Found the issue! Actually for the connector, "certFile" should correspond to the client authentication certificate. I had a belief it should be the broker's SSL certificate and that "certDb" should have contained the client authentication certificate.
As for the proton logs, I put the logger in TRACE mode and got all the errors I was hoping to see. Sorry for wasting your time.

Regards,
Adel

> From: [email protected]
> To: [email protected]
> Subject: RE: [qpid-dispatch 0.6.0] Client certificate authentication with Java Broker 6.0.0
> Date: Wed, 13 Jul 2016 13:54:30 +0200
>
> It seems the error is coming from Proton side and is related to my
> certificate configuration. However, I would expect to have some proton logs
> in my log file but this is not the case. Did I miss something in the
> configuration?
>
> Qpid-dispatch 0.6.0 (src/server.c)
>
> if (config->ssl_certificate_file) {
>     if (pn_ssl_domain_set_credentials(domain,
>                                       config->ssl_certificate_file,
>                                       config->ssl_private_key_file,
>                                       config->ssl_password)) {
>         qd_log(ct->server->log_source, QD_LOG_ERROR,
>                "SSL local configuration failed for %s:%s",
>                ct->config->host, ct->config->port);
>     }
> }
>
> Proton 0.12.2 (proton-c/src/ssl/openssl.c)
> Before returning, for every error, there is a log line ("ssl_log_error") but
> I cannot find any of them in the dispatch.10396.log file
>
> int pn_ssl_domain_set_credentials( pn_ssl_domain_t *domain,
>                                    const char *certificate_file,
>                                    const char *private_key_file,
>                                    const char *password)
> {
>   if (!domain || !domain->ctx) return -1;
>
>   if (SSL_CTX_use_certificate_chain_file(domain->ctx, certificate_file) != 1) {
>     ssl_log_error("SSL_CTX_use_certificate_chain_file( %s ) failed",
>                   certificate_file);
>     return -3;
>   }
>
>   if (password) {
>     domain->keyfile_pw = pn_strdup(password);  // @todo: obfuscate me!!!
>     SSL_CTX_set_default_passwd_cb(domain->ctx, keyfile_pw_cb);
>     SSL_CTX_set_default_passwd_cb_userdata(domain->ctx, domain->keyfile_pw);
>   }
>
>   if (SSL_CTX_use_PrivateKey_file(domain->ctx, private_key_file,
>                                   SSL_FILETYPE_PEM) != 1) {
>     ssl_log_error("SSL_CTX_use_PrivateKey_file( %s ) failed",
>                   private_key_file);
>     return -4;
>   }
>   ...
>
> Regards,
> Adel
>
> > From: [email protected]
> > To: [email protected]
> > Subject: RE: [qpid-dispatch 0.6.0] Client certificate authentication with Java Broker 6.0.0
> > Date: Wed, 13 Jul 2016 12:38:57 +0200
> >
> > Actually, I have an error message in the log file of the dispatcher which
> > comes up every 5 seconds (If I am not mistaken, every x seconds the
> > dispatcher will re-try to connect to the broker?)
> >
> > bash$ tail -f dispatch.10396.log
> > Wed Jul 13 12:35:51 2016 SERVER (error) SSL local configuration failed for localhost:10101
> > Wed Jul 13 12:35:56 2016 SERVER (error) SSL local configuration failed for localhost:10101
> > Wed Jul 13 12:36:01 2016 SERVER (error) SSL local configuration failed for localhost:10101
> > Wed Jul 13 12:36:06 2016 SERVER (error) SSL local configuration failed for localhost:10101
> >
> > Regards,
> > Adel
> >
> > > From: [email protected]
> > > To: [email protected]
> > > Subject: [qpid-dispatch 0.6.0] Client certificate authentication with Java Broker 6.0.0
> > > Date: Wed, 13 Jul 2016 11:44:05 +0200
> > >
> > > Hello,
> > >
> > > On a previous post
> > > (http://qpid.2158936.n2.nabble.com/Qpid-Dispatch-SSL-SASL-configuration-on-a-listener-tp7646048.html),
> > > I had asked about how to setup the qpid-dispatch to work with SSL and
> > > SASL authentication and I was able thanks to your help to get clients
> > > (Consumer/producer) to connect to the dispatcher using the correct
> > > certificates.
> > >
> > > At that time, I was connected to the open AMQP port of the Java Broker
> > > which had no security. I then tried to connect to a port which only
> > > required SSL and this is also working.
> > >
> > > What is not working however is connecting the dispatcher to a port which
> > > has SSL and requires client certificates on the Java Broker. When I run
> > > the qdmanage command to create the connector, no connections show up on
> > > the virtual host tab in the Java Broker Web management console.
> > >
> > > The qdmanage commands are not showing any errors and there are no errors
> > > on the Java Broker's side. Is there a way to debug further what is
> > > happening with qdmanage?
> > >
> > > As a reminder, my certificates are generated by a self-signed CA composed
> > > of a root authority and an intermediate one.
> > >
> > > Dispatcher config
> > >
> > > router {
> > >     id: router.10396
> > >     mode: interior
> > >     worker-threads: 4
> > > }
> > >
> > > ssl-profile {
> > >     name: ssl-full-profile
> > >     certFile: cert_lx.pem
> > >     keyFile: key_lx.pem
> > >     certDb: ca-chain.cert.pem
> > > }
> > >
> > > listener {
> > >     host: 0.0.0.0
> > >     port: 10396
> > >     role: normal
> > >     saslMechanisms: EXTERNAL
> > >     sslProfile: ssl-full-profile
> > >     requireSsl: yes
> > >     authenticatePeer: yes
> > > }
> > >
> > > listener {
> > >     host: 0.0.0.0
> > >     port: 10395
> > >     role: normal
> > >     saslMechanisms: ANONYMOUS
> > >     sslProfile: ssl-full-profile
> > >     requireSsl: yes
> > >     authenticatePeer: no
> > > }
> > >
> > > log {
> > >     module: DEFAULT
> > >     enable: warn+
> > >     output: dispatch.10396.log
> > > }
> > >
> > > Java Broker
> > > AMQP port is 10101 configured with the proper "KeyStore" of the broker, a
> > > "NonJavaTrustStore" containing the ca-chain.cert.pem (Combination of the
> > > root and intermediate certificates) and "Want SSL Client Certificate".
> > >
> > > qdmanage commands
> > >
> > > qdmanage -b amqps://localhost:10395 --ssl-key=key_lx.pem \
> > >     --ssl-certificate=cert_lx.pem create --type=address prefix=perfQueue \
> > >     waypoint=true name=perf.queue.addr
> > >
> > > qdmanage -b amqps://localhost:10395 --ssl-key=key_lx.pem \
> > >     --ssl-certificate=cert_lx.pem create --type=connector \
> > >     role=route-container addr=localhost port=10101 \
> > >     name=localhost.broker.10101.connector certFile=cert_lx.pem \
> > >     certDb=ca-chain.cert.pem
> > >
> > > Regards,
> > > Adel
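A pre-flight check for the certFile/certDb mix-up resolved above, as an added example that is not part of qpid-dispatch or Proton: it parses the ssl-profile section of a qdrouterd.conf text and loads certFile, keyFile and certDb through Python's ssl module in the same order pn_ssl_domain_set_credentials does, so OpenSSL's reason for a rejected file is shown before the router would log only "SSL local configuration failed". The sample config is constructed from the one in the thread, and the file names are assumed to be relative to the working directory.

```python
# Added example, not qpid-dispatch or Proton code: load an ssl-profile's
# certFile/keyFile/certDb the way Proton's pn_ssl_domain_set_credentials does
# (certificate chain, private key, then CA database) before starting the router.
import re
import ssl

# Constructed sample in qdrouterd.conf format, modelled on the thread's profile.
SAMPLE_CONF = """
ssl-profile {
    name: ssl-full-profile
    certFile: cert_lx.pem      # this router's own cert (client cert on connectors)
    keyFile: key_lx.pem
    certDb: ca-chain.cert.pem  # CA chain used to verify the peer, not a leaf cert
}
"""

def parse_qdrouterd_conf(text):
    """Parse 'section { key: value ... }' blocks into (name, attrs) tuples."""
    sections = []
    for name, body in re.findall(r"([\w-]+)\s*\{([^}]*)\}", text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0]  # drop trailing comments
            if ":" in line:
                key, value = line.split(":", 1)
                attrs[key.strip()] = value.strip()
        sections.append((name, attrs))
    return sections

def check_ssl_profile(profile):
    """Return problems found; an empty list means OpenSSL accepted the files."""
    if not profile.get("certFile"):
        return ["certFile missing: the router's own certificate is required"]
    problems, ctx = [], ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:  # SSL_CTX_use_certificate_chain_file + SSL_CTX_use_PrivateKey_file
        ctx.load_cert_chain(profile["certFile"], profile.get("keyFile"), profile.get("password"))
    except (ssl.SSLError, OSError) as exc:
        problems.append(f"certFile/keyFile rejected: {exc}")
    if profile.get("certDb"):
        try:  # the trust store; a leaf certificate here is the wrong file
            ctx.load_verify_locations(cafile=profile["certDb"])
        except (ssl.SSLError, OSError) as exc:
            problems.append(f"certDb rejected: {exc}")
    return problems

def check_config(text):
    """Run the check for every ssl-profile section in a config text."""
    return [f"ssl-profile {a.get('name')}: {p}"
            for s, a in parse_qdrouterd_conf(text) if s == "ssl-profile"
            for p in check_ssl_profile(a)]
```

Run it against the real config before `qdrouterd` starts; with valid files `check_config` returns an empty list, and with a swapped or missing file it returns the OpenSSL or OS error for the offending attribute.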
