activemq-users mailing list archives
From Timothy Bish <tabish...@gmail.com>
Subject Re: setting up c++ client app using CMS using SSL client certificate auth
Date Thu, 07 Nov 2013 17:32:21 GMT
On 11/07/2013 12:12 PM, darkrwe wrote:
> Hi Tim,
> thank you for the answer.
> I installed Oracle JDK 7 and now I don't get the problems below.
> Now I just want to summarize what I do, because my pem file is problematic
> on the client side.
> Maybe there is another configuration I could have missed.
>
>> I'm getting below error on the client side (ubuntu 13.04 -same machine
>> with
>> the client)
>> Error occurred while accessing an OpenSSL library method:
>> error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal
>> error
>>
>> I'm also getting below error from broker side (ubuntu 13.04 -same machine
>> with the client)
>> 2013-11-07 12:04:22,244 | ERROR | Could not accept connection from
>> tcp://127.0.0.1:55751: javax.net.ssl.SSLException:
>> java.security.ProviderException:
>> sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID |
>> org.apache.activemq.broker.TransportConnector | ActiveMQ
>> BrokerService[localhost] Task-3
> *But now I am getting these errors from the client:*
> *Error occurred while accessing an OpenSSL library method:
> error:0906D06C:PEM routines:PEM_read_bio:no start line
> error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib*
>
>
> *I use the configuration below in my CMS client:*
> I also enabled SSL in ActiveMQ (installed OpenSSL and added the proper prefix to
> the ActiveMQ installation).
>   activemq::library::ActiveMQCPP::initializeLibrary();
>   decaf::lang::System::setProperty("decaf.net.ssl.keyStore", "/pathToPem/Client.pem");
>   decaf::lang::System::setProperty("decaf.net.ssl.keyStorePassword", "123456");
>   decaf::lang::System::setProperty("decaf.net.ssl.trustStore", "/pathToPem/Broker.pem");
>   url = "ssl://localhost:61617";
>
> On the broker side I have done the configurations below:
> *in activemq.xml:*
>
>      <sslContext>
>          <sslContext
>              keyStore="broker.ks" keyStorePassword="123456"
>              trustStore="client.ks" trustStorePassword="123456"/>
>      </sslContext>
>      <transportConnectors>
>           <transportConnector name="ssl" uri="ssl://localhost:61617?needClientAuth=true" />
>           <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireformat.maxFrameSize=104857600"/>
>           <transportConnector name="amqp" uri="amqp://0.0.0.0:5672?maximumConnections=1000&amp;wireformat.maxFrameSize=104857600"/>
>      </transportConnectors>
>
> *I also export the SSL_OPTS environment variable before starting the
> broker:*
> $ export SSL_OPTS="-Djavax.net.ssl.keyStore=/pathTobrokerks/broker.ks
> -Djavax.net.ssl.keyStorePassword=123456
> -Djavax.net.ssl.trustStore=/pathTobrokerts/broker.ts"
>
> Below are the commands for generating the keystores and certificates:
> $ keytool -genkey -alias broker -keyalg RSA -keystore broker.ks
> $ keytool -export -alias broker -keystore broker.ks -file broker_cert
> $ keytool -genkey -alias client -keyalg RSA -keystore client.ks
> $ keytool -import -alias broker -keystore client.ts -file broker_cert
> $ keytool -export -alias client -keystore client.ks -file client_cert
> $ keytool -import -alias client -keystore broker.ts -file client_cert
>
> *I have converted the cert files to pem files using the commands below:*
> $ keytool -importkeystore -srckeystore broker.ks -destkeystore broker_cert.p12 -srcstoretype jks -deststoretype pkcs12
> $ openssl pkcs12 -in broker_cert.p12 -out Broker.pem
> $ keytool -importkeystore -srckeystore client.ks -destkeystore client_cert.p12 -srcstoretype jks -deststoretype pkcs12
> $ openssl pkcs12 -in client_cert.p12 -out Client.pem
>
> Is there anything I have missed, or a wrong configuration on the client or broker
> side?
>
> Thanks a lot.
>
> --
> View this message in context: http://activemq.2283324.n4.nabble.com/setting-up-c-client-app-using-CMS-using-SSL-client-certificate-auth-tp4664686p4674024.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>

You need to debug the SSL handshake and see what is going on. You may
need to enable other cipher suites etc. to allow the broker and client to
communicate.

-- 
Tim Bish
Sr Software Engineer | RedHat Inc.
tim.bish@redhat.com | www.fusesource.com | www.redhat.com
skype: tabish121 | twitter: @tabish121
blog: http://timbish.blogspot.com/
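
The following is an added example, not code from this thread, from ActiveMQ-CPP or from the ActiveMQ project. It reproduces the keystore-to-PEM conversion with openssl alone (a self-signed identity packaged as PKCS#12 stands in for the JKS export), converts the PKCS#12 to PEM three ways, and inspects which variant actually carries a private-key block: a file with no `BEGIN ... PRIVATE KEY` header is one common reason OpenSSL's `SSL_CTX_use_PrivateKey_file` reports `PEM_read_bio:no start line`. It then runs a mutual-TLS handshake on loopback with `openssl s_server -Verify` standing in for `needClientAuth=true`, which is the kind of handshake debugging suggested above. The names `broker`/`client`, the CNs, the port 46117 and the password `123456` are constructed for the example; `openssl` must be on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): JKS-style PKCS#12 -> PEM conversion with
# openssl, inspection of what each PEM variant contains, and a loopback mTLS
# handshake.  Names, CNs, port and password are constructed; needs openssl.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
PASS=123456            # constructed keystore/export password

# One self-signed RSA identity (cert + key) and its PKCS#12 bundle, which is
# the shape "keytool -importkeystore ... -deststoretype pkcs12" yields from JKS.
make_identity() {      # $1 = name, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
  openssl pkcs12 -export -name "$1" -in "$1.crt" -inkey "$1.key" \
    -out "$1.p12" -passout "pass:$PASS"
}

# PKCS#12 -> PEM, as in the thread but non-interactive; $3 = extra flags.
p12_to_pem() {         # $1 = p12 in, $2 = pem out, $3 = extra openssl flags
  openssl pkcs12 -in "$1" -out "$2" -passin "pass:$PASS" -passout "pass:$PASS" $3
}

# Which private-key block does a PEM carry?  "none" is the case where
# SSL_CTX_use_PrivateKey_file has no PEM header to find ("no start line").
pem_key_kind() {
  if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then echo encrypted
  elif grep -Eq 'BEGIN (RSA )?PRIVATE KEY' "$1"; then echo plain
  else echo none; fi
}
pem_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1" || true; }

# Can a PEM trust store validate a peer certificate?
verify_against() {     # $1 = trust store pem, $2 = peer cert pem
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Mutual-TLS handshake on loopback: s_server plays the broker (-Verify is the
# equivalent of needClientAuth=true), s_client the CMS client.  Prints the
# "Verify return code" line so a failure is visible in one place.
mtls_handshake() {     # $1 = loopback port
  openssl s_server -accept "$1" -cert broker.crt -key broker.key \
    -Verify 1 -CAfile client.crt >/dev/null 2>&1 &
  srv=$!
  sleep 1
  out=$(echo Q | openssl s_client -connect "127.0.0.1:$1" \
        -cert client.crt -key client.key -CAfile broker.crt 2>&1 || true)
  kill "$srv" 2>/dev/null || true
  echo "$out" | grep 'Verify return code' | head -n 1
}

make_identity broker broker.example
make_identity client client.example

p12_to_pem client.p12 Client.pem ""                 # thread's command: key stays encrypted
p12_to_pem client.p12 Client-nodes.pem "-nodes"     # key written in the clear
p12_to_pem broker.p12 Broker.pem "-nokeys"          # cert only: fine as a trustStore
p12_to_pem client.p12 ClientCertOnly.pem "-nokeys"  # cert only: no key for a keyStore

for f in Client.pem Client-nodes.pem Broker.pem ClientCertOnly.pem; do
  echo "$f: key=$(pem_key_kind "$f") certs=$(pem_cert_count "$f")"
done
echo "broker trust store validates client cert: $(verify_against ClientCertOnly.pem client.crt)"
mtls_handshake 46117
```

The `encrypted` variant is what the thread's `openssl pkcs12 -in ... -out ...` produces: the key is wrapped under the export passphrase, so whatever reads it must supply that passphrase. The `-nokeys` variant is the right shape for a trust store (it holds only the peer's certificate, never a private key), and the handshake function is the place to start when the broker logs a rejected connection: if `openssl s_client` cannot complete the mutual-TLS exchange against a known-good `s_server`, the PEM files are wrong before the broker's configuration is even involved.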

