[ 
https://issues.apache.org/jira/browse/AMQ-5100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15116284#comment-15116284
 ] 

Arthur Naseef commented on AMQ-5100:
------------------------------------

This seems like a reasonable scenario and fix.  Anytime the SSL context needs 
to be customized, this is how it must be done.

Can we close this ticket?

> PKCS11 (NSS-FIPS) support in A-MQ/ActiveMQ
> ------------------------------------------
>
>                 Key: AMQ-5100
>                 URL: https://issues.apache.org/jira/browse/AMQ-5100
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>            Reporter: Jesse Sightler
>
> I have attempted to configure PKCS11/NSS support in ActiveMQ, however, I am 
> receiving the following exception:
> Caused by: java.io.FileNotFoundException: class path resource [NONE] cannot be opened because it does not exist
>         at org.springframework.core.io.ClassPathResource.getInputStream(ClassPathResource.java:157)
>         at org.apache.activemq.spring.SpringSslContext.createKeyManagerKeyStore(SpringSslContext.java:119)
>         at org.apache.activemq.spring.SpringSslContext.createKeyManagers(SpringSslContext.java:88)
>         at org.apache.activemq.spring.SpringSslContext.afterPropertiesSet(SpringSslContext.java:65)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:622)
>         at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1581)
>         at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1522)
>         at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1452)
>         ... 40 more
> My configured sslContext for the broker looks like this:
>         <sslContext>
>                 <sslContext
>                         keyStore="NONE" keyStoreType="PKCS11" keyStorePassword="password"
>                         trustStore="/etc/activemqssl/truststore.jks" trustStorePassword="password"
>                 />
>         </sslContext>
> AFAIK, setting keyStore to "NONE" is the generally accepted way to do this 
> with PKCS11. The code should generate a warning at most for this, but instead 
> I receive the above exception and a failure to load the keystore.
> The activemq code looks like this (in 
> org.apache.activemq.spring.SpringSslContext):
>     private KeyStore createKeyManagerKeyStore() throws Exception {
>         if( keyStore ==null ) {
>             return null;
>         }
>         KeyStore ks = KeyStore.getInstance(keyStoreType);
>         InputStream is=Utils.resourceFromString(keyStore).getInputStream();
>         try {
>             ks.load(is, keyStorePassword==null? null : keyStorePassword.toCharArray());
>         } finally {
>             is.close();
>         }
>         return ks;
>     }
> It looks like this should just be setting "is" to null, generating a warning, 
> and then calling ks.load with the null inputstream (the nss library will load 
> the nss files based upon the nss.cfg file).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
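
The change the reporter proposes (a null stream plus a warning when keyStore is "NONE"), as an added example that is not ActiveMQ's code and not the fix recorded on the ticket. `NoneKeyStoreExample`, `openKeyStoreStream` and `loadKeyStore` are hypothetical names, a plain `FileInputStream` stands in for the Spring resource lookup, and `main` uses PKCS12 in place of PKCS11 so it runs without a configured NSS provider.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

public class NoneKeyStoreExample {

    // Hypothetical helper: "NONE" is the sentinel for stores that are not
    // file-backed (e.g. PKCS11 tokens), so no stream is opened for it.
    static InputStream openKeyStoreStream(String location) throws Exception {
        if ("NONE".equals(location)) {
            System.err.println("WARN: keyStore=NONE, loading without an input stream");
            return null;
        }
        // Assumption: a filesystem path; the original resolves Spring resources.
        return new FileInputStream(location);
    }

    // Hypothetical counterpart of createKeyManagerKeyStore() from the report.
    static KeyStore loadKeyStore(String location, String type, String password)
            throws Exception {
        if (location == null) {
            return null;
        }
        KeyStore ks = KeyStore.getInstance(type);
        char[] pin = password == null ? null : password.toCharArray();
        InputStream is = openKeyStoreStream(location);
        try {
            // A null stream is valid for KeyStore.load; a provider-backed
            // store then reads its entries from the provider's own config.
            ks.load(is, pin);
        } finally {
            // Guard the close: an unconditional is.close() would throw a
            // NullPointerException on the "NONE" path.
            if (is != null) {
                is.close();
            }
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo input: PKCS12 stands in for PKCS11 here.
        KeyStore ks = loadKeyStore("NONE", "PKCS12", "password");
        System.out.println(ks.getType() + " entries: " + ks.size());
    }
}
```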
