On Mon, Apr 16, 2018 at 10:08 AM, mlange <mla...@anwb.nl> wrote:

>
> > That looks a bit as if artemis is trying to authenticate the connection
> > via a client certificate. From the config snippet you supplied it
> > doesn't look like it is using TLS, let alone supplying a client cert.
> > Are you able to get a protocol trace for the interaction between the
> > router and the broker? (A simple way to do this would be to start a
> > router with that connector in with env var PN_TRACE_FRM=1 and capture
> > the output)
>
> It shouldn't do that, trying to authenticate via client certificate (well,
> not yet at least)
> With the same config, but then connecting directly to the broker (a
> javax.jms.Connection(String user, String password); with the same
> credentials) allows me to connect just fine.
>
> The trace gives quite some output; I think the relevant parts are these:
> [0x7f595400bdb0]:  -> SASL
> [0x7f595400bdb0]:  <- SASL
> [0x7f595400bdb0]:0 <- @sasl-mechanisms(64)
> [sasl-server-mechanisms=@PN_SYMBOL[:PLAIN, :ANONYMOUS]]
> [0x7f595400bdb0]:0 -> @sasl-init(65) [mechanism=:ANONYMOUS,
> initial-response=b"anonym...@masterbroker.host.name"]
> [0x7f595400bdb0]:0 <- @sasl-outcome(68) [code=0]
>
> Here it seems as if qpid chooses to use ANONYMOUS to connect with the
> broker
> (which will not work, the broker is configured to require authentication)
> whereas the broker seems to offer PLAIN as well.
>
> A bit later I see the connection:
> [0x7f5954027d60]:4 <- @begin(17) [next-outgoing-id=0,
> incoming-window=2147483647, outgoing-window=2147483647]
> [0x7f5954027d60]:4 <- @attach(18)
> [name="qpid-jms:sender:ID:8b0bc583-315f-4f54-8f17-ecc40379c7
> 7f:1:1:1:testqueues.testqueue",
> handle=0, role=false, snd-settle-mode=2, rcv-settle-mode=0,
> source=@source(40) [address="ID:8b0bc583-315f-4f5
> 4-8f17-ecc40379c77f:1:1:1",
> durable=0, timeout=0, dynamic=false,
> outcomes=@PN_SYMBOL[:"amqp:accepted:list", :"amqp:rejected:list",
> :"amqp:released:list", :"amqp:modified:list"]], target=@target(41)
> [address="testqueues.testqueue", durable=0, timeout=0, dynamic=false,
> capabilities=@PN_SYMBOL[:queue]], initial-delivery-count=0,
> max-message-size=0]
> [0x7f5954027d60]:4 -> @begin(17) [remote-channel=4, next-outgoing-id=0,
> incoming-window=2147483647, outgoing-window=2147483647]
> [0x7f595400bdb0]:0 -> @begin(17) [next-outgoing-id=0,
> incoming-window=2147483647, outgoing-window=2147483647]
> [0x7f595400bdb0]:0 -> @attach(18)
> [name="qpid-jms:sender:ID:8b0bc583-315f-4f54-8f17-ecc40379c7
> 7f:1:1:1:testqueues.testqueue",
> handle=0, role=false, snd-settle-mode=2, rcv-settle-mode=0,
> source=@source(40) [address="ID:8b0bc583-315f-4f5
> 4-8f17-ecc40379c77f:1:1:1",
> durable=0, timeout=0, dynamic=false,
> outcomes=@PN_SYMBOL[:"amqp:accepted:list", :"amqp:rejected:list",
> :"amqp:released:list", :"amqp:modified:list"]], target=@target(41)
> [address="testqueues.testqueue", durable=0, timeout=0, dynamic=false,
> capabilities=@PN_SYMBOL[:queue]], initial-delivery-count=0,
> max-message-size=0]
> [0x7f595400bdb0]:0 <- @close(24) [error=@error(29)
> [condition=:"amqp:internal-error", description="Unrecoverable error:
> AMQ119031: Unable to validate user from /192.168.0.1:52202. Username:
> null;
> SSL certificate subject DN: unavailable"]]
> [0x7f595400bdb0]:  <- EOS
> [0x7f595400bdb0]:0 -> @close(24) []
> [0x7f595400bdb0]:  -> EOS
> [0x7f5954027d60]:4 -> @attach(18)
> [name="qpid-jms:sender:ID:8b0bc583-315f-4f54-8f17-ecc40379c7
> 7f:1:1:1:testqueues.testqueue",
> handle=0, role=true, snd-settle-mode=2, rcv-settle-mode=0,
> source=@source(40) [durable=0, timeout=0, dynamic=false],
> target=@target(41)
> [durable=0, timeout=0, dynamic=false], initial-delivery-count=0,
> max-message-size=0]
> [0x7f5954027d60]:4 -> @detach(22) [handle=0, closed=false, error=@error(29)
> [condition=:"qd:routed-link-lost", description="Connectivity to the peer
> container was lost"]]
> [0x7f5954027d60]:4 <- @detach(22) [handle=0, closed=true]
>
> Username is null, and client certificates are not provided (which is
> logical, since there are none yet).
>
> When I add saslMechanisms: PLAIN to the connection{} I see a new error in
> the SERVER log module (server.log):
>  proton:io:sasl_error SASL(-4): no mechanism available: No worthy mechs
> found (Authentication failed [mech=none])
>
Is it possible that you don't have the relevant cyrus-sasl-plain libraries
installed? Does tests/system_tests_sasl_plain.py pass for you? If you
look at that test, you will notice that one router is trying to connect to
another router using the PLAIN mech.

>
> which is weird, as it seems that PLAIN is offered by the broker. (or I am
> interpreting things completely wrong)
>
>
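The mechanism check done by eye on the PN_TRACE_FRM output in this thread, as an added example that is not part of either poster's message or of the Qpid code base: it reads the frame trace, records which SASL mechanisms the peer offered and which one was sent in sasl-init, and flags a connection that selected ANONYMOUS while a credentialed mechanism was on offer. The function name `audit_sasl` and the sample string are assumptions; the sample is built from the frames quoted above with the e-mail wrapping rejoined and the sasl-init initial-response omitted.

```python
import re

# Constructed sample: frames taken from the trace quoted above, with the
# e-mail line wrapping rejoined so that each frame sits on one line.
SAMPLE_TRACE = """\
[0x7f595400bdb0]:  -> SASL
[0x7f595400bdb0]:  <- SASL
[0x7f595400bdb0]:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=@PN_SYMBOL[:PLAIN, :ANONYMOUS]]
[0x7f595400bdb0]:0 -> @sasl-init(65) [mechanism=:ANONYMOUS]
[0x7f595400bdb0]:0 <- @sasl-outcome(68) [code=0]
[0x7f595400bdb0]:0 <- @close(24) [error=@error(29) [condition=:"amqp:internal-error", description="Unrecoverable error: AMQ119031: Unable to validate user from /192.168.0.1:52202. Username: null; SSL certificate subject DN: unavailable"]]
"""

FRAME = re.compile(r"^\[(0x[0-9a-f]+)\]:\d*\s*(<-|->)\s*@([\w-]+)\(\d+\)\s*(.*)$")
OFFERED = re.compile(r"sasl-server-mechanisms=@PN_SYMBOL\[([^\]]*)\]")
CHOSEN = re.compile(r"\bmechanism=:([\w-]+)")
OUTCOME = re.compile(r"\bcode=(\d+)")
CONDITION = re.compile(r'condition=:"([^"]+)"')


def audit_sasl(trace):
    """Per-connection SASL state and findings; '<-' is received, '->' is sent."""
    conns = {}
    for line in trace.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue  # protocol headers such as "-> SASL" carry no performative
        conn, direction, frame, body = m.groups()
        st = conns.setdefault(conn, {"offered": [], "chosen": None, "outcome": None,
                                     "close_condition": None, "findings": []})
        if frame == "sasl-mechanisms" and direction == "<-":
            hit = OFFERED.search(body)
            if hit:
                st["offered"] = [s.strip().lstrip(":") for s in hit.group(1).split(",")]
        elif frame == "sasl-init" and direction == "->":
            hit = CHOSEN.search(body)
            st["chosen"] = hit.group(1) if hit else None
        elif frame == "sasl-outcome":
            hit = OUTCOME.search(body)
            st["outcome"] = int(hit.group(1)) if hit else None
        elif frame == "close" and direction == "<-":
            hit = CONDITION.search(body)
            st["close_condition"] = hit.group(1) if hit else None
    for st in conns.values():
        stronger = [m for m in st["offered"] if m != "ANONYMOUS"]
        if st["chosen"] == "ANONYMOUS" and stronger:
            st["findings"].append("ANONYMOUS selected although peer offered " + ", ".join(stronger))
        if st["outcome"] == 0 and st["close_condition"]:
            st["findings"].append("SASL outcome ok but peer closed with " + st["close_condition"])
    return conns
```

Run over a full capture, the second finding separates a connection that passed the SASL exchange and was rejected afterwards from one that failed during SASL itself.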
