I changed the port configuration to have an anonymous Authentication Provider
but an SSL transport and it seems to be working. Do the below logs confirm that
the message was encrypted using SSL?

SSL log when sender sends message:

nioEventLoopGroup-2-1, WRITE: TLSv1.2 Application Data, length = 178
> Date: Thu, 2 Jun 2016 20:57:01 +0200
> Subject: Re: [Qpid Java Broker-6.0.0] Using SSL with JMS clients for AMQP
> From: [email protected]
> To: [email protected]
>
> Well, you should be of course able to also use SSL + anonymous ... without
> the client authentication the SSL layer would not help with identity, but
> will still encrypt the communication.
>
> Jakub
>
> On Thu, Jun 2, 2016 at 6:30 PM, Adel Boutros <[email protected]> wrote:
>
> > So Just
> > to confirm I understood you correctly, I have to use either full anonymous
> > connections or SSL + SASL connections. Correct?
> >
> >
> >
> > Regards,
> >
> > Adel
> > > Date: Thu, 2 Jun 2016 18:16:28 +0200
> > > Subject: Re: [Qpid Java Broker-6.0.0] Using SSL with JMS clients for
> > AMQP
> > > From: [email protected]
> > > To: [email protected]
> > >
> > > The SASL basically covers everything. You can either connect without SASL
> > > as anonymous connection or with SASL. SASL has several different
> > mechanisms
> > > which do different kind of authentication ... username/password, external
> > > with certificates and more. I think the Python and C++ bindings for
> > > Proton-c now in 0.12 support both username / password based
> > authentication
> > > as well as certificate based authentication. I'm not sure for the other
> > > parts of Proton-c.
> > >
> > > Jakub
> > >
> > > On Thu, Jun 2, 2016 at 5:15 PM, Adel Boutros <[email protected]>
> > wrote:
> > >
> > > > If I remember correctly, proton-c clients do not support Plain
> > mechanism.
> > > > So I cannot use a simple username and password and I am forced to use
> > SASL
> > > > then.
> > > > Correct?
> > > > Regards,
> > > > Adel
> > > >
> > > > > Date: Thu, 2 Jun 2016 17:11:58 +0200
> > > > > Subject: Re: [Qpid Java Broker-6.0.0] Using SSL with JMS clients for
> > > > AMQP
> > > > > From: [email protected]
> > > > > To: [email protected]
> > > > >
> > > > > If you want something else than anonymous connection, you still need
> > to
> > > > do
> > > > > SASL authentication inside of the SSL connection. The SASL EXTERNAL
> > > > > mechanism would take the identity of the connected user from the SSL
> > > > layer.
> > > > > But do be able to use it, you would need to enable the SSL Client
> > > > > Authentication again - because only with the client authentication
> > the
> > > > > broker will have the identity.
> > > > >
> > > > > With your current SSL setup, you should be able to use for example
> > > > username
> > > > > / password based mechanisms (PLAIN, DIGEST-MD5 etc.). The client
> > should
> > > > > enable them if you specify the username and password in the
> > connection
> > > > URL
> > > > > (see the JMS client documentation). You of course need to have them
> > also
> > > > > enabled on the broker.
> > > > >
> > > > > J.
> > > > >
> > > > > On Thu, Jun 2, 2016 at 4:52 PM, Adel Boutros <[email protected]>
> > > > wrote:
> > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > Hello Jakub,
> > > > > >
> > > > > > Indeed that was the issue. I turned off "Client Certificate".
> > > > > >
> > > > > > Now I have an exception about SASL. Can I use SSL without SASL? Is it
> > > > > > because I am using an "External" authentication provider?
> > > > > >
> > > > > > Exception in thread "main" javax.jms.JMSSecurityException: Could not find a suitable SASL mechanism for the remote peer using the available credentials.
> > > > > >     at org.apache.qpid.jms.provider.amqp.AmqpSaslAuthenticator.handleSaslInit(AmqpSaslAuthenticator.java:120)
> > > > > >     at org.apache.qpid.jms.provider.amqp.AmqpSaslAuthenticator.authenticate(AmqpSaslAuthenticator.java:87)
> > > > > >     at org.apache.qpid.jms.provider.amqp.AmqpProvider.processSaslAuthentication(AmqpProvider.java:827)
> > > > > >     at org.apache.qpid.jms.provider.amqp.AmqpProvider.processUpdates(AmqpProvider.java:814)
> > > > > >     at org.apache.qpid.jms.provider.amqp.AmqpProvider.access$1900(AmqpProvider.java:92)
> > > > > >     at org.apache.qpid.jms.provider.amqp.AmqpProvider$17.run(AmqpProvider.java:701)
> > > > > >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> > > > > >     at java.util.concurrent.FutureTask.run(FutureTask.java:262)
> > > > > >     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
> > > > > >     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
> > > > > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> > > > > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> > > > > >     at java.lang.Thread.run(Thread.java:744)
> > > > > >
> > > > > > Regards,
> > > > > > Adel
> > > > > > > Date: Thu, 2 Jun 2016 16:36:28 +0200
> > > > > > > Subject: Re: [Qpid Java Broker-6.0.0] Using SSL with JMS clients
> > for
> > > > > > AMQP
> > > > > > > From: [email protected]
> > > > > > > To: [email protected]
> > > > > > >
> > > > > > > The bad_certificate error means that the broker doesn't like the
> > > > client
> > > > > > SSL
> > > > > > > certificate.
> > > > > > >
> > > > > > > What kind of SSL authentication do you want? It looks like you
> > > > configured
> > > > > > > the port on the broker in a way that it requires SSL client
> > > > > > authentication
> > > > > > > (using the fields Need SSL Client Certificate: Yes and Want SSL
> > > > Client
> > > > > > > Certificate: Yes). But in the client you seem to define only the
> > > > > > truststore
> > > > > > > which contains the broker public key. Maybe you can try to
> > switch the
> > > > > > > client authentication off in the broker.
> > > > > > >
> > > > > > > Running the client with system property javax.net.debug set to
> > "ssl"
> > > > > > would
> > > > > > > produce a nice detailed SSL log which can help further.
> > > > > > >
> > > > > > > Regards
> > > > > > > Jakub
> > > > > > >
> > > > > > > On Thu, Jun 2, 2016 at 4:10 PM, Adel Boutros <
> > [email protected]>
> > > > > > wrote:
> > > > > > >
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > I have generated a certificate for my machine using openssl 1.0.2
> > > > > > > > (openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes).
> > > > > > > >
> > > > > > > > I have created a new Authentication Provider of type
> > "External".
> > > > > > > >
> > > > > > > > I have created a new KeyStore of type "Non Java Key Store" and
> > > > > > uploaded the
> > > > > > > > private key and certificate generated by the previous step.
> > > > > > > >
> > > > > > > > I have created a new TrustStore of type "Non Java Key Store"
> > and
> > > > > > uploaded
> > > > > > > > the certificate generated by the first step.
> > > > > > > >
> > > > > > > > I have created an AMQP port with the following configuration
> > > > > > > > Name: AMQPS
> > > > > > > > Port Type: AMQP
> > > > > > > > Port Number: 10400
> > > > > > > > Protocols: AMQP_1_0
> > > > > > > > Authentication Provider: sslWithTlsProvider
> > > > > > > > Binding address: *
> > > > > > > > Transports: SSL
> > > > > > > > Key Store: SslCertificateStore
> > > > > > > > Need SSL Client Certificate: Yes
> > > > > > > > Want SSL Client Certificate: Yes
> > > > > > > > Trust Stores: SSLTrustStore
> > > > > > > > Number of connection threads: 8
> > > > > > > >
> > > > > > > > I restarted the broker after all of this configuration.
> > > > > > > >
> > > > > > > > Now, I want to have a JMS consumer connect to this broker using
> > > > SSL. I
> > > > > > > > couldn't find any documentation about it beside the doc page
> > > > > > > > (
> > https://qpid.apache.org/releases/qpid-jms-0.8.0/docs/index.html)
> > > > > > which
> > > > > > > > doesn't provide an example or detailed information.
> > > > > > > >
> > > > > > > > I created a trustStore for the JMS client and added the certificate to it
> > > > > > > > (keytool -import -file cert.pem --keystore D:\qpid-broker\myTrustStore) but
> > > > > > > > it isn't working.
> > > > > > > >
> > > > > > > > Can you please help me setup a working example?
> > > > > > > >
> > > > > > > > PS: I am using Non Java stores because I will have Proton-c clients
> > > > > > > > later on.
> > > > > > > >
> > > > > > > > import javax.jms.Connection;
> > > > > > > > import javax.jms.ConnectionFactory;
> > > > > > > > import javax.jms.JMSException;
> > > > > > > > import org.apache.qpid.jms.JmsConnectionFactory;
> > > > > > > >
> > > > > > > > public class SslConsumer {
> > > > > > > >     public static void main(String[] args) throws JMSException {
> > > > > > > >         // JVM-wide trust store holding the broker's self-signed cert.pem
> > > > > > > >         System.setProperty("javax.net.ssl.trustStore", "D:\\qpid-broker\\myTrustStore");
> > > > > > > >         System.setProperty("javax.net.ssl.trustStorePassword", "password");
> > > > > > > >         // amqps:// selects the SSL transport to the broker's AMQPS port
> > > > > > > >         ConnectionFactory connectionFactory = new JmsConnectionFactory("amqps://aboutros:10400");
> > > > > > > >         Connection connection = connectionFactory.createConnection();
> > > > > > > >         connection.close();
> > > > > > > >     }
> > > > > > > > }
> > > > > > > >
> > > > > > > > Error: javax.net.ssl.SSLException: Received fatal alert:
> > > > > > bad_certificate
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Adel
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > View this message in context:
> > > > > > > >
> > > > > >
> > > >
> > http://qpid.2158936.n2.nabble.com/Qpid-Java-Broker-6-0-0-Using-SSL-with-JMS-clients-for-AMQP-tp7644953.html
> > > > > > > > Sent from the Apache Qpid users mailing list archive at
> > Nabble.com.
> > > > > > > >
> > > > > > > >
> > > > ---------------------------------------------------------------------
> > > > > > > > To unsubscribe, e-mail: [email protected]
> > > > > > > > For additional commands, e-mail: [email protected]
> > > > > > > >
> > > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > >
> > > >
> >
> >
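The thread ends on "do the logs confirm encryption" without a direct check. The program below is an added example (not code from the thread, and not part of the Qpid project) that does two things: it opens a TLS handshake to the broker port itself and reports the negotiated protocol, cipher suite and server certificate (rejecting NULL/anon suites, which are the only way a "TLSv1.2 Application Data" record would carry plaintext), and it then connects with qpid-jms using per-connection `transport.*`/`amqp.saslMechanisms` URI options instead of the JVM-wide `javax.net.ssl.*` properties, selecting ANONYMOUS, PLAIN or EXTERNAL to match the three broker setups discussed. Assumed: broker host `aboutros`, port 10400, trust store `D:/qpid-broker/myTrustStore` with password `password` (forward slashes so the path survives URI parsing), a pre-created queue `ssl.check`, a PKCS12 client key store `D:/qpid-broker/client.p12` for EXTERNAL, and a qpid-jms version whose URI options carry these names (check the client documentation for your release).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.MessageConsumer;
import javax.jms.MessageProducer;
import javax.jms.Queue;
import javax.jms.Session;
import javax.jms.TextMessage;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import org.apache.qpid.jms.JmsConnectionFactory;

/** Added example; host, port, paths, passwords and queue name are assumptions. */
public class AmqpsCheck {

    static final String HOST = "aboutros";
    static final int PORT = 10400;
    static final String TRUST_STORE = "D:/qpid-broker/myTrustStore";
    static final String TRUST_PW = "password";
    static final String CLIENT_KEY_STORE = "D:/qpid-broker/client.p12"; // only for EXTERNAL
    static final String CLIENT_KEY_PW = "changeit";

    enum Mode { ANONYMOUS, PLAIN, EXTERNAL }

    /** Step 1: handshake with the port directly and report what TLS actually negotiated. */
    static SSLSession probeTls() throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(TRUST_STORE)) {
            ts.load(in, TRUST_PW.toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no KeyManager: no client certificate is offered
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(HOST, PORT)) {
            sock.startHandshake(); // fails with bad_certificate if the broker still requires a client cert
            SSLSession s = sock.getSession();
            System.out.println("protocol     = " + s.getProtocol());
            System.out.println("cipher suite = " + s.getCipherSuite());
            for (Certificate c : s.getPeerCertificates()) {
                System.out.println("peer cert    = " + ((X509Certificate) c).getSubjectX500Principal());
            }
            // Only a NULL or anonymous suite would leave application data readable on the wire.
            String suite = s.getCipherSuite();
            if (suite.contains("_NULL_") || suite.contains("_anon_")) {
                throw new IllegalStateException("weak cipher suite negotiated: " + suite);
            }
            return s;
        }
    }

    /** Step 2: a qpid-jms URL whose trust/key material and SASL mechanism are set per connection. */
    static String brokerUrl(Mode mode) {
        String base = "amqps://" + HOST + ":" + PORT
                + "?transport.trustStoreLocation=" + TRUST_STORE
                + "&transport.trustStorePassword=" + TRUST_PW;
        switch (mode) {
            case ANONYMOUS: // broker port bound to an Anonymous authentication provider
                return base + "&amqp.saslMechanisms=ANONYMOUS";
            case PLAIN:     // username/password provider; PLAIN is only acceptable inside TLS
                return base + "&amqp.saslMechanisms=PLAIN";
            case EXTERNAL:  // External provider: identity comes from the client certificate,
                            // so the broker port must again require a client certificate
                return base + "&amqp.saslMechanisms=EXTERNAL"
                        + "&transport.keyStoreLocation=" + CLIENT_KEY_STORE
                        + "&transport.keyStorePassword=" + CLIENT_KEY_PW;
            default:
                throw new IllegalArgumentException(mode.toString());
        }
    }

    /** Step 3: send one message over the TLS connection and read it back. */
    static String roundTrip(Mode mode, String user, String password) throws Exception {
        ConnectionFactory cf = new JmsConnectionFactory(brokerUrl(mode));
        Connection conn = (user == null) ? cf.createConnection() : cf.createConnection(user, password);
        try {
            conn.start();
            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            Queue queue = session.createQueue("ssl.check"); // assumed to exist on the broker
            MessageProducer producer = session.createProducer(queue);
            MessageConsumer consumer = session.createConsumer(queue);
            producer.send(session.createTextMessage("hello over TLS"));
            TextMessage reply = (TextMessage) consumer.receive(5000);
            return reply == null ? null : reply.getText();
        } finally {
            conn.close();
        }
    }

    public static void main(String[] args) throws Exception {
        probeTls();
        System.out.println("anonymous round trip: " + roundTrip(Mode.ANONYMOUS, null, null));
        // Other setups from the thread:
        // roundTrip(Mode.PLAIN, "user", "secret");   needs a PLAIN-capable provider on the port
        // roundTrip(Mode.EXTERNAL, null, null);      needs Need/Want SSL Client Certificate: Yes
    }
}
```

Run it with `-Djavax.net.debug=ssl` as suggested in the thread and the `WRITE: TLSv1.2 Application Data` lines from the JMS connection will line up with the protocol and cipher suite the probe printed; if the probe throws `bad_certificate`, the port is still configured to require a client certificate and only the EXTERNAL variant can succeed.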