From RTactivemq
Subject ActiveMQ 2-Way Authentication
Date Wed, 15 Apr 2015 07:41:42 GMT

Hello, I've searched the forums, Google sites, and of course ActiveMQ's
website for an answer but I am unable to find one.

I will start off by giving some basic information about my setup.

First, my activemq broker is running out of a JBoss AM-Q system with

server version: Apache activemq 5.9.0.redhat-611416 running on java 1.7

My client is a Windows 7 Java project running out of Eclipse Luna using Java
JDK 1.7.

The API I'm using is the org.apache.qpid.amqp_1_0.jms and some of the
javax.jms libraries.

My objective is fairly simple, take the examples given in the activemq
release running out of an eclipse project and add 2 way authentication

Actions Taken:

I will start off by saying I fully read the How do I use SSL page on
apache's website.  Getting 1 way authentication worked and I can send and
receive messages just fine. Two way authentication is proving most

On the broker, I have a keystore and truststore already provided.  Also, I
have been provided with a certificate for that machine that matches the md5
found in the keystore.jks.  So I know that the certificate matches the

On the client machine I created a keystore first.  I ran the command in
Cygwin, "$JAVA_HOME/bin/keytool" -genkey -alias client -keyalg RSA -keystore
client.ks.  This created the ks file, to which I exported from that
client.ks file, a certificate.

I took the broker's certificate and imported it into a truststore on the
client machine.  Like above, I used my Java keytool, with options -import
-alias eap6 -keystore client.ts -file <provided broker cert>.  On the broker
machine, I did the same thing.  I went into the truststore and imported the
client_cert, using the alias client.


As stated I started off with the examples provided by ActiveMQ in the
examples directory for establishing a connection between client and broker
using the amqp protocol.

So my send message looks like this:

I set host, port, and clientid and pass those to a constructor that uses the
code below.  I then attempt to create a connection. One way SSL works
without the authentication so leaving the user and password blank I assume
is fine?

            ConnectionFactoryImpl factory = new ConnectionFactoryImpl(uri, port, "", "", client, true);
            session = connection.createSession(false,
        } catch (Exception e){
            LOGGER.log(Level.SEVERE, "Exception caught:", e);

I then have a send method. Destination looks like this: private Destination
destination=new QueueImpl("queue://amqp-ssl-q");

            MessageProducer producer=session.createProducer(destination);
   " [x] Creating message" );
            TextMessage msg = session.createTextMessage("Hello World!");
   " [x] Sent Message");
        } catch (JMSException e){
            LOGGER.log(Level.SEVERE, "[X] Send Failed:", e);


I know the server and client need ways of getting the keystore and client. 
On the broker, I use the activemq.xml to set this:


I setup the transport connector as such:

<transportConnector name="amqp+ssl"

In eclipse I went into the Run Configurations and under arguments -> vm
arguments, I set the path to my truststore and keystore like so:<path>/<to>/<keystore>/client.ks"<password>"<path>/<to>/<truststore>/client.ts"<password>"

The following parameters I added because the debugger in eclipse had null
for these values. Before I used them I was just using the ones above. It
didn't seem to add a difference.  But I was desperate so I added these to
the vm arguments. I should also note that I also tried adding just the path
to the property but not including the file, like the keystore below. So I
tried running the send with parameters below missing the file at the end and
then with the file.<path>/<to>/<trustStore>/client.ts<path>/<to>/<keystore>


When I run this, it complains about a bad certificate.
main, WRITE: TLSv1 Handshake, length = 48
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT:  fatal, bad_certificate
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
main, called closeSocket()
main, handling exception: Received fatal alert: bad_certificate
javax.jms.JMSException: Received fatal alert: bad_certificate

Caused by: org.apache.qpid.amqp_1_0.client.ConnectionException: Received fatal alert: bad_certificate
	at org.apache.qpid.amqp_1_0.client.Connection.<init>(
	at org.apache.qpid.amqp_1_0.client.Connection.<init>(
	... 3 more

Caused by: Received fatal alert:
	... 6 more


Does this seem like I am doing something incorrectly?  I really don't
understand where I have made a mistake.  The instructions are fairly
straightforward in setting up the keystore and truststore in the How do I
use SSL page.  Also, I don't think I'm doing anything radical here with the
client side code, as I am basing it off the provided activemq release
examples.  One way also works fine, so it is pulling the broker's
certificate just fine when I set the NeedClientAuth=false.

If anyone has ideas, I would be happy to try them.  Also, if more
information is needed I will do what I can to provide it.
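
Added example, not part of the original post: a small Java check for the client side of the keystore and truststore setup described above. It assumes both stores are JKS files passed to the JVM through the standard JSSE system properties (`javax.net.ssl.keyStore`, `javax.net.ssl.keyStorePassword`, `javax.net.ssl.trustStore`, `javax.net.ssl.trustStorePassword`); the class name `MtlsStoreCheck` is hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;

public class MtlsStoreCheck {
    // Load a store from the path/password held in two JSSE system properties.
    // Assumption: JKS format, the keytool default on Java 7.
    static KeyStore load(String pathProp, String passProp) throws Exception {
        String path = System.getProperty(pathProp);
        String pass = System.getProperty(passProp);
        if (path == null || pass == null) {
            throw new IllegalStateException(pathProp + " or " + passProp + " is not set in this JVM");
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray()); // fails on a wrong path, password or format
        }
        return ks;
    }

    // Colon-separated SHA-256 fingerprint, the same layout keytool prints.
    static String sha256(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    public static void main(String[] args) throws Exception {
        KeyStore keys = load("javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword");
        KeyStore trust = load("javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword");
        int keyEntries = 0;
        for (String alias : Collections.list(keys.aliases())) {
            if (keys.isKeyEntry(alias)) { // private key plus certificate: what the client can present
                keyEntries++;
                System.out.println("client key entry '" + alias + "' SHA-256 " + sha256(keys.getCertificate(alias)));
            }
        }
        if (keyEntries == 0) System.out.println("keystore holds no private key entry to present to the broker");
        for (String alias : Collections.list(trust.aliases())) {
            if (trust.isCertificateEntry(alias)) { // certificates this client will accept
                System.out.println("trusted entry '" + alias + "' SHA-256 " + sha256(trust.getCertificate(alias)));
            }
        }
    }
}
```

Run it with the same VM arguments as the sending client. The fingerprint printed for the client key entry can then be compared with the entry stored under the `client` alias in the broker's truststore, as shown by `keytool -list -v` on that truststore.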

