Jesse Sightler created AMQ-5100:
-----------------------------------
Summary: PKCS11 (NSS-FIPS) support in A-MQ/ActiveMQ
Key: AMQ-5100
URL: https://issues.apache.org/jira/browse/AMQ-5100
Project: ActiveMQ
Issue Type: Bug
Components: Broker
Reporter: Jesse Sightler
I have attempted to configure PKCS11/NSS support in ActiveMQ, however, I am
receiving the following exception:
Caused by: java.io.FileNotFoundException: class path resource [NONE] cannot be opened because it does not exist
    at org.springframework.core.io.ClassPathResource.getInputStream(ClassPathResource.java:157)
    at org.apache.activemq.spring.SpringSslContext.createKeyManagerKeyStore(SpringSslContext.java:119)
    at org.apache.activemq.spring.SpringSslContext.createKeyManagers(SpringSslContext.java:88)
    at org.apache.activemq.spring.SpringSslContext.afterPropertiesSet(SpringSslContext.java:65)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:622)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1581)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1522)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1452)
    ... 40 more
My configured sslContext for the broker looks like this:
    <sslContext>
        <sslContext
            keyStore="NONE" keyStoreType="PKCS11"
            keyStorePassword="password"
            trustStore="/etc/activemqssl/truststore.jks"
            trustStorePassword="password"
        />
    </sslContext>
AFAIK, setting keyStore to "NONE" is the generally accepted way to do this with
PKCS11. The code should generate a warning at most for this, but instead I
receive the above exception and a failure to load the keystore.
The activemq code looks like this (in
org.apache.activemq.spring.SpringSslContext):
    private KeyStore createKeyManagerKeyStore() throws Exception {
        if( keyStore ==null ) {
            return null;
        }
        KeyStore ks = KeyStore.getInstance(keyStoreType);
        InputStream is=Utils.resourceFromString(keyStore).getInputStream();
        try {
            ks.load(is, keyStorePassword==null? null : keyStorePassword.toCharArray());
        } finally {
            is.close();
        }
        return ks;
    }
It looks like this should just be setting "is" to null, generating a warning,
and then calling ks.load with the null inputstream (the nss library will load
the nss files based upon the nss.cfg file).
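Added example (not part of the original report and not ActiveMQ's code): a minimal loader that treats keyStore="NONE" as a token-backed store and passes a null stream to KeyStore.load, as the report proposes. The class name NoneKeyStoreLoader and the plain FileInputStream path handling are assumptions; main uses PKCS12 so the null-stream branch runs without a configured PKCS11 provider.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

// Hypothetical helper for illustration; not the SpringSslContext implementation.
public class NoneKeyStoreLoader {

    // "NONE" is the conventional placeholder for a keystore that has no backing file.
    static boolean isTokenBacked(String location) {
        return "NONE".equals(location);
    }

    static KeyStore load(String type, String location, String password) throws Exception {
        if (location == null) {
            return null; // same behaviour as the quoted method: nothing configured
        }
        KeyStore ks = KeyStore.getInstance(type);
        char[] pw = password == null ? null : password.toCharArray();

        if (isTokenBacked(location)) {
            // No file to open: a null stream tells the provider to load from
            // its own configuration instead of resolving "NONE" as a resource.
            System.err.println("WARN: keyStore=NONE, loading " + type + " without a file");
            ks.load(null, pw);
            return ks;
        }

        // Assumption: plain file path; the broker resolves Spring resources instead.
        try (InputStream is = new FileInputStream(location)) {
            ks.load(is, pw);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // PKCS12 with a null stream initialises an empty store, which exercises
        // the NONE branch on a JVM that has no PKCS11 provider registered.
        KeyStore ks = load("PKCS12", "NONE", "password");
        System.out.println(ks.getType() + " loaded, entries: " + ks.size());
    }
}
```

With keyStoreType PKCS11 the same call requires the SunPKCS11 provider to be registered with the NSS configuration (the nss.cfg the report mentions), and the password argument is the token PIN.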