Hello, I am using AMQ7, with Java version "1.8.0_111". I want to configure a symmetric cluster of static connectors, and I want to enable SSL connection between them. The connection is done between server1 and server2. I have successfully set this configuration with TCP connectors: the bridges are correctly set and I can see the different nodes in the Management Console. The problem comes when trying to enable SSL inside the connectors/acceptors. I receive this error:

AMQ222186: unable to authorize cluster control.

The acceptors/connectors & cluster definition on server1:

…
<acceptors>
   <acceptor name="ssl-pulheim1m">tcp://0.0.0.0:10611?sslEnabled=true;keyStorePath=../etc/pulheim1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd;needClientAuth=true</acceptor>
</acceptors>

<connectors>
   <connector name="ssl-pulheim1m">tcp://0.0.0.0:10611?sslEnabled=true;keyStorePath=../etc/pulheim1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd</connector>
   <connector name="ssl-roki1m">tcp://server2:10711?sslEnabled=true;keyStorePath=../etc/roki1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd</connector>
</connectors>

<ha-policy>
   <shared-store>
      <master>
         <failover-on-shutdown>true</failover-on-shutdown>
      </master>
   </shared-store>
</ha-policy>

<cluster-user>username</cluster-user>
<cluster-password>pwd</cluster-password>

<cluster-connections>
   <cluster-connection name="pulheim-roki">
      <connector-ref>ssl-pulheim1m</connector-ref>
      <retry-interval>500</retry-interval>
      <use-duplicate-detection>true</use-duplicate-detection>
      <message-load-balancing>STRICT</message-load-balancing>
      <max-hops>1</max-hops>
      <static-connectors>
         <connector-ref>ssl-roki1m</connector-ref>
      </static-connectors>
   </cluster-connection>
</cluster-connections>

<security-settings>
   <security-setting match="#">
      <permission type="createNonDurableQueue" roles="amq, admin"/>
      <permission type="deleteNonDurableQueue" roles="amq, admin"/>
      <permission type="createDurableQueue" roles="amq, admin"/>
      <permission type="deleteDurableQueue" roles="amq, admin"/>
      <permission type="createAddress" roles="amq, admin"/>
      <permission type="deleteAddress" roles="amq, admin"/>
      <permission type="consume" roles="amq, admin"/>
      <permission type="browse" roles="amq, admin"/>
      <permission type="send" roles="amq, admin"/>
      <permission type="manage" roles="amq, admin"/>
      <permission roles="consumers, admin" type="consume"/>
      <permission roles="producers, admin" type="manage"/>
   </security-setting>
</security-settings>
…

The acceptors/connectors & cluster definition on server2:

…
<acceptors>
   <acceptor name="ssl-roki1m">tcp://0.0.0.0:10711?sslEnabled=true;keyStorePath=../etc/roki1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd;needClientAuth=true</acceptor>
</acceptors>

<connectors>
   <connector name="ssl-pulheim1m">tcp://server1:10611?sslEnabled=true;keyStorePath=../etc/roki1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd</connector>
   <connector name="ssl-roki1m">tcp://0.0.0.0:10711?sslEnabled=true;keyStorePath=../etc/roki1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd</connector>
</connectors>

<ha-policy>
   <shared-store>
      <master>
         <failover-on-shutdown>true</failover-on-shutdown>
      </master>
   </shared-store>
</ha-policy>

<cluster-user>username</cluster-user>
<cluster-password>pwd</cluster-password>

<cluster-connections>
   <cluster-connection name="pulheim-roki">
      <connector-ref>ssl-roki1m</connector-ref>
      <retry-interval>500</retry-interval>
      <use-duplicate-detection>true</use-duplicate-detection>
      <message-load-balancing>STRICT</message-load-balancing>
      <max-hops>1</max-hops>
      <static-connectors>
         <connector-ref>ssl-pulheim1m</connector-ref>
      </static-connectors>
   </cluster-connection>
</cluster-connections>

<security-settings>
   <security-setting match="#">
      <permission type="createNonDurableQueue" roles="amq, admin"/>
      <permission type="deleteNonDurableQueue" roles="amq, admin"/>
      <permission type="createDurableQueue" roles="amq, admin"/>
      <permission type="deleteDurableQueue" roles="amq, admin"/>
      <permission type="createAddress" roles="amq, admin"/>
      <permission type="deleteAddress" roles="amq, admin"/>
      <permission type="consume" roles="amq, admin"/>
      <permission type="browse" roles="amq, admin"/>
      <permission type="send" roles="amq, admin"/>
      <permission type="manage" roles="amq, admin"/>
      <permission roles="consumers, admin" type="consume"/>
      <permission roles="producers, admin" type="manage"/>
   </security-setting>
</security-settings>
…

I use self-signed certificates inside the trust-/keystores. The trust-/keystores are local directories on each server, and they both have Server A's and Server B's certificates included. The SSL handshake doesn't cast any error.

login.conf:

activemq {
   org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
       debug=false
       reload=true
       org.apache.activemq.jaas.properties.user="artemis-users.properties"
       org.apache.activemq.jaas.properties.role="artemis-roles.properties";

   org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule sufficient
       debug=false
       org.apache.activemq.jaas.guest.user="admin011"
       org.apache.activemq.jaas.guest.role="amq";
};

activemq-cert {
   org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule optional
       debug=true
       org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
       org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
};

cert-users.properties (I use the DN from the certificates):

producer=EMAILADDRESS=x...@xxx.xxx,CN=SecZone_2,OU=XXX,O=XXX,ST=XXX,C=XX

cert-roles.properties:

Producers=producer

bootstrap.xml:

<broker xmlns="http://activemq.org/schema">
   <jaas-security domain="activemq" certificate-domain="activemq-cert"/>
   <server configuration="${artemis.URI.instance}/etc/broker.xml"/>
   <web bind="https://zs03ne:8164" path="web" keyStorePath="/opt/amq/jboss-amq-7.0.0.redhat-1/roki1/etc/keystore_zs03ne_https.jks" keyStorePassword="admin011" clientAuth="false" trustStorePath="/opt/amq/jboss-amq-7.0.0.redhat-1/roki1/etc/truststore_https.jks" trustStorePassword="admin011">
      <app url="redhat-branding" war="redhat-branding.war"/>
      <app url="jolokia" war="jolokia.war"/>
      <app url="hawtio" war="hawtio-no-slf4j.war"/>
      <app url="artemis-plugin" war="artemis-plugin.war"/>
      <app url="dispatch-hawtio-console" war="dispatch-hawtio-console.war"/>
   </web>
</broker>

Looking forward to receiving further guidance,
Ignacio

--
View this message in context: http://activemq.2283324.n4.nabble.com/How-to-configure-a-symmetric-cluster-with-SSL-acceptors-connectors-tp4727351.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
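As an added diagnostic that is not part of the original post or the Artemis project, the script below reads the broker.xml of two statically clustered brokers and reports the mismatches worth ruling out first when AMQ222186 appears: differing cluster-user/cluster-password, a static connector whose port has no peer acceptor, sslEnabled disagreeing between connector and acceptor, and a needClientAuth=true acceptor reached by a connector that carries no keyStorePath. The sample XML it builds is constructed and only mirrors the shape of the configuration above; `sample_broker`, `check_cluster` and the port numbers are assumptions for the demonstration.

```python
"""Added example: consistency checks for a two-broker Artemis static cluster over SSL.
Checks what must agree on both sides: cluster credentials and, per static connector,
a peer acceptor with matching SSL settings. All sample XML here is constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

def parse_uri(uri):
    """Split 'tcp://host:port?k=v;k=v' into (host, port, {param: value})."""
    url = urlparse(uri)
    params = dict(p.split("=", 1) for p in url.query.split(";") if "=" in p)
    return url.hostname, url.port, params

def broker_info(xml_text):
    """Collect cluster credentials, acceptors by port, connectors by name, static refs."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop the urn:activemq namespace a real broker.xml carries
        el.tag = el.tag.split("}")[-1]
    info = {"user": root.findtext(".//cluster-user"), "password": root.findtext(".//cluster-password"),
            "acceptors": {}, "connectors": {}, "static": []}
    for a in root.iter("acceptor"):
        _, port, params = parse_uri(a.text.strip())
        info["acceptors"][port] = params
    for c in root.iter("connector"):
        info["connectors"][c.get("name")] = parse_uri(c.text.strip())
    info["static"] = [r.text.strip() for sc in root.iter("static-connectors") for r in sc.iter("connector-ref")]
    return info

def check_cluster(local_xml, peer_xml):
    """Return findings for local -> peer; an empty list means the pair is consistent."""
    local, peer = broker_info(local_xml), broker_info(peer_xml)
    findings = []
    if (local["user"], local["password"]) != (peer["user"], peer["password"]):
        findings.append("cluster-user/cluster-password differ between the brokers")
    for name in local["static"]:
        _, port, cparams = local["connectors"][name]
        aparams = peer["acceptors"].get(port)
        if aparams is None:
            findings.append(f"{name}: peer has no acceptor on port {port}")
        elif aparams.get("sslEnabled") != cparams.get("sslEnabled"):
            findings.append(f"{name}: sslEnabled differs from the peer acceptor")
        elif aparams.get("needClientAuth") == "true" and "keyStorePath" not in cparams:
            findings.append(f"{name}: peer acceptor needs a client cert, connector has no keyStorePath")
    return findings

def sample_broker(port, peer_host, peer_port, password="pwd", connector_keystore=True):
    """Constructed broker.xml fragment shaped like the post's configuration (not real values)."""
    ks_acc = ";keyStorePath=../etc/node.jks;keyStorePassword=pwd"  # constructed keystore params
    ks = ks_acc if connector_keystore else ""
    return f"""<configuration xmlns="urn:activemq"><acceptors><acceptor name="self">tcp://0.0.0.0:{port}?sslEnabled=true{ks_acc};needClientAuth=true</acceptor></acceptors>
<connectors><connector name="self">tcp://0.0.0.0:{port}?sslEnabled=true{ks}</connector><connector name="peer">tcp://{peer_host}:{peer_port}?sslEnabled=true{ks}</connector></connectors>
<cluster-user>username</cluster-user><cluster-password>{password}</cluster-password><cluster-connections><cluster-connection name="pair"><connector-ref>self</connector-ref><static-connectors><connector-ref>peer</connector-ref></static-connectors></cluster-connection></cluster-connections></configuration>"""
```

Run `check_cluster` in both directions (server1 as local with server2 as peer, then the reverse), since a connector-side omission only shows up from the side that initiates.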