[ https://issues.apache.org/jira/browse/AMQ-5100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15115562#comment-15115562 ]

Tristan Leask commented on AMQ-5100:
------------------------------------

Resolved!!!!

Managed to get past that previous error and now the ActiveMQ is starting under 
Java running in FIPS Mode, and thus hopefully, ActiveMQ is running ok with 
FIPS.  Had to edit the SSLContext to the following...

{code}
<sslContext keyStore="c:/nss/cert/key3.db" keyStoreType="PKCS11" 
keyStorePassword="password" secureRandomAlgorithm="PKCS11" 
trustStore="c:/nss/cert/cert8.db" trustStoreType="PKCS11" 
trustStorePassword="password"/>
{code}

Basically, the stores should be pointing to the NSS certificate DB, and the 
Store Types and Secure Random Number Generator Algorithms should be set to 
PKCS11.

Note, I have disabled JMX on my broker as I don't need it, not sure if this has 
any effect.

> PKCS11 (NSS-FIPS) support in A-MQ/ActiveMQ
> ------------------------------------------
>
>                 Key: AMQ-5100
>                 URL: https://issues.apache.org/jira/browse/AMQ-5100
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>            Reporter: Jesse Sightler
>
> I have attempted to configure PKCS11/NSS support in ActiveMQ, however, I am 
> receiving the following exception:
> Caused by: java.io.FileNotFoundException: class path resource [NONE] cannot be opened because it does not exist
>         at org.springframework.core.io.ClassPathResource.getInputStream(ClassPathResource.java:157)
>         at org.apache.activemq.spring.SpringSslContext.createKeyManagerKeyStore(SpringSslContext.java:119)
>         at org.apache.activemq.spring.SpringSslContext.createKeyManagers(SpringSslContext.java:88)
>         at org.apache.activemq.spring.SpringSslContext.afterPropertiesSet(SpringSslContext.java:65)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:622)
>         at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1581)
>         at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1522)
>         at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1452)
>         ... 40 more
> My configured sslContext for the broker looks like this:
>         <sslContext>
>                 <sslContext
>                         keyStore="NONE" keyStoreType="PKCS11" keyStorePassword="password"
>                         trustStore="/etc/activemqssl/truststore.jks" trustStorePassword="password"
>                 />
>         </sslContext>
> AFAIK, setting keyStore to "NONE" is the generally accepted way to do this 
> with PKCS11. The code should generate a warning at most for this, but instead 
> I receive the above exception and a failure to load the keystore.
> The activemq code looks like this (in 
> org.apache.activemq.spring.SpringSslContext):
>     private KeyStore createKeyManagerKeyStore() throws Exception {
>         if( keyStore ==null ) {
>             return null;
>         }
>         KeyStore ks = KeyStore.getInstance(keyStoreType);
>         InputStream is=Utils.resourceFromString(keyStore).getInputStream();
>         try {
>             ks.load(is, keyStorePassword==null? null : 
> keyStorePassword.toCharArray());
>         } finally {
>             is.close();
>         }
>         return ks;
>     }
> It looks like this should just be setting "is" to null, generating a warning, 
> and then calling ks.load with the null inputstream (the nss library will load 
> the nss files based upon the nss.cfg file).
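As an added example (not code from the ActiveMQ project or from either commenter), the loading rule the report asks for and the comment's working configuration relies on, written out as a small stand-alone Java program: a store whose type is PKCS11 is loaded with a null InputStream so the provider reads it from the token its own configuration names, while any other store type is still read from its file. The class name Pkcs11StoreLoader, the warning text, the temporary JKS file used to exercise the file branch and the "password" PIN are all constructed for this example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;

// Hypothetical helper; not part of ActiveMQ's SpringSslContext.
public class Pkcs11StoreLoader {

    // A PKCS11 store has no file of its own: the provider reads it from the
    // token that its configuration (for SunPKCS11 over NSS, nss.cfg) points at.
    static boolean isTokenBacked(String storePath, String storeType) {
        return "PKCS11".equalsIgnoreCase(storeType)
                && (storePath == null || storePath.isEmpty() || "NONE".equalsIgnoreCase(storePath));
    }

    // Loads a key store or trust store the way the report suggests: a PKCS11
    // store is loaded with a null stream, every other type is read from its file.
    static KeyStore load(String storePath, String storeType, String password) throws Exception {
        char[] pw = password == null ? null : password.toCharArray();
        KeyStore ks = KeyStore.getInstance(storeType);
        if (isTokenBacked(storePath, storeType)) {
            if (storePath != null && !storePath.isEmpty()) {
                // "NONE" (or any path) is only a marker for a PKCS11 store; warn, do not fail.
                System.err.println("warning: ignoring store path '" + storePath
                        + "' for a PKCS11 store; the provider configuration selects the token");
            }
            ks.load(null, pw);   // pw is the token PIN; there is no InputStream to open
            return ks;
        }
        try (InputStream in = new FileInputStream(storePath)) {
            ks.load(in, pw);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty JKS file so the file branch runs without NSS.
        Path jks = Files.createTempFile("sample-truststore", ".jks");
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, null);
        try (FileOutputStream out = new FileOutputStream(jks.toFile())) {
            empty.store(out, "changeit".toCharArray());
        }
        KeyStore fromFile = load(jks.toString(), "JKS", "changeit");
        System.out.println("file-backed store loaded, entries: " + fromFile.size());
        Files.delete(jks);

        // Token branch: runs only when a provider offering KeyStore.PKCS11 is
        // registered (for example SunPKCS11 listed in java.security with an nss.cfg).
        Provider[] pkcs11 = Security.getProviders("KeyStore.PKCS11");
        if (pkcs11 == null) {
            System.out.println("no PKCS11 provider registered; token branch skipped");
            return;
        }
        // Constructed placeholder PIN; in a FIPS-mode NSS database the real token PIN goes here.
        KeyStore token = load("NONE", "PKCS11", "password");
        System.out.println("PKCS11 store from " + pkcs11[0].getName()
                + ", entries: " + token.size());
    }
}
```

Without a PKCS11 provider the program only exercises the file branch and reports that the token branch was skipped; with SunPKCS11 configured for the NSS database the comment describes, load("NONE", "PKCS11", pin) returns the key store without touching the file system, which is exactly the path the quoted createKeyManagerKeyStore cannot take because it always calls Utils.resourceFromString(keyStore).getInputStream() first.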



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)