activemq-users mailing list archives

From Justin Bertram <jbert...@apache.org>
Subject Re: How to configure a symmetric cluster with SSL acceptors/connectors
Date Tue, 13 Jun 2017 19:37:56 GMT
I wouldn't expect a connector using "0.0.0.0" to actually work unless the thing using that
connector was on the same machine as the server where it's configured.  Can you configure
all your connectors to use actual IP addresses?

If you still have problems after this could you work up a reproducible test-case using e.g.
one of the clustered examples shipped with the broker?


Justin
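One way to check a broker.xml for the connector mistake Justin describes above, as an example added here (not code from the thread or from the Artemis project); the embedded fragment is constructed from the configs quoted below, and the `urn:activemq:core` namespace is assumed to match a stock broker.xml:

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed broker.xml fragment modelled on the server1 config in the thread
# (not copied from it); "typo-ref" is added to show the dangling-ref check.
BROKER_XML = """<core xmlns="urn:activemq:core">
  <connectors>
    <connector name="ssl-pulheim1m">tcp://0.0.0.0:10611?sslEnabled=true;needClientAuth=true</connector>
    <connector name="ssl-roki1m">tcp://server2:10711?sslEnabled=true;trustStorePath=../etc/truststore.jks</connector>
  </connectors>
  <cluster-connections>
    <cluster-connection name="pulheim-roki">
      <connector-ref>ssl-pulheim1m</connector-ref>
      <static-connectors>
        <connector-ref>ssl-roki1m</connector-ref>
        <connector-ref>typo-ref</connector-ref>
      </static-connectors>
    </cluster-connection>
  </cluster-connections>
</core>"""

NS = {"c": "urn:activemq:core"}
# Hosts that only mean something on the machine that defines the connector.
LOCAL_ONLY = {"0.0.0.0", "::", "127.0.0.1", "::1", "localhost"}

def parse_transport_url(url):
    """Split an Artemis transport URL into (host, port, params dict)."""
    u = urlsplit(url.strip())
    params = dict(kv.split("=", 1) for kv in u.query.split(";") if "=" in kv)
    return u.hostname, u.port, params

def lint_cluster_connectors(xml_text):
    """Return (cluster-connection, connector-ref, problem) triples.

    The node's own connector-ref is the address it advertises to peers and the
    static-connectors are the addresses it dials, so neither may be local-only
    (0.0.0.0 etc.) when the peer is another machine; dangling refs are flagged too.
    """
    root = ET.fromstring(xml_text)
    connectors = {c.get("name"): (c.text or "") for c in root.findall("c:connectors/c:connector", NS)}
    findings = []
    for cc in root.findall("c:cluster-connections/c:cluster-connection", NS):
        refs = [(cc.findtext("c:connector-ref", namespaces=NS), "connector-ref")]
        refs += [(r.text, "static-connectors") for r in cc.findall("c:static-connectors/c:connector-ref", NS)]
        for ref, where in refs:
            if ref not in connectors:
                findings.append((cc.get("name"), ref, f"{where}: no <connector> named {ref!r}"))
                continue
            host, _port, _params = parse_transport_url(connectors[ref])
            if host in LOCAL_ONLY:
                findings.append((cc.get("name"), ref, f"{where}: host {host} is unreachable from other nodes"))
    return findings
```

Run it against a real broker.xml by passing the file contents to `lint_cluster_connectors`; an empty list means every referenced connector exists and uses a routable host.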

----- Original Message -----
From: "igge47" <igna_garcia@hotmail.com>
To: users@activemq.apache.org
Sent: Tuesday, June 13, 2017 6:47:33 AM
Subject: How to configure a symmetric cluster with SSL acceptors/connectors

Hello,
I am using AMQ7, with Java version "1.8.0_111". 

I want to configure a symmetric cluster of static connectors, and I want to
enable SSL connection between them. The connection is done between /server1/
and /server2/.
I have successfully set this configuration with TCP connectors: the bridges
are correctly set and I can see the different nodes in the Management
Console. The problem comes when trying to enable SSL inside the
connectors/acceptors. I receive this error:

AMQ222186: unable to authorize cluster control.

The acceptors/connectors & cluster definition on */server1/*:
…
      <acceptors>
         <acceptor name="ssl-pulheim1m">tcp://0.0.0.0:10611?sslEnabled=true;keyStorePath=../etc/pulheim1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd;needClientAuth=true</acceptor>
      </acceptors>
      <connectors>
         <connector name="ssl-pulheim1m">tcp://0.0.0.0:10611?sslEnabled=true;keyStorePath=../etc/pulheim1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd</connector>
         <connector name="ssl-roki1m">tcp://server2:10711?sslEnabled=true;keyStorePath=../etc/roki1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd</connector>
      </connectors>

      <ha-policy>
         <shared-store>
            <master>
               <failover-on-shutdown>true</failover-on-shutdown>
            </master>
         </shared-store>
      </ha-policy>

      <cluster-user>username</cluster-user>
      <cluster-password>pwd</cluster-password>
      <cluster-connections>
         <cluster-connection name="pulheim-roki">
            <connector-ref>ssl-pulheim1m</connector-ref>
            <retry-interval>500</retry-interval>
            <use-duplicate-detection>true</use-duplicate-detection>
            <message-load-balancing>STRICT</message-load-balancing>
            <max-hops>1</max-hops>
            <static-connectors>
               <connector-ref>ssl-roki1m</connector-ref>
            </static-connectors>
         </cluster-connection>
      </cluster-connections>

      <security-settings>
         <security-setting match="#">
            <permission type="createNonDurableQueue" roles="amq, admin"/>
            <permission type="deleteNonDurableQueue" roles="amq, admin"/>
            <permission type="createDurableQueue" roles="amq, admin"/>
            <permission type="deleteDurableQueue" roles="amq, admin"/>
            <permission type="createAddress" roles="amq, admin"/>
            <permission type="deleteAddress" roles="amq, admin"/>
            <permission type="consume" roles="amq, admin"/>
            <permission type="browse" roles="amq, admin"/>
            <permission type="send" roles="amq, admin"/>
            <permission type="manage" roles="amq, admin"/>
            <permission roles="consumers, admin" type="consume"/>
            <permission roles="producers, admin" type="manage"/>
         </security-setting>
      </security-settings>
…

The acceptors/connectors & cluster definition on */server2/*:

…
      <acceptors>
         <acceptor name="ssl-roki1m">tcp://0.0.0.0:10711?sslEnabled=true;keyStorePath=../etc/roki1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd;needClientAuth=true</acceptor>
      </acceptors>
      <connectors>
         <connector name="ssl-pulheim1m">tcp://server1:10611?sslEnabled=true;keyStorePath=../etc/roki1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd</connector>
         <connector name="ssl-roki1m">tcp://0.0.0.0:10711?sslEnabled=true;keyStorePath=../etc/roki1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd</connector>
      </connectors>

      <ha-policy>
         <shared-store>
            <master>
               <failover-on-shutdown>true</failover-on-shutdown>
            </master>
         </shared-store>
      </ha-policy>

      <cluster-user>username</cluster-user>
      <cluster-password>pwd</cluster-password>
      <cluster-connections>
         <cluster-connection name="pulheim-roki">
            <connector-ref>ssl-roki1m</connector-ref>
            <retry-interval>500</retry-interval>
            <use-duplicate-detection>true</use-duplicate-detection>
            <message-load-balancing>STRICT</message-load-balancing>
            <max-hops>1</max-hops>
            <static-connectors>
               <connector-ref>ssl-pulheim1m</connector-ref>
            </static-connectors>
         </cluster-connection>
      </cluster-connections>

      <security-settings>
         <security-setting match="#">
            <permission type="createNonDurableQueue" roles="amq, admin"/>
            <permission type="deleteNonDurableQueue" roles="amq, admin"/>
            <permission type="createDurableQueue" roles="amq, admin"/>
            <permission type="deleteDurableQueue" roles="amq, admin"/>
            <permission type="createAddress" roles="amq, admin"/>
            <permission type="deleteAddress" roles="amq, admin"/>
            <permission type="consume" roles="amq, admin"/>
            <permission type="browse" roles="amq, admin"/>
            <permission type="send" roles="amq, admin"/>
            <permission type="manage" roles="amq, admin"/>
            <permission roles="consumers, admin" type="consume"/>
            <permission roles="producers, admin" type="manage"/>
         </security-setting>
      </security-settings>
…

I use self-signed certificates inside the trust-/keystores. The
trust-/keystores are local directories on each server, and they have both
Server A’s and Server B’s certificates included. The SSL Handshake doesn’t
cast any error. 

*/login.conf/*:

activemq {
   org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
       debug=false
       reload=true
       org.apache.activemq.jaas.properties.user="artemis-users.properties"
       org.apache.activemq.jaas.properties.role="artemis-roles.properties";

   org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule sufficient
       debug=false
       org.apache.activemq.jaas.guest.user="admin011"
       org.apache.activemq.jaas.guest.role="amq";
};

activemq-cert {
   org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule optional
       debug=true
       org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
       org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
};

*/cert-users.properties/* - I use the DN from the certificates:

producer=EMAILADDRESS=xxxx@xxx.xxx,CN=SecZone_2,OU=XXX,O=XXX,ST=XXX,C=XX

*/cert-roles.properties/*

Producers=producer

*/bootstrap.xml/*

<broker xmlns="http://activemq.org/schema">

   <jaas-security domain="activemq" certificate-domain="activemq-cert"/>

   <server configuration="${artemis.URI.instance}/etc/broker.xml"/>

   <web bind="https://zs03ne:8164" path="web"
        keyStorePath="/opt/amq/jboss-amq-7.0.0.redhat-1/roki1/etc/keystore_zs03ne_https.jks"
        keyStorePassword="admin011" clientAuth="false"
        trustStorePath="/opt/amq/jboss-amq-7.0.0.redhat-1/roki1/etc/truststore_https.jks"
        trustStorePassword="admin011">
       <app url="redhat-branding" war="redhat-branding.war"/>
       <app url="jolokia" war="jolokia.war"/>
       <app url="hawtio" war="hawtio-no-slf4j.war"/>
       <app url="artemis-plugin" war="artemis-plugin.war"/>
       <app url="dispatch-hawtio-console" war="dispatch-hawtio-console.war"/>
   </web>
</broker>

Looking forward to receiving further guidance,
Ignacio

--
View this message in context: http://activemq.2283324.n4.nabble.com/How-to-configure-a-symmetric-cluster-with-SSL-acceptors-connectors-tp4727351.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.