> That looks a bit as if artemis is trying to authenticate the connection
> via a client certificate. From the config snippet you supplied it
> doesn't look like it is using TLS, let alone supplying a client cert.
> Are you able to get a protocol trace for the interaction between the
> router and the broker? (A simple way to do this would be to start a
> router with that connector in with env var PN_TRACE_FRM=1 and capture
> the output) 

It shouldn't do that, trying to authenticate via client certificate (well,
not yet at least).
Using the same config, but connecting directly to the broker (a
javax.jms.Connection(String user, String password); with the same
credentials), allows me to connect just fine.

The trace gives quite some output; I think the relevant parts are these:
[0x7f595400bdb0]:  -> SASL
[0x7f595400bdb0]:  <- SASL
[0x7f595400bdb0]:0 <- @sasl-mechanisms(64)
[sasl-server-mechanisms=@PN_SYMBOL[:PLAIN, :ANONYMOUS]]
[0x7f595400bdb0]:0 -> @sasl-init(65) [mechanism=:ANONYMOUS,
initial-response=b"anonym...@masterbroker.host.name"]
[0x7f595400bdb0]:0 <- @sasl-outcome(68) [code=0]

Here it seems as if Qpid chooses to use ANONYMOUS to connect with the broker
(which will not work, since the broker is configured to require
authentication), whereas the broker seems to offer PLAIN as well.

A bit later I see the connection:
[0x7f5954027d60]:4 <- @begin(17) [next-outgoing-id=0,
incoming-window=2147483647, outgoing-window=2147483647]
[0x7f5954027d60]:4 <- @attach(18)
[name="qpid-jms:sender:ID:8b0bc583-315f-4f54-8f17-ecc40379c77f:1:1:1:testqueues.testqueue",
handle=0, role=false, snd-settle-mode=2, rcv-settle-mode=0,
source=@source(40) [address="ID:8b0bc583-315f-4f54-8f17-ecc40379c77f:1:1:1",
durable=0, timeout=0, dynamic=false,
outcomes=@PN_SYMBOL[:"amqp:accepted:list", :"amqp:rejected:list",
:"amqp:released:list", :"amqp:modified:list"]], target=@target(41)
[address="testqueues.testqueue", durable=0, timeout=0, dynamic=false,
capabilities=@PN_SYMBOL[:queue]], initial-delivery-count=0,
max-message-size=0]
[0x7f5954027d60]:4 -> @begin(17) [remote-channel=4, next-outgoing-id=0,
incoming-window=2147483647, outgoing-window=2147483647]
[0x7f595400bdb0]:0 -> @begin(17) [next-outgoing-id=0,
incoming-window=2147483647, outgoing-window=2147483647]
[0x7f595400bdb0]:0 -> @attach(18)
[name="qpid-jms:sender:ID:8b0bc583-315f-4f54-8f17-ecc40379c77f:1:1:1:testqueues.testqueue",
handle=0, role=false, snd-settle-mode=2, rcv-settle-mode=0,
source=@source(40) [address="ID:8b0bc583-315f-4f54-8f17-ecc40379c77f:1:1:1",
durable=0, timeout=0, dynamic=false,
outcomes=@PN_SYMBOL[:"amqp:accepted:list", :"amqp:rejected:list",
:"amqp:released:list", :"amqp:modified:list"]], target=@target(41)
[address="testqueues.testqueue", durable=0, timeout=0, dynamic=false,
capabilities=@PN_SYMBOL[:queue]], initial-delivery-count=0,
max-message-size=0]
[0x7f595400bdb0]:0 <- @close(24) [error=@error(29)
[condition=:"amqp:internal-error", description="Unrecoverable error:
AMQ119031: Unable to validate user from /192.168.0.1:52202. Username: null;
SSL certificate subject DN: unavailable"]]
[0x7f595400bdb0]:  <- EOS
[0x7f595400bdb0]:0 -> @close(24) []
[0x7f595400bdb0]:  -> EOS
[0x7f5954027d60]:4 -> @attach(18)
[name="qpid-jms:sender:ID:8b0bc583-315f-4f54-8f17-ecc40379c77f:1:1:1:testqueues.testqueue",
handle=0, role=true, snd-settle-mode=2, rcv-settle-mode=0,
source=@source(40) [durable=0, timeout=0, dynamic=false], target=@target(41)
[durable=0, timeout=0, dynamic=false], initial-delivery-count=0,
max-message-size=0]
[0x7f5954027d60]:4 -> @detach(22) [handle=0, closed=false, error=@error(29)
[condition=:"qd:routed-link-lost", description="Connectivity to the peer
container was lost"]]
[0x7f5954027d60]:4 <- @detach(22) [handle=0, closed=true]

Username is null, and client certificates are not provided (which is
logical, since there are none yet).

When I add saslMechanisms: PLAIN to the connection{} I see a new error in
the SERVER log module (server.log):
 proton:io:sasl_error SASL(-4): no mechanism available: No worthy mechs
found (Authentication failed [mech=none])

Which is weird, as it seems that PLAIN is offered by the broker (or I am
interpreting things completely wrong).



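Added example (not part of the original post, and not Qpid project code): a small Python parser for PN_TRACE_FRM output like the trace above. It re-joins hard-wrapped frames and reports, per connection, which SASL mechanisms the peer offered, which one was sent in sasl-init, and whether a successful sasl-outcome was followed by a @close error from the peer. The function names and finding labels are made up for this example.

```python
import re

# Sample input: excerpt of the PN_TRACE_FRM output quoted in the post (hard-wrapped as mailed).
TRACE = """\
[0x7f595400bdb0]:0 <- @sasl-mechanisms(64)
[sasl-server-mechanisms=@PN_SYMBOL[:PLAIN, :ANONYMOUS]]
[0x7f595400bdb0]:0 -> @sasl-init(65) [mechanism=:ANONYMOUS,
initial-response=b"anonym...@masterbroker.host.name"]
[0x7f595400bdb0]:0 <- @sasl-outcome(68) [code=0]
[0x7f595400bdb0]:0 <- @close(24) [error=@error(29)
[condition=:"amqp:internal-error", description="Unrecoverable error:
AMQ119031: Unable to validate user from /192.168.0.1:52202. Username: null;
SSL certificate subject DN: unavailable"]]
"""
FRAME = re.compile(r"^\[(0x[0-9a-f]+)\]:\s*\d*\s*(->|<-)\s*(.*)$")

def join_frames(text):  # re-join hard-wrapped frames: [connection, direction, body]
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line)
        if m:
            frames.append(list(m.groups()))
        elif frames and line.strip():
            frames[-1][2] += " " + line.strip()
    return frames

def sasl_summary(text):  # per connection: offered, chosen, outcome code, peer close error
    conns = {}
    for conn, direction, body in join_frames(text):
        c = conns.setdefault(conn, {"offered": [], "chosen": None, "outcome": None, "close_error": None})
        if body.startswith("@sasl-mechanisms"):
            mechs = body.split("sasl-server-mechanisms=", 1)[-1]
            c["offered"] = re.findall(r":([A-Z][A-Z0-9_-]*)", mechs)
        elif body.startswith("@sasl-init"):
            c["chosen"] = re.search(r"mechanism=:([A-Z0-9_-]+)", body).group(1)
        elif body.startswith("@sasl-outcome"):
            c["outcome"] = int(re.search(r"code=(\d+)", body).group(1))
        elif body.startswith("@close") and direction == "<-":
            c["close_error"] = (re.findall(r'description="(.*?)"', body) or [None])[0]
    return conns

def findings(summary):  # the two conditions visible in the post's trace
    out = []
    for conn, c in summary.items():
        if c["chosen"] == "ANONYMOUS" and set(c["offered"]) - {"ANONYMOUS"}:
            out.append((conn, "anonymous-despite-alternatives"))
        if c["outcome"] == 0 and c["close_error"]:
            out.append((conn, "sasl-ok-then-peer-close"))
    return out
```

Calling findings(sasl_summary(TRACE)) on the excerpt returns both labels for connection 0x7f595400bdb0; the same call works on a full captured trace read from a file.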