activemq-dev mailing list archives

From "Jesse Sightler (JIRA)" <>
Subject [jira] [Created] (AMQ-5100) PKCS11 (NSS-FIPS) support in A-MQ/ActiveMQ
Date Thu, 13 Mar 2014 19:15:43 GMT
Jesse Sightler created AMQ-5100:

             Summary: PKCS11 (NSS-FIPS) support in A-MQ/ActiveMQ
                 Key: AMQ-5100
             Project: ActiveMQ
          Issue Type: Bug
          Components: Broker
            Reporter: Jesse Sightler

I have attempted to configure PKCS11/NSS support in ActiveMQ; however, I am receiving the
following exception:

Caused by: class path resource [NONE] cannot be opened because
it does not exist
        at org.apache.activemq.spring.SpringSslContext.createKeyManagerKeyStore(
        at org.apache.activemq.spring.SpringSslContext.createKeyManagers(
        at org.apache.activemq.spring.SpringSslContext.afterPropertiesSet(
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(
        at java.lang.reflect.Method.invoke(
        ... 40 more

My configured sslContext for the broker looks like this:

                        keyStore="NONE" keyStoreType="PKCS11" keyStorePassword="password"
                        trustStore="/etc/activemqssl/truststore.jks" trustStorePassword="password"

AFAIK, setting keyStore to "NONE" is the generally accepted way to do this with PKCS11. The
code should generate a warning at most for this, but instead I receive the above exception
and a failure to load the keystore.

The activemq code looks like this (in org.apache.activemq.spring.SpringSslContext):

    private KeyStore createKeyManagerKeyStore() throws Exception {
        if (keyStore == null) {
            return null;
        }

        KeyStore ks = KeyStore.getInstance(keyStoreType);
        // keyStore="NONE" is resolved as a resource here, which raises the exception above
        InputStream is = Utils.resourceFromString(keyStore).getInputStream();
        try {
            ks.load(is, keyStorePassword == null ? null : keyStorePassword.toCharArray());
        } finally {
            is.close();
        }
        return ks;
    }

It looks like this should just be setting "is" to null, generating a warning, and then calling
ks.load with the null inputstream (the nss library will load the nss files based upon the
nss.cfg file).

This message was sent by Atlassian JIRA
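
The handling the report proposes, as an added example that is not part of the original message or of the ActiveMQ code base: the location "NONE" maps to a null stream for KeyStore.load, with a warning. The class and method names are hypothetical, a plain file path stands in for the broker's Spring resource lookup, and main uses PKCS12 instead of PKCS11 so it runs without a configured token; a real PKCS11 load assumes the provider (for example via nss.cfg) is already registered with the JVM.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

// Hypothetical helper, not ActiveMQ code.
public class TokenAwareKeyStoreLoader {
    // Conventional location value for stores that have no backing file.
    static final String NO_FILE = "NONE";

    /**
     * Loads a keystore. A location of "NONE" passes a null stream to
     * KeyStore.load(), leaving the provider to locate its own storage.
     * The password array is zeroed before returning.
     */
    static KeyStore load(String type, String location, char[] password)
            throws GeneralSecurityException, IOException {
        if (location == null) {
            return null; // same contract as the method quoted in the report
        }
        KeyStore ks = KeyStore.getInstance(type);
        boolean fileless = NO_FILE.equalsIgnoreCase(location);
        if (fileless) {
            System.err.println("WARN: keyStore=NONE, loading " + type
                    + " entries from the provider instead of a file");
        }
        // A null resource is legal in try-with-resources and is never closed.
        try (InputStream is = fileless ? null : new FileInputStream(location)) {
            ks.load(is, password);
        } finally {
            if (password != null) {
                Arrays.fill(password, '\0'); // do not leave the PIN in memory
            }
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo input: PKCS12 with a null stream yields an empty store,
        // which exercises the "NONE" path without any token attached.
        KeyStore ks = load("PKCS12", "NONE", "password".toCharArray());
        System.out.println(ks.getType() + " loaded, entries: " + ks.size());
    }
}
```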
