qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Porto <Joe.Po...@agilex.com>
Subject RE: SSL connection problems from rabbitMQ client
Date Sun, 13 Nov 2011 20:59:42 GMT
PS My config.xml file looks like this (slightly different than yours, maybe because it's .012
version ) ?:

<connector>
        <!-- To enable SSL edit the keystorePath and keystorePassword
             and set enabled to true.
             To disasble Non-SSL port set sslOnly to true -->
        <ssl>
            <enabled>true</enabled>
            <sslOnly>false</sslOnly>
            <keystorePath>/Users/portohome/Development/java_broker_keystore.jks</keystorePath>
            <keystorePassword>password</keystorePassword>
        </ssl>
        <qpidnio>false</qpidnio>
        <protectio>
            <enabled>false</enabled>
            <readBufferLimitSize>262144</readBufferLimitSize>
            <writeBufferLimitSize>262144</writeBufferLimitSize>
        </protectio>
        <transport>nio</transport>
        <port>5672</port>
        <sslport>8672</sslport>
        <socketReceiveBuffer>32768</socketReceiveBuffer>
        <socketSendBuffer>32768</socketSendBuffer>
    </connector>

-Joe
________________________________________
From: Robbie Gemmell [robbie.gemmell@gmail.com]
Sent: Sunday, November 13, 2011 1:38 PM
To: users@qpid.apache.org
Subject: Re: SSL connection problems from rabbitMQ client

Hi Joe,

For the broker side I edited the etc/config.xml file as follows:
1. Enable SSL by setting connector.ssl.enabled to true.
2. Give the keystore path via connector.ssl.keyStorePath
3. Give the keystore password via connector.ssl.keyStorePassword (I
admitedly forgot to tell you that its 'password' for those keystore
files, but it complains about that if its wrong).

Giving the following (replacing /path/to as appropriate):
...
<connector>
    <ssl>
        <port>5671</port>
        <enabled>true</enabled>
        <sslOnly>false</sslOnly>
        <keyStorePath>/path/to/qpid/java/test-profiles/test_resources/ssl/java_broker_keystore.jks</keyStorePath>
        <keyStorePassword>password</keyStorePassword>
    </ssl>
...etc

For the client side I used two examples based on those at
http://www.rabbitmq.com/ssl.html, the first of which doesnt specify a
truststore and a second which does:

RabbitExample.java
==============
import java.io.*;
import java.security.*;
import javax.net.ssl.*;

import com.rabbitmq.client.*;

public class RabbitExample
{
    public static void main(String[] args) throws Exception
    {
        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost("localhost");
        factory.setPort(5671);
        factory.useSslProtocol("TLS"); //Using just
factory.useSslProtocol(); works equally well here.

        Connection conn = factory.newConnection();
        Channel channel = conn.createChannel();

        channel.queueDeclare("rabbitmq-java-test", false, true, true, null);
        channel.basicPublish("", "rabbitmq-java-test", null, "Hello,
World".getBytes());

        GetResponse chResponse = channel.basicGet("rabbitmq-java-test", false);
        if(chResponse == null) {
            System.out.println("No message retrieved");
        } else {
            byte[] body = chResponse.getBody();
            System.out.println("Recieved: " + new String(body));
        }

        channel.close();
        conn.close();
    }
}


ExpandedRabbitExample.java
=====================
import java.io.*;
import java.security.*;
import javax.net.ssl.*;

import com.rabbitmq.client.*;

public class ExpandedRabbitExample
{
    private static final String TRUSTSTORE =
"/path/to/qpid/java/test-profiles/test_resources/ssl/java_client_truststore.jks";
    private static final String TRUSTSTORE_PASSWORD = "password";

    public static void main(String[] args) throws Exception
    {
        KeyStore tks = KeyStore.getInstance("JKS");
        tks.load(new FileInputStream(TRUSTSTORE),
TRUSTSTORE_PASSWORD.toCharArray());

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(tks);

        SSLContext c = SSLContext.getInstance("TLS");
        c.init(null, tmf.getTrustManagers(), null);

        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost("localhost");
        factory.setPort(5671);
        factory.useSslProtocol(c);

        Connection conn = factory.newConnection();
        Channel channel = conn.createChannel();

        channel.queueDeclare("rabbitmq-java-test", false, true, true, null);
        channel.basicPublish("", "rabbitmq-java-test", null, "Hello,
World".getBytes());

        GetResponse chResponse = channel.basicGet("rabbitmq-java-test", false);
        if(chResponse == null) {
            System.out.println("No message retrieved");
        } else {
            byte[] body = chResponse.getBody();
            System.out.println("Recieved: " + new String(body));
        }

        channel.close();
        conn.close();
    }
}


If you cant get the above working, it would be good if you turned on
SSL debug logging to get more information by setting the
'javax.net.debug' system property to 'ssl' for both the client and
broker (for which you can export "-Djavax.net.debug=ssl" into the
JAVA_OPTS environment variable before startup to pass the value),
which will cause them to emit SSL logging to stdout.

Robbie

On 13 November 2011 00:52, Joe Porto <Joe.Porto@agilex.com> wrote:
> Hmm I tried this again (this time with the trunk version of qpid) with the same problem
(socket times out)… I put the broker_keystore path in the config file…. Did you?  Can
you list the steps you did to make this work?  And the code you're using on the client?
>
>
> Joe
> ________________________________________
> From: Robbie Gemmell [robbie.gemmell@gmail.com]
> Sent: Friday, November 11, 2011 6:03 PM
> To: users@qpid.apache.org
> Subject: Re: SSL connection problems from rabbitMQ client
>
> On 11 November 2011 22:13, Joe Porto <Joe.Porto@agilex.com> wrote:
>> I'm assuming you imported those files into your keystore…. When I do that, I'm
getting the following error:
>>
>
> Which files? The test ones I mentioned from our repo? Those already
> are keystore files, with our test certificates/keys/cacerts imported
> as necessary, so you dont need to do anything to them to use them for
> testing.
>
> My comments about importing were directed at the guide you linked to,
> which says nothing about Java keystores because it seems to be for
> configuring an HTTPD installation and therefore the files created by
> it certainly wont work as-is.
>
>>  Certificate not imported, alias <RootCA> already exists
>>
>> I've tried running:  keytool -delete -alias RootCA
>>
>> But, I get an exception:  keystore file does not exist….. I've been messing around
with trying to tell it which keystore, but I don't know which keystore it's complaining about?
>>
>> Keystore –list returns an error saying keystore file does not exist… (and the
path to follow doesn't exist…)
>>
>
> You dont appear to be telling it any keystore file location (
> -keystore <store>) in the above commands, so I imagine it is just
> looking in the default location as a result?
>
> This isnt a process we have documented since there are a wealth of
> different options to choose from, everyones needs are slightly
> different, and the various component parts of [self signed] SSL
> certificates and Java with SSL are documented to death elsewhere
> already...but perhaps we need to.
>
>> Joe
>>
>> From: Robbie Gemmell <robbie.gemmell@gmail.com<mailto:robbie.gemmell@gmail.com>>
>> Date: Thu, 10 Nov 2011 18:10:53 -0500
>> To: Joe Porto <joe.porto@agilex.com<mailto:joe.porto@agilex.com>>
>> Cc: "users@qpid.apache.org<mailto:users@qpid.apache.org>" <users@qpid.apache.org<mailto:users@qpid.apache.org>>
>> Subject: Re: SSL connection problems from rabbitMQ client
>>
>> Are you just using the files created from that guide directly? If so
>> that could be the problem, since you need to import the certificate /
>> key into a truststore / keystore file before using them, e.g. using
>> the keytool command bundled with the JDK.
>>
>> Robbie
>>
>> On 10 November 2011 22:21, Joe Porto <Joe.Porto@agilex.com<mailto:Joe.Porto@agilex.com>>
wrote:
>> Ah I read your response too quickly!  I enabled the use SSL setting to true
>> in the config.xml…and I used the keystore and truststore  that I created
>> myself following this website:
>>  http://www.akadia.com/services/ssh_test_certificate.html
>> I'll give the sample ones a shot…
>>
>> Joe
>>
>> From: Robbie Gemmell <robbie.gemmell@gmail.com<mailto:robbie.gemmell@gmail.com>>
>>
>> Date: Thu, 10 Nov 2011 16:48:32 -0500
>> To: Joe Porto <joe.porto@agilex.com<mailto:joe.porto@agilex.com>>
>> Cc: "users@qpid.apache.org<mailto:users@qpid.apache.org>" <users@qpid.apache.org<mailto:users@qpid.apache.org>>
>> Subject: Re: SSL connection problems from rabbitMQ client
>>
>> Erm, so was I ? :)
>> Robbie
>> On 10 November 2011 21:26, Joe Porto <Joe.Porto@agilex.com<mailto:Joe.Porto@agilex.com>>
wrote:
>>
>> I was using a Qpid Broker…
>> Joe
>> From: Robbie Gemmell <robbie.gemmell@gmail.com<mailto:robbie.gemmell@gmail.com>>
>> Date: Thu, 10 Nov 2011 16:20:54 -0500
>> To: Joe Porto <joe.porto@agilex.com<mailto:joe.porto@agilex.com>>
>> Cc: "users@qpid.apache.org<mailto:users@qpid.apache.org>" <users@qpid.apache.org<mailto:users@qpid.apache.org>>
>> Subject: Re: SSL connection problems from rabbitMQ client
>> Hi Joe,
>> I just tried out connecting the RabbitMQ client using SSL to the
>> latest trunk revision of the Java broker, and it seemed to work ok
>> (well, it did make me notice that when we changed IO layers for the
>> broker and some protocols for the client recently that we missed a
>> limitation of SSLSocket that mean ConnectionClose currently generates
>> a nice stacktrace...but other than that, it works). Deliberately
>> making the client connect to the brokers 'plain' port failed as
>> expected, as did setting the client not to use SSL and connecting it
>> to the brokers SSL port. As well as the simpler 'no verification'
>> example you were using, I used an exapanded example based on those at
>> http://www.rabbitmq.com/ssl.html (the Java broker doesnt currently
>> support validating client certificates so I removed those bits).
>> Could you share how you are configuring the broker, and creating your
>> certificates? I used the broker keystore and client truststore we use
>> in our tests, which are located at
>> qpid/java/test-profiles/test_resources/ssl/java_broker_keystore.jks
>> and qpid/java/test-profiles/test_resources/ssl/java_client_truststore.jks
>> in a checkout of our trunk
>> (http://svn.apache.org/repos/asf/qpid/trunk/)
>> Regards,
>> Robbie
>> On 9 November 2011 20:45, Joe Porto <Joe.Porto@agilex.com<mailto:Joe.Porto@agilex.com>>
wrote:
>> I don't know… only have been playing with the qpid broker….
>> From: Robbie Gemmell <robbie.gemmell@gmail.com<mailto:robbie.gemmell@gmail.com>>
>> Date: Wed, 9 Nov 2011 15:44:04 -0500
>> To: "users@qpid.apache.org<mailto:users@qpid.apache.org>" <users@qpid.apache.org<mailto:users@qpid.apache.org>>
>> Cc: Joe Porto <joe.porto@agilex.com<mailto:joe.porto@agilex.com>>
>> Subject: Re: SSL connection problems from rabbitMQ client
>> Interesting. This isnt a combination that I have tried before, but I
>> dont know any obvious reason it wouldnt work. I will try to take a
>> look at it, but it isnt likely to be for a few days at best. The
>> default example broker config was changed to use port 5671 because
>> that is the assigned port for AMQP + SSL, I dont know where the number
>> previously [not] used in the config came from.
>> Out of interest, do you know if the client SSL example works ok when
>> using the RabbitMQ broker?
>> Robbie
>> On 8 November 2011 20:55, Joe Porto <Joe.Porto@agilex.com<mailto:Joe.Porto@agilex.com>>
wrote:
>> Hi Robbie,
>> Thanks for the quick feedback.  I installed the .15 version and enabled the
>> configuration to use SSL (interesting they changed the port to 5671).  It
>> still fails from the client side at the same point (when it's trying to send
>> the header) , but this time it doesn't throw an error in the server log.
>> Thoughts?
>> Joe
>> From: Robbie Gemmell <robbie.gemmell@gmail.com<mailto:robbie.gemmell@gmail.com>>
>> Reply-To: "users@qpid.apache.org<mailto:users@qpid.apache.org>" <users@qpid.apache.org<mailto:users@qpid.apache.org>>
>> Date: Tue, 8 Nov 2011 15:16:04 -0500
>> To: "users@qpid.apache.org<mailto:users@qpid.apache.org>" <users@qpid.apache.org<mailto:users@qpid.apache.org>>
>> Subject: Re: SSL connection problems from rabbitMQ client
>> Put simply, SSL support in the broker wasnt functional until after
>> 0.12 was finalised. It was fixed as part of the development stream for
>> 0.14, which branched from trunk a few days ago for release in around a
>> month.
>> You will need to use a non-release version if you want to make it work
>> in the mean time. You can get a nightly release build of the current
>> trunk broker at the following URL if you want to at least try it out:
>> https://builds.apache.org/view/M-R/view/Qpid/job/Qpid-Java-Release/lastSuccessfulBuild/artifact/trunk/qpid/java/broker/release/
>> Robbie
>> On 8 November 2011 19:42, Joe Porto <Joe.Porto@agilex.com<mailto:Joe.Porto@agilex.com>>
wrote:
>> I am running the .12 release of a java qpid broker.  I am trying to access
>> it via a rabbitmq java client.  When not using SSL, this works well and I am
>> able to send and receive a msg on the client. When I enable SSL and try to
>> connect to the SSL port on the broker, I get a SocketTimeOutException on the
>> client side.  Tracing through the rabbitMQ code – it looks like this occurs
>> when the client tries sending just the AMQP header.  On the qpid broker,
>> this error is thrown in the log:
>> ERROR [MINANetworkDriver(Acceptor)-15] (MINANetworkDriver.java:315) -
>> Exception thrown and no ProtocolEngine to handle it
>> java.lang.NullPointerException
>> at
>> org.apache.qpid.transport.network.mina.MINANetworkDriver.messageReceived(MINANetworkDriver.java:337)
>> at
>> org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:703)
>> at
>> org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
>> at
>> org.apache.mina.common.support.AbstractIoFilterChain.access$1200(AbstractIoFilterChain.java:54)
>> at
>> org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
>> at
>> org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:243)
>> at
>> org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:305)
>> at
>> edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
>> at
>> edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
>> at java.lang.Thread.run(Thread.java:680)
>> ---------------------------
>> My sample client code looks like this: (the client hangs on
>> factory.newConnection();, and eventually the socket times out)
>> ConnectionFactory factory = new ConnectionFactory();
>> factory.setHost("10.1.21.21");
>> factory.setPort(8672);
>> factory.setVirtualHost("10.1.21.21");
>> factory.useSslProtocol("TLS");
>> Connection conn = factory.newConnection();
>> Channel channel = conn.createChannel();
>> …
>> ---------------------
>> Any help would be greatly appreciated!
>> -Joe
>> ---------------------------------------------------------------------
>> Apache Qpid - AMQP Messaging Implementation
>> Project:      http://qpid.apache.org
>> Use/Interact: mailto:users-subscribe@qpid.apache.org
>>
>>
>>
>>
>>
>>
>>
>
> ---------------------------------------------------------------------
> Apache Qpid - AMQP Messaging Implementation
> Project:      http://qpid.apache.org
> Use/Interact: mailto:users-subscribe@qpid.apache.org
>
>
> ---------------------------------------------------------------------
> Apache Qpid - AMQP Messaging Implementation
> Project:      http://qpid.apache.org
> Use/Interact: mailto:users-subscribe@qpid.apache.org
>
>

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org


Mime
View raw message