activemq-users mailing list archives

From Jim Lloyd <jll...@silvertailsystems.com>
Subject Re: Broker to Broker authentication using JAAS fails
Date Fri, 21 May 2010 19:13:47 GMT
James,

I seem to have made a breakthrough. I found that the broker1 & broker2
configuration that you referenced are located
in activemq-parent-5.3.2/activemq-core/src/test/resources/org/apache/activemq/security,
and after I modified my code to be as close as possible to that
configuration, the "Unable to authenticate transport without SSL certificate" error
has gone away.

I'm suspecting it has to do with this line:

            <transportConnector name="ssl" uri="ssl://0.0.0.0:51000?transport.closeAsync=false&amp;wantClientAuth=true&amp;needClientAuth=true"/>

I had not been using transport.closeAsync=false&amp;wantClientAuth=true,
only needClientAuth=true.

Anyway, I am past a major hurdle here and hopefully the remaining pieces
will be easy. :)

Thanks again,
Jim

On Fri, May 21, 2010 at 10:05 AM, Jim Lloyd <jlloyd@silvertailsystems.com> wrote:

> James,
>
> Are you sure this is fixed in 5.3.1? (You said fix in > 5.3.1, not
> >= 5.3.1). As it turns out I was using 5.3.0 for the client side (i.e. a
> 'spoke') for much of this week, but last night I started working on smaller
> test configuration running on one machine, and my script to start the two
> brokers explicitly runs 5.3.1:
>
> /usr/stlocal/apache-activemq-5.3.1/bin/activemq \
>         -Djava.security.auth.login.config=/home/jim/amqexperiment/login.config \
>         xbean:/home/jim/amqexperiment/hub.xml \
>         &> /home/jim/amqexperiment/hub.log &
>
> /usr/stlocal/apache-activemq-5.3.1/bin/activemq \
>         -Djava.security.auth.login.config=/home/jim/amqexperiment/login.config \
>         xbean:/home/jim/amqexperiment/spoke.xml \
>         &> /home/jim/amqexperiment/spoke.log &
>
> I had been using the JaasCertificateAuthenticationPlugin only on the hub
> broker, but I just enabled it on the stub broker too and restarted and I
> still get the same error. Below is the log output from the hub broker. Do
> you have any other ideas of what I should try? Can you share with me your
> entire config files for the two brokers activemq.network.broker1 &
> activemq.network.broker2?
>
> [jim@flash amqexperiment]$ less hub.log
> Java Runtime: Sun Microsystems Inc. 1.6.0_18 /nas/local/jdk1.6.0_18/jre
>   Heap sizes: current=493696k  free=488542k  max=493696k
>     JVM args: -Xmx512M -Dorg.apache.activemq.UseDedicatedTaskRunner=true -Djava.util.logging.config.file=logging.properties -Dcom.sun.management.jmxremote -Dactivemq.classpath=/usr/stlocal/apache-activemq-5.3.1/conf; -Dactivemq.home=/usr/stlocal/apache-activemq-5.3.1 -Dactivemq.base=/usr/stlocal/apache-activemq-5.3.1
> ACTIVEMQ_HOME: /usr/stlocal/apache-activemq-5.3.1
> ACTIVEMQ_BASE: /usr/stlocal/apache-activemq-5.3.1
> Loading message broker from: xbean:/home/jim/amqexperiment/hub.xml
>  INFO | Using Persistence Adapter: MemoryPersistenceAdapter
>  INFO | ActiveMQ 5.3.1 JMS Message Broker (hub) is starting
>  INFO | For help or more information please see:
> http://activemq.apache.org/
>  INFO | Listening for connections at: tcp://flash.silvertailsystems.com:51001
>  INFO | Connector openwire Started
>  INFO | Listening for connections at: ssl://flash.silvertailsystems.com:51000?transport.needClientAuth=true
>  INFO | Connector ssl Started
>  INFO | ActiveMQ JMS Message Broker (hub,
> ID:flash.silvertailsystems.com-50094-1274456418477-0:0) started
>  INFO | Logging to org.slf4j.impl.JCLLoggerAdapter(org.mortbay.log) via
> org.mortbay.log.Slf4jLog
>  INFO | jetty-6.1.9
>  WARN | Failed to add Connection
> java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
>         at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:75)
>         at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
>         at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:676)
>         at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:83)
>         at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
>         at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:300)
>         at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:178)
>         at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
>         at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
>         at org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:216)
>         at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
>         at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:91)
>         at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:204)
>         at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:186)
>         at java.lang.Thread.run(Thread.java:619)
>  WARN | Async error occurred: java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
>
> On Thu, May 20, 2010 at 11:54 PM, James Casey <jamesc.000@gmail.com> wrote:
>
>> Jim,
>>
>> what version of ActiveMQ are you using?  This happened in 5.3
>> (<https://issues.apache.org/activemq/browse/AMQ-2474>) but should be
>> fixed in > 5.3.1.
>>
>> We have this working in production no problem.  I see we express the
>> URL in the NC differently:
>>
>>  <networkConnector
>> uri="static://(ssl://${activemq.network.broker2}:62001)"
>>         name="network-${activemq.network.broker2}"/>
>>
>> but that doesn't seem to be the problem.  We also use simplex
>> connections, with the JaasCertificateAuthenticationPlugin enabled on
>> both brokers.
>>
>> James.
>>
>>
>> On 21 May 2010 06:24, Jim Lloyd <jlloyd@silvertailsystems.com> wrote:
>> > I'm not able to establish a network connection between two brokers via an
>> > SSL transport when I turn on JAAS certificate authentication. I want to do
>> > this with a hub & spoke architecture, where one broker is the hub, and
>> > passively accepts network connections from spokes that use duplex
>> > connections. I have this working without JAAS certificate authentication,
>> > where the relevant configuration looks like this:
>> >
>> >
>> > Broker "hub"
>> >    <broker brokerName="hub" ... >
>> >       <sslContext>
>> >            <sslContext
>> >                keyStore="file:hub.ks"
>> >                keyStorePassword="hubpassword"
>> >                trustStore="file:hub.ts"
>> >                trustStorePassword="hubpassword"
>> >            />
>> >        </sslContext>
>> >        <transportConnectors>
>> >            <transportConnector name="openwire" uri="tcp://localhost:51001" />
>> >            <transportConnector name="ssl" uri="ssl://0.0.0.0:51000?transport.needClientAuth=true" />
>> >        </transportConnectors>
>> >    </broker>
>> >
>> > Broker "spoke"
>> >    <broker brokerName="spoke" ...>
>> >        <sslContext>
>> >            <sslContext
>> >                keyStore="file:spoke.ks"
>> >                keyStorePassword="spokepassword"
>> >                trustStore="file:spoke.ts"
>> >                trustStorePassword="spokepassword"
>> >            />
>> >        </sslContext>
>> >        <networkConnectors>
>> >            <networkConnector
>> >                name="tohub"
>> >                uri="static:(ssl://127.0.0.1:51000)"
>> >                duplex="true"
>> >            />
>> >        </networkConnectors>
>> >        <transportConnectors>
>> >            <transportConnector name="openwire" uri="tcp://localhost:51002" />
>> >        </transportConnectors>
>> >    </broker>
>> >
>> > I now want to enable JAAS authentication, so I add this plugins section to
>> > the hub broker (right before the closing </broker> tag):
>> >        <plugins>
>> >          <jaasCertificateAuthenticationPlugin configuration="CertLogin" />
>> >        </plugins>
>> >
>> > When I do this, I start to get errors like this:
>> >
>> > 2010-05-20 20:32:29,350  WARN | Failed to add Connection
>> > java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
>> >        at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:75)
>> >        at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
>> >        at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:666)
>> >        at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:83)
>> >        at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
>> >        at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:297)
>> >        at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:175)
>> >        at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
>> >        at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
>> >        at org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:210)
>> >        at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
>> >        at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:104)
>> >        at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:203)
>> >        at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:185)
>> >        at java.lang.Thread.run(Thread.java:619)
>> >
>> > I suspected that this might have to do with the duplex connection, but I get
>> > the same error when the networkConnection uses duplex="false".
>> >
>> > Can anyone tell me what I might be doing wrong? FYI I have turned on ssl
>> > debug and seen the SSL handshakes in the log.
>> >
>> > Thanks,
>> > Jim Lloyd
>> >
>>
>
>
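The thread turns on which client-auth option the hub's SSL transport carries, and the error text ("Unable to authenticate transport without SSL certificate") says what the certificate plugin needs: a peer chain handed to it by the transport after the handshake. The script below is an added demonstration, written for this page and not ActiveMQ code or anything posted in the thread. It uses Python's ssl module as a stand-in for JSSE and assumes the usual mapping of needClientAuth=true to CERT_REQUIRED (server demands a client certificate) and wantClientAuth=true to CERT_OPTIONAL (server asks but tolerates none); the "hub"/"spoke" names follow the thread, and the key pairs are throwaway self-signed certificates generated at run time with the openssl CLI, so it needs no keystore files. For each of the three server settings it connects once without and once with a client certificate, and reports whether the handshake completed and whether the server side ended up holding a peer certificate at all.

```python
"""Added demo (not ActiveMQ code): what a TLS listener sees under the three
client-auth settings.  Python's ssl module stands in for JSSE; the assumed
mapping is needClientAuth=true -> CERT_REQUIRED and
wantClientAuth=true -> CERT_OPTIONAL.  "hub"/"spoke" follow the thread and the
certificates are throwaway self-signed ones made with the openssl CLI."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# What the server-side setting means for the handshake (JSSE semantics):
#   (neither)            server never sends a CertificateRequest
#   wantClientAuth=true  server asks, but accepts a client that sends none
#   needClientAuth=true  server asks and fails the handshake without one
MODES = {
    "none": ssl.CERT_NONE,
    "wantClientAuth": ssl.CERT_OPTIONAL,
    "needClientAuth": ssl.CERT_REQUIRED,
}


def make_self_signed(dirpath, name):
    """Generate a throwaway key + self-signed cert for CN=<name> via openssl."""
    key = os.path.join(dirpath, name + ".key")
    crt = os.path.join(dirpath, name + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=" + name, "-keyout", key, "-out", crt],
        check=True, capture_output=True,
    )
    return key, crt


def serve_once(listener, server_ctx, result):
    """Accept one connection; record whether the handshake completed and
    whether a peer certificate was available afterwards.  That second value
    is all a certificate-based authenticator has to work with."""
    result["accepted"] = False
    result["peer_cert"] = False
    try:
        raw, _ = listener.accept()
        raw.settimeout(5)
        with server_ctx.wrap_socket(raw, server_side=True) as tls:
            result["peer_cert"] = tls.getpeercert(binary_form=True) is not None
            tls.sendall(b"ok")
            result["accepted"] = True
    except (ssl.SSLError, OSError):
        pass  # handshake refused (or peer went away): nothing to authenticate


def connect(port, client_ctx):
    """Connect like a spoke; True if the server finished the handshake and answered."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with client_ctx.wrap_socket(raw, server_hostname="hub") as tls:
                return tls.recv(2) == b"ok"
    except (ssl.SSLError, OSError):
        return False


def run_matrix():
    """Return {(server_mode, client_has_cert): (accepted, peer_cert_seen)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        hub_key, hub_crt = make_self_signed(tmp, "hub")
        spoke_key, spoke_crt = make_self_signed(tmp, "spoke")
        for mode_name, verify_mode in MODES.items():
            for client_has_cert in (False, True):
                # Hub side: own identity (hub.ks role) + trust in the spoke cert (hub.ts role).
                server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
                server_ctx.load_cert_chain(hub_crt, hub_key)
                server_ctx.load_verify_locations(cafile=spoke_crt)
                server_ctx.verify_mode = verify_mode
                # Spoke side: trust in the hub cert (spoke.ts role); its own key only when asked.
                client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
                client_ctx.check_hostname = False  # demo pins the hub cert; no name check
                client_ctx.load_verify_locations(cafile=hub_crt)
                if client_has_cert:
                    client_ctx.load_cert_chain(spoke_crt, spoke_key)

                listener = socket.socket()
                listener.bind(("127.0.0.1", 0))
                listener.listen(1)
                listener.settimeout(5)
                seen = {}
                t = threading.Thread(target=serve_once, args=(listener, server_ctx, seen))
                t.start()
                connect(listener.getsockname()[1], client_ctx)
                t.join(10)
                listener.close()
                results[(mode_name, client_has_cert)] = (seen["accepted"], seen["peer_cert"])
    return results


if __name__ == "__main__":
    for (mode, has_cert), (accepted, peer_cert) in run_matrix().items():
        print(f"{mode:15s} client_cert={has_cert!s:5s} accepted={accepted!s:5s} peer_cert_seen={peer_cert}")
```

Only the wantClientAuth and needClientAuth rows can leave the server holding a peer certificate, and even a client that has a key pair loaded sends nothing unless the server asks for it, which is why a certificate plugin behind a listener that never requests client auth has nothing to check. Against a real broker the same question can be asked from the spoke side with `openssl s_client -connect hub:51000 -cert spoke.pem -key spoke.key -CAfile hub-ca.pem`: a listener that requests client authentication prints the "Acceptable client certificate CA names" list it received, while one that does not prints "No client certificate CA names sent".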
