activemq-users mailing list archives

From RVlad <vladislavs.rutkovs...@dati.lv>
Subject Cannot get SSL client-to-broker connection
Date Tue, 28 Nov 2006 16:12:04 GMT

Hi gurus,
Excuse me, I'm new to ActiveMQ...

I have built certificates/keystores as described in
http://www.activemq.org/site/how-do-i-use-ssl.html (how-do-i-use-ssl).

The broker has the following configuration:

-------------------------------------------------
<beans xmlns="http://activemq.org/config/1.0">

  <bean
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
  
  <broker useJmx="true" persistent="true" brokerName="VladBroker">
  
    <transportConnectors>
       <transportConnector name="SSL" uri="ssl://localhost:61613"/>
       <transportConnector name="TCP" uri="tcp://localhost:61616"/>
    </transportConnectors>
    
  </broker>
</beans>
-------------------------------------------------

and starts normally:

---------console----------------------------------------
ACTIVEMQ_HOME: c:\ActiveMQ\bin\..
Loading message broker from: xbean:activemq.xml
INFO  BrokerService                  - ActiveMQ 4.0.2 JMS Message Broker
(VladBroker) is starting
INFO  BrokerService                  - For help or more information please
see:http://incubator.apache.org/activemq/
INFO  ManagementContext              - JMX consoles can connect to
service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
INFO  JDBCPersistenceAdapter         - Database driver recognized:
[apache_derby_embedded_jdbc_driver]
INFO  JournalPersistenceAdapter      - Journal Recovery Started from: Active
Journal: using 5 x 20.0 Megs at: C:\ActiveMQ\activemq-data\journal
INFO  JournalPersistenceAdapter      - Journal Recovered: 0 message(s) in
transactions recovered.
INFO  TransportServerThreadSupport   - Listening for connections at:
ssl://slavar:61613
INFO  TransportConnector             - Connector SSL Started
INFO  TransportServerThreadSupport   - Listening for connections at:
tcp://slavar:61616
INFO  TransportConnector             - Connector TCP Started
INFO  BrokerService                  - ActiveMQ JMS Message Broker
(VladBroker,ID:slavar-1604-1164726172265-1:0) started
-------------------------------------------------

The client program fragment is as follows:

-------------------------------------------------
public class ReceiverClient {

	public static void main(String[] args) {

		final String MESSAGE_BROKER_URL = "ssl://slavar:61613";
		
		final String CLIENT_ID = "vladReceive";
		final String TOPIC = "testtopic2";
		
		// attempt to put system properties
		// needed for SSL connection
		// as described in http://www.activemq.org/site/how-do-i-use-ssl.html
		System.setProperty("javax.net.ssl.keyStore", "C:\\ActiveMQ\\client.ks");
		System.setProperty("javax.net.ssl.keyStorePassword", "password");
		System.setProperty("javax.net.ssl.trustStore", "C:\\ActiveMQ\\client.ts");

		// enabling debug output
		System.setProperty("javax.net.debug", "ssl,handshake,data,trustmanager");

		// starting communications
		JMSManager jm = new  JMSManager(MESSAGE_BROKER_URL, CLIENT_ID);
		new Thread(new Receiver(jm, TOPIC)).start();
		
	}
}
-------------------------------------------------

After starting the client program I got the following console output:

-------------console-------------------------
setting up default SSLSocketFactory
use default SunJSSE impl class:
com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
keyStore is : C:\ActiveMQ\client.ks
keyStore type is : jks
keyStore provider is : 
init keystore
init keymanager of type SunX509
***
found key for : client
chain [0] = [
[
  Version: V1
  Subject: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown,
C=Unknown
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

  Key:  Sun RSA public key, 1024 bits
  modulus:
119125831157180012241622638937390092189160437001853263361203684931436347286138557738177018166153998344463370986916053114448493751892417595464787155221273101941051608309892520802382018408256577151580997906961252558439314550554537620071874869391764812672132384452834035314691770120458734555207178162494413487159
  public exponent: 65537
  Validity: [From: Tue Nov 28 17:02:13 EET 2006,
               To: Mon Feb 26 17:02:13 EET 2007]
  Issuer: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
  SerialNumber: [    456c4f75]

]
  Algorithm: [MD5withRSA]
  Signature:
0000: 3A 90 C6 F1 B8 90 53 77   95 A1 45 CB 18 10 D8 38  :.....Sw..E....8
0010: 3D F1 95 94 E7 A6 4E F7   DC 9C E9 A9 BD 61 BA 4F  =.....N......a.O
0020: 76 D8 5B B4 99 43 49 2F   6B A8 F3 69 B3 87 90 F8  v.[..CI/k..i....
0030: 38 1D 5B 0D E1 B5 44 4B   4A 44 88 60 04 83 04 B2  8.[...DKJD.`....
0040: B0 BB A8 0A 82 C7 1D 51   7A 6E 62 31 E0 8C 7B 74  .......Qznb1...t
0050: AB 69 B5 48 64 90 AD 30   63 10 FE B0 3C EE C5 2F  .i.Hd..0c...<../
0060: 6A 51 D2 A1 A0 56 B4 CD   59 FF E7 22 78 A8 B7 EA  jQ...V..Y.."x...
0070: CF EE EE 14 16 03 F7 7D   EF D6 43 4E B4 F4 13 F8  ..........CN....

]
***
trustStore is: C:\ActiveMQ\client.ts
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
  Subject: CN=Broker, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown,
C=Unknown

Exception in thread "main" java.lang.ExceptionInInitializerError
	at corp.sap.pal.le.amqtest.jms.client.JMSManager.init(JMSManager.java:64)
	at corp.sap.pal.le.amqtest.jms.client.JMSManager.<init>(JMSManager.java:33)
	at
corp.sap.pal.le.amqtest.jms.client.ReceiverClient.main(ReceiverClient.java:37)
Caused by: javax.jms.JMSException: Could not connect to broker URL:
ssl://slavar:61613. Reason: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
	at
org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:33)
	at
org.apache.activemq.ActiveMQConnectionFactory.createActiveMQConnection(ActiveMQConnectionFactory.java:253)
	at
org.apache.activemq.ActiveMQConnectionFactory.createActiveMQConnection(ActiveMQConnectionFactory.java:212)
	at
org.apache.activemq.ActiveMQConnectionFactory.createConnection(ActiveMQConnectionFactory.java:159)
	at corp.sap.pal.le.amqtest.jms.client.JMSManager.init(JMSManager.java:55)
	... 2 more
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown
Source)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown
Source)
	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown
Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown
Source)
	at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
	at
org.apache.activemq.transport.tcp.TcpBufferedInputStream.fill(TcpBufferedInputStream.java:49)
	at
org.apache.activemq.transport.tcp.TcpBufferedInputStream.read(TcpBufferedInputStream.java:56)
	at java.io.DataInputStream.readInt(Unknown Source)
	at
org.apache.activemq.openwire.OpenWireFormat.unmarshal(OpenWireFormat.java:275)
	at
org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:136)
	at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
	at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
	at sun.security.validator.Validator.validate(Unknown Source)
	at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown
Source)
	at
com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown
Source)
	... 14 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown
Source)
	at java.security.cert.CertPathBuilder.build(Unknown Source)
	... 19 more
2006.28.11 17:03:14 org.apache.activemq.ActiveMQConnection onAsyncException
WARNING: Async exception with no exception listener:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown
Source)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown
Source)
	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown
Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown
Source)
	at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
	at
org.apache.activemq.transport.tcp.TcpBufferedInputStream.fill(TcpBufferedInputStream.java:49)
	at
org.apache.activemq.transport.tcp.TcpBufferedInputStream.read(TcpBufferedInputStream.java:56)
	at java.io.DataInputStream.readInt(Unknown Source)
	at
org.apache.activemq.openwire.OpenWireFormat.unmarshal(OpenWireFormat.java:275)
	at
org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:136)
	at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
	at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
	at sun.security.validator.Validator.validate(Unknown Source)
	at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown
Source)
	at
com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown
Source)
	... 14 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown
Source)
	at java.security.cert.CertPathBuilder.build(Unknown Source)
	... 19 more

  Issuer:  CN=Broker, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown,
C=Unknown
  Algorithm: RSA; Serial number: 0x456c4f41
  Valid from Tue Nov 28 17:01:21 EET 2006 until Mon Feb 26 17:01:21 EET 2007

init context
trigger seeding of SecureRandom
done seeding SecureRandom
instantiated an instance of class
com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
main, setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1164725938 bytes = { 104, 30, 199, 2, 187, 204, 113,
255, 60, 143, 243, 121, 36, 222, 8, 25, 236, 63, 217, 191, 87, 45, 125, 196,
9, 218, 218, 6 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
[write] MD5 and SHA1 hashes:  len = 73
0000: 01 00 00 45 03 01 45 6C   4F B2 68 1E C7 02 BB CC  ...E..ElO.h.....
0010: 71 FF 3C 8F F3 79 24 DE   08 19 EC 3F D9 BF 57 2D  q.<..y$....?..W-
0020: 7D C4 09 DA DA 06 00 00   1E 00 04 00 05 00 2F 00  ............../.
0030: 33 00 32 00 0A 00 16 00   13 00 09 00 15 00 12 00  3.2.............
0040: 03 00 08 00 14 00 11 01   00                       .........
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, WRITE: TLSv1 Handshake,
length = 73
[write] MD5 and SHA1 hashes:  len = 98
0000: 01 03 01 00 39 00 00 00   20 00 00 04 01 00 80 00  ....9... .......
0010: 00 05 00 00 2F 00 00 33   00 00 32 00 00 0A 07 00  ..../..3..2.....
0020: C0 00 00 16 00 00 13 00   00 09 06 00 40 00 00 15  ............@...
0030: 00 00 12 00 00 03 02 00   80 00 00 08 00 00 14 00  ................
0040: 00 11 45 6C 4F B2 68 1E   C7 02 BB CC 71 FF 3C 8F  ..ElO.h.....q.<.
0050: F3 79 24 DE 08 19 EC 3F   D9 BF 57 2D 7D C4 09 DA  .y$....?..W-....
0060: DA 06                                              ..
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, WRITE: SSLv2 client
hello message, length = 98
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, READ: TLSv1 Handshake,
length = 676
*** ServerHello, TLSv1
RandomCookie:  GMT: 1164725938 bytes = { 248, 74, 66, 253, 93, 220, 60, 202,
202, 112, 29, 64, 177, 73, 33, 56, 64, 236, 105, 28, 166, 42, 153, 58, 158,
136, 142, 3 }
Session ID:  {69, 108, 79, 178, 39, 232, 39, 146, 139, 217, 183, 46, 34,
162, 86, 158, 115, 6, 202, 100, 101, 39, 38, 68, 143, 237, 247, 245, 189,
242, 138, 240}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
[read] MD5 and SHA1 hashes:  len = 74
0000: 02 00 00 46 03 01 45 6C   4F B2 F8 4A 42 FD 5D DC  ...F..ElO..JB.].
0010: 3C CA CA 70 1D 40 B1 49   21 38 40 EC 69 1C A6 2A  <..p.@.I!8@.i..*
0020: 99 3A 9E 88 8E 03 20 45   6C 4F B2 27 E8 27 92 8B  .:.... ElO.'.'..
0030: D9 B7 2E 22 A2 56 9E 73   06 CA 64 65 27 26 44 8F  ...".V.s..de'&D.
0040: ED F7 F5 BD F2 8A F0 00   04 00                    ..........
*** Certificate chain
chain [0] = [
[
  Version: V1
  Subject: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown,
C=Unknown
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

  Key:  Sun RSA public key, 1024 bits
  modulus:
119125831157180012241622638937390092189160437001853263361203684931436347286138557738177018166153998344463370986916053114448493751892417595464787155221273101941051608309892520802382018408256577151580997906961252558439314550554537620071874869391764812672132384452834035314691770120458734555207178162494413487159
  public exponent: 65537
  Validity: [From: Tue Nov 28 17:02:13 EET 2006,
               To: Mon Feb 26 17:02:13 EET 2007]
  Issuer: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
  SerialNumber: [    456c4f75]

]
  Algorithm: [MD5withRSA]
  Signature:
0000: 3A 90 C6 F1 B8 90 53 77   95 A1 45 CB 18 10 D8 38  :.....Sw..E....8
0010: 3D F1 95 94 E7 A6 4E F7   DC 9C E9 A9 BD 61 BA 4F  =.....N......a.O
0020: 76 D8 5B B4 99 43 49 2F   6B A8 F3 69 B3 87 90 F8  v.[..CI/k..i....
0030: 38 1D 5B 0D E1 B5 44 4B   4A 44 88 60 04 83 04 B2  8.[...DKJD.`....
0040: B0 BB A8 0A 82 C7 1D 51   7A 6E 62 31 E0 8C 7B 74  .......Qznb1...t
0050: AB 69 B5 48 64 90 AD 30   63 10 FE B0 3C EE C5 2F  .i.Hd..0c...<../
0060: 6A 51 D2 A1 A0 56 B4 CD   59 FF E7 22 78 A8 B7 EA  jQ...V..Y.."x...
0070: CF EE EE 14 16 03 F7 7D   EF D6 43 4E B4 F4 13 F8  ..........CN....

]
***
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, SEND TLSv1 ALERT: 
fatal, description = certificate_unknown
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, WRITE: TLSv1 Alert,
length = 2
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, called closeSocket()
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, handling exception:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, called close()
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, called
closeInternal(true)
main, handling exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
------------------------------------------------

It seems that the program can see the keyStore and trustStore...
What am I doing wrong?

PS
And what do I need to do to establish an SSL connection between two brokers?


Thanks in advance.
And excuse my poor English.

Vlad
-- 
View this message in context: http://www.nabble.com/Cannot-get-SSL-client-to-broker-connection-tf2719214.html#a7581989
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
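
One way to triage a `javax.net.debug` trace like the one in the message above, as an added example that is not part of the original post: extract the trust store entries, the client's own key entry and the certificate received after ServerHello, then compare subject and serial number. The embedded trace is a constructed excerpt that keeps the subjects and serial numbers shown in the post; the function names are hypothetical.

```python
import re

# Constructed excerpt: only the certificate lines of a javax.net.debug trace,
# keeping the subjects and serial numbers shown in the post above.
SAMPLE_TRACE = """\
found key for : client
chain [0] = [
  Subject: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown,
C=Unknown
  SerialNumber: [    456c4f75]
adding as trusted cert:
  Subject: CN=Broker, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown,
C=Unknown
  Algorithm: RSA; Serial number: 0x456c4f41
*** ServerHello, TLSv1
*** Certificate chain
chain [0] = [
  Subject: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown,
C=Unknown
  SerialNumber: [    456c4f75]
"""

# CERT: a key entry or received chain element; TRUSTED: a trust store entry.
CERT = re.compile(
    r"Subject: (?P<subj>[^\n]+)\n.*?SerialNumber: \[\s*(?P<serial>[0-9a-fA-F]+)\]", re.S)
TRUSTED = re.compile(
    r"adding as trusted cert:\s*Subject: (?P<subj>[^\n]+)"
    r".*?Serial number: 0x(?P<serial>[0-9a-fA-F]+)", re.S)

def unwrap(trace):
    """Rejoin distinguished names that were wrapped after a comma."""
    return re.sub(r",\n(?=\S)", ", ", trace)

def cert_after(trace, marker):
    """Return (subject, serial) of the first certificate printed after marker."""
    pos = trace.find(marker)
    m = CERT.search(trace, pos) if pos >= 0 else None
    return (m["subj"].strip(), m["serial"].lower()) if m else None

def diagnose(trace):
    """Compare the server's leaf certificate with the trust store and own key."""
    trace = unwrap(trace)
    trusted = {(m["subj"].strip(), m["serial"].lower()) for m in TRUSTED.finditer(trace)}
    own = cert_after(trace, "found key for")
    hello = trace.find("ServerHello")
    server = cert_after(trace[hello:], "*** Certificate chain") if hello >= 0 else None
    return {"trusted": sorted(trusted), "server": server,
            "server_is_trusted": server in trusted,
            "server_is_own_client_cert": server is not None and server == own}

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```

In the posted trace, the chain received after ServerHello carries Subject CN=Client with serial 456c4f75, identical to the client's own key entry, while the only trusted certificate is CN=Broker (serial 0x456c4f41); that mismatch is what the PKIX path building error reports.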

