So your certs are properly working now? It looked like the original transport config was wrong, it should be "transport.needClientAuth=true" on the URL but I'm guessing you figured that out if it is working.
For the clients that it's failing username/password for when using dual mode, is a cert still set by the client? Looking at the code it will only process username and password if the client does not present a certificate.

Chris

On Tue, Jun 9, 2026 at 2:11 PM Jason Jackson <[email protected]> wrote:
>
> Another update
>
> I now have the following configured and working
>
> activemq.xml
> <jaasDualAuthenticationPlugin configuration="queueUserModules"
>     sslConfiguration="queueCertModules"/>
>
> The certificate-based authentication works but the username and password
> authentication fails.
>
> Any configuration setting suggestions for the jaasDualAuthentication plugin
>
>
> Jason
>
>
> ________________________________
> From: Jason Jackson <[email protected]>
> Sent: Tuesday, June 9, 2026 1:16 PM
> To: [email protected] <[email protected]>
> Subject: Re: ActiveMQ Classic 6.2.6 mTLS Failure and Assistance
>
> After continued troubleshooting and testing, I have been able to get mTLS to
> work.
>
> Here is how I was able to get mTLS to work correctly
>
> activemq.xml
> <jaasAuthenticationPlugin configuration="queueModules"/> -->
> <jaasCertificateAuthenticationPlugin configuration="queueModules"/>
>
> The issue I have now is I have some accounts that provide a username and
> password and also need the ability for certificate-based authentication.
>
> I have tried the following
>
> <jaasDualAuthenticationPlugin configuration="queueModules"/>
>
> This causes all authentication methods to fail; meaning username and password
> as well as certificate authentication all fail.
>
> Are there any suggestions on how to enable username and password along with
> certification authentication at the same time?
>
>
> Jason
>
>
> ________________________________
> From: Jason Jackson <[email protected]>
> Sent: Tuesday, June 9, 2026 9:40 AM
> To: [email protected] <[email protected]>
> Subject: ActiveMQ Classic 6.2.6 mTLS Failure and Assistance
>
> I am using ActiveMQ in a Linux environment with OpenJDK 17.x.
>
> I have a JAVA Client that is connecting to the ActiveMQ broker but fails to
> authenticate/authorize using mTLS using SSL Certificates. The client is able
> to reach the broker, perform all of the necessary handshakes, attempts the
> connection and fails on the authentication portion. I see all of the
> communication and failures within the broker log files and see the connection
> attempt.
>
> I have enabled debug logging on the client and broker, the client provides
> the following information:
>
> Caused by: java.lang.SecurityException: User name [null] or password is invalid.
>
> Looking through the broker log files I see the client connection and see that
> userName = null and password = ****. From the documentation I found this is
> expected if JAAS is configured for certificate authentication.
>
> The client logs the additional information after the above:
>
> Caused by: javax.security.auth.login.LoginException: Client certificates not found. Cannot authenticate
>
> My client and broker certificates have the following:
>
> 1. Client/server certificates
> 2. X.509 certificates
> 3. Signed by the same intermediate
> 4. Signed by the same root
>
> I am using the same P12 for the keystore and truststore, I am not sure if
> these must be separated for mTLS to function correctly.
>
> My broker transport is configured the following way
>
> activemq.xml
> <transportConnectors>
>   <transportConnector name="nio+ssl_6161"
>     uri="nio+ssl://host_name:6161?verifyHostName=false&needClientAuth=true"/>
> </transportConnectors>
>
> login.conf
> certModule (Tried this the first time)
> {
>   org.apache.activemq.jaas.TextFileCertificateLoginModule required
>   org.apache.activemq.jaas.textfiledn.user=users.properties
>   org.apache.activemq.jaas.textfiledn.group=groups.properties
> }
>
> certModule (Tried this the second time)
> {
>   org.apache.activemq.jaas.CertificateLoginModule required
>   org.apache.activemq.jaas.textfiledn.user=users.properties
>   org.apache.activemq.jaas.textfiledn.group=groups.properties
> }
>
> users.properties
> partner=CN=PARTNER, OU=My Sub Org, O=My Org, L=City, ST=State, C=Country
>
> groups.properties
> partnerg=CN=PARTNER, OU=My Sub Org, O=My Org, L=City, ST=State, C=Country
> Admin=admin,partner,partnerg
>
>
> The JAVA ActiveMQ client has the following set and connects using the
> following options:
>
> String brokerConnection = "nio+ssl://host_name:6161?verifyHostName=false";
> ActiveMQSslConnectionFactory connectionFactory =
>     new ActiveMQSslConnectionFactory(brokerConnection);
> connectionFactory.setKeyStore("myKeyStore.p12");
> connectionFactory.setKeyStorePassword("myPassword");
> connectionFactory.setKeyStoreType("PKCS12");
> connectionFactory.setTrustStore("myKeyStore.p12");
> connectionFactory.setTrustStorePassword("myPassword");
> connectionFactory.setTrustStoreType("PKCS12");
> Connection connection = connectionFactory.createConnection();
> connection.start();
> session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
>
> What am I missing on the client or broker side that would allow mTLS to be
> successful?
>
>
>
> Jason
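
Added example, not part of the original thread and not the project's own configuration: the pieces discussed above assembled in one place, with the `transport.` prefix from the reply and the two JAAS domain names from the dual-plugin update. The password-domain file names (`pw-users.properties`, `pw-groups.properties`), the `brokerName` value and the choice of `PropertiesLoginModule` for that domain are assumptions.

```xml
<!-- activemq.xml (fragment) -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="example-broker">

  <plugins>
    <!-- Two separate JAAS domains, both defined in login.config below:
           configuration    -> username/password logins
           sslConfiguration -> client-certificate logins
         Per the reply in this thread, username and password are only
         processed when the client does not present a certificate. -->
    <jaasDualAuthenticationPlugin configuration="queueUserModules"
                                  sslConfiguration="queueCertModules"/>
  </plugins>

  <transportConnectors>
    <!-- Socket-level options need the "transport." prefix, as the reply
         points out; the original URI used a bare needClientAuth=true.
         needClientAuth=true makes the TLS handshake require a certificate
         from every client that connects to this connector. -->
    <transportConnector name="nio+ssl_6161"
        uri="nio+ssl://host_name:6161?transport.needClientAuth=true"/>
  </transportConnectors>

</broker>

<!-- login.config (JAAS syntax, shown inside a comment to keep one fragment).
     Each domain name must match the plugin attribute exactly, and each
     module entry ends with a semicolon.

queueUserModules {
    org.apache.activemq.jaas.PropertiesLoginModule required
        org.apache.activemq.jaas.properties.user="pw-users.properties"
        org.apache.activemq.jaas.properties.group="pw-groups.properties";
};

queueCertModules {
    org.apache.activemq.jaas.TextFileCertificateLoginModule required
        org.apache.activemq.jaas.textfiledn.user="users.properties"
        org.apache.activemq.jaas.textfiledn.group="groups.properties";
};
-->
```

When checking a failing username/password client against this layout, the first thing to confirm is the question asked in the reply: whether that client's connection factory still has a keystore set and is therefore presenting a certificate.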
