activemq-users mailing list archives

From Adrian Co <...@exist.com>
Subject Re: Cannot get SSL client-to-broker connection
Date Tue, 28 Nov 2006 16:18:14 GMT
Did you do the export ACTIVEMQ_OPTS thingy?

I wonder if the version you're using does not support this yet. Try 
manually adding the properties inside the activemq startup script (e.g. 
activemq.bat).

RVlad wrote:
> Hi guru,
> Excuse me, I'm new to ActiveMQ...
>
> I have built certificates/keystores as described in 
> http://www.activemq.org/site/how-do-i-use-ssl.html .
>
> The broker has the following configuration:
>
> -------------------------------------------------
> <beans xmlns="http://activemq.org/config/1.0">
>
>   <bean
> class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
>   
>   <broker useJmx="true" persistent="true" brokerName="VladBroker">
>   
>     <transportConnectors>
>        <transportConnector name="SSL" uri="ssl://localhost:61613"/>
>        <transportConnector name="TCP" uri="tcp://localhost:61616"/>
>     </transportConnectors>
>     
>   </broker>
> </beans>
> -------------------------------------------------
>
> and starts normally:
>
> ---------console----------------------------------------
> ACTIVEMQ_HOME: c:\ActiveMQ\bin\..
> Loading message broker from: xbean:activemq.xml
> INFO  BrokerService                  - ActiveMQ 4.0.2 JMS Message Broker
> (VladBroker) is starting
> INFO  BrokerService                  - For help or more information please
> see:http://incubator.apache.org/activemq/
> INFO  ManagementContext              - JMX consoles can connect to
> service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
> INFO  JDBCPersistenceAdapter         - Database driver recognized:
> [apache_derby_embedded_jdbc_driver]
> INFO  JournalPersistenceAdapter      - Journal Recovery Started from: Active
> Journal: using 5 x 20.0 Megs at: C:\ActiveMQ\activemq-data\journal
> INFO  JournalPersistenceAdapter      - Journal Recovered: 0 message(s) in
> transactions recovered.
> INFO  TransportServerThreadSupport   - Listening for connections at:
> ssl://slavar:61613
> INFO  TransportConnector             - Connector SSL Started
> INFO  TransportServerThreadSupport   - Listening for connections at:
> tcp://slavar:61616
> INFO  TransportConnector             - Connector TCP Started
> INFO  BrokerService                  - ActiveMQ JMS Message Broker
> (VladBroker,ID:slavar-1604-1164726172265-1:0) started
> -------------------------------------------------
>
> The client program fragment is as follows:
>
> -------------------------------------------------
> public class ReceiverClient {
>
> 	public static void main(String[] args) {
>
> 		final String MESSAGE_BROKER_URL = "ssl://slavar:61613";
> 		
> 		final String CLIENT_ID = "vladReceive";
> 		final String TOPIC = "testtopic2";
> 		
> 		// attempt to put system properties
> 		// needed for SSL connection
> 		// as described in http://www.activemq.org/site/how-do-i-use-ssl.html
> 		System.setProperty("javax.net.ssl.keyStore", "C:\\ActiveMQ\\client.ks");
> 		System.setProperty("javax.net.ssl.keyStorePassword", "password");
> 		System.setProperty("javax.net.ssl.trustStore", "C:\\ActiveMQ\\client.ts");
>
> 		// enabling debug output
> 		System.setProperty("javax.net.debug", "ssl,handshake,data,trustmanager");
>
> 		// starting communications
> 		JMSManager jm = new  JMSManager(MESSAGE_BROKER_URL, CLIENT_ID);
> 		new Thread(new Receiver(jm, TOPIC)).start();
> 		
> 	}
> }
> -------------------------------------------------
>
> After starting the client program I got the following console output:
>
> -------------console-------------------------
> setting up default SSLSocketFactory
> use default SunJSSE impl class:
> com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
> class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
> keyStore is : C:\ActiveMQ\client.ks
> keyStore type is : jks
> keyStore provider is : 
> init keystore
> init keymanager of type SunX509
> ***
> found key for : client
> chain [0] = [
> [
>   Version: V1
>   Subject: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown,
> C=Unknown
>   Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
>
>   Key:  Sun RSA public key, 1024 bits
>   modulus:
> 119125831157180012241622638937390092189160437001853263361203684931436347286138557738177018166153998344463370986916053114448493751892417595464787155221273101941051608309892520802382018408256577151580997906961252558439314550554537620071874869391764812672132384452834035314691770120458734555207178162494413487159
>   public exponent: 65537
>   Validity: [From: Tue Nov 28 17:02:13 EET 2006,
>                To: Mon Feb 26 17:02:13 EET 2007]
>   Issuer: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
>   SerialNumber: [    456c4f75]
>
> ]
>   Algorithm: [MD5withRSA]
>   Signature:
> 0000: 3A 90 C6 F1 B8 90 53 77   95 A1 45 CB 18 10 D8 38  :.....Sw..E....8
> 0010: 3D F1 95 94 E7 A6 4E F7   DC 9C E9 A9 BD 61 BA 4F  =.....N......a.O
> 0020: 76 D8 5B B4 99 43 49 2F   6B A8 F3 69 B3 87 90 F8  v.[..CI/k..i....
> 0030: 38 1D 5B 0D E1 B5 44 4B   4A 44 88 60 04 83 04 B2  8.[...DKJD.`....
> 0040: B0 BB A8 0A 82 C7 1D 51   7A 6E 62 31 E0 8C 7B 74  .......Qznb1...t
> 0050: AB 69 B5 48 64 90 AD 30   63 10 FE B0 3C EE C5 2F  .i.Hd..0c...<../
> 0060: 6A 51 D2 A1 A0 56 B4 CD   59 FF E7 22 78 A8 B7 EA  jQ...V..Y.."x...
> 0070: CF EE EE 14 16 03 F7 7D   EF D6 43 4E B4 F4 13 F8  ..........CN....
>
> ]
> ***
> trustStore is: C:\ActiveMQ\client.ts
> trustStore type is : jks
> trustStore provider is : 
> init truststore
> adding as trusted cert:
>   Subject: CN=Broker, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown,
> C=Unknown
>
> Exception in thread "main" java.lang.ExceptionInInitializerError
> 	at corp.sap.pal.le.amqtest.jms.client.JMSManager.init(JMSManager.java:64)
> 	at corp.sap.pal.le.amqtest.jms.client.JMSManager.<init>(JMSManager.java:33)
> 	at
> corp.sap.pal.le.amqtest.jms.client.ReceiverClient.main(ReceiverClient.java:37)
> Caused by: javax.jms.JMSException: Could not connect to broker URL:
> ssl://slavar:61613. Reason: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> 	at
> org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:33)
> 	at
> org.apache.activemq.ActiveMQConnectionFactory.createActiveMQConnection(ActiveMQConnectionFactory.java:253)
> 	at
> org.apache.activemq.ActiveMQConnectionFactory.createActiveMQConnection(ActiveMQConnectionFactory.java:212)
> 	at
> org.apache.activemq.ActiveMQConnectionFactory.createConnection(ActiveMQConnectionFactory.java:159)
> 	at corp.sap.pal.le.amqtest.jms.client.JMSManager.init(JMSManager.java:55)
> 	... 2 more
> Caused by: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> 	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
> 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
> 	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
> 	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
> 	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown
> Source)
> 	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown
> Source)
> 	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
> 	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
> 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
> 	at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown
> Source)
> 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown
> Source)
> 	at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
> 	at
> org.apache.activemq.transport.tcp.TcpBufferedInputStream.fill(TcpBufferedInputStream.java:49)
> 	at
> org.apache.activemq.transport.tcp.TcpBufferedInputStream.read(TcpBufferedInputStream.java:56)
> 	at java.io.DataInputStream.readInt(Unknown Source)
> 	at
> org.apache.activemq.openwire.OpenWireFormat.unmarshal(OpenWireFormat.java:275)
> 	at
> org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:136)
> 	at java.lang.Thread.run(Unknown Source)
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
> 	at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
> 	at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
> 	at sun.security.validator.Validator.validate(Unknown Source)
> 	at
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown
> Source)
> 	at
> com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown
> Source)
> 	... 14 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> 	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown
> Source)
> 	at java.security.cert.CertPathBuilder.build(Unknown Source)
> 	... 19 more
> 2006.28.11 17:03:14 org.apache.activemq.ActiveMQConnection onAsyncException
> WARNING: Async exception with no exception listener:
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> 	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
> 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
> 	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
> 	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
> 	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown
> Source)
> 	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown
> Source)
> 	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
> 	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
> 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
> 	at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown
> Source)
> 	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown
> Source)
> 	at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
> 	at
> org.apache.activemq.transport.tcp.TcpBufferedInputStream.fill(TcpBufferedInputStream.java:49)
> 	at
> org.apache.activemq.transport.tcp.TcpBufferedInputStream.read(TcpBufferedInputStream.java:56)
> 	at java.io.DataInputStream.readInt(Unknown Source)
> 	at
> org.apache.activemq.openwire.OpenWireFormat.unmarshal(OpenWireFormat.java:275)
> 	at
> org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:136)
> 	at java.lang.Thread.run(Unknown Source)
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
> 	at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
> 	at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
> 	at sun.security.validator.Validator.validate(Unknown Source)
> 	at
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown
> Source)
> 	at
> com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown
> Source)
> 	... 14 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> 	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown
> Source)
> 	at java.security.cert.CertPathBuilder.build(Unknown Source)
> 	... 19 more
>
>   Issuer:  CN=Broker, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown,
> C=Unknown
>   Algorithm: RSA; Serial number: 0x456c4f41
>   Valid from Tue Nov 28 17:01:21 EET 2006 until Mon Feb 26 17:01:21 EET 2007
>
> init context
> trigger seeding of SecureRandom
> done seeding SecureRandom
> instantiated an instance of class
> com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
> main, setSoTimeout(0) called
> %% No cached client session
> *** ClientHello, TLSv1
> RandomCookie:  GMT: 1164725938 bytes = { 104, 30, 199, 2, 187, 204, 113,
> 255, 60, 143, 243, 121, 36, 222, 8, 25, 236, 63, 217, 191, 87, 45, 125, 196,
> 9, 218, 218, 6 }
> Session ID:  {}
> Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
> SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
> SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
> SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
> Compression Methods:  { 0 }
> ***
> [write] MD5 and SHA1 hashes:  len = 73
> 0000: 01 00 00 45 03 01 45 6C   4F B2 68 1E C7 02 BB CC  ...E..ElO.h.....
> 0010: 71 FF 3C 8F F3 79 24 DE   08 19 EC 3F D9 BF 57 2D  q.<..y$....?..W-
> 0020: 7D C4 09 DA DA 06 00 00   1E 00 04 00 05 00 2F 00  ............../.
> 0030: 33 00 32 00 0A 00 16 00   13 00 09 00 15 00 12 00  3.2.............
> 0040: 03 00 08 00 14 00 11 01   00                       .........
> ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, WRITE: TLSv1 Handshake,
> length = 73
> [write] MD5 and SHA1 hashes:  len = 98
> 0000: 01 03 01 00 39 00 00 00   20 00 00 04 01 00 80 00  ....9... .......
> 0010: 00 05 00 00 2F 00 00 33   00 00 32 00 00 0A 07 00  ..../..3..2.....
> 0020: C0 00 00 16 00 00 13 00   00 09 06 00 40 00 00 15  ............@...
> 0030: 00 00 12 00 00 03 02 00   80 00 00 08 00 00 14 00  ................
> 0040: 00 11 45 6C 4F B2 68 1E   C7 02 BB CC 71 FF 3C 8F  ..ElO.h.....q.<.
> 0050: F3 79 24 DE 08 19 EC 3F   D9 BF 57 2D 7D C4 09 DA  .y$....?..W-....
> 0060: DA 06                                              ..
> ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, WRITE: SSLv2 client
> hello message, length = 98
> ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, READ: TLSv1 Handshake,
> length = 676
> *** ServerHello, TLSv1
> RandomCookie:  GMT: 1164725938 bytes = { 248, 74, 66, 253, 93, 220, 60, 202,
> 202, 112, 29, 64, 177, 73, 33, 56, 64, 236, 105, 28, 166, 42, 153, 58, 158,
> 136, 142, 3 }
> Session ID:  {69, 108, 79, 178, 39, 232, 39, 146, 139, 217, 183, 46, 34,
> 162, 86, 158, 115, 6, 202, 100, 101, 39, 38, 68, 143, 237, 247, 245, 189,
> 242, 138, 240}
> Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
> Compression Method: 0
> ***
> %% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
> ** SSL_RSA_WITH_RC4_128_MD5
> [read] MD5 and SHA1 hashes:  len = 74
> 0000: 02 00 00 46 03 01 45 6C   4F B2 F8 4A 42 FD 5D DC  ...F..ElO..JB.].
> 0010: 3C CA CA 70 1D 40 B1 49   21 38 40 EC 69 1C A6 2A  <..p.@.I!8@.i..*
> 0020: 99 3A 9E 88 8E 03 20 45   6C 4F B2 27 E8 27 92 8B  .:.... ElO.'.'..
> 0030: D9 B7 2E 22 A2 56 9E 73   06 CA 64 65 27 26 44 8F  ...".V.s..de'&D.
> 0040: ED F7 F5 BD F2 8A F0 00   04 00                    ..........
> *** Certificate chain
> chain [0] = [
> [
>   Version: V1
>   Subject: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown,
> C=Unknown
>   Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
>
>   Key:  Sun RSA public key, 1024 bits
>   modulus:
> 119125831157180012241622638937390092189160437001853263361203684931436347286138557738177018166153998344463370986916053114448493751892417595464787155221273101941051608309892520802382018408256577151580997906961252558439314550554537620071874869391764812672132384452834035314691770120458734555207178162494413487159
>   public exponent: 65537
>   Validity: [From: Tue Nov 28 17:02:13 EET 2006,
>                To: Mon Feb 26 17:02:13 EET 2007]
>   Issuer: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
>   SerialNumber: [    456c4f75]
>
> ]
>   Algorithm: [MD5withRSA]
>   Signature:
> 0000: 3A 90 C6 F1 B8 90 53 77   95 A1 45 CB 18 10 D8 38  :.....Sw..E....8
> 0010: 3D F1 95 94 E7 A6 4E F7   DC 9C E9 A9 BD 61 BA 4F  =.....N......a.O
> 0020: 76 D8 5B B4 99 43 49 2F   6B A8 F3 69 B3 87 90 F8  v.[..CI/k..i....
> 0030: 38 1D 5B 0D E1 B5 44 4B   4A 44 88 60 04 83 04 B2  8.[...DKJD.`....
> 0040: B0 BB A8 0A 82 C7 1D 51   7A 6E 62 31 E0 8C 7B 74  .......Qznb1...t
> 0050: AB 69 B5 48 64 90 AD 30   63 10 FE B0 3C EE C5 2F  .i.Hd..0c...<../
> 0060: 6A 51 D2 A1 A0 56 B4 CD   59 FF E7 22 78 A8 B7 EA  jQ...V..Y.."x...
> 0070: CF EE EE 14 16 03 F7 7D   EF D6 43 4E B4 F4 13 F8  ..........CN....
>
> ]
> ***
> ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, SEND TLSv1 ALERT: 
> fatal, description = certificate_unknown
> ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, WRITE: TLSv1 Alert,
> length = 2
> ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, called closeSocket()
> ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, handling exception:
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, called close()
> ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, called
> closeInternal(true)
> main, handling exception: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> ------------------------------------------------
>
> It seems that the program can see the keyStore and trustStore...
> What am I doing improperly?
>
> PS
> And what should I do to establish an SSL connection between two brokers? 
>
>
> Thanks in advance.
> And excuse my poor English.
>
> Vlad
>   
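The debug trace in the quoted message already contains the clue: the chain the broker sends after ServerHello (the "*** Certificate chain" block) has Subject CN=Client, while client.ts holds only the CN=Broker certificate, so the PKIX builder cannot find a path from the presented certificate to any trust anchor. The program below is an added diagnostic example, not code from this thread or from ActiveMQ. It opens a TLS connection with the standard JSSE trust manager still enforcing validation, records the chain the server presented when validation fails, and prints it next to the truststore's trusted certificates so a keystore/truststore mismatch is visible without ever disabling validation. The class name SslTrustDiagnostic and the host/port/truststore command-line arguments are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Diagnoses "PKIX path building failed" against a broker (hypothetical class,
 * added example). The JSSE trust manager still decides; this wrapper only
 * records the server chain so it can be compared with the truststore contents.
 */
public class SslTrustDiagnostic {

    /** Delegates every decision to the real trust manager; records the chain on failure. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] lastServerChain;
        CertificateException lastFailure;

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            lastServerChain = chain;
            try {
                delegate.checkServerTrusted(chain, authType);
            } catch (CertificateException e) {
                lastFailure = e;
                throw e; // keep rejecting: this is a diagnostic, not a bypass
            }
        }

        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** Loads a JKS store; a null password reads it without the integrity check. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    static RecordingTrustManager recordingManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return new RecordingTrustManager((X509TrustManager) tm);
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: host port truststore (defaults mirror the thread's broker)
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 61613;
        String trustStorePath = args.length > 2 ? args[2] : "client.ts";

        RecordingTrustManager rtm = recordingManagerFor(load(trustStorePath, null));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { rtm }, null);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.startHandshake();
            System.out.println("Handshake OK: server chain is trusted by " + trustStorePath);
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed: " + e.getMessage());
        }

        // Side-by-side view: what the server presented vs. what the truststore trusts.
        if (rtm.lastServerChain != null) {
            System.out.println("Server presented:");
            for (X509Certificate c : rtm.lastServerChain) {
                System.out.println("  subject=" + c.getSubjectX500Principal()
                        + " issuer=" + c.getIssuerX500Principal()
                        + " serial=0x" + c.getSerialNumber().toString(16));
            }
        }
        System.out.println("Truststore " + trustStorePath + " trusts:");
        for (X509Certificate c : rtm.getAcceptedIssuers()) {
            System.out.println("  subject=" + c.getSubjectX500Principal()
                    + " serial=0x" + c.getSerialNumber().toString(16));
        }
    }
}
```

Run it as `java SslTrustDiagnostic slavar 61613 C:\ActiveMQ\client.ts`. When the handshake fails, the two lists show directly whether the subject and serial the broker presented appear in the truststore; in the situation quoted above they would show CN=Client (serial 0x456c4f75) against a truststore that only holds CN=Broker, which points at the broker side being started with the wrong keystore (the ACTIVEMQ_OPTS properties) rather than at the client's truststore. The wrapper rethrows every validation failure, so it cannot be mistaken for a trust-all manager.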

