activemq-users mailing list archives

From Jim Lloyd <jll...@silvertailsystems.com>
Subject Broker to Broker authentication using JAAS fails
Date Fri, 21 May 2010 04:24:35 GMT
I'm not able to establish a network connection between two brokers via an
SSL transport when I turn on JAAS certificate authentication. I want to do
this with a hub & spoke architecture, where one broker is the hub, and
passively accepts network connections from spokes that use duplex
connections. I have this working without JAAS certificate authentication,
where the relevant configuration looks like this:


Broker "hub"
    <broker brokerName="hub" ... >
       <sslContext>
            <sslContext
                keyStore="file:hub.ks"
                keyStorePassword="hubpassword"
                trustStore="file:hub.ts"
                trustStorePassword="hubpassword"
            />
        </sslContext>
        <transportConnectors>
            <transportConnector name="openwire" uri="tcp://localhost:51001" />
            <transportConnector name="ssl" uri="ssl://0.0.0.0:51000?transport.needClientAuth=true" />
        </transportConnectors>
    </broker>

Broker "spoke"
    <broker brokerName="spoke" ...>
        <sslContext>
            <sslContext
                keyStore="file:spoke.ks"
                keyStorePassword="spokepassword"
                trustStore="file:spoke.ts"
                trustStorePassword="spokepassword"
            />
        </sslContext>
        <networkConnectors>
            <networkConnector
                name="tohub"
                uri="static:(ssl://127.0.0.1:51000)"
                duplex="true"
            />
        </networkConnectors>
        <transportConnectors>
            <transportConnector name="openwire" uri="tcp://localhost:51002" />
        </transportConnectors>
    </broker>

I now want to enable JAAS authentication, so I add this plugins section to
the hub broker (right before the closing </broker> tag):
        <plugins>
          <jaasCertificateAuthenticationPlugin configuration="CertLogin" />
        </plugins>

When I do this, I start to get errors like this:

2010-05-20 20:32:29,350  WARN | Failed to add Connection
java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
        at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:75)
        at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
        at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:666)
        at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:83)
        at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
        at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:297)
        at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:175)
        at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
        at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
        at org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:210)
        at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
        at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:104)
        at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:203)
        at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:185)
        at java.lang.Thread.run(Thread.java:619)

I suspected that this might have to do with the duplex connection, but I get
the same error when the networkConnection uses duplex="false".

Can anyone tell me what I might be doing wrong? FYI I have turned on ssl
debug and seen the SSL handshakes in the log.

Thanks,
Jim Lloyd
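Added for reference (not part of the message above): the JAAS realm that the hub's `configuration="CertLogin"` attribute must resolve to, using ActiveMQ's text-file certificate login module so that only certificates whose subject DN is listed may open a connection. The file names, the `spoke` user name and the example DN are assumptions for illustration; the realm is loaded by starting the broker JVM with `-Djava.security.auth.login.config=login.config`.

```text
// login.config  (JAAS realm named in <jaasCertificateAuthenticationPlugin configuration="CertLogin" />)
CertLogin {
    org.apache.activemq.jaas.TextFileCertificateLoginModule required
        debug=true
        org.apache.activemq.jaas.textfiledn.user="users.properties"
        org.apache.activemq.jaas.textfiledn.group="groups.properties";
};

# users.properties  (user name = subject DN of the client certificate, DN is an assumed example)
spoke=CN=spoke, OU=brokers, O=example, C=US

# groups.properties  (group = comma-separated user names; "brokers" is an assumed group name)
brokers=spoke
```

The DN on the right-hand side must match the subject of the certificate in spoke.ks exactly (compare it against `keytool -list -v -keystore spoke.ks`); a connection whose certificate chain validates against hub.ts but whose DN is not listed here is still rejected by the login module.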
