activemq-users mailing list archives

From Geurt Schimmel
Subject RE: networkConnector over SSL results in certificate exception - AMQ 5.9.0
Date Mon, 17 Feb 2014 23:28:28 GMT

Looks like your MQ-instances don't recognize the certs offered by the counterparty - as usual with
SSL, the errors are pretty obscure.

client.ts @ hostA should have the cert of hostB, and the other way around. 

You can check the content of the keystores/truststores with
keytool -list -storepass $kspassword -keystore $truststore

Importing certs:
keytool -import -alias $hostname -keystore $truststore -storepass $kspassword -file $certfile


-----Original Message-----
From: David Laube
Sent: Monday, February 17, 2014 9:01 PM
Subject: networkConnector over SSL results in certificate exception - AMQ 5.9.0

Hi All,

We're experiencing some issues trying to get two brokers running on a single host (for simplicity)
talking to each other using a networkConnector over SSL. I suspect I'm missing something somewhere,
I just haven't found it yet ;) I've packaged two ActiveMQ 5.9.0 installations into a single
project available at along with a script (see below)
to generate broker and client keyStores and trustStores according to

The script to generate the broker/client trustStore and keyStores is amq-example/apache-activemq-5.9.0-b/conf/

Broker-a = (directory apache-activemq-5.9.0) Default 5.9.0 config with sslContext and a single
networkConnector which connects to Broker-b using the SSL protocol/transport via the following;
<networkConnector name="NC_toBroker-b_SSL" duplex="true" uri="static:(ssl://localhost:61626)"/>

Broker-b = (directory apache-activemq-5.9.0-b) An ActiveMQ 5.9.0 config with sslContext and
a single transportConnector using the following;
<transportConnector name="ssl" uri="ssl://;wireFormat.maxFrameSize=104857600"/>

Broker-a logs:
2014-02-17 11:16:20,357 | WARN  | Could not start network bridge between: vm://broker-a?async=false&network=true
and: ssl://localhost:61626 due to:
PKIX path validation failed: signature check
failed | | ActiveMQ Task-7

Broker-b logs:
2014-02-17 11:15:20,302 | ERROR | Could not accept connection from tcp:// Received fatal alert: certificate_unknown |
| ActiveMQ BrokerService[broker-b] Task-9

I have followed in that the client ts has
been copied to broker-a. I have also tried setting the following properties inside the ACTIVEMQ_OPTS
variable within bin/activemq;

Does anyone see any problems with my config or keyStore/trustStore setup? Any insight would
be greatly appreciated. Thanks in advance!

Best regards,
-David Laube
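
The cross-trust check described in the reply (the truststore on hostA must hold hostB's cert, and the other way around), as an added example that is not part of the original thread. It compares fingerprints taken from saved `keytool -list` output; the function names, listing file names, aliases and fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Listings below are constructed and the
# fingerprints shortened; real ones come from the thread's command, e.g.
#   keytool -list -storepass "$kspassword" -keystore "$truststore" > listing.txt

# Print "<key|trusted> <fingerprint>" per entry of `keytool -list` output on
# stdin. Accepts both "(SHA1)" and "(SHA-256)" fingerprint lines.
entries() {
  awk '
    /PrivateKeyEntry/  { type = "key" }
    /trustedCertEntry/ { type = "trusted" }
    /^Certificate fingerprint/ { sub(/^[^:]*: */, ""); print type, $0 }
  '
}

# peer_trusted PEER_KEYSTORE_LISTING LOCAL_TRUSTSTORE_LISTING
# 0: every key-entry cert of the peer is a trustedCertEntry in the truststore
# 1: at least one is missing (printed), 2: the peer listing has no key entry
peer_trusted() {
  peer_fps=$(entries < "$1" | awk '$1 == "key" { print $2 }')
  [ -n "$peer_fps" ] || return 2
  trusted_fps=$(entries < "$2" | awk '$1 == "trusted" { print $2 }')
  for fp in $peer_fps; do
    printf '%s\n' "$trusted_fps" | grep -qxF "$fp" ||
      { echo "not trusted: $fp"; return 1; }
  done
}

tmp=$(mktemp -d)
cat > "$tmp/hostB-keystore.txt" <<'EOF'
Keystore type: JKS
Your keystore contains 1 entry

hostb, Feb 17, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): B2:B2:B2:B2
EOF
cat > "$tmp/hostA-truststore-stale.txt" <<'EOF'
hostb, Feb 10, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): B1:B1:B1:B1
EOF
cat > "$tmp/hostA-truststore-ok.txt" <<'EOF'
hostb, Feb 17, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): B2:B2:B2:B2
EOF

peer_trusted "$tmp/hostB-keystore.txt" "$tmp/hostA-truststore-stale.txt" || echo "hostA truststore lacks hostB's current cert"
peer_trusted "$tmp/hostB-keystore.txt" "$tmp/hostA-truststore-ok.txt" && echo "hostA trusts hostB"
```

Run it a second time with the roles swapped (hostA's keystore listing against hostB's truststore listing) to cover the other direction. Both listings must come from the same JDK so the fingerprint algorithm matches.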
