sent: Tuesday, December 11, 2012 6:04 PM
To: [email protected]
Subject: Re: SSL: could not load resource
I do not doubt that you are using ssl but are you setting up the configuration
using the sslContext element within the configuration file?
This allows you to set the key and trust store files and their required
passwords.
For instance,

    <amq:broker useJmx="false" persistent="false">
      <amq:sslContext>
        <amq:sslContext
          keyStore="server.keystore" keyStorePassword="password"
          trustStore="client.keystore" trustStorePassword="password"/>
      </amq:sslContext>
      <amq:transportConnectors>
        <amq:transportConnector uri="ssl://localhost:61616"/>
      </amq:transportConnectors>
    </amq:broker>

You can also use the technique where you scramble the password and then pass
the key using an environment variable.
I do not know how this is done off the top of my head but can look for a reference.
>________________________________
> From: Geurt Schimmel <[email protected]>
>To: "[email protected]" <[email protected]>; 'Claudio
>Corsi' <[email protected]>
>Sent: Tuesday, December 11, 2012 11:23 AM
>Subject: RE: SSL: could not load resource
>
>All brokers run SSL as the only communication-protocol and intercommunicate
>over SSL.
>
>-----Original Message-----
>From: Claudio Corsi [mailto:[email protected]]
>Sent: Tuesday, December 11, 2012 5:17 PM
>To: [email protected]
>Subject: Re: SSL: could not load resource
>
>Did you try to use the sslContext element to set your store information
>within the broker configuration file?
>
>Here is a link http://activemq.apache.org/how-do-i-use-ssl.html.
>
>
>
>>________________________________
>> From: Geurt Schimmel <[email protected]>
>>To: "[email protected]" <[email protected]>
>>Sent: Tuesday, December 11, 2012 9:54 AM
>>Subject: RE: SSL: could not load resource
>>
>>Created key- and truststores for a number of brokers, so not using the
>>packaged .ks and .ts files.
>>
>>Tried different truststores in different locations, tried a path to a
>>truststore that didn't exist, just to see what happens. In all cases, the
>>same error. Apparently, the point where the keystore is accessed is not
>>reached. Setting the same variables/values in JAVA_OPTS works:
>>
>>java -Djavax.net.ssl.trustStore=/opt/activemq/conf/client.ts
>>-Djavax.net.ssl.trustStorePassword=xxxxxxxx Producer
>>
>>-----Original Message-----
>>From: Christian Posta [mailto:[email protected]]
>>Sent: Tuesday, December 11, 2012 3:41 PM
>>To: [email protected]
>>Subject: Re: SSL: could not load resource
>>
>>Is the client truststore in that location? /opt/activemq/conf/client.ts
>>I think there were some issues with packaging activemq 5.7 and some of the
>>client keystores might have been missing.
>>
>>You'll have to copy from the 5.6.0 version
>>
>>
>>
>>
>>On Tue, Dec 11, 2012 at 7:05 AM, Geurt Schimmel <
>>[email protected]> wrote:
>>
>>> Hi,
>>>
>>> My broker is running SSL only, with a 'simple' transportConnector:
>>> <transportConnector name="openwire" uri="ssl://0.0.0.0:61616"/>
>>>
>>> When trying to run a java-client:
>>>
>>> Exception in thread "main" javax.jms.JMSException: Could not create Transport. Reason: java.io.IOException: Could not load resource: /opt/activemq/conf/client.ts
>>>     at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:35)
>>>     at org.apache.activemq.ActiveMQSslConnectionFactory.createTransport(ActiveMQSslConnectionFactory.java:115)
>>>     at org.apache.activemq.ActiveMQConnectionFactory.createActiveMQConnection(ActiveMQConnectionFactory.java:277)
>>>     at org.apache.activemq.ActiveMQConnectionFactory.createConnection(ActiveMQConnectionFactory.java:202)
>>>     at Producer.main(Producer.java:32)
>>> Caused by: java.io.IOException: Could not load resource: /opt/activemq/conf/client.ts
>>>     at org.apache.activemq.ActiveMQSslConnectionFactory.getUrlOrResourceAsStream(ActiveMQSslConnectionFactory.java:188)
>>>     at org.apache.activemq.ActiveMQSslConnectionFactory.createTrustManager(ActiveMQSslConnectionFactory.java:126)
>>>     at org.apache.activemq.ActiveMQSslConnectionFactory.createTransport(ActiveMQSslConnectionFactory.java:108)
>>>     ... 3 more
>>>
>>> Removed the java-code that deals with the truststore and moved the
>>> functionality to JAVA_OPTS, but this is not what I want/expected.
>>> Using activemq-all-5.7-SNAPSHOT.jar.
>>>
>>> Thought this problem only occurs when using an SSL failover URI ?
>>>
>>> Thanks,
>>> Geurt
>>>
>>
>>
>>
>>--
>>*Christian Posta*
>>http://www.christianposta.com/blog
>>twitter: @christianposta
>>
>>
>>
>
>
>
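
The thread contrasts setTrustStore() in code with JVM-wide javax.net.ssl.* system properties. As an added example (not code from any poster in this thread or from the ActiveMQ project), the client below loads the truststore itself and hands the resulting trust managers to the factory through setKeyAndTrustManagers(), so trust is scoped to this one factory and a missing file fails with the path in the error. Assumptions: the store is JKS, the password comes from a hypothetical TRUSTSTORE_PASSWORD environment variable, the broker does not request client certificates, and the class name ProducerExplicitTrust is made up.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.jms.Connection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.activemq.ActiveMQSslConnectionFactory;

public class ProducerExplicitTrust {
    // Path and broker URL are the ones quoted in the thread.
    private static final String TRUST_STORE = "/opt/activemq/conf/client.ts";
    private static final String URL = "ssl://127.0.0.1:61616";

    public static void main(String[] args) throws Exception {
        // Assumption: password supplied via a TRUSTSTORE_PASSWORD environment
        // variable (hypothetical name) rather than compiled into the class.
        String pw = System.getenv("TRUSTSTORE_PASSWORD");
        if (pw == null) {
            throw new IllegalStateException("TRUSTSTORE_PASSWORD is not set");
        }

        // Read the store straight from the filesystem. A missing or unreadable
        // file raises FileNotFoundException; a wrong password raises IOException.
        KeyStore trustStore = KeyStore.getInstance("JKS"); // assumed store type
        try (InputStream in = new FileInputStream(TRUST_STORE)) {
            trustStore.load(in, pw.toCharArray());
        }

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Both arrays are non-null so the factory uses exactly these managers.
        // The empty KeyManager array means no client certificate is offered.
        // Other TLS clients in the same JVM keep their own trust settings.
        ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory(URL);
        factory.setKeyAndTrustManagers(
            new KeyManager[0], tmf.getTrustManagers(), new SecureRandom());

        Connection connection = factory.createConnection("guest", "password");
        try {
            connection.start(); // the connection to the ssl:// broker is exercised here
        } finally {
            connection.close();
        }
    }
}
```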