qpid-users mailing list archives

From Jakub Scholz <ja...@scholz.cz>
Subject Re: [Qpid Java Broker-6.0.0] Using SSL with JMS clients for AMQP
Date Thu, 02 Jun 2016 18:57:01 GMT
Well, you should be of course able to also use SSL + anonymous ... without
the client authentication the SSL layer would not help with identity, but
will still encrypt the communication.

Jakub

On Thu, Jun 2, 2016 at 6:30 PM, Adel Boutros <adelboutros@live.com> wrote:

> So just to confirm I understood you correctly, I have to use either full
> anonymous connections or SSL + SASL connections. Correct?
>
>
>
> Regards,
>
> Adel
> > Date: Thu, 2 Jun 2016 18:16:28 +0200
> > Subject: Re: [Qpid Java Broker-6.0.0] Using SSL with JMS clients for AMQP
> > From: jakub@scholz.cz
> > To: users@qpid.apache.org
> >
> > The SASL basically covers everything. You can either connect without SASL
> > as an anonymous connection or with SASL. SASL has several different
> > mechanisms which do different kinds of authentication ... username/password,
> > external with certificates and more. I think the Python and C++ bindings for
> > Proton-c now in 0.12 support both username / password based authentication
> > as well as certificate based authentication. I'm not sure for the other
> > parts of Proton-c.
> >
> > Jakub
> >
> > On Thu, Jun 2, 2016 at 5:15 PM, Adel Boutros <adelboutros@live.com> wrote:
> >
> > > If I remember correctly, proton-c clients do not support the PLAIN
> > > mechanism. So I cannot use a simple username and password and I am
> > > forced to use SASL then. Correct?
> > >
> > > Regards,
> > > Adel
> > >
> > > > Date: Thu, 2 Jun 2016 17:11:58 +0200
> > > > Subject: Re: [Qpid Java Broker-6.0.0] Using SSL with JMS clients for AMQP
> > > > From: jakub@scholz.cz
> > > > To: users@qpid.apache.org
> > > >
> > > > If you want something else than an anonymous connection, you still need
> > > > to do SASL authentication inside of the SSL connection. The SASL EXTERNAL
> > > > mechanism would take the identity of the connected user from the SSL
> > > > layer. But to be able to use it, you would need to enable the SSL Client
> > > > Authentication again - because only with the client authentication the
> > > > broker will have the identity.
> > > >
> > > > With your current SSL setup, you should be able to use for example
> > > > username / password based mechanisms (PLAIN, DIGEST-MD5 etc.). The client
> > > > should enable them if you specify the username and password in the
> > > > connection URL (see the JMS client documentation). You of course need to
> > > > have them also enabled on the broker.
> > > >
> > > > J.
> > > >
> > > > On Thu, Jun 2, 2016 at 4:52 PM, Adel Boutros <adelboutros@live.com> wrote:
> > > >
> > > > > Hello Jakub,
> > > > >
> > > > > Indeed that was the issue. I turned off "Client Certificate". Now I have
> > > > > an exception about SASL. Can I use SSL without SASL? Is it because I am
> > > > > using an "External" authentication provider?
> > > > >
> > > > > Exception in thread "main" javax.jms.JMSSecurityException: Could not find a suitable SASL mechanism for the remote peer using the available credentials.
> > > > >     at org.apache.qpid.jms.provider.amqp.AmqpSaslAuthenticator.handleSaslInit(AmqpSaslAuthenticator.java:120)
> > > > >     at org.apache.qpid.jms.provider.amqp.AmqpSaslAuthenticator.authenticate(AmqpSaslAuthenticator.java:87)
> > > > >     at org.apache.qpid.jms.provider.amqp.AmqpProvider.processSaslAuthentication(AmqpProvider.java:827)
> > > > >     at org.apache.qpid.jms.provider.amqp.AmqpProvider.processUpdates(AmqpProvider.java:814)
> > > > >     at org.apache.qpid.jms.provider.amqp.AmqpProvider.access$1900(AmqpProvider.java:92)
> > > > >     at org.apache.qpid.jms.provider.amqp.AmqpProvider$17.run(AmqpProvider.java:701)
> > > > >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> > > > >     at java.util.concurrent.FutureTask.run(FutureTask.java:262)
> > > > >     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
> > > > >     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
> > > > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> > > > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> > > > >     at java.lang.Thread.run(Thread.java:744)
> > > > >
> > > > > Regards,
> > > > > Adel
> > > > > > Date: Thu, 2 Jun 2016 16:36:28 +0200
> > > > > > Subject: Re: [Qpid Java Broker-6.0.0] Using SSL with JMS clients for AMQP
> > > > > > From: jakub@scholz.cz
> > > > > > To: users@qpid.apache.org
> > > > > >
> > > > > > The bad_certificate error means that the broker doesn't like the client
> > > > > > SSL certificate.
> > > > > >
> > > > > > What kind of SSL authentication do you want? It looks like you configured
> > > > > > the port on the broker in a way that it requires SSL client authentication
> > > > > > (using the fields Need SSL Client Certificate: Yes and Want SSL Client
> > > > > > Certificate: Yes). But in the client you seem to define only the
> > > > > > truststore which contains the broker public key. Maybe you can try to
> > > > > > switch the client authentication off in the broker.
> > > > > >
> > > > > > Running the client with system property javax.net.debug set to "ssl"
> > > > > > would produce a nice detailed SSL log which can help further.
> > > > > >
> > > > > > Regards
> > > > > > Jakub
> > > > > >
> > > > > > On Thu, Jun 2, 2016 at 4:10 PM, Adel Boutros <adelboutros@live.com> wrote:
> > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > I have generated a certificate for my machine using openssl 1.0.2
> > > > > > > (openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes).
> > > > > > >
> > > > > > > I have created a new Authentication Provider of type "External".
> > > > > > >
> > > > > > > I have created a new KeyStore of type "Non Java Key Store" and uploaded
> > > > > > > the private key and certificate generated by the previous step.
> > > > > > >
> > > > > > > I have created a new TrustStore of type "Non Java Key Store" and
> > > > > > > uploaded the certificate generated by the first step.
> > > > > > >
> > > > > > > I have created an AMQP port with the following configuration
> > > > > > >         Name: AMQPS
> > > > > > >         Port Type: AMQP
> > > > > > >         Port Number: 10400
> > > > > > >         Protocols: AMQP_1_0
> > > > > > >         Authentication Provider: sslWithTlsProvider
> > > > > > >         Binding address: *
> > > > > > >         Transports: SSL
> > > > > > >         Key Store: SslCertificateStore
> > > > > > >         Need SSL Client Certificate: Yes
> > > > > > >         Want SSL Client Certificate: Yes
> > > > > > >         Trust Stores: SSLTrustStore
> > > > > > >         Number of connection threads: 8
> > > > > > >
> > > > > > > I restarted the broker after all of this configuration.
> > > > > > >
> > > > > > > Now, I want to have a JMS consumer connect to this broker using SSL. I
> > > > > > > couldn't find any documentation about it beside the doc page
> > > > > > > (https://qpid.apache.org/releases/qpid-jms-0.8.0/docs/index.html) which
> > > > > > > doesn't provide an example or detailed information.
> > > > > > >
> > > > > > > I created a trustStore for the JMS client and added the certificate to
> > > > > > > it (keytool -import -file cert.pem --keystore D:\qpid-broker\myTrustStore)
> > > > > > > but it isn't working.
> > > > > > >
> > > > > > > Can you please help me setup a working example?
> > > > > > >
> > > > > > > PS: I am using Non Java stores because I will have Proton-c clients
> > > > > > > later on.
> > > > > > >
> > > > > > > import javax.jms.Connection;
> > > > > > > import javax.jms.ConnectionFactory;
> > > > > > > import javax.jms.JMSException;
> > > > > > > import org.apache.qpid.jms.JmsConnectionFactory;
> > > > > > >
> > > > > > > public static void main(String[] args) throws JMSException {
> > > > > > >     // trust store holds only the broker certificate (cert.pem); no client key store is set
> > > > > > >     System.setProperty("javax.net.ssl.trustStore", "D:\\qpid-broker\\myTrustStore");
> > > > > > >     System.setProperty("javax.net.ssl.trustStorePassword", "password");
> > > > > > >     ConnectionFactory connectionFactory = new JmsConnectionFactory("amqps://aboutros:10400");
> > > > > > >     Connection connection = connectionFactory.createConnection();
> > > > > > > }
> > > > > > >
> > > > > > > Error: javax.net.ssl.SSLException: Received fatal alert: bad_certificate
> > > > > > >
> > > > > > > Regards,
> > > > > > > Adel
> > > > > > >
> > > > > > > --
> > > > > > > View this message in context:
> > > > > > > http://qpid.2158936.n2.nabble.com/Qpid-Java-Broker-6-0-0-Using-SSL-with-JMS-clients-for-AMQP-tp7644953.html
> > > > > > > Sent from the Apache Qpid users mailing list archive at Nabble.com.
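As an added example, not code from the thread or from the Qpid project, the two working combinations Jakub describes side by side: SSL with a client certificate plus SASL EXTERNAL (identity taken from the certificate, External provider on the broker), and SSL with server authentication only plus SASL PLAIN (client certificate off, a username/password provider on the broker). It uses the qpid-jms URI options transport.trustStoreLocation, transport.keyStoreLocation and amqp.saslMechanisms, which should be checked against the client docs for the version in use; the client key store path D:/qpid-broker/clientKeyStore and the credentials guest/guest are constructed placeholders.

```java
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import org.apache.qpid.jms.JmsConnectionFactory;

public class QpidSslSaslExample {
    static final String BROKER = "amqps://aboutros:10400";           // host/port from the thread
    static final String TRUST_STORE = "D:/qpid-broker/myTrustStore"; // trust store from the thread
    static final String KEY_STORE = "D:/qpid-broker/clientKeyStore"; // assumed placeholder path

    // Option A: SSL client authentication + SASL EXTERNAL.
    // Broker port needs "Need SSL Client Certificate: Yes", the External
    // provider, and a trust store containing the client's certificate.
    static ConnectionFactory externalFactory() {
        String uri = BROKER
            + "?transport.trustStoreLocation=" + TRUST_STORE
            + "&transport.trustStorePassword=password"
            + "&transport.keyStoreLocation=" + KEY_STORE      // client cert + private key
            + "&transport.keyStorePassword=password"
            + "&amqp.saslMechanisms=EXTERNAL";                // option names assumed, see lead-in
        return new JmsConnectionFactory(uri);
    }

    // Option B: server-only SSL + SASL PLAIN.
    // Broker port with client certificate off and a username/password
    // provider (not External). The trust store still verifies the broker,
    // so the password only ever travels inside the TLS session.
    static ConnectionFactory plainFactory() {
        String uri = BROKER
            + "?transport.trustStoreLocation=" + TRUST_STORE
            + "&transport.trustStorePassword=password"
            + "&amqp.saslMechanisms=PLAIN";
        return new JmsConnectionFactory(uri);
    }

    public static void main(String[] args) throws JMSException {
        // Run with -Djavax.net.debug=ssl to see the handshake, as Jakub suggests.
        boolean useExternal = args.length > 0 && args[0].equals("external");
        Connection connection = useExternal
            ? externalFactory().createConnection()                // identity from the client cert
            : plainFactory().createConnection("guest", "guest");  // constructed credentials
        try {
            connection.start();
            System.out.println("Connected using " + (useExternal ? "EXTERNAL" : "PLAIN"));
        } finally {
            connection.close();
        }
    }
}
```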
