qpid-users mailing list archives

From Adel Boutros <adelbout...@live.com>
Subject RE: [Qpid Java Broker-6.0.0] Using SSL with JMS clients for AMQP
Date Fri, 03 Jun 2016 07:59:46 GMT
I changed the port configuration to have an anonymous Authentication Provider but an SSL transport
and it seems to be working. Do the logs below confirm that the message was encrypted using SSL?

SSL log when sender sends message:
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Application Data, length = 178
> Date: Thu, 2 Jun 2016 20:57:01 +0200
> Subject: Re: [Qpid Java Broker-6.0.0] Using SSL with JMS clients for AMQP‏
> From: jakub@scholz.cz
> To: users@qpid.apache.org
> 
> Well, you should be of course able to also use SSL + anonymous ... without
> the client authentication the SSL layer would not help with identity, but
> will still encrypt the communication.
> 
> Jakub
> 
> On Thu, Jun 2, 2016 at 6:30 PM, Adel Boutros <adelboutros@live.com> wrote:
> 
> > So just to confirm I understood you correctly, I have to use either full anonymous
> > connections or SSL + SASL connections. Correct?
> >
> > Regards,
> >
> > Adel
> > > Date: Thu, 2 Jun 2016 18:16:28 +0200
> > > Subject: Re: [Qpid Java Broker-6.0.0] Using SSL with JMS clients for AMQP
> > > From: jakub@scholz.cz
> > > To: users@qpid.apache.org
> > >
> > > The SASL basically covers everything. You can either connect without SASL
> > > as anonymous connection or with SASL. SASL has several different mechanisms
> > > which do different kind of authentication ... username/password, external
> > > with certificates and more. I think the Python and C++ bindings for
> > > Proton-c now in 0.12 support both username / password based authentication
> > > as well as certificate based authentication. I'm not sure for the other
> > > parts of Proton-c.
> > >
> > > Jakub
> > >
> > > On Thu, Jun 2, 2016 at 5:15 PM, Adel Boutros <adelboutros@live.com> wrote:
> > >
> > > > If I remember correctly, proton-c clients do not support Plain mechanism.
> > > > So I cannot use a simple username and password and I am forced to use SASL
> > > > then.
> > > > Correct?
> > > >
> > > > Regards,
> > > > Adel
> > > >
> > > > > Date: Thu, 2 Jun 2016 17:11:58 +0200
> > > > > Subject: Re: [Qpid Java Broker-6.0.0] Using SSL with JMS clients for AMQP
> > > > > From: jakub@scholz.cz
> > > > > To: users@qpid.apache.org
> > > > >
> > > > > If you want something else than anonymous connection, you still need to
> > > > > do SASL authentication inside of the SSL connection. The SASL EXTERNAL
> > > > > mechanism would take the identity of the connected user from the SSL
> > > > > layer. But to be able to use it, you would need to enable the SSL Client
> > > > > Authentication again - because only with the client authentication the
> > > > > broker will have the identity.
> > > > >
> > > > > With your current SSL setup, you should be able to use for example
> > > > > username / password based mechanisms (PLAIN, DIGEST-MD5 etc.). The client
> > > > > should enable them if you specify the username and password in the
> > > > > connection URL (see the JMS client documentation). You of course need to
> > > > > have them also enabled on the broker.
> > > > >
> > > > > J.
> > > > >
> > > > > On Thu, Jun 2, 2016 at 4:52 PM, Adel Boutros <adelboutros@live.com> wrote:
> > > > >
> > > > > > Hello Jakub,
> > > > > >
> > > > > > Indeed that was the issue. I turned off "Client Certificate". Now I have
> > > > > > an exception about SASL. Can I use SSL without SASL? Is it because I am
> > > > > > using an "External" authentication provider?
> > > > > >
> > > > > > Exception in thread "main" javax.jms.JMSSecurityException: Could not find a suitable SASL mechanism for the remote peer using the available credentials.
> > > > > >     at org.apache.qpid.jms.provider.amqp.AmqpSaslAuthenticator.handleSaslInit(AmqpSaslAuthenticator.java:120)
> > > > > >     at org.apache.qpid.jms.provider.amqp.AmqpSaslAuthenticator.authenticate(AmqpSaslAuthenticator.java:87)
> > > > > >     at org.apache.qpid.jms.provider.amqp.AmqpProvider.processSaslAuthentication(AmqpProvider.java:827)
> > > > > >     at org.apache.qpid.jms.provider.amqp.AmqpProvider.processUpdates(AmqpProvider.java:814)
> > > > > >     at org.apache.qpid.jms.provider.amqp.AmqpProvider.access$1900(AmqpProvider.java:92)
> > > > > >     at org.apache.qpid.jms.provider.amqp.AmqpProvider$17.run(AmqpProvider.java:701)
> > > > > >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> > > > > >     at java.util.concurrent.FutureTask.run(FutureTask.java:262)
> > > > > >     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
> > > > > >     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
> > > > > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> > > > > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> > > > > >     at java.lang.Thread.run(Thread.java:744)
> > > > > >
> > > > > > Regards,
> > > > > > Adel
> > > > > > > Date: Thu, 2 Jun 2016 16:36:28 +0200
> > > > > > > Subject: Re: [Qpid Java Broker-6.0.0] Using SSL with JMS clients for AMQP
> > > > > > > From: jakub@scholz.cz
> > > > > > > To: users@qpid.apache.org
> > > > > > >
> > > > > > > The bad_certificate error means that the broker doesn't like the client
> > > > > > > SSL certificate.
> > > > > > >
> > > > > > > What kind of SSL authentication do you want? It looks like you
> > > > > > > configured the port on the broker in a way that it requires SSL client
> > > > > > > authentication (using the fields Need SSL Client Certificate: Yes and
> > > > > > > Want SSL Client Certificate: Yes). But in the client you seem to define
> > > > > > > only the truststore which contains the broker public key. Maybe you can
> > > > > > > try to switch the client authentication off in the broker.
> > > > > > >
> > > > > > > Running the client with system property javax.net.debug set to "ssl"
> > > > > > > would produce a nice detailed SSL log which can help further.
> > > > > > >
> > > > > > > Regards
> > > > > > > Jakub
> > > > > > >
> > > > > > > On Thu, Jun 2, 2016 at 4:10 PM, Adel Boutros <adelboutros@live.com> wrote:
> > > > > > >
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > I have generated a certificate for my machine using openssl 1.0.2
> > > > > > > > (openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes).
> > > > > > > >
> > > > > > > > I have created a new Authentication Provider of type "External".
> > > > > > > >
> > > > > > > > I have created a new KeyStore of type "Non Java Key Store" and uploaded the
> > > > > > > > private key and certificate generated by the previous step.
> > > > > > > >
> > > > > > > > I have created a new TrustStore of type "Non Java Key Store" and uploaded
> > > > > > > > the certificate generated by the first step.
> > > > > > > >
> > > > > > > > I have created an AMQP port with the following configuration
> > > > > > > >         Name: AMQPS
> > > > > > > >         Port Type: AMQP
> > > > > > > >         Port Number: 10400
> > > > > > > >         Protocols: AMQP_1_0
> > > > > > > >         Authentication Provider: sslWithTlsProvider
> > > > > > > >         Binding address: *
> > > > > > > >         Transports: SSL
> > > > > > > >         Key Store: SslCertificateStore
> > > > > > > >         Need SSL Client Certificate: Yes
> > > > > > > >         Want SSL Client Certificate: Yes
> > > > > > > >         Trust Stores: SSLTrustStore
> > > > > > > >         Number of connection threads: 8
> > > > > > > >
> > > > > > > > I restarted the broker after all of this configuration.
> > > > > > > >
> > > > > > > > Now, I want to have a JMS consumer connect to this broker using SSL. I
> > > > > > > > couldn't find any documentation about it beside the doc page
> > > > > > > > (https://qpid.apache.org/releases/qpid-jms-0.8.0/docs/index.html) which
> > > > > > > > doesn't provide an example or detailed information.
> > > > > > > >
> > > > > > > > I created a trustStore for the JMS client and added the certificate to it
> > > > > > > > (keytool -import -file cert.pem --keystore D:\qpid-broker\myTrustStore) but
> > > > > > > > it isn't working
> > > > > > > >
> > > > > > > > Can you please help me setup a working example?
> > > > > > > >
> > > > > > > > PS: I am using Non Java stores because I will have Proton-c clients later
> > > > > > > > on.
> > > > > > > >
> > > > > > > > public static void main(String[] args) throws JMSException {
> > > > > > > >     System.setProperty("javax.net.ssl.trustStore", "D:\\qpid-broker\\myTrustStore");
> > > > > > > >     System.setProperty("javax.net.ssl.trustStorePassword", "password");
> > > > > > > >     ConnectionFactory connectionFactory = new JmsConnectionFactory("amqps://aboutros:10400");
> > > > > > > >     Connection connection = connectionFactory.createConnection();
> > > > > > > > }
> > > > > > > >
> > > > > > > > Error: javax.net.ssl.SSLException: Received fatal alert: bad_certificate
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Adel
> > > > > > > >
> > > > > > > > --
> > > > > > > > View this message in context:
> > > > > > > > http://qpid.2158936.n2.nabble.com/Qpid-Java-Broker-6-0-0-Using-SSL-with-JMS-clients-for-AMQP-tp7644953.html
> > > > > > > > Sent from the Apache Qpid users mailing list archive at Nabble.com.
> > > > > > > >
> > > > > > > > ---------------------------------------------------------------------
> > > > > > > > To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> > > > > > > > For additional commands, e-mail: users-help@qpid.apache.org
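As an added example (not code from this thread or from the Qpid project), here are the two client configurations the thread ends up distinguishing: TLS with an anonymous provider, which encrypts but gives the broker no identity, and TLS with a client certificate plus SASL EXTERNAL, which does both. The `transport.*` and `amqp.saslMechanisms` URI options are assumed from the Qpid JMS client configuration documentation rather than taken from this page; the host, port and store paths are placeholders.

```java
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import org.apache.qpid.jms.JmsConnectionFactory;

// Added example (not from the thread). Host, port and store paths are
// placeholders; the transport.* and amqp.saslMechanisms URI options are
// assumed from the Qpid JMS client configuration documentation.
public class AmqpsClientExample {

    // Option A: encryption only. Pairs with a broker port using Transports=SSL,
    // an Anonymous authentication provider and client-certificate checks off.
    // The client validates the broker certificate against its truststore but
    // presents no certificate, so the broker gets no identity for the session.
    static ConnectionFactory anonymousOverTls() {
        String uri = "amqps://broker.example:10400"
            + "?transport.trustStoreLocation=/path/to/myTrustStore"
            + "&transport.trustStorePassword=changeit";
        return new JmsConnectionFactory(uri);
    }

    // Option B: mutual TLS plus SASL EXTERNAL. Pairs with an External
    // authentication provider and "Need SSL Client Certificate: Yes". The
    // keystore holds a client certificate the broker's trust store accepts;
    // the broker takes the user identity from that certificate.
    static ConnectionFactory externalOverMutualTls() {
        String uri = "amqps://broker.example:10400"
            + "?transport.trustStoreLocation=/path/to/myTrustStore"
            + "&transport.trustStorePassword=changeit"
            + "&transport.keyStoreLocation=/path/to/clientKeyStore"
            + "&transport.keyStorePassword=changeit"
            + "&amqp.saslMechanisms=EXTERNAL";
        return new JmsConnectionFactory(uri);
    }

    public static void main(String[] args) throws JMSException {
        // Run with -Djavax.net.debug=ssl to see the handshake, the negotiated
        // cipher suite, whether a client Certificate was sent, and the
        // "Application Data" records that carry the AMQP frames afterwards.
        boolean external = args.length > 0 && "external".equals(args[0]);
        ConnectionFactory factory = external ? externalOverMutualTls() : anonymousOverTls();
        Connection connection = factory.createConnection();
        connection.start();
        System.out.println("Connected using " + (external ? "SASL EXTERNAL" : "anonymous") + " over TLS");
        connection.close();
    }
}
```

Option A is the setup the top of the thread reports as working; Option B is the path Jakub describes for getting an identity out of the SSL layer. A client with only a truststore against a port that requires a client certificate fails the handshake with the bad_certificate alert quoted in the thread.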