Re: Broker to Broker authentication using JAAS fails

Jim Lloyd Fri, 21 May 2010 10:06:05 -0700

James,

Are you sure this should is fixed in 5.3.1? (You said fix in > 5.3.1, not >=
5.3.1). As it turns out I was using 5.3.0 for the client side (i.e. a
'spoke') for much of this week, but last night I started working on smaller
test configuration running on one machine, and my script to start the two
brokers explicitly runs 5.3.1:


/usr/stlocal/apache-activemq-5.3.1/bin/activemq \

 -Djava.security.auth.login.config=/home/jim/amqexperiment/login.config \
        xbean:/home/jim/amqexperiment/hub.xml \
        &> /home/jim/amqexperiment/hub.log &

/usr/stlocal/apache-activemq-5.3.1/bin/activemq \

 -Djava.security.auth.login.config=/home/jim/amqexperiment/login.config \
        xbean:/home/jim/amqexperiment/spoke.xml \
        &> /home/jim/amqexperiment/spoke.log &

I had been using the JaasCertificateAuthenticationPlugin only on the hub
broker, but I just enabled it on the stub broker too and restarted and I
still get the same error. Below is the log output from the hub broker. Do
you have any other ideas of what I should try? Can you share with me your
entire config files for the two brokers activemq.network.broker1 &
activemq.network.broker2?

[...@flash amqexperiment]$ less hub.log
Java Runtime: Sun Microsystems Inc. 1.6.0_18 /nas/local/jdk1.6.0_18/jre
  Heap sizes: current=493696k  free=488542k  max=493696k
    JVM args: -Xmx512M -Dorg.apache.activemq.UseDedicatedTaskRunner=true
-Djava.util.logging.config.file=logging.prop
erties -Dcom.sun.management.jmxremote
-Dactivemq.classpath=/usr/stlocal/apache-activemq-5.3.1/conf;
-Dactivemq.home=/
usr/stlocal/apache-activemq-5.3.1
-Dactivemq.base=/usr/stlocal/apache-activemq-5.3.1
ACTIVEMQ_HOME: /usr/stlocal/apache-activemq-5.3.1
ACTIVEMQ_BASE: /usr/stlocal/apache-activemq-5.3.1
Loading message broker from: xbean:/home/jim/amqexperiment/hub.xml
 INFO | Using Persistence Adapter: MemoryPersistenceAdapter
 INFO | ActiveMQ 5.3.1 JMS Message Broker (hub) is starting
 INFO | For help or more information please see: http://activemq.apache.org/
 INFO | Listening for connections at: tcp://
flash.silvertailsystems.com:51001
 INFO | Connector openwire Started
 INFO | Listening for connections at: ssl://
flash.silvertailsystems.com:51000?transport.needClientAuth=true
 INFO | Connector ssl Started
 INFO | ActiveMQ JMS Message Broker (hub,
ID:flash.silvertailsystems.com-50094-1274456418477-0:0) started
 INFO | Logging to org.slf4j.impl.JCLLoggerAdapter(org.mortbay.log) via
org.mortbay.log.Slf4jLog
 INFO | jetty-6.1.9
 WARN | Failed to add Connection
java.lang.SecurityException: Unable to authenticate transport without SSL
certificate.
        at
org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticati
onBroker.java:75)
        at
org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
        at
org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:676)
        at
org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.
java:83)
        at
org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
        at
org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:300)
        at
org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:178)
        at
org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
        at
org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
        at
org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:216)
        at
org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
        at
org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:91)
        at
org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:204)
        at
org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:186)
        at java.lang.Thread.run(Thread.java:619)
 WARN | Async error occurred: java.lang.SecurityException: Unable to
authenticate transport without SSL certificate.

On Thu, May 20, 2010 at 11:54 PM, James Casey <jamesc....@gmail.com> wrote:

> Jim,
>
> what version of ActiveMQ are you using ?  This happened in 5.3
> (<https://issues.apache.org/activemq/browse/AMQ-2474>) but should be
> fixed in > 5.3.1.
>
> We have this working in production no problem.  I see we express the
> URL in the NC differently:
>
>  <networkConnector uri="static://(ssl://${activemq.network.broker2}:62001)"
>         name="network-${activemq.network.broker2}"/>
>
> but that doesn't seem to be the problem.  We also use simplex
> connections, with the JaasCertificateAuthenticationPlugin enabled on
> both brokers.
>
> James.
>
>
> On 21 May 2010 06:24, Jim Lloyd <jll...@silvertailsystems.com> wrote:
> > I'm not able to establish a network connection between two brokers via an
> > SSL transport when I turn on JAAS certificate authentication. I want to
> do
> > this with a hub & spoke architecture, where one broker is the hub, and
> > passively accepts network connections from spokes that use duplex
> > connections. I have this working without JAAS certificate authentication,
> > where the relevant configuration looks like this:
> >
> >
> > Broker "hub"
> >    <broker brokerName="hub" ... >
> >       <sslContext>
> >            <sslContext
> >                keyStore="file:hub.ks"
> >                keyStorePassword="hubpassword"
> >                trustStore="file:hub.ts"
> >                trustStorePassword="hubpassword"
> >            />
> >        </sslContext>
> >        <transportConnectors>
> >            <transportConnector name="openwire"
> uri="tcp://localhost:51001"
> > />
> >            <transportConnector name="ssl" uri="ssl://
> > 0.0.0.0:51000?transport.needClientAuth=true" />
> >        </transportConnectors>
> >    </broker>
> >
> > Broker "spoke"
> >    <broker brokerName="spoke" ...>
> >        <sslContext>
> >            <sslContext
> >                keyStore="file:spoke.ks"
> >                keyStorePassword="spokepassword"
> >                trustStore="file:spoke.ts"
> >                trustStorePassword="spokepassword"
> >            />
> >        </sslContext>
> >        <networkConnectors>
> >            <networkConnector
> >                name="tohub"
> >                uri="static:(ssl://127.0.0.1:51000)"
> >                duplex="true"
> >            />
> >        </networkConnectors>
> >        <transportConnectors>
> >            <transportConnector name="openwire"
> uri="tcp://localhost:51002"
> > />
> >        </transportConnectors>
> >    </broker>
> >
> > I now want to enable JAAS authentication, so I add this plugins section
> to
> > the hub broker (right before the closing </broker> tag):
> >        <plugins>
> >          <jaasCertificateAuthenticationPlugin configuration="CertLogin"
> />
> >        </plugins>
> >
> > When I do this, I start to get errors like this:
> >
> > 2010-05-20 20:32:29,350  WARN | Failed to add Connection
> > java.lang.SecurityException: Unable to authenticate transport without SSL
> > certificate.
> >        at
> >
> org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:75)
> >        at
> >
> org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
> >        at
> >
> org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:666)
> >        at
> >
> org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:83)
> >        at
> > org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
> >        at
> >
> org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:297)
> >        at
> >
> org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:175)
> >        at
> >
> org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
> >        at
> >
> org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
> >        at
> >
> org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:210)
> >        at
> >
> org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
> >        at
> >
> org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:104)
> >        at
> >
> org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:203)
> >        at
> > org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:185)
> >        at java.lang.Thread.run(Thread.java:619)
> >
> > I suspected that this might have to do with the duplex connection, but I
> get
> > the same error when the networkConnection uses duplex="false".
> >
> > Can anyone tell me what I might be doing wrong? FYI I have turned on ssl
> > debug and seen the SSL handshakes in the log.
> >
> > Thanks,
> > Jim Lloyd
> >
>

Re: Broker to Broker authentication using JAAS fails

Reply via email to