Hi Keith,

Thanks a lot for your response.

I restarted my configuration from scratch to be sure, and did it like this:
1. create an AutoGeneratedSelfSigned keystore
2. create 2 new ports, AMQPS (port 5671) and HTTPS (port 8089, because my HTTP
port is 8090 and I would like to keep the same thing as the AMQP port)

After restarting my broker, httpManagement access via the HTTPS URL works fine
(except for the normal warning when accessed from Chrome due to the self-signed
certificate).
But now the HTTP access gives me an HTTP 417!
However, the HTTP port is always defined... I don't understand why!?

And when I try to use the REST API via HTTPS, I got an exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
        at com.mashape.unirest.http.HttpClientHelper.request(HttpClientHelper.java:138)
        ... 27 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
        at sun.security.validator.Validator.validate(Validator.java:262)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
        ... 48 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
        ... 54 more

I would just like to know whether this is normal (due to the self-signed
certificate, for example) or whether I must add some configuration to my httpclient?

Thanks a lot in advance,
Best regards,

Cyril




-----Original Message-----
From: Keith W <[email protected]>
Sent: Thursday, 28 March 2019 10:19
To: [email protected]
Subject: Re: [Broker-J] How to configure HTTPS

Cyril

What exactly are you seeing?  Are you seeing error messages when you try and 
connect a browser?

To set up TLS for the Broker, you create a keystore containing your key
material, then assign this to the port(s) you desire. You need to cause
the Broker to restart after changing an existing port. This can be done
through the console or you can bounce the whole process. You don’t need a
trust store on the Broker unless you want to use client certs. The
Broker reports the ports it listens to and the transports assigned as it comes
up. Check the qpid.log.

The broker’s documentation covers the concepts (see the sections on ports and 
key stores), but unfortunately does provide a step by step recipe.

Hope this helps

Keith.



On Wed, 27 Mar 2019 at 17:27, Cyril Micoud <[email protected]> wrote:

> Hi all,
>
> I would like to enable HTTPS on my broker, but I don’t know how!?
>
> I have added a new dedicated port, authentication provider, key store and
> trust store but without any success!
>
> Can one of you help me or give me the best way to configure my
> Broker-J 7.1.1?
>
> Thank you in advance,
>
> Best regards,
>
> Cyril
>
