So just to confirm I understood you correctly, I have to use either full anonymous connections or SSL + SASL connections. Correct?

Regards,
Adel

> Date: Thu, 2 Jun 2016 18:16:28 +0200
> Subject: Re: [Qpid Java Broker-6.0.0] Using SSL with JMS clients for AMQP
> From: [email protected]
> To: [email protected]
>
> The SASL basically covers everything. You can either connect without SASL as an anonymous connection or with SASL. SASL has several different mechanisms which do different kinds of authentication ... username/password, external with certificates and more. I think the Python and C++ bindings for Proton-c now in 0.12 support both username / password based authentication as well as certificate based authentication. I'm not sure for the other parts of Proton-c.
>
> Jakub
>
> On Thu, Jun 2, 2016 at 5:15 PM, Adel Boutros <[email protected]> wrote:
>
> > If I remember correctly, proton-c clients do not support the Plain mechanism. So I cannot use a simple username and password and I am forced to use SASL then.
> > Correct?
> >
> > Regards,
> > Adel
> >
> > > Date: Thu, 2 Jun 2016 17:11:58 +0200
> > > Subject: Re: [Qpid Java Broker-6.0.0] Using SSL with JMS clients for AMQP
> > > From: [email protected]
> > > To: [email protected]
> > >
> > > If you want something else than an anonymous connection, you still need to do SASL authentication inside of the SSL connection. The SASL EXTERNAL mechanism would take the identity of the connected user from the SSL layer. But to be able to use it, you would need to enable the SSL Client Authentication again - because only with the client authentication will the broker have the identity.
> > >
> > > With your current SSL setup, you should be able to use for example username / password based mechanisms (PLAIN, DIGEST-MD5 etc.). The client should enable them if you specify the username and password in the connection URL (see the JMS client documentation). You of course need to have them also enabled on the broker.
> > >
> > > J.
> > >
> > > On Thu, Jun 2, 2016 at 4:52 PM, Adel Boutros <[email protected]> wrote:
> > >
> > > > Hello Jakub,
> > > >
> > > > Indeed that was the issue. I turned off "Client Certificate". Now I have an exception about SASL. Can I use SSL without SASL? Is it because I am using an "External" authentication provider?
> > > >
> > > > Exception in thread "main" javax.jms.JMSSecurityException: Could not find a suitable SASL mechanism for the remote peer using the available credentials.
> > > >     at org.apache.qpid.jms.provider.amqp.AmqpSaslAuthenticator.handleSaslInit(AmqpSaslAuthenticator.java:120)
> > > >     at org.apache.qpid.jms.provider.amqp.AmqpSaslAuthenticator.authenticate(AmqpSaslAuthenticator.java:87)
> > > >     at org.apache.qpid.jms.provider.amqp.AmqpProvider.processSaslAuthentication(AmqpProvider.java:827)
> > > >     at org.apache.qpid.jms.provider.amqp.AmqpProvider.processUpdates(AmqpProvider.java:814)
> > > >     at org.apache.qpid.jms.provider.amqp.AmqpProvider.access$1900(AmqpProvider.java:92)
> > > >     at org.apache.qpid.jms.provider.amqp.AmqpProvider$17.run(AmqpProvider.java:701)
> > > >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> > > >     at java.util.concurrent.FutureTask.run(FutureTask.java:262)
> > > >     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
> > > >     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
> > > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> > > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> > > >     at java.lang.Thread.run(Thread.java:744)
> > > >
> > > > Regards,
> > > > Adel
> > > >
> > > > > Date: Thu, 2 Jun 2016 16:36:28 +0200
> > > > > Subject: Re: [Qpid Java Broker-6.0.0] Using SSL with JMS clients for AMQP
> > > > > From: [email protected]
> > > > > To: [email protected]
> > > > >
> > > > > The bad_certificate error means that the broker doesn't like the client SSL certificate.
> > > > >
> > > > > What kind of SSL authentication do you want? It looks like you configured the port on the broker in a way that it requires SSL client authentication (using the fields Need SSL Client Certificate: Yes and Want SSL Client Certificate: Yes). But in the client you seem to define only the truststore which contains the broker public key. Maybe you can try to switch the client authentication off in the broker.
> > > > >
> > > > > Running the client with system property javax.net.debug set to "ssl" would produce a nice detailed SSL log which can help further.
> > > > >
> > > > > Regards
> > > > > Jakub
> > > > >
> > > > > On Thu, Jun 2, 2016 at 4:10 PM, Adel Boutros <[email protected]> wrote:
> > > > >
> > > > > > Hello,
> > > > > >
> > > > > > I have generated a certificate for my machine using openssl 1.0.2 (openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes).
> > > > > >
> > > > > > I have created a new Authentication Provider of type "External".
> > > > > >
> > > > > > I have created a new KeyStore of type "Non Java Key Store" and uploaded the private key and certificate generated by the previous step.
> > > > > >
> > > > > > I have created a new TrustStore of type "Non Java Key Store" and uploaded the certificate generated by the first step.
> > > > > >
> > > > > > I have created an AMQP port with the following configuration
> > > > > > Name: AMQPS
> > > > > > Port Type: AMQP
> > > > > > Port Number: 10400
> > > > > > Protocols: AMQP_1_0
> > > > > > Authentication Provider: sslWithTlsProvider
> > > > > > Binding address: *
> > > > > > Transports: SSL
> > > > > > Key Store: SslCertificateStore
> > > > > > Need SSL Client Certificate: Yes
> > > > > > Want SSL Client Certificate: Yes
> > > > > > Trust Stores: SSLTrustStore
> > > > > > Number of connection threads: 8
> > > > > >
> > > > > > I restarted the broker after all of this configuration.
> > > > > >
> > > > > > Now, I want to have a JMS consumer connect to this broker using SSL. I couldn't find any documentation about it besides the doc page (https://qpid.apache.org/releases/qpid-jms-0.8.0/docs/index.html) which doesn't provide an example or detailed information.
> > > > > >
> > > > > > I created a trustStore for the JMS client and added the certificate to it (keytool -import -file cert.pem --keystore D:\qpid-broker\myTrustStore) but it isn't working.
> > > > > >
> > > > > > Can you please help me set up a working example?
> > > > > >
> > > > > > PS: I am using Non Java stores because I will have Proton-c clients later on.
> > > > > >
> > > > > > import javax.jms.Connection;
> > > > > > import javax.jms.ConnectionFactory;
> > > > > > import javax.jms.JMSException;
> > > > > > import org.apache.qpid.jms.JmsConnectionFactory;
> > > > > >
> > > > > > public class SslConsumer {
> > > > > >     public static void main(String[] args) throws JMSException {
> > > > > >         // Trust store containing the broker certificate (cert.pem imported with keytool above)
> > > > > >         System.setProperty("javax.net.ssl.trustStore", "D:\\qpid-broker\\myTrustStore");
> > > > > >         System.setProperty("javax.net.ssl.trustStorePassword", "password");
> > > > > >         ConnectionFactory connectionFactory = new JmsConnectionFactory("amqps://aboutros:10400");
> > > > > >         Connection connection = connectionFactory.createConnection();
> > > > > >     }
> > > > > > }
> > > > > >
> > > > > > Error: javax.net.ssl.SSLException: Received fatal alert: bad_certificate
> > > > > >
> > > > > > Regards,
> > > > > > Adel
> > > > > >
> > > > > > --
> > > > > > View this message in context: http://qpid.2158936.n2.nabble.com/Qpid-Java-Broker-6-0-0-Using-SSL-with-JMS-clients-for-AMQP-tp7644953.html
> > > > > > Sent from the Apache Qpid users mailing list archive at Nabble.com.
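The thread above ends up with two workable client setups: an anonymous SSL connection (broker port with client-certificate authentication switched off and an Anonymous provider), or mutual TLS where the broker keeps "Need SSL Client Certificate: Yes" together with its External provider and takes the identity from the client certificate through SASL EXTERNAL. The following class is an added example written for this page, not code from the thread or from the Qpid project; it builds the qpid-jms connection URI for each setup using the client's `transport.*` and `amqp.saslMechanisms` URI options. The host and port (`aboutros:10400`) and the trust store path follow the thread; the client keystore file `client.p12`, the store passwords, and the availability of `transport.keyStoreType` in the client version in use are assumptions. Paths use forward slashes because a backslash is not a legal character inside a `java.net.URI` query.

```java
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import org.apache.qpid.jms.JmsConnectionFactory;

/**
 * Connection URIs for the two SSL setups discussed in the thread:
 * anonymous SSL, and mutual TLS with SASL EXTERNAL.
 */
public class QpidSslClient {

    static final String BROKER = "amqps://aboutros:10400";              // host/port from the thread
    static final String TRUST_STORE = "D:/qpid-broker/myTrustStore";    // holds the broker's cert.pem
    static final String CLIENT_KEY_STORE = "D:/qpid-broker/client.p12"; // placeholder (assumption)
    static final String STORE_PASSWORD = "password";                    // placeholder (assumption)

    /**
     * Anonymous SSL: the client verifies the broker certificate only.
     * The broker port must have client-certificate authentication switched
     * off and use an Anonymous authentication provider; with the External
     * provider still selected the client fails with
     * "Could not find a suitable SASL mechanism", as seen in the thread.
     */
    static String anonymousUri() {
        return BROKER
            + "?transport.trustStoreLocation=" + TRUST_STORE
            + "&transport.trustStorePassword=" + STORE_PASSWORD
            + "&amqp.saslMechanisms=ANONYMOUS";
    }

    /**
     * Mutual TLS + SASL EXTERNAL: the client presents its own certificate and
     * the broker (External provider, Need SSL Client Certificate: Yes, client
     * certificate present in the broker trust store) derives the identity from it.
     * The PKCS#12 keystore can be produced from the PEM files made in the thread:
     *   openssl pkcs12 -export -inkey key.pem -in cert.pem -out client.p12 -name client
     * transport.keyStoreType is assumed to be supported by the client version used.
     */
    static String externalUri() {
        return BROKER
            + "?transport.trustStoreLocation=" + TRUST_STORE
            + "&transport.trustStorePassword=" + STORE_PASSWORD
            + "&transport.keyStoreLocation=" + CLIENT_KEY_STORE
            + "&transport.keyStorePassword=" + STORE_PASSWORD
            + "&transport.keyStoreType=PKCS12"
            + "&amqp.saslMechanisms=EXTERNAL";
    }

    /** Opens, starts and closes one connection; TLS or SASL failures surface as JMSException. */
    static void connectOnce(String uri) throws JMSException {
        ConnectionFactory factory = new JmsConnectionFactory(uri);
        Connection connection = factory.createConnection();
        try {
            connection.start();
        } finally {
            connection.close();
        }
    }

    public static void main(String[] args) throws JMSException {
        // Run the JVM with -Djavax.net.debug=ssl to see the handshake details if this fails.
        boolean anonymous = args.length > 0 && args[0].equals("anonymous");
        connectOnce(anonymous ? anonymousUri() : externalUri());
    }
}
```

Two points worth checking when adapting this: the broker certificate's subject must match the host name in the URI, since qpid-jms verifies the host name against the certificate by default, and the `bad_certificate` alert from the thread is exactly what the broker sends when it requires a client certificate and the client has no keystore configured. Store passwords are hard-coded here only to keep the example self-contained; in a deployment they belong in configuration the process reads at start-up rather than in source or on the command line.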
