activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jesse Sightler (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AMQ-5100) PKCS11 (NSS-FIPS) support in A-MQ/ActiveMQ
Date Thu, 13 Mar 2014 19:15:43 GMT
Jesse Sightler created AMQ-5100:
-----------------------------------

             Summary: PKCS11 (NSS-FIPS) support in A-MQ/ActiveMQ
                 Key: AMQ-5100
                 URL: https://issues.apache.org/jira/browse/AMQ-5100
             Project: ActiveMQ
          Issue Type: Bug
          Components: Broker
            Reporter: Jesse Sightler


I have attempted to configure PKCS11/NSS support in ActiveMQ, however, I am receiving the
following exception:

Caused by: java.io.FileNotFoundException: class path resource [NONE] cannot be opened because
it does not exist
        at org.springframework.core.io.ClassPathResource.getInputStream(ClassPathResource.java:157)
        at org.apache.activemq.spring.SpringSslContext.createKeyManagerKeyStore(SpringSslContext.java:119)
        at org.apache.activemq.spring.SpringSslContext.createKeyManagers(SpringSslContext.java:88)
        at org.apache.activemq.spring.SpringSslContext.afterPropertiesSet(SpringSslContext.java:65)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:622)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1581)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1522)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1452)
        ... 40 more

My configured sslContext for the broker looks like this:

        <sslContext>
                <sslContext
                        keyStore="NONE" keyStoreType="PKCS11" keyStorePassword="password"
                        trustStore="/etc/activemqssl/truststore.jks" trustStorePassword="password"
                />
        </sslContext>

AFAIK, setting keyStore to "NONE" is the generally accepted way to do with with PKCS11. The
code should generate a warning at most for this, but instead I receive the above exception
and a failure to load the keystore.

The activemq code looks like this (in org.apache.activemq.spring.SpringSslContext):
    private KeyStore createKeyManagerKeyStore() throws Exception {
        if( keyStore ==null ) {
            return null;
        }

        KeyStore ks = KeyStore.getInstance(keyStoreType);
        InputStream is=Utils.resourceFromString(keyStore).getInputStream();
        try {
            ks.load(is, keyStorePassword==null? null : keyStorePassword.toCharArray());
        } finally {
            is.close();
        }
        return ks;
    }

It looks like this should just be setting "is" to null, generating a warning, and then calling
ks.load with the null inputstream (the nss library will load the nss files based upon the
nss.cfg file).




--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message