James,

Are you sure this is fixed in 5.3.1? (You said fix in > 5.3.1, not >= 5.3.1). As it turns out I was using 5.3.0 for the client side (i.e. a 'spoke') for much of this week, but last night I started working on a smaller test configuration running on one machine, and my script to start the two brokers explicitly runs 5.3.1:

    /usr/stlocal/apache-activemq-5.3.1/bin/activemq \
        -Djava.security.auth.login.config=/home/jim/amqexperiment/login.config \
        xbean:/home/jim/amqexperiment/hub.xml \
        &> /home/jim/amqexperiment/hub.log &

    /usr/stlocal/apache-activemq-5.3.1/bin/activemq \
        -Djava.security.auth.login.config=/home/jim/amqexperiment/login.config \
        xbean:/home/jim/amqexperiment/spoke.xml \
        &> /home/jim/amqexperiment/spoke.log &

I had been using the JaasCertificateAuthenticationPlugin only on the hub broker, but I just enabled it on the stub broker too and restarted and I still get the same error. Below is the log output from the hub broker.

Do you have any other ideas of what I should try? Can you share with me your entire config files for the two brokers activemq.network.broker1 & activemq.network.broker2?

    [...@flash amqexperiment]$ less hub.log
    Java Runtime: Sun Microsystems Inc. 1.6.0_18 /nas/local/jdk1.6.0_18/jre
    Heap sizes: current=493696k free=488542k max=493696k
    JVM args: -Xmx512M -Dorg.apache.activemq.UseDedicatedTaskRunner=true -Djava.util.logging.config.file=logging.properties -Dcom.sun.management.jmxremote -Dactivemq.classpath=/usr/stlocal/apache-activemq-5.3.1/conf; -Dactivemq.home=/usr/stlocal/apache-activemq-5.3.1 -Dactivemq.base=/usr/stlocal/apache-activemq-5.3.1
    ACTIVEMQ_HOME: /usr/stlocal/apache-activemq-5.3.1
    ACTIVEMQ_BASE: /usr/stlocal/apache-activemq-5.3.1
    Loading message broker from: xbean:/home/jim/amqexperiment/hub.xml
    INFO | Using Persistence Adapter: MemoryPersistenceAdapter
    INFO | ActiveMQ 5.3.1 JMS Message Broker (hub) is starting
    INFO | For help or more information please see: http://activemq.apache.org/
    INFO | Listening for connections at: tcp://flash.silvertailsystems.com:51001
    INFO | Connector openwire Started
    INFO | Listening for connections at: ssl://flash.silvertailsystems.com:51000?transport.needClientAuth=true
    INFO | Connector ssl Started
    INFO | ActiveMQ JMS Message Broker (hub, ID:flash.silvertailsystems.com-50094-1274456418477-0:0) started
    INFO | Logging to org.slf4j.impl.JCLLoggerAdapter(org.mortbay.log) via org.mortbay.log.Slf4jLog
    INFO | jetty-6.1.9
    WARN | Failed to add Connection
    java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
        at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:75)
        at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
        at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:676)
        at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:83)
        at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
        at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:300)
        at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:178)
        at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
        at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
        at org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:216)
        at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
        at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:91)
        at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:204)
        at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:186)
        at java.lang.Thread.run(Thread.java:619)
    WARN | Async error occurred: java.lang.SecurityException: Unable to authenticate transport without SSL certificate.

On Thu, May 20, 2010 at 11:54 PM, James Casey <jamesc....@gmail.com> wrote:

> Jim,
>
> what version of ActiveMQ are you using? This happened in 5.3
> (<https://issues.apache.org/activemq/browse/AMQ-2474>) but should be
> fixed in 5.3.1.
>
> We have this working in production no problem. I see we express the
> URL in the NC differently:
>
> <networkConnector uri="static://(ssl://${activemq.network.broker2}:62001)"
>     name="network-${activemq.network.broker2}"/>
>
> but that doesn't seem to be the problem. We also use simplex
> connections, with the JaasCertificateAuthenticationPlugin enabled on
> both brokers.
>
> James.
>
>
> On 21 May 2010 06:24, Jim Lloyd <jll...@silvertailsystems.com> wrote:
> > I'm not able to establish a network connection between two brokers via an
> > SSL transport when I turn on JAAS certificate authentication. I want to do
> > this with a hub & spoke architecture, where one broker is the hub, and
> > passively accepts network connections from spokes that use duplex
> > connections. I have this working without JAAS certificate authentication,
> > where the relevant configuration looks like this:
> >
> > Broker "hub"
> > <broker brokerName="hub" ... >
> >     <sslContext>
> >         <sslContext
> >             keyStore="file:hub.ks"
> >             keyStorePassword="hubpassword"
> >             trustStore="file:hub.ts"
> >             trustStorePassword="hubpassword"
> >         />
> >     </sslContext>
> >     <transportConnectors>
> >         <transportConnector name="openwire" uri="tcp://localhost:51001" />
> >         <transportConnector name="ssl" uri="ssl://0.0.0.0:51000?transport.needClientAuth=true" />
> >     </transportConnectors>
> > </broker>
> >
> > Broker "spoke"
> > <broker brokerName="spoke" ...>
> >     <sslContext>
> >         <sslContext
> >             keyStore="file:spoke.ks"
> >             keyStorePassword="spokepassword"
> >             trustStore="file:spoke.ts"
> >             trustStorePassword="spokepassword"
> >         />
> >     </sslContext>
> >     <networkConnectors>
> >         <networkConnector
> >             name="tohub"
> >             uri="static:(ssl://127.0.0.1:51000)"
> >             duplex="true"
> >         />
> >     </networkConnectors>
> >     <transportConnectors>
> >         <transportConnector name="openwire" uri="tcp://localhost:51002" />
> >     </transportConnectors>
> > </broker>
> >
> > I now want to enable JAAS authentication, so I add this plugins section to
> > the hub broker (right before the closing </broker> tag):
> >
> >     <plugins>
> >         <jaasCertificateAuthenticationPlugin configuration="CertLogin" />
> >     </plugins>
> >
> > When I do this, I start to get errors like this:
> >
> > 2010-05-20 20:32:29,350 WARN | Failed to add Connection
> > java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
> >     at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:75)
> >     at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
> >     at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:666)
> >     at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:83)
> >     at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
> >     at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:297)
> >     at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:175)
> >     at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
> >     at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
> >     at org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:210)
> >     at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
> >     at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:104)
> >     at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:203)
> >     at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:185)
> >     at java.lang.Thread.run(Thread.java:619)
> >
> > I suspected that this might have to do with the duplex connection, but I get
> > the same error when the networkConnection uses duplex="false".
> >
> > Can anyone tell me what I might be doing wrong? FYI I have turned on ssl
> > debug and seen the SSL handshakes in the log.
> >
> > Thanks,
> > Jim Lloyd
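
Added example, not part of the thread and not ActiveMQ code: a small Python pre-flight check for broker XML of the kind quoted above, flagging connectors on which the JaasCertificateAuthenticationPlugin would see no client certificate. The two configs are constructed from the thread's fragments, `lint_broker` and `local` are hypothetical names, and the rules assume the plugin rejects every connection that arrives without a certificate, as the exception text in the log says.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed configs modelled on the hub/spoke fragments quoted in the thread.
HUB_XML = """<broker brokerName="hub">
  <sslContext><sslContext keyStore="file:hub.ks" trustStore="file:hub.ts"/></sslContext>
  <transportConnectors>
    <transportConnector name="openwire" uri="tcp://localhost:51001"/>
    <transportConnector name="ssl" uri="ssl://0.0.0.0:51000?transport.needClientAuth=true"/>
  </transportConnectors>
  <plugins><jaasCertificateAuthenticationPlugin configuration="CertLogin"/></plugins>
</broker>"""
SPOKE_XML = """<broker brokerName="spoke">
  <networkConnectors>
    <networkConnector name="tohub" uri="static:(ssl://127.0.0.1:51000)" duplex="true"/>
  </networkConnectors>
</broker>"""  # constructed: the sslContext is deliberately left out


def local(tag):
    """Tag name without an XML namespace prefix such as {http://...}broker."""
    return tag.rsplit("}", 1)[-1]


def lint_broker(xml_text):
    """Return findings about client-certificate authentication for one broker."""
    by_tag = {}
    for el in ET.fromstring(xml_text).iter():
        by_tag.setdefault(local(el.tag), []).append(el)
    findings = []
    cert_auth = "jaasCertificateAuthenticationPlugin" in by_tag
    for tc in by_tag.get("transportConnector", []):
        uri = urlsplit(tc.get("uri", ""))
        need = parse_qs(uri.query).get("transport.needClientAuth", ["false"])[0]
        if cert_auth and uri.scheme != "ssl":
            # A non-SSL connection has no peer certificate for the plugin to check.
            findings.append(f"{tc.get('name')}: {uri.scheme} connector carries no client certificate")
        elif cert_auth and need != "true":
            findings.append(f"{tc.get('name')}: ssl connector does not require a client certificate")
    # An outgoing ssl network connector needs a keyStore to present a certificate.
    has_keystore = any(el.get("keyStore") for el in by_tag.get("sslContext", []))
    for nc in by_tag.get("networkConnector", []):
        if "ssl://" in nc.get("uri", "") and not has_keystore:
            findings.append(f"{nc.get('name')}: ssl network connector but no keyStore to present")
    return findings


if __name__ == "__main__":
    for name, xml_text in (("hub", HUB_XML), ("spoke", SPOKE_XML)):
        print(name, lint_broker(xml_text))
```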