Hello, I've searched the forums, google sites, and of course ActiveMQ's website for an answer but I am unable to find one.
I will start off by giving some basic information about my setup.

First, my ActiveMQ broker is running out of a JBoss A-MQ system with these versions: server version Apache ActiveMQ 5.9.0.redhat-611416 running on Java 1.7. My client is a Windows 7 Java project running out of Eclipse Luna using Java JDK 1.7. The API I'm using is org.apache.qpid.amqp_1_0.jms and some of the javax.jms libraries.

My objective is fairly simple: take the examples given in the ActiveMQ release, run them out of an Eclipse project, and add two-way authentication functionality.

Actions Taken:

I will start off by saying I fully read the "How do I use SSL" page on Apache's website. Getting one-way authentication worked and I can send and receive messages just fine. Two-way authentication is proving most difficult.

On the broker, I have a keystore and truststore already provided. Also, I have been provided with a certificate for that machine that matches the MD5 found in keystore.jks, so I know that the certificate matches the keystore.

On the client machine I created a keystore first. I ran this command in Cygwin:

    "$JAVA_HOME/bin/keytool" -genkey -alias client -keyalg RSA -keystore client.ks

This created the .ks file, from which I exported a certificate. I took the broker's certificate and imported it into a truststore on the client machine. Like above, I used my Java keytool, with the options:

    -import -alias eap6 -keystore client.ts -file <provided broker cert>

On the broker machine, I did the same thing: I went into the truststore and imported client_cert, using the alias client.

Development:

As stated, I started off with the examples provided by ActiveMQ in the examples directory for establishing a connection between client and broker using the AMQP protocol. So my send message looks like this: I set host, port and clientid and pass those to a constructor that uses the code below. I then attempt to create a connection.

One-way SSL works without the authentication, so leaving the user and password blank I assume is fine?

    try {
        ConnectionFactoryImpl factory = new ConnectionFactoryImpl(uri, port, "", "", client, true);
        connection = factory.createConnection("", "");
        connection.start();
        session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
    } catch (Exception e) {
        LOGGER.log(Level.SEVERE, "Exception caught:", e);
    }

I then have a send method. Destination looks like this:

    private Destination destination = new QueueImpl("queue://amqp-ssl-q");

    try {
        MessageProducer producer = session.createProducer(destination);
        LOGGER.info(" [x] Creating message");
        TextMessage msg = session.createTextMessage("Hello World!");
        producer.send(msg);
        LOGGER.info(" [x] Sent Message");
    } catch (JMSException e) {
        LOGGER.log(Level.SEVERE, "[X] Send Failed:", e);
    }

Configuration:

I know the server and client need ways of getting the keystore and client. On the broker, I use activemq.xml to set this:

    <sslContext>
        <sslContext keyStore="/security/ssl/keystore/keystore.jks"
                    keyStorePassword="%{keystore.password}"
                    trustStore="/security/ssl/truststore/truststore.jks"
                    trustStorePassword="%{truststore.password}" />
    </sslContext>

I set up the transport connector as such:

    <transportConnector name="amqp+ssl" uri="amqp+ssl://0.0.0.0:5671?transport.needClientAuth=true"/>

In Eclipse I went into the Run Configurations and under Arguments -> VM arguments, I set the path to my truststore and keystore like so:

    -Djavax.net.ssl.keyStore=C:/<path>/<to>/<keystore>/client.ks
    -Djavax.net.ssl.keyStorePassword="<password>"
    -Djavax.net.ssl.trustStore=C:/<path>/<to>/<truststore>/client.ts
    -Djavax.net.ssl.trustStorePassword="<password>"
    -Djavax.net.debug=ssl

The following parameters I added because the debugger in Eclipse had null for these values. Before I used them I was just using the ones above. It didn't seem to make a difference, but I was desperate, so I added these to the VM arguments.

I should also note that I also tried adding just the path to the property but not including the file, like the keystore below. So I tried running the send with the parameters below, missing the file at the end, and then with the file.

    -Djavax.net.ssl.trustStorePath=C:/<path>/<to>/<trustStore>/client.ts
    -Djavax.net.ssl.keyStorePath=C:/<path>/<to>/<keystore>

Error:

When I run this, it complains about a bad certificate.

    main, WRITE: TLSv1 Handshake, length = 48
    main, READ: TLSv1 Alert, length = 2
    main, RECV TLSv1 ALERT: fatal, bad_certificate
    %% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
    main, called closeSocket()
    main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    javax.jms.JMSException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
        at org.apache.qpid.amqp_1_0.jms.impl.ConnectionImpl.connect(ConnectionImpl.java:193)
        at org.apache.qpid.amqp_1_0.jms.impl.ConnectionImpl.start(ConnectionImpl.java:365)
    Caused by: org.apache.qpid.amqp_1_0.client.ConnectionException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
        at org.apache.qpid.amqp_1_0.client.TCPTransportProvider.connect(TCPTransportProvider.java:203)
        at org.apache.qpid.amqp_1_0.client.Connection.<init>(Connection.java:278)
        at org.apache.qpid.amqp_1_0.client.Connection.<init>(Connection.java:167)
        at org.apache.qpid.amqp_1_0.jms.impl.ConnectionImpl.connect(ConnectionImpl.java:173)
        ... 3 more
    Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
        at org.apache.qpid.amqp_1_0.client.TCPTransportProvider.connect(TCPTransportProvider.java:106)
        ... 6 more

Questions:

Does this seem like I am doing something incorrectly? I really don't understand where I have made a mistake. The instructions are fairly straightforward for setting up the keystore and truststore in the "How do I use SSL" page. Also, I don't think I'm doing anything radical here with the client-side code, as I am basing it off the provided ActiveMQ release examples. One-way also works fine, so it is pulling the broker's certificate just fine when I set NeedClientAuth=false.

If anyone has ideas, I would be happy to try them. Also, if more information is needed I will do what I can to provide it.

--
View this message in context: http://activemq.2283324.n4.nabble.com/ActiveMQ-2-Way-Authentication-tp4694960.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
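An added diagnostic for the setup described in the post above (not the poster's code and not from the ActiveMQ examples): it loads client.ks and a copy of the broker's truststore.jks and runs the trust check a JSSE server-side trust manager applies to a presented client certificate, printing the fingerprints on both sides so a mismatch between what the client presents under the alias "client" and what the truststore actually holds shows up without a live handshake. The file names, passwords and the JKS store type are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic, not from the original post: loads the client keystore and a copy of
// the broker truststore, then runs checkClientTrusted(), the check a JSSE server-side
// trust manager applies to a client's certificate. Paths/passwords are assumptions.
public class ClientCertCheck {
    static KeyStore load(String path, String pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pass.toCharArray()); }
        return ks;
    }
    static String sha1(Certificate c) throws Exception {  // fingerprint, as keytool -list prints it
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-1").digest(c.getEncoded())) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }
    // usage: java ClientCertCheck client.ks <ks-password> truststore.jks <ts-password>
    public static void main(String[] args) throws Exception {
        KeyStore clientKs = load(args[0], args[1]);
        KeyStore brokerTs = load(args[2], args[3]);
        // What the client presents: the chain stored under its private-key alias.
        Certificate[] raw = clientKs.getCertificateChain("client");
        if (raw == null) throw new IllegalStateException("no private-key entry 'client' in " + args[0]);
        X509Certificate[] chain = new X509Certificate[raw.length];
        for (int i = 0; i < raw.length; i++) chain[i] = (X509Certificate) raw[i];
        System.out.println("client presents " + chain[0].getSubjectX500Principal() + "  SHA1=" + sha1(chain[0]));
        // What the broker trusts: every truststore entry, with fingerprints to compare against.
        for (String a : Collections.list(brokerTs.aliases()))
            System.out.println("truststore entry '" + a + "'  SHA1=" + sha1(brokerTs.getCertificate(a)));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(brokerTs);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                ((X509TrustManager) tm).checkClientTrusted(chain, "RSA");
                System.out.println("OK: this truststore accepts the client certificate");
            } catch (CertificateException e) {
                System.out.println("REJECTED (handshake would end in bad_certificate): " + e);
            }
        }
    }
}
```

If this prints OK against the broker's truststore but the handshake still fails, the store the client actually presents from differs from the one checked here, so the next thing to compare is the certificate chain the client sends in the -Djavax.net.debug=ssl output.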