activemq-users mailing list archives

From David Laube <d...@stormpath.com>
Subject networkConnector over SSL results in certificate exception - AMQ 5.9.0
Date Mon, 17 Feb 2014 20:00:43 GMT
Hi All,

We're experiencing some issues trying to get two brokers running on a single host (for simplicity)
talking to each other using a networkConnector over SSL. I suspect I'm missing something somewhere,
I just haven't found it yet ;) I've packaged two ActiveMQ 5.9.0 installations into a single
project available at https://github.com/dlaube/amq-example along with a script (see below)
to generate broker and client keyStores and trustStores according to http://activemq.apache.org/how-do-i-use-ssl.html

The script to generate the broker/client trustStore and keyStores is amq-example/apache-activemq-5.9.0-b/conf/gen-certs.sh


Broker-a = (directory apache-activemq-5.9.0) Default 5.9.0 config with sslContext and a single
networkConnector which connects to Broker-b using the SSL protocol/transport via the following;
<networkConnector name="NC_toBroker-b_SSL" duplex="true" uri="static:(ssl://localhost:61626)"/>

Broker-b = (directory apache-activemq-5.9.0-b) An ActiveMQ 5.9.0 config with sslContext and
a single transportConnector using the following;
<transportConnector name="ssl" uri="ssl://0.0.0.0:61626?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>


Broker-a logs:
2014-02-17 11:16:20,357 | WARN  | Could not start network bridge between: vm://broker-a?async=false&network=true and: ssl://localhost:61626 due to: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed | org.apache.activemq.network.DiscoveryNetworkConnector | ActiveMQ Task-7

Broker-b logs:
2014-02-17 11:15:20,302 | ERROR | Could not accept connection from tcp://127.0.0.1:50663: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[broker-b] Task-9


I have followed http://activemq.apache.org/certificateunknown.html in that the client ts has
been copied to broker-a. I have also tried setting the following properties inside the ACTIVEMQ_OPTS
variable within bin/activemq;

javax.net.ssl.keyStore=/path/to/client.ks
javax.net.ssl.keyStorePassword=password
javax.net.ssl.trustStore=/path/to/client.ts

Does anyone see any problems with my config or keyStore/trustStore setup? Any insight would
be greatly appreciated. Thanks in advance!

Best regards,
-David Laube
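
Added example, not part of the original message or the poster's repository: a diagnostic that compares the certificate an SSL transportConnector actually presents with the certificates exported from the trustStore the connecting broker uses. It assumes the self-signed setup of the how-do-i-use-ssl page, where the trustStore must hold the exact certificate the peer presents; the function names and the PEM export file are hypothetical.

```python
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def fingerprint(der):
    """SHA-256 of the DER bytes, colon-separated like keytool prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def trusted_fingerprints(pem_text):
    """Fingerprints of every certificate in a PEM export of the trustStore
    (for example the output of: keytool -exportcert -rfc -alias <alias>)."""
    return {fingerprint(ssl.PEM_cert_to_DER_cert(block))
            for block in PEM_BLOCK.findall(pem_text)}


def presented_certificate(host, port, timeout=5.0):
    """DER certificate the listener presents. Verification is disabled on
    purpose: the probe only reads the certificate and sends no data."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check(presented_der, pem_text):
    """Report whether the presented certificate is itself a trusted entry."""
    trusted = trusted_fingerprints(pem_text)
    if not trusted:
        return "EMPTY: no certificates found in the export"
    fp = fingerprint(presented_der)
    if fp in trusted:
        return "MATCH: " + fp
    return "MISMATCH: presented " + fp + " not in " + ", ".join(sorted(trusted))


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check_cert.py HOST PORT TRUSTED_EXPORT.pem")
    with open(sys.argv[3]) as fh:
        print(check(presented_certificate(sys.argv[1], int(sys.argv[2])), fh.read()))
```

A MISMATCH here means the trustStore entry and the broker's keyStore entry are different certificates, which is worth ruling out when stores have been regenerated or copied between the two installations.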