activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Parodi, Flavio" <>
Subject Client certificate update on a TLS connection
Date Fri, 14 Jun 2019 14:08:39 GMT
Hi all,

I’m trying to find a solution for the following use case. I’m running a JMS client that
needs to connect on a secure (TLS) broker transport. The client is authenticated on server
side via X509 certificates. The code that creates connections, sessions and producer or consumers
on top is quite consolidated and has been running stable for some time. To give an idea, a
producer is created as follows:

String remoteAddress = "failover:(nio+ssl://<host>:61616?daemon=true&amp;soTimeout=60000)?initialReconnectDelay=5000"
// Configure the secure connection factory.
ActiveMQSslConnectionFactory connectionFactory = new ActiveMQSslConnectionFactory(remoteAddress);

Connection connection = connectionFactory.createConnection();

Session session = connection.createSession(transacted, Session.AUTO_ACKNOWLEDGE);
Destination destination = session.createQueue(subject);

MessageProducer producer = session.createProducer(destination);

I need to implement a procedure to update a client certificate as it approaches expiration.
After some investigation and testing, I could see that new connections are created using the
new certificate, once the connection factory keyStore is updated with it. This was confirmed
by inspecting handshake packets via Wireshark. As for running connections, my initial plan
was not to close them explicitly and wait for a disconnection (e.g. either enforced by the
backend or due to a connection outage). In short, I expected existing connections to keep
on running with the current certificate and use the updated one after the first reconnection.
Unfortunately, tests showed that this is not taking place; apparently, the usage of failover
does not allow the connection to be recreated from the updated factory. Even after an active
connection is closed due to a network outage, once it is re-established by the failover it
still references the old certificate.

Given that, I tried out to explicitly close the connection (javax.jms.Connection.close())
once the updated certificate is available. But this seems to be rather uncorrelated to the
lifecycle of the underlying TLS transport and hence does not work consistently.
Does anyone have suggestions/can point me to some documentation resource that could help?

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message