activemq-users mailing list archives

From James Casey <jamesc....@gmail.com>
Subject Re: Broker to Broker authentication using JAAS fails
Date Mon, 24 May 2010 20:12:26 GMT
Jim, Good to hear it's working.  The closeAsync=false won't be
necessary to get the SSL bit working, but helps with socket use if
you've got lots of clients connecting for a short time.

James.

On 21 May 2010 21:13, Jim Lloyd <jlloyd@silvertailsystems.com> wrote:
> James,
>
> I seem to have made a breakthrough. I found that the broker1 & broker2
> configuration that you referenced are located
> in activemq-parent-5.3.2/activemq-core/src/test/resources/org/apache/activemq/security,
> and after I modified my code to be as close as possible to that
> configuration, the Unable to authenticate transport without SSL
> certificate error
> has gone away.
>
> I'm suspecting it has to do with this line:
>
>            <transportConnector name="ssl" uri="ssl://0.0.0.0:51000?transport.closeAsync=false&amp;wantClientAuth=true&amp;needClientAuth=true"/>
>
> I had not been using transport.closeAsync=false&amp;wantClientAuth=true,
> only needClientAuth=true.
>
> Anyway, I am past a major hurdle here and hopefully the remaining pieces
> will be easy. :)
>
> Thanks again,
> Jim
>
> On Fri, May 21, 2010 at 10:05 AM, Jim Lloyd <jlloyd@silvertailsystems.com> wrote:
>
>> James,
>>
>> Are you sure this is fixed in 5.3.1? (You said fix in > 5.3.1, not
>> >= 5.3.1). As it turns out I was using 5.3.0 for the client side (i.e. a
>> 'spoke') for much of this week, but last night I started working on smaller
>> test configuration running on one machine, and my script to start the two
>> brokers explicitly runs 5.3.1:
>>
>> /usr/stlocal/apache-activemq-5.3.1/bin/activemq \
>>
>>  -Djava.security.auth.login.config=/home/jim/amqexperiment/login.config \
>>         xbean:/home/jim/amqexperiment/hub.xml \
>>         &> /home/jim/amqexperiment/hub.log &
>>
>> /usr/stlocal/apache-activemq-5.3.1/bin/activemq \
>>
>>  -Djava.security.auth.login.config=/home/jim/amqexperiment/login.config \
>>         xbean:/home/jim/amqexperiment/spoke.xml \
>>         &> /home/jim/amqexperiment/spoke.log &
>>
>> I had been using the JaasCertificateAuthenticationPlugin only on the hub
>> broker, but I just enabled it on the stub broker too and restarted and I
>> still get the same error. Below is the log output from the hub broker. Do
>> you have any other ideas of what I should try? Can you share with me your
>> entire config files for the two brokers activemq.network.broker1 &
>> activemq.network.broker2?
>>
>> [jim@flash amqexperiment]$ less hub.log
>> Java Runtime: Sun Microsystems Inc. 1.6.0_18 /nas/local/jdk1.6.0_18/jre
>>   Heap sizes: current=493696k  free=488542k  max=493696k
>>     JVM args: -Xmx512M -Dorg.apache.activemq.UseDedicatedTaskRunner=true -Djava.util.logging.config.file=logging.properties -Dcom.sun.management.jmxremote -Dactivemq.classpath=/usr/stlocal/apache-activemq-5.3.1/conf; -Dactivemq.home=/usr/stlocal/apache-activemq-5.3.1 -Dactivemq.base=/usr/stlocal/apache-activemq-5.3.1
>> ACTIVEMQ_HOME: /usr/stlocal/apache-activemq-5.3.1
>> ACTIVEMQ_BASE: /usr/stlocal/apache-activemq-5.3.1
>> Loading message broker from: xbean:/home/jim/amqexperiment/hub.xml
>>  INFO | Using Persistence Adapter: MemoryPersistenceAdapter
>>  INFO | ActiveMQ 5.3.1 JMS Message Broker (hub) is starting
>>  INFO | For help or more information please see: http://activemq.apache.org/
>>  INFO | Listening for connections at: tcp://flash.silvertailsystems.com:51001
>>  INFO | Connector openwire Started
>>  INFO | Listening for connections at: ssl://flash.silvertailsystems.com:51000?transport.needClientAuth=true
>>  INFO | Connector ssl Started
>>  INFO | ActiveMQ JMS Message Broker (hub, ID:flash.silvertailsystems.com-50094-1274456418477-0:0) started
>>  INFO | Logging to org.slf4j.impl.JCLLoggerAdapter(org.mortbay.log) via org.mortbay.log.Slf4jLog
>>  INFO | jetty-6.1.9
>>  WARN | Failed to add Connection
>> java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
>>         at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:75)
>>         at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
>>         at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:676)
>>         at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:83)
>>         at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
>>         at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:300)
>>         at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:178)
>>         at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
>>         at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
>>         at org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:216)
>>         at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
>>         at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:91)
>>         at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:204)
>>         at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:186)
>>         at java.lang.Thread.run(Thread.java:619)
>>  WARN | Async error occurred: java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
>>
>> On Thu, May 20, 2010 at 11:54 PM, James Casey <jamesc.000@gmail.com> wrote:
>>
>>> Jim,
>>>
>>> what version of ActiveMQ are you using ?  This happened in 5.3
>>> (<https://issues.apache.org/activemq/browse/AMQ-2474>) but should be
>>> fixed in > 5.3.1.
>>>
>>> We have this working in production no problem.  I see we express the
>>> URL in the NC differently:
>>>
>>>  <networkConnector
>>> uri="static://(ssl://${activemq.network.broker2}:62001)"
>>>         name="network-${activemq.network.broker2}"/>
>>>
>>> but that doesn't seem to be the problem.  We also use simplex
>>> connections, with the JaasCertificateAuthenticationPlugin enabled on
>>> both brokers.
>>>
>>> James.
>>>
>>>
>>> On 21 May 2010 06:24, Jim Lloyd <jlloyd@silvertailsystems.com> wrote:
>>> > I'm not able to establish a network connection between two brokers via an
>>> > SSL transport when I turn on JAAS certificate authentication. I want to do
>>> > this with a hub & spoke architecture, where one broker is the hub, and
>>> > passively accepts network connections from spokes that use duplex
>>> > connections. I have this working without JAAS certificate authentication,
>>> > where the relevant configuration looks like this:
>>> >
>>> >
>>> > Broker "hub"
>>> >    <broker brokerName="hub" ... >
>>> >       <sslContext>
>>> >            <sslContext
>>> >                keyStore="file:hub.ks"
>>> >                keyStorePassword="hubpassword"
>>> >                trustStore="file:hub.ts"
>>> >                trustStorePassword="hubpassword"
>>> >            />
>>> >        </sslContext>
>>> >        <transportConnectors>
>>> >            <transportConnector name="openwire" uri="tcp://localhost:51001" />
>>> >            <transportConnector name="ssl" uri="ssl://0.0.0.0:51000?transport.needClientAuth=true" />
>>> >        </transportConnectors>
>>> >    </broker>
>>> >
>>> > Broker "spoke"
>>> >    <broker brokerName="spoke" ...>
>>> >        <sslContext>
>>> >            <sslContext
>>> >                keyStore="file:spoke.ks"
>>> >                keyStorePassword="spokepassword"
>>> >                trustStore="file:spoke.ts"
>>> >                trustStorePassword="spokepassword"
>>> >            />
>>> >        </sslContext>
>>> >        <networkConnectors>
>>> >            <networkConnector
>>> >                name="tohub"
>>> >                uri="static:(ssl://127.0.0.1:51000)"
>>> >                duplex="true"
>>> >            />
>>> >        </networkConnectors>
>>> >        <transportConnectors>
>>> >            <transportConnector name="openwire" uri="tcp://localhost:51002" />
>>> >        </transportConnectors>
>>> >    </broker>
>>> >
>>> > I now want to enable JAAS authentication, so I add this plugins section to
>>> > the hub broker (right before the closing </broker> tag):
>>> >        <plugins>
>>> >          <jaasCertificateAuthenticationPlugin configuration="CertLogin" />
>>> >        </plugins>
>>> >
>>> > When I do this, I start to get errors like this:
>>> >
>>> > 2010-05-20 20:32:29,350  WARN | Failed to add Connection
>>> > java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
>>> >        at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:75)
>>> >        at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
>>> >        at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:666)
>>> >        at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:83)
>>> >        at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
>>> >        at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:297)
>>> >        at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:175)
>>> >        at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
>>> >        at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
>>> >        at org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:210)
>>> >        at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
>>> >        at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:104)
>>> >        at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:203)
>>> >        at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:185)
>>> >        at java.lang.Thread.run(Thread.java:619)
>>> >
>>> > I suspected that this might have to do with the duplex connection, but I get
>>> > the same error when the networkConnection uses duplex="false".
>>> >
>>> > Can anyone tell me what I might be doing wrong? FYI I have turned on ssl
>>> > debug and seen the SSL handshakes in the log.
>>> >
>>> > Thanks,
>>> > Jim Lloyd
>>> >
>>>
>>
>>
>
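The hub-side pieces this thread turns on, assembled as an added example; it is not code from the thread, from Jim's hub.xml, or from ActiveMQ's own test resources. It writes a hub.xml whose SSL transportConnector uses the flag form Jim reports as working (without the closeAsync option James says is unrelated to SSL), the jaasCertificateAuthenticationPlugin pointing at the CertLogin realm, a login.config for that realm using TextFileCertificateLoginModule, the DN-to-user and user-to-group files it reads, and, when keytool is available, self-signed keystores in which each broker trusts only the other's certificate. The DNs "CN=hub, O=Example" and "CN=spoke, O=Example", the user and group names, the single-user mapping and the mktemp output directory are assumptions; the port and passwords are taken from the thread.

```shell
#!/usr/bin/env bash
# Added example (not code from this thread or from ActiveMQ): generate the
# hub-side files for certificate-authenticated broker-to-broker SSL.
# Assumed: DNs "CN=hub, O=Example" / "CN=spoke, O=Example", user "spoke",
# group "brokers", and an output directory chosen with mktemp.
set -u

# Return 0 only when a connector URI *requires* a client certificate.
# wantClientAuth=true merely requests one; needClientAuth=true rejects the
# handshake when none is presented. Both appear in the URI Jim reports
# as working, so the check accepts that form as well.
mtls_enforced() {
  case "$1" in
    *needClientAuth=true*) return 0 ;;
    *) return 1 ;;
  esac
}

# login.config for the "CertLogin" realm named in the thread, plus the two
# maps TextFileCertificateLoginModule reads. The module resolves the
# property-file paths relative to the directory holding login.config, so
# all three files are written side by side.
write_jaas_files() {
  local dir="$1" spoke_dn="$2"
  cat >"$dir/login.config" <<'EOF'
CertLogin {
    org.apache.activemq.jaas.TextFileCertificateLoginModule required
        debug=true
        org.apache.activemq.jaas.textfiledn.user="users.properties"
        org.apache.activemq.jaas.textfiledn.group="groups.properties";
};
EOF
  # users.properties: <user>=<subject DN, exactly as Java prints it>
  printf 'spoke=%s\n' "$spoke_dn" >"$dir/users.properties"
  # groups.properties: <group>=<comma-separated users>
  printf 'brokers=spoke\n' >"$dir/groups.properties"
}

# Hub broker: SSL connector in the flag form Jim reports as working (minus
# closeAsync) and the JAAS certificate plugin. Keystore paths are relative
# to the broker's working directory, as in the thread's hub.xml.
write_hub_xml() {
  local dir="$1"
  cat >"$dir/hub.xml" <<'EOF'
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
         http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="hub">
    <sslContext>
      <sslContext keyStore="file:hub.ks" keyStorePassword="hubpassword"
                  trustStore="file:hub.ts" trustStorePassword="hubpassword"/>
    </sslContext>
    <transportConnectors>
      <transportConnector name="ssl"
          uri="ssl://0.0.0.0:51000?wantClientAuth=true&amp;needClientAuth=true"/>
    </transportConnectors>
    <plugins>
      <jaasCertificateAuthenticationPlugin configuration="CertLogin"/>
    </plugins>
  </broker>
</beans>
EOF
}

# Self-signed key pairs for both brokers; each truststore holds only the
# other broker's certificate, so no public CA can mint a valid peer.
make_keystores() {
  local dir="$1" name pass
  for name in hub spoke; do
    pass="${name}password"
    keytool -genkeypair -alias "$name" -keyalg RSA -keysize 2048 -validity 365 \
      -dname "CN=$name, O=Example" \
      -keystore "$dir/$name.ks" -storepass "$pass" -keypass "$pass"
    keytool -exportcert -alias "$name" -keystore "$dir/$name.ks" \
      -storepass "$pass" -rfc -file "$dir/$name.crt"
  done
  keytool -importcert -noprompt -alias spoke -file "$dir/spoke.crt" \
    -keystore "$dir/hub.ts" -storepass hubpassword
  keytool -importcert -noprompt -alias hub -file "$dir/hub.crt" \
    -keystore "$dir/spoke.ts" -storepass spokepassword
  # The "Owner:" line is the exact DN string users.properties must carry.
  keytool -printcert -file "$dir/spoke.crt" | grep '^Owner:'
}

OUT=${OUT:-$(mktemp -d)}
write_jaas_files "$OUT" "CN=spoke, O=Example"
write_hub_xml "$OUT"
if command -v keytool >/dev/null 2>&1; then
  make_keystores "$OUT"
else
  echo "keytool not found; skipping keystore generation" >&2
fi
echo "hub files written to $OUT"
```

Start the hub the way the thread does, with -Djava.security.auth.login.config pointing at the generated login.config and xbean: at the generated hub.xml, from the directory containing hub.ks and hub.ts. If the "Owner:" line printed by keytool differs from the value in users.properties (different RDN order, spacing or extra attributes), the module finds no user for the presented certificate, so copy that line verbatim rather than retyping the DN.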
