Another update: I now have the following configured and working.

activemq.xml

    <jaasDualAuthenticationPlugin configuration="queueUserModules" sslConfiguration="queueCertModules"/>

The certificate-based authentication works but the username and password authentication fails.

Any configuration setting suggestions for the jaasDualAuthentication plugin?

Jason

________________________________
From: Jason Jackson <[email protected]>
Sent: Tuesday, June 9, 2026 1:16 PM
To: [email protected] <[email protected]>
Subject: Re: ActiveMQ Classic 6.2.6 mTLS Failure and Assistance

After continued troubleshooting and testing, I have been able to get mTLS to work. Here is how I was able to get mTLS to work correctly:

activemq.xml

    <jaasAuthenticationPlugin configuration="queueModules"/> --> <jaasCertificateAuthenticationPlugin configuration="queueModules"/>

The issue I have now is I have some accounts that provide a username and password and also need the ability for certificate-based authentication. I have tried the following:

    <jaasDualAuthenticationPlugin configuration="queueModules"/>

This causes all authentication methods to fail; meaning username and password as well as certificate authentication all fail.

Are there any suggestions on how to enable username and password along with certificate authentication at the same time?

Jason

________________________________
From: Jason Jackson <[email protected]>
Sent: Tuesday, June 9, 2026 9:40 AM
To: [email protected] <[email protected]>
Subject: ActiveMQ Classic 6.2.6 mTLS Failure and Assistance

I am using ActiveMQ in a Linux environment with OpenJDK 17.x. I have a Java client that is connecting to the ActiveMQ broker but fails to authenticate/authorize using mTLS using SSL certificates. The client is able to reach the broker, perform all of the necessary handshakes, attempts the connection and fails on the authentication portion. I see all of the communication and failures within the broker log files and see the connection attempt.
I have enabled debug logging on the client and broker; the client provides the following information:

    Caused by: java.lang.SecurityException: User name [null] or password is invalid.

Looking through the broker log files I see the client connection and see that userName = null and password = ****. From the documentation I found this is expected if JAAS is configured for certificate authentication.

The client logs the additional information after the above:

    Caused by: javax.security.auth.login.LoginException: Client certificates not found. Cannot authenticate

My client and broker certificates have the following:

1. Client/server certificates
2. X.509 certificates
3. Signed by the same intermediate
4. Signed by the same root

I am using the same P12 for the keystore and truststore; I am not sure if these must be separated for mTLS to function correctly.

My broker transport is configured the following way:

activemq.xml

    <transportConnectors>
        <transportConnector name="nio+ssl_6161" uri="nio+ssl://host_name:6161?verifyHostName=false&amp;needClientAuth=true"/>
    </transportConnectors>

login.conf

    // Tried this the first time
    certModule {
        org.apache.activemq.jaas.TextFileCertificateLoginModule required
            org.apache.activemq.jaas.textfiledn.user=users.properties
            org.apache.activemq.jaas.textfiledn.group=groups.properties;
    };

    // Tried this the second time
    certModule {
        org.apache.activemq.jaas.CertificateLoginModule required
            org.apache.activemq.jaas.textfiledn.user=users.properties
            org.apache.activemq.jaas.textfiledn.group=groups.properties;
    };

users.properties

    partner=CN=PARTNER, OU=My Sub Org, O=My Org, L=City, ST=State, C=Country

groups.properties

    partnerg=CN=PARTNER, OU=My Sub Org, O=My Org, L=City, ST=State, C=Country
    Admin=admin,partner,partnerg

The Java ActiveMQ client has the following set and connects using the following options:

    // Broker URI, including the transport options
    String brokerConnection = "nio+ssl://host_name:6161?verifyHostName=false";
    ActiveMQSslConnectionFactory connectionFactory = new ActiveMQSslConnectionFactory(brokerConnection);
    // The same PKCS#12 file is used as keystore and truststore
    connectionFactory.setKeyStore("myKeyStore.p12");
    connectionFactory.setKeyStorePassword("myPassword");
    connectionFactory.setKeyStoreType("PKCS12");
    connectionFactory.setTrustStore("myKeyStore.p12");
    connectionFactory.setTrustStorePassword("myPassword");
    connectionFactory.setTrustStoreType("PKCS12");
    Connection connection = connectionFactory.createConnection();
    connection.start();
    session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);

What am I missing on the client or broker side that would allow mTLS to be successful?

Jason
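
The following is an added example, not part of the thread and not ActiveMQ's own code. The `configuration` and `sslConfiguration` attributes of the JAAS plugins name entries in the JAAS login configuration file, so this check lists entry names that activemq.xml references but the login file does not define. The sample inputs are constructed from names that appear in the messages, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs; the realm names are taken from the thread.
ACTIVEMQ_XML = """<plugins>
  <jaasDualAuthenticationPlugin configuration="queueUserModules"
                                sslConfiguration="queueCertModules"/>
</plugins>"""

LOGIN_CONF = """
// constructed login.conf with a single entry
certModule {
    org.apache.activemq.jaas.TextFileCertificateLoginModule required
        org.apache.activemq.jaas.textfiledn.user=users.properties
        org.apache.activemq.jaas.textfiledn.group=groups.properties;
};
"""

JAAS_ATTRS = ("configuration", "sslConfiguration")
FLAGS = r"(?:required|requisite|sufficient|optional)"

def referenced_realms(xml_text):
    """Map each JAAS entry name used by a jaas*Plugin element to (plugin, attribute)."""
    refs = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace if present
        if tag.startswith("jaas") and tag.endswith("Plugin"):
            for attr in JAAS_ATTRS:
                if attr in el.attrib:
                    refs[el.attrib[attr]] = (tag, attr)
    return refs

def defined_realms(conf_text):
    """Map each entry name in a JAAS login configuration to its login module classes."""
    # Strip // and /* */ comments (simplification: ignores quoting inside values).
    text = re.sub(r"//[^\n]*|/\*.*?\*/", "", conf_text, flags=re.S)
    realms = {}
    for name, body in re.findall(r"([\w.\-]+)\s*\{(.*?)\}\s*;", text, flags=re.S):
        realms[name] = re.findall(r"([\w.$]+)\s+" + FLAGS + r"\b", body)
    return realms

def missing_realms(xml_text, conf_text):
    """Return entry names referenced by the broker plugins but absent from the login file."""
    defined = defined_realms(conf_text)
    return sorted(r for r in referenced_realms(xml_text) if r not in defined)

if __name__ == "__main__":
    for realm in missing_realms(ACTIVEMQ_XML, LOGIN_CONF):
        print("referenced in activemq.xml but not defined in login.conf:", realm)
```
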
