I am using ActiveMQ in a Linux environment with OpenJDK 17.x.
I have a Java client that is connecting to the ActiveMQ broker but fails to
authenticate/authorize using mTLS with SSL certificates. The client is able
to reach the broker, performs all of the necessary handshakes, attempts the
connection and fails on the authentication portion. I see all of the
communication and failures within the broker log files and see the connection
attempt.
I have enabled debug logging on the client and broker; the client provides the
following information:
Caused by: java.lang.SecurityException: User name [null] or password is
invalid.
Looking through the broker log files I see the client connection and see that
userName = null and password = ****. From the documentation I found this is
expected if JAAS is configured for certificate authentication.
The client logs the additional information after the above:
Caused by: javax.security.auth.login.LoginException: Client certificates
not found. Cannot authenticate
My client and broker certificates have the following:
1. Client/server certificates
2. X.509 certificates
3. Signed by the same intermediate
4. Signed by the same root
I am using the same P12 for the keystore and truststore; I am not sure if these
must be separated for mTLS to function correctly.
My broker transport is configured the following way:
activemq.xml
<transportConnectors>
    <!-- an ampersand inside an XML attribute must be written as &amp; -->
    <transportConnector name="nio+ssl_6161"
        uri="nio+ssl://host_name:6161?verifyHostName=false&amp;needClientAuth=true"/>
</transportConnectors>
login.conf (tried this the first time)
certModule {
    org.apache.activemq.jaas.TextFileCertificateLoginModule required
        org.apache.activemq.jaas.textfiledn.user="users.properties"
        org.apache.activemq.jaas.textfiledn.group="groups.properties";
};
login.conf (tried this the second time)
certModule {
    org.apache.activemq.jaas.CertificateLoginModule required
        org.apache.activemq.jaas.textfiledn.user="users.properties"
        org.apache.activemq.jaas.textfiledn.group="groups.properties";
};
users.properties
partner=CN=PARTNER, OU=My Sub Org, O=My Org, L=City, ST=State, C=Country
groups.properties
partnerg=CN=PARTNER, OU=My Sub Org, O=My Org, L=City, ST=State, C=Country
Admin=admin,partner,partnerg
The Java ActiveMQ client has the following set and connects using the following
options:
import javax.jms.Connection;
import javax.jms.Session;
import org.apache.activemq.ActiveMQSslConnectionFactory;

// The query string belongs inside the URL string literal
String brokerConnection = "nio+ssl://host_name:6161?verifyHostName=false";
ActiveMQSslConnectionFactory connectionFactory = new ActiveMQSslConnectionFactory(brokerConnection);
// The same P12 is used as both keystore and truststore
connectionFactory.setKeyStore("myKeyStore.p12");
connectionFactory.setKeyStorePassword("myPassword");
connectionFactory.setKeyStoreType("PKCS12");
connectionFactory.setTrustStore("myKeyStore.p12");
connectionFactory.setTrustStorePassword("myPassword");
connectionFactory.setTrustStoreType("PKCS12");
Connection connection = connectionFactory.createConnection();
connection.start();
// JMS method and constant names are createSession / AUTO_ACKNOWLEDGE
Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
What am I missing on the client or broker side that would allow mTLS to be
successful?
Jason
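A stand-alone check of the client P12 that a setup like the one above can be run against, added here as an example and not part of the original post, ActiveMQ or its documentation. It confirms the store holds a private-key entry (a certificate-only store gives the TLS key manager nothing to present, so the broker would receive no client certificate) and prints the subject DN in the comma-space form the ActiveMQ documentation's users.properties example uses, so it can be compared against the users.properties entry character for character. The class and method names are hypothetical; the file path and password are the values from the post.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Hypothetical diagnostic; not part of ActiveMQ or the poster's client. */
public class KeystoreDnCheck {

    /** Subject DN as it should appear on the right-hand side of users.properties. */
    static String usersPropertiesDn(X509Certificate leaf) {
        // getSubjectDN().getName() yields the "CN=x, OU=y, ..." (comma-space) form used in
        // the ActiveMQ docs' users.properties example; deprecated since JDK 16, still in 17.
        return leaf.getSubjectDN().getName();
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "myKeyStore.p12";          // values from the post
        char[] password = (args.length > 1 ? args[1] : "myPassword").toCharArray();

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        boolean hasPrivateKey = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                // Trusted-cert entries serve the truststore role only; they cannot identify the client.
                System.out.println("trusted-cert entry (no private key): " + alias);
                continue;
            }
            hasPrivateKey = true;
            Certificate[] chain = ks.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println("key entry          : " + alias);
            System.out.println("chain length       : " + chain.length + " (leaf + intermediates stored in the P12)");
            System.out.println("users.properties DN: " + usersPropertiesDn(leaf));
            System.out.println("issuer             : " + leaf.getIssuerDN().getName());
        }
        if (!hasPrivateKey) {
            System.out.println("No private-key entry in " + path
                + ": the TLS key manager has nothing to present, so the broker receives no client certificate.");
        }
    }
}
```

Run it as `java KeystoreDnCheck myKeyStore.p12 myPassword` and compare the printed DN line with the users.properties entry; any difference in spacing, attribute order or case means the login module will not find the user.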