If you want something other than an anonymous connection, you still need to do
SASL authentication inside the SSL connection. The SASL EXTERNAL
mechanism would take the identity of the connected user from the SSL layer.
But to be able to use it, you would need to enable SSL Client
Authentication again, because only with client authentication will the
broker have the identity.

With your current SSL setup, you should be able to use for example username
/ password based mechanisms (PLAIN, DIGEST-MD5 etc.). The client should
enable them if you specify the username and password in the connection URL
(see the JMS client documentation). You of course need to have them also
enabled on the broker.

J.
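The two options described in the reply above, as an added example written for this page (it is not code from the thread or from the Qpid project): one connection URI that keeps the current truststore-only SSL setup and supplies a username and password for SASL PLAIN, and one that adds a client keystore for SASL EXTERNAL. The option names (transport.trustStoreLocation, transport.keyStoreLocation, amqp.saslMechanisms, jms.username, jms.password) are the Qpid JMS client's URI configuration options; the host name, store paths, passwords and user name are placeholders.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import org.apache.qpid.jms.JmsConnectionFactory;

/**
 * Two ways to give the broker a client identity over an amqps:// connection.
 * Example code for this discussion; not part of the Qpid project.
 */
public final class QpidSaslOverTlsExample {

    /** URL-encodes a query value so store paths and passwords survive URI parsing. */
    private static String enc(String value) {
        try {
            return URLEncoder.encode(value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }

    /**
     * Option 1: truststore only on the client (the setup in this thread). TLS
     * authenticates the broker but not the client, so the client's identity comes
     * from SASL PLAIN credentials carried inside the TLS channel. PLAIN sends the
     * password as-is, so it is only acceptable on an amqps:// port, never amqp://.
     */
    static String plainOverTlsUri(String host, int port, String trustStorePath,
                                  String trustStorePassword, String user, String password) {
        return "amqps://" + host + ":" + port
             + "?transport.trustStoreLocation=" + enc(trustStorePath)
             + "&transport.trustStorePassword=" + enc(trustStorePassword)
             + "&amqp.saslMechanisms=PLAIN"   // pin the mechanism: no silent fallback to ANONYMOUS
             + "&jms.username=" + enc(user)
             + "&jms.password=" + enc(password);
    }

    /**
     * Option 2: SASL EXTERNAL. The client presents its own certificate from the
     * keystore during the TLS handshake and the broker takes the identity from it.
     * This only works when the broker port requires a client certificate again
     * ("Need SSL Client Certificate: Yes") and its truststore contains that certificate.
     */
    static String externalUri(String host, int port, String trustStorePath,
                              String trustStorePassword, String keyStorePath,
                              String keyStorePassword) {
        return "amqps://" + host + ":" + port
             + "?transport.trustStoreLocation=" + enc(trustStorePath)
             + "&transport.trustStorePassword=" + enc(trustStorePassword)
             + "&transport.keyStoreLocation=" + enc(keyStorePath)
             + "&transport.keyStorePassword=" + enc(keyStorePassword)
             + "&amqp.saslMechanisms=EXTERNAL";
    }

    public static void main(String[] args) throws JMSException {
        // Host, port, store path and credentials below are placeholders for this example.
        String uri = plainOverTlsUri("broker.example.internal", 10400,
                "D:/qpid-broker/myTrustStore", "password", "consumer", "consumer-secret");
        ConnectionFactory factory = new JmsConnectionFactory(uri);
        Connection connection = factory.createConnection();
        try {
            connection.start();   // TLS handshake and SASL exchange complete here
            System.out.println("Connected with SASL PLAIN over TLS");
        } finally {
            connection.close();
        }
    }
}
```

Whichever URI is used, the broker port must be backed by an authentication provider that actually offers the pinned mechanism (an "External" provider offers only EXTERNAL, which is why the client in this thread could not find a suitable mechanism once the client certificate was switched off). Credentials can alternatively be passed with `factory.createConnection(user, password)` instead of the jms.username and jms.password options, which keeps them out of the URI string. The client also checks the broker's host name against its certificate (the transport.verifyHost option controls this), so a self-signed certificate should be generated with the broker's host name as its subject rather than disabling that check.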

On Thu, Jun 2, 2016 at 4:52 PM, Adel Boutros <[email protected]> wrote:

> Hello Jakub,
>
> Indeed that was the issue. I turned off "Client Certificate". Now I have an
> exception about SASL. Can I use SSL without SASL? Is it because I am using
> an "External" authentication provider?
>
> Exception in thread "main" javax.jms.JMSSecurityException: Could not find a
> suitable SASL mechanism for the remote peer using the available credentials.
>     at org.apache.qpid.jms.provider.amqp.AmqpSaslAuthenticator.handleSaslInit(AmqpSaslAuthenticator.java:120)
>     at org.apache.qpid.jms.provider.amqp.AmqpSaslAuthenticator.authenticate(AmqpSaslAuthenticator.java:87)
>     at org.apache.qpid.jms.provider.amqp.AmqpProvider.processSaslAuthentication(AmqpProvider.java:827)
>     at org.apache.qpid.jms.provider.amqp.AmqpProvider.processUpdates(AmqpProvider.java:814)
>     at org.apache.qpid.jms.provider.amqp.AmqpProvider.access$1900(AmqpProvider.java:92)
>     at org.apache.qpid.jms.provider.amqp.AmqpProvider$17.run(AmqpProvider.java:701)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:744)
>
> Regards,
> Adel
>
> > Date: Thu, 2 Jun 2016 16:36:28 +0200
> > Subject: Re: [Qpid Java Broker-6.0.0] Using SSL with JMS clients for AMQP
> > From: [email protected]
> > To: [email protected]
> >
> > The bad_certificate error means that the broker doesn't like the client
> > SSL certificate.
> >
> > What kind of SSL authentication do you want? It looks like you configured
> > the port on the broker in a way that it requires SSL client authentication
> > (using the fields Need SSL Client Certificate: Yes and Want SSL Client
> > Certificate: Yes). But in the client you seem to define only the truststore
> > which contains the broker public key. Maybe you can try to switch the
> > client authentication off in the broker.
> >
> > Running the client with system property javax.net.debug set to "ssl" would
> > produce a nice detailed SSL log which can help further.
> >
> > Regards
> > Jakub
> >
> > On Thu, Jun 2, 2016 at 4:10 PM, Adel Boutros <[email protected]> wrote:
> >
> > > Hello,
> > >
> > > I have generated a certificate for my machine using openssl 1.0.2
> > > (openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes).
> > >
> > > I have created a new Authentication Provider of type "External".
> > >
> > > I have created a new KeyStore of type "Non Java Key Store" and uploaded the
> > > private key and certificate generated by the previous step.
> > >
> > > I have created a new TrustStore of type "Non Java Key Store" and uploaded
> > > the certificate generated by the first step.
> > >
> > > I have created an AMQP port with the following configuration
> > >         Name: AMQPS
> > >         Port Type: AMQP
> > >         Port Number: 10400
> > >         Protocols: AMQP_1_0
> > >         Authentication Provider: sslWithTlsProvider
> > >         Binding address: *
> > >         Transports: SSL
> > >         Key Store: SslCertificateStore
> > >         Need SSL Client Certificate: Yes
> > >         Want SSL Client Certificate: Yes
> > >         Trust Stores: SSLTrustStore
> > >         Number of connection threads: 8
> > >
> > > I restarted the broker after all of this configuration.
> > >
> > > Now, I want to have a JMS consumer connect to this broker using SSL. I
> > > couldn't find any documentation about it beside the doc page
> > > (https://qpid.apache.org/releases/qpid-jms-0.8.0/docs/index.html) which
> > > doesn't provide an example or detailed information.
> > >
> > > I created a trustStore for the JMS client and added the certificate to it
> > > (keytool -import -file cert.pem --keystore D:\qpid-broker\myTrustStore) but
> > > it isn't working
> > >
> > > Can you please help me setup a working example?
> > >
> > > PS: I am using Non Java stores because I will have Proton-c clients later
> > > on.
> > >
> > > import javax.jms.Connection;
> > > import javax.jms.ConnectionFactory;
> > > import javax.jms.JMSException;
> > > import org.apache.qpid.jms.JmsConnectionFactory;
> > >
> > > public class SslConsumer {
> > >     public static void main(String[] args) throws JMSException {
> > >         // Broker certificate is trusted through the JVM default truststore properties
> > >         System.setProperty("javax.net.ssl.trustStore", "D:\\qpid-broker\\myTrustStore");
> > >         System.setProperty("javax.net.ssl.trustStorePassword", "password");
> > >         ConnectionFactory connectionFactory = new JmsConnectionFactory("amqps://aboutros:10400");
> > >         Connection connection = connectionFactory.createConnection();
> > >     }
> > > }
> > >
> > > Error: javax.net.ssl.SSLException: Received fatal alert: bad_certificate
> > >
> > > Regards,
> > > Adel
> > >
> > > --
> > > View this message in context: http://qpid.2158936.n2.nabble.com/Qpid-Java-Broker-6-0-0-Using-SSL-with-JMS-clients-for-AMQP-tp7644953.html
> > > Sent from the Apache Qpid users mailing list archive at Nabble.com.