activemq-users mailing list archives
From RTactivemq <what2...@yahoo.com>
Subject ActiveMQ 2-Way Authentication
Date Wed, 15 Apr 2015 07:41:42 GMT
Hello, I've searched the forums, google sites, and of course ActiveMQ's
website for an answer but I am unable to find one.

I will start off by giving some basic information about my setup.

First, my ActiveMQ broker is running out of a JBoss A-MQ system with these
versions:

server version: Apache activemq 5.9.0.redhat-611416 running on java 1.7

My client is a Windows 7 Java project running out of Eclipse Luna using Java
JDK 1.7.

The API I'm using is org.apache.qpid.amqp_1_0.jms together with some of the
javax.jms libraries.

My objective is fairly simple: take the examples given in the ActiveMQ
release, run them out of an Eclipse project, and add 2-way authentication
functionality.

Actions Taken:

I will start off by saying I fully read the "How do I use SSL" page on
Apache's website.  I got 1-way authentication working and I can send and
receive messages just fine. Two-way authentication is proving most
difficult.

On the broker, I have a keystore and truststore already provided.  Also, I
have been provided with a certificate for that machine that matches the MD5
found in the keystore.jks.  So I know that the certificate matches the
keystore.

On the client machine I created a keystore first.  I ran the command in
Cygwin: "$JAVA_HOME/bin/keytool" -genkey -alias client -keyalg RSA -keystore
client.ks.  This created the .ks file, from which I then exported a
certificate.

I took the broker's certificate and imported it into a truststore on the
client machine.  Like above, I used the Java keytool, with the options -import
-alias eap6 -keystore client.ts -file <provided broker cert>.  On the broker
machine, I did the same thing: I went into the truststore and imported the
client_cert, using the alias client.

Development:

As stated, I started off with the examples provided by ActiveMQ in the
examples directory for establishing a connection between client and broker
using the AMQP protocol.

So my send message looks like this:

I set host, port, and clientid and pass those to a constructor that uses the
code below.  I then attempt to create a connection.  One-way SSL works
without the authentication, so leaving the user and password blank I assume
is fine?

import java.util.logging.Level;
import javax.jms.Session;
import org.apache.qpid.amqp_1_0.jms.impl.ConnectionFactoryImpl;

try {
    // Arguments: host, port, username, password, clientId, ssl.
    // With ssl=true the client falls back to the default JSSE context,
    // i.e. the javax.net.ssl.* system properties passed as VM arguments.
    ConnectionFactoryImpl factory = new ConnectionFactoryImpl(uri, port, "", "", client, true);
    connection = factory.createConnection("", "");
    connection.start();   // the TLS handshake happens inside start()
    session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
} catch (Exception e) {
    LOGGER.log(Level.SEVERE, "Exception caught:", e);
}

I then have a send method.  Destination looks like this:
private Destination destination = new QueueImpl("queue://amqp-ssl-q");

import javax.jms.JMSException;
import javax.jms.MessageProducer;
import javax.jms.TextMessage;

try {
    // The producer is bound to the queue declared above.
    MessageProducer producer = session.createProducer(destination);
    LOGGER.info(" [x] Creating message");

    TextMessage msg = session.createTextMessage("Hello World!");
    producer.send(msg);
    LOGGER.info(" [x] Sent Message");
} catch (JMSException e) {
    LOGGER.log(Level.SEVERE, "[X] Send Failed:", e);
}

Configuration:

I know the server and client need ways of getting the keystore and client. 
On the broker, I use the activemq.xml to set this:

<sslContext>
    <sslContext
        keyStore="/security/ssl/keystore/keystore.jks"
        keyStorePassword="%{keystore.password}"
        trustStore="/security/ssl/truststore/truststore.jks"
        trustStorePassword="%{truststore.password}"
        />
</sslContext>

I set up the transport connector as such:

<transportConnector name="amqp+ssl"
uri="amqp+ssl://0.0.0.0:5671?transport.needClientAuth=true"/>


In Eclipse I went into the Run Configurations and under Arguments -> VM
arguments, I set the path to my truststore and keystore like so:

-Djavax.net.ssl.keyStore=C:/<path>/<to>/<keystore>/client.ks 
-Djavax.net.ssl.keyStorePassword="<password>"
-Djavax.net.ssl.trustStore=C:/<path>/<to>/<truststore>/client.ts 
-Djavax.net.ssl.trustStorePassword="<password>"
-Djavax.net.debug=ssl

The following parameters I added because the debugger in Eclipse had null
for these values.  Before I used them I was just using the ones above; it
didn't seem to make a difference.  But I was desperate, so I added these to
the VM arguments.  I should also note that I also tried adding just the path
to the property but not including the file, like the keystore below.  So I
tried running the send with the parameters below missing the file at the end
and then with the file.

-Djavax.net.ssl.trustStorePath=C:/<path>/<to>/<trustStore>/client.ts
-Djavax.net.ssl.keyStorePath=C:/<path>/<to>/<keystore>

Error:

When I run this, it complains about a bad certificate:

main, WRITE: TLSv1 Handshake, length = 48
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT:  fatal, bad_certificate
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

javax.jms.JMSException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
	at org.apache.qpid.amqp_1_0.jms.impl.ConnectionImpl.connect(ConnectionImpl.java:193)
	at org.apache.qpid.amqp_1_0.jms.impl.ConnectionImpl.start(ConnectionImpl.java:365)

Caused by: org.apache.qpid.amqp_1_0.client.ConnectionException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
	at org.apache.qpid.amqp_1_0.client.TCPTransportProvider.connect(TCPTransportProvider.java:203)
	at org.apache.qpid.amqp_1_0.client.Connection.<init>(Connection.java:278)
	at org.apache.qpid.amqp_1_0.client.Connection.<init>(Connection.java:167)
	at org.apache.qpid.amqp_1_0.jms.impl.ConnectionImpl.connect(ConnectionImpl.java:173)
	... 3 more

Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
	at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
	at org.apache.qpid.amqp_1_0.client.TCPTransportProvider.connect(TCPTransportProvider.java:106)
	... 6 more

Questions:

Does this seem like I am doing something incorrectly?  I really don't
understand where I have made a mistake.  The instructions for setting up the
keystore and truststore on the "How do I use SSL" page are fairly
straightforward.  Also, I don't think I'm doing anything radical here with the
client-side code, as I am basing it off the provided ActiveMQ release
examples.  One-way also works fine, so it is pulling the broker's
certificate just fine when I set NeedClientAuth=false.

If anyone has ideas, I would be happy to try them.  Also, if more
information is needed I will do what I can to provide it.



--
View this message in context: http://activemq.2283324.n4.nabble.com/ActiveMQ-2-Way-Authentication-tp4694960.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
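The standalone check below is added here and is not from the post above or from the qpid/ActiveMQ examples. It builds the client SSLContext explicitly from client.ks and client.ts instead of relying on the javax.net.ssl.* VM arguments, lists what the keystore actually holds (client auth needs a PrivateKeyEntry, not just a trusted certificate), and runs a handshake against the broker so you can see whether a client certificate was presented at all; the paths, password and broker host are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added diagnostic; paths, password and broker host below are placeholders.
public class MutualTlsCheck {
    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");   // keytool's default type on Java 7
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "<password>".toCharArray();
        KeyStore keyStore = load("C:/<path>/<to>/<keystore>/client.ks", pw);
        KeyStore trustStore = load("C:/<path>/<to>/<truststore>/client.ts", pw);

        // The key manager can only present an alias that holds a private key.
        // A trustedCertEntry alone means no client certificate is ever sent.
        for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate c = (X509Certificate) keyStore.getCertificate(alias);
            System.out.println(alias + " isKeyEntry=" + keyStore.isKeyEntry(alias)
                    + " subject=" + c.getSubjectX500Principal()
                    + " issuer=" + c.getIssuerX500Principal());
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, pw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        // Same port as the amqp+ssl transport connector; no AMQP is spoken,
        // only the TLS handshake that fails in the post is exercised.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket("<broker-host>", 5671)) {
            s.startHandshake();
            SSLSession sess = s.getSession();
            System.out.println("handshake ok, cipher=" + sess.getCipherSuite());
            System.out.println("broker cert:  " + sess.getPeerPrincipal());
            // null here means the key manager found no certificate to present.
            System.out.println("client cert:  " + sess.getLocalPrincipal());
        }
    }
}
```

If the handshake still fails here, the issuer printed for the client alias is the one the broker's truststore must contain (for a keytool -genkey self-signed certificate that is the certificate itself); if it succeeds but getLocalPrincipal() is null, no client certificate was chosen and the keystore contents or password are the first thing to check.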
