You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@activemq.apache.org by cl...@apache.org on 2021/08/03 22:14:59 UTC
[activemq-artemis] branch main updated: ARTEMIS-3367 Set verifyHost
true for connectors by default
This is an automated email from the ASF dual-hosted git repository.
clebertsuconic pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git
The following commit(s) were added to refs/heads/main by this push:
new a741ae9 ARTEMIS-3367 Set verifyHost true for connectors by default
new 2715980 This closes #3667
a741ae9 is described below
commit a741ae9994e15b1ea9e798c157535d47924e622f
Author: Domenico Francesco Bruscino <br...@apache.org>
AuthorDate: Tue Aug 3 20:11:20 2021 +0200
ARTEMIS-3367 Set verifyHost true for connectors by default
---
.../core/remoting/impl/netty/NettyConnector.java | 4 +-
.../remoting/impl/netty/TransportConstants.java | 4 +-
.../core/remoting/impl/netty/NettyAcceptor.java | 4 +-
examples/features/standard/jmx-ssl/readme.md | 54 ++++++-
.../artemis/jms/example/JMXOverSSLExample.java | 8 +-
.../activemq/server0/client-ca-truststore.jks | Bin 0 -> 950 bytes
.../resources/activemq/server0/client-keystore.jks | Bin 0 -> 4144 bytes
.../activemq/server0/client-side-keystore.jks | Bin 1303 -> 0 bytes
.../activemq/server0/client-side-truststore.jks | Bin 963 -> 0 bytes
.../main/resources/activemq/server0/management.xml | 8 +-
.../activemq/server0/server-ca-truststore.jks | Bin 0 -> 950 bytes
.../resources/activemq/server0/server-keystore.jks | Bin 0 -> 4122 bytes
.../activemq/server0/server-side-keystore.jks | Bin 2253 -> 0 bytes
.../activemq/server0/server-side-truststore.jks | Bin 1732 -> 0 bytes
.../standard/ssl-enabled-crl-mqtt/readme.md | 154 ++++++++++----------
.../artemis/jms/example/MqttCrlEnabledExample.java | 4 +-
.../src/main/resources/activemq/server0/broker.xml | 2 +-
.../activemq/server0/client-ca-truststore.jks | Bin 0 -> 950 bytes
.../main/resources/activemq/server0/keystore1.jks | Bin 2371 -> 0 bytes
.../activemq/server0/other-client-crl.pem | 12 ++
.../main/resources/activemq/server0/root.crl.pem | 12 --
.../resources/activemq/server0/server-keystore.jks | Bin 0 -> 4122 bytes
.../main/resources/activemq/server0/truststore.jks | Bin 975 -> 0 bytes
.../src/main/resources/client-keystore.jks | Bin 0 -> 4144 bytes
.../src/main/resources/client_not_revoked.jks | Bin 2380 -> 0 bytes
.../src/main/resources/client_revoked.jks | Bin 2377 -> 0 bytes
.../src/main/resources/other-client-keystore.jks | Bin 0 -> 4156 bytes
.../src/main/resources/server-ca-truststore.jks | Bin 0 -> 950 bytes
.../src/main/resources/truststore.jks | Bin 975 -> 0 bytes
.../ssl-enabled-dual-authentication/readme.md | 62 ++++++--
.../src/main/resources/activemq/server0/broker.xml | 2 +-
.../activemq/server0/client-ca-truststore.jks | Bin 0 -> 950 bytes
.../activemq/server0/client-side-keystore.jks | Bin 1303 -> 0 bytes
.../activemq/server0/client-side-truststore.jks | Bin 963 -> 0 bytes
.../resources/activemq/server0/server-keystore.jks | Bin 0 -> 4122 bytes
.../activemq/server0/server-side-keystore.jks | Bin 2253 -> 0 bytes
.../activemq/server0/server-side-truststore.jks | Bin 1732 -> 0 bytes
.../src/main/resources/client-keystore.jks | Bin 0 -> 4144 bytes
.../src/main/resources/jndi.properties | 2 +-
.../src/main/resources/server-ca-truststore.jks | Bin 0 -> 950 bytes
examples/features/standard/ssl-enabled/pom.xml | 2 +-
examples/features/standard/ssl-enabled/readme.md | 33 ++++-
.../activemq/server0/activemq.example.keystore | Bin 2251 -> 0 bytes
.../activemq/server0/activemq.example.truststore | Bin 963 -> 0 bytes
.../src/main/resources/activemq/server0/broker.xml | 2 +-
.../activemq/server0/server-ca-truststore.jks | Bin 0 -> 950 bytes
.../resources/activemq/server0/server-keystore.jks | Bin 0 -> 4122 bytes
.../ssl-enabled/src/main/resources/jndi.properties | 2 +-
.../example/StompDualAuthenticationExample.java | 8 +-
tests/integration-tests/pom.xml | 3 +
.../amqp/AmqpFailoverEndpointDiscoveryTest.java | 25 ++--
.../integration/amqp/JMSSaslExternalLDAPTest.java | 19 +--
.../integration/amqp/JMSSaslExternalTest.java | 27 ++--
.../amqp/connect/AMQPConnectSaslTest.java | 23 +--
.../management/SSLSecurityNotificationTest.java | 37 ++---
.../mqtt/imported/MQTTSecurityCRLTest.java | 97 ++-----------
.../tests/integration/security/SecurityTest.java | 105 +++++++-------
.../ssl/CoreClientOverOneWaySSLTest.java | 75 +++-------
.../ssl/CoreClientOverTwoWaySSLTest.java | 95 ++-----------
.../integration/ssl/DualAuthenticationTest.java | 12 +-
.../artemis/tests/integration/ssl/SSLTestBase.java | 13 +-
.../netty/NettyConnectorWithHTTPUpgradeTest.java | 8 +-
.../src/test/resources/AMQauth.ldif | 2 +-
.../src/test/resources/cert-regexps.properties | 2 +-
.../src/test/resources/cert-users.properties | 2 +-
.../src/test/resources/client_not_revoked.jks | Bin 2380 -> 0 bytes
.../src/test/resources/client_revoked.jks | Bin 2377 -> 0 bytes
.../src/test/resources/keystore1.jks | Bin 2371 -> 0 bytes
.../src/test/resources/truststore.jks | Bin 975 -> 0 bytes
tests/security-resources/build.sh | 156 +++++++++++++++++++++
tests/security-resources/client-ca-keystore.p12 | Bin 0 -> 2589 bytes
.../security-resources/client-ca-truststore.jceks | Bin 0 -> 950 bytes
tests/security-resources/client-ca-truststore.jks | Bin 0 -> 950 bytes
tests/security-resources/client-ca-truststore.p12 | Bin 0 -> 1186 bytes
tests/security-resources/client-ca.pem | 32 +++++
tests/security-resources/client-keystore.jceks | Bin 0 -> 4124 bytes
tests/security-resources/client-keystore.jks | Bin 0 -> 4144 bytes
tests/security-resources/client-keystore.p12 | Bin 0 -> 4759 bytes
.../security-resources/openssl.conf | 12 +-
tests/security-resources/other-client-crl.pem | 12 ++
.../security-resources/other-client-keystore.jceks | Bin 0 -> 4136 bytes
tests/security-resources/other-client-keystore.jks | Bin 0 -> 4156 bytes
tests/security-resources/other-client-keystore.p12 | Bin 0 -> 4787 bytes
tests/security-resources/other-server-crl.pem | 12 ++
.../security-resources/other-server-keystore.jceks | Bin 0 -> 4136 bytes
tests/security-resources/other-server-keystore.jks | Bin 0 -> 4155 bytes
tests/security-resources/other-server-keystore.p12 | Bin 0 -> 4787 bytes
.../other-server-truststore.jceks | Bin 0 -> 1053 bytes
.../security-resources/other-server-truststore.jks | Bin 0 -> 1053 bytes
.../security-resources/other-server-truststore.p12 | Bin 0 -> 1290 bytes
tests/security-resources/server-ca-keystore.p12 | Bin 0 -> 2589 bytes
.../security-resources/server-ca-truststore.jceks | Bin 0 -> 950 bytes
tests/security-resources/server-ca-truststore.jks | Bin 0 -> 950 bytes
tests/security-resources/server-ca-truststore.p12 | Bin 0 -> 1186 bytes
tests/security-resources/server-ca.pem | 32 +++++
tests/security-resources/server-keystore.jceks | Bin 0 -> 4103 bytes
tests/security-resources/server-keystore.jks | Bin 0 -> 4122 bytes
tests/security-resources/server-keystore.p12 | Bin 0 -> 4735 bytes
.../unknown-client-keystore.jceks | Bin 0 -> 4112 bytes
.../security-resources/unknown-client-keystore.jks | Bin 0 -> 4132 bytes
.../security-resources/unknown-client-keystore.p12 | Bin 0 -> 4767 bytes
.../unknown-server-keystore.jceks | Bin 0 -> 4112 bytes
.../security-resources/unknown-server-keystore.jks | Bin 0 -> 4131 bytes
.../security-resources/unknown-server-keystore.p12 | Bin 0 -> 4767 bytes
tests/smoke-tests/pom.xml | 5 +
.../audit-logging-amqp-mutual-ssl/broker.xml | 2 +-
.../client-side-keystore.jks | Bin 2252 -> 0 bytes
.../client-side-truststore.jks | Bin 963 -> 0 bytes
.../server-side-keystore.jks | Bin 2254 -> 0 bytes
.../server-side-truststore.jks | Bin 963 -> 0 bytes
.../logging/AuditLoggerAMQPMutualSSLTest.java | 17 +--
tests/unit-tests/pom.xml | 5 +
.../remoting/impl/netty/NettyConnectorTest.java | 67 ++++-----
.../core/remoting/impl/ssl/SSLSupportTest.java | 11 +-
.../test/resources/bad-client-side-keystore.jks | Bin 2226 -> 0 bytes
tests/unit-tests/src/test/resources/beans1.xml | 20 ---
.../src/test/resources/client-side-keystore.jceks | Bin 2233 -> 0 bytes
.../src/test/resources/client-side-keystore.jks | Bin 2253 -> 0 bytes
.../src/test/resources/client-side-keystore.p12 | Bin 2589 -> 0 bytes
.../test/resources/client-side-truststore.jceks | Bin 963 -> 0 bytes
.../src/test/resources/client-side-truststore.jks | Bin 963 -> 0 bytes
.../src/test/resources/client-side-truststore.p12 | Bin 1194 -> 0 bytes
.../resources/openssl-client-side-keystore.jceks | Bin 684 -> 0 bytes
.../resources/openssl-client-side-keystore.jks | Bin 706 -> 0 bytes
.../resources/openssl-client-side-keystore.p12 | Bin 1034 -> 0 bytes
.../resources/openssl-client-side-truststore.jceks | Bin 571 -> 0 bytes
.../resources/openssl-client-side-truststore.jks | Bin 572 -> 0 bytes
.../resources/openssl-client-side-truststore.p12 | Bin 802 -> 0 bytes
.../resources/openssl-server-side-keystore.jceks | Bin 685 -> 0 bytes
.../resources/openssl-server-side-keystore.jks | Bin 707 -> 0 bytes
.../resources/openssl-server-side-keystore.p12 | Bin 1034 -> 0 bytes
.../resources/openssl-server-side-truststore.jceks | Bin 570 -> 0 bytes
.../resources/openssl-server-side-truststore.jks | Bin 571 -> 0 bytes
.../resources/openssl-server-side-truststore.p12 | Bin 802 -> 0 bytes
.../resources/other-client-side-truststore.jceks | Bin 975 -> 0 bytes
.../resources/other-client-side-truststore.jks | Bin 975 -> 0 bytes
.../resources/other-client-side-truststore.p12 | Bin 1202 -> 0 bytes
.../resources/other-server-side-keystore.jceks | Bin 2245 -> 0 bytes
.../test/resources/other-server-side-keystore.jks | Bin 2265 -> 0 bytes
.../test/resources/other-server-side-keystore.p12 | Bin 2605 -> 0 bytes
.../src/test/resources/server-side-keystore.jceks | Bin 2233 -> 0 bytes
.../src/test/resources/server-side-keystore.jks | Bin 2254 -> 0 bytes
.../src/test/resources/server-side-keystore.p12 | Bin 2589 -> 0 bytes
.../test/resources/server-side-truststore.jceks | Bin 963 -> 0 bytes
.../src/test/resources/server-side-truststore.jks | Bin 1866 -> 0 bytes
.../src/test/resources/server-side-truststore.p12 | Bin 1194 -> 0 bytes
.../resources/verified-client-side-keystore.jceks | Bin 2222 -> 0 bytes
.../resources/verified-client-side-keystore.jks | Bin 2270 -> 0 bytes
.../resources/verified-client-side-keystore.p12 | Bin 2581 -> 0 bytes
.../verified-client-side-truststore.jceks | Bin 935 -> 0 bytes
.../resources/verified-client-side-truststore.jks | Bin 935 -> 0 bytes
.../resources/verified-client-side-truststore.p12 | Bin 1162 -> 0 bytes
.../verified-openssl-client-side-keystore.jceks | Bin 673 -> 0 bytes
.../verified-openssl-client-side-keystore.jks | Bin 695 -> 0 bytes
.../verified-openssl-client-side-keystore.p12 | Bin 1026 -> 0 bytes
.../verified-openssl-server-side-truststore.jceks | Bin 559 -> 0 bytes
.../verified-openssl-server-side-truststore.jks | Bin 560 -> 0 bytes
.../verified-openssl-server-side-truststore.p12 | Bin 794 -> 0 bytes
.../resources/verified-server-side-keystore.jceks | Bin 2205 -> 0 bytes
.../resources/verified-server-side-keystore.jks | Bin 2227 -> 0 bytes
.../resources/verified-server-side-keystore.p12 | Bin 2565 -> 0 bytes
.../verified-server-side-truststore.jceks | Bin 952 -> 0 bytes
.../resources/verified-server-side-truststore.jks | Bin 980 -> 0 bytes
.../resources/verified-server-side-truststore.p12 | Bin 1186 -> 0 bytes
164 files changed, 750 insertions(+), 557 deletions(-)
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
index 08001c6..dde607f 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java
@@ -423,7 +423,7 @@ public class NettyConnector extends AbstractConnector {
enabledProtocols = ConfigurationHelper.getStringProperty(TransportConstants.ENABLED_PROTOCOLS_PROP_NAME, TransportConstants.DEFAULT_ENABLED_PROTOCOLS, configuration);
- verifyHost = ConfigurationHelper.getBooleanProperty(TransportConstants.VERIFY_HOST_PROP_NAME, TransportConstants.DEFAULT_VERIFY_HOST, configuration);
+ verifyHost = ConfigurationHelper.getBooleanProperty(TransportConstants.VERIFY_HOST_PROP_NAME, TransportConstants.DEFAULT_CONNECTOR_VERIFY_HOST, configuration);
trustAll = ConfigurationHelper.getBooleanProperty(TransportConstants.TRUST_ALL_PROP_NAME, TransportConstants.DEFAULT_TRUST_ALL, configuration);
@@ -450,7 +450,7 @@ public class NettyConnector extends AbstractConnector {
crlPath = TransportConstants.DEFAULT_CRL_PATH;
enabledCipherSuites = TransportConstants.DEFAULT_ENABLED_CIPHER_SUITES;
enabledProtocols = TransportConstants.DEFAULT_ENABLED_PROTOCOLS;
- verifyHost = TransportConstants.DEFAULT_VERIFY_HOST;
+ verifyHost = TransportConstants.DEFAULT_CONNECTOR_VERIFY_HOST;
trustAll = TransportConstants.DEFAULT_TRUST_ALL;
sniHost = TransportConstants.DEFAULT_SNIHOST_CONFIG;
useDefaultSslContext = TransportConstants.DEFAULT_USE_DEFAULT_SSL_CONTEXT;
diff --git a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
index 82ae944..3710087 100644
--- a/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
+++ b/artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/TransportConstants.java
@@ -246,7 +246,9 @@ public class TransportConstants {
public static final boolean DEFAULT_WANT_CLIENT_AUTH = false;
- public static final boolean DEFAULT_VERIFY_HOST = false;
+ public static final boolean DEFAULT_ACCEPTOR_VERIFY_HOST = false;
+
+ public static final boolean DEFAULT_CONNECTOR_VERIFY_HOST = true;
public static final String DEFAULT_SSL_PROVIDER = "JDK";
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
index 8593399..72c732f 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyAcceptor.java
@@ -321,7 +321,7 @@ public class NettyAcceptor extends AbstractAcceptor {
wantClientAuth = ConfigurationHelper.getBooleanProperty(TransportConstants.WANT_CLIENT_AUTH_PROP_NAME, TransportConstants.DEFAULT_WANT_CLIENT_AUTH, configuration);
- verifyHost = ConfigurationHelper.getBooleanProperty(TransportConstants.VERIFY_HOST_PROP_NAME, TransportConstants.DEFAULT_VERIFY_HOST, configuration);
+ verifyHost = ConfigurationHelper.getBooleanProperty(TransportConstants.VERIFY_HOST_PROP_NAME, TransportConstants.DEFAULT_ACCEPTOR_VERIFY_HOST, configuration);
sslProvider = ConfigurationHelper.getStringProperty(TransportConstants.SSL_PROVIDER, TransportConstants.DEFAULT_SSL_PROVIDER, configuration);
@@ -356,7 +356,7 @@ public class NettyAcceptor extends AbstractAcceptor {
enabledProtocols = TransportConstants.DEFAULT_ENABLED_PROTOCOLS;
needClientAuth = TransportConstants.DEFAULT_NEED_CLIENT_AUTH;
wantClientAuth = TransportConstants.DEFAULT_WANT_CLIENT_AUTH;
- verifyHost = TransportConstants.DEFAULT_VERIFY_HOST;
+ verifyHost = TransportConstants.DEFAULT_ACCEPTOR_VERIFY_HOST;
sslProvider = TransportConstants.DEFAULT_SSL_PROVIDER;
sniHost = TransportConstants.DEFAULT_SNIHOST_CONFIG;
trustManagerFactoryPlugin = TransportConstants.DEFAULT_TRUST_MANAGER_FACTORY_PLUGIN;
diff --git a/examples/features/standard/jmx-ssl/readme.md b/examples/features/standard/jmx-ssl/readme.md
index 454dfb6..b5154bd 100644
--- a/examples/features/standard/jmx-ssl/readme.md
+++ b/examples/features/standard/jmx-ssl/readme.md
@@ -16,12 +16,54 @@ With these properties, ActiveMQ Artemis broker will be manageable remotely using
The various keystore files are generated using the following commands:
-* `keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA`
-* `keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample`
-* `keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt`
-* `keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA`
-* `keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample`
-* `keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt`
+```shell
+#!/bin/bash
+set -e
+
+KEY_PASS=securepass
+STORE_PASS=securepass
+CA_VALIDITY=365000
+VALIDITY=36500
+
+# Create a key and self-signed certificate for the CA, to sign server certificate requests and use for trust:
+# -----------------------------------------------------------------------------------------------------------
+keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias server-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true
+keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -exportcert -rfc > server-ca.crt
+
+# Create trust store with the server CA cert:
+# -------------------------------------------
+keytool -keystore server-ca-truststore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt
+
+# Create a key pair for the server, and sign it with the CA:
+# ----------------------------------------------------------
+keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias server -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=sA -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -keystore server-keystore.jks -storepass $STORE_PASS -alias server -certreq -file server.csr
+keytool -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -gencert -rfc -infile server.csr -outfile server.crt -validity $VALIDITY -ext bc=ca:false -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt
+keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server -file server.crt
+
+# Create a key and self-signed certificate for the CA, to sign client certificate requests and use for trust:
+# -----------------------------------------------------------------------------------------------------------
+keytool -keystore client-ca-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias client-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true
+keytool -keystore client-ca-keystore.jks -storepass $STORE_PASS -alias client-ca -exportcert -rfc > client-ca.crt
+
+# Create trust store with the client CA cert:
+# -------------------------------------------
+keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias client-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true
+keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -exportcert -rfc > client-ca.crt
+
+# Create a key pair for the client, and sign it with the CA:
+# ----------------------------------------------------------
+keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias client -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -keystore client-keystore.jks -storepass $STORE_PASS -alias client -certreq -file client.csr
+keytool -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -gencert -rfc -infile client.csr -outfile client.crt -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt
+keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client -file client.crt
+```
## More information
diff --git a/examples/features/standard/jmx-ssl/src/main/java/org/apache/activemq/artemis/jms/example/JMXOverSSLExample.java b/examples/features/standard/jmx-ssl/src/main/java/org/apache/activemq/artemis/jms/example/JMXOverSSLExample.java
index 8681a19..6e0adff 100644
--- a/examples/features/standard/jmx-ssl/src/main/java/org/apache/activemq/artemis/jms/example/JMXOverSSLExample.java
+++ b/examples/features/standard/jmx-ssl/src/main/java/org/apache/activemq/artemis/jms/example/JMXOverSSLExample.java
@@ -83,10 +83,10 @@ public class JMXOverSSLExample {
String[] creds = {"guest", "guest"};
env.put(JMXConnector.CREDENTIALS, creds);
- System.setProperty("javax.net.ssl.trustStore", args[0] + "client-side-truststore.jks");
- System.setProperty("javax.net.ssl.trustStorePassword", "secureexample");
- System.setProperty("javax.net.ssl.keyStore", args[0] + "client-side-keystore.jks");
- System.setProperty("javax.net.ssl.keyStorePassword", "secureexample");
+ System.setProperty("javax.net.ssl.trustStore", args[0] + "server-ca-truststore.jks");
+ System.setProperty("javax.net.ssl.trustStorePassword", "securepass");
+ System.setProperty("javax.net.ssl.keyStore", args[0] + "client-keystore.jks");
+ System.setProperty("javax.net.ssl.keyStorePassword", "securepass");
JMXConnector connector = JMXConnectorFactory.connect(new JMXServiceURL(JMXOverSSLExample.JMX_URL), env);
diff --git a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-ca-truststore.jks b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-ca-truststore.jks
new file mode 100644
index 0000000..e2dfeff
Binary files /dev/null and b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-ca-truststore.jks differ
diff --git a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-keystore.jks b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-keystore.jks
new file mode 100644
index 0000000..b968a0c
Binary files /dev/null and b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-keystore.jks differ
diff --git a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-side-keystore.jks b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-side-keystore.jks
deleted file mode 100644
index cb65a44..0000000
Binary files a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-side-keystore.jks and /dev/null differ
diff --git a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-side-truststore.jks b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-side-truststore.jks
deleted file mode 100644
index 7eb1d56..0000000
Binary files a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/client-side-truststore.jks and /dev/null differ
diff --git a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/management.xml b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/management.xml
index dd15e5c..77beedb 100644
--- a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/management.xml
+++ b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/management.xml
@@ -20,10 +20,10 @@
connector-port="1099"
connector-host="localhost"
secured="true"
- key-store-path="${data.dir}/../etc/server-side-keystore.jks"
- key-store-password="ENC(2a7c211d21c295cdbcde3589c205decb)"
- trust-store-path="${data.dir}/../etc/server-side-truststore.jks"
- trust-store-password="ENC(2a7c211d21c295cdbcde3589c205decb)"/>
+ key-store-path="${data.dir}/../etc/server-keystore.jks"
+ key-store-password="ENC(1f0e6cd7ced61232730f9e82cc91c1e1)"
+ trust-store-path="${data.dir}/../etc/client-ca-truststore.jks"
+ trust-store-password="ENC(1f0e6cd7ced61232730f9e82cc91c1e1)"/>
<authorisation>
<whitelist>
<entry domain="hawtio"/>
diff --git a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-ca-truststore.jks b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-ca-truststore.jks
new file mode 100644
index 0000000..3fe0f29
Binary files /dev/null and b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-ca-truststore.jks differ
diff --git a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-keystore.jks b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-keystore.jks
new file mode 100644
index 0000000..5a7e2c0
Binary files /dev/null and b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-keystore.jks differ
diff --git a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-side-keystore.jks b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-side-keystore.jks
deleted file mode 100644
index 6089c6e..0000000
Binary files a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-side-keystore.jks and /dev/null differ
diff --git a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-side-truststore.jks b/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-side-truststore.jks
deleted file mode 100644
index 0b7e224..0000000
Binary files a/examples/features/standard/jmx-ssl/src/main/resources/activemq/server0/server-side-truststore.jks and /dev/null differ
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/readme.md b/examples/features/standard/ssl-enabled-crl-mqtt/readme.md
index 56be3ce..399c7e8 100644
--- a/examples/features/standard/ssl-enabled-crl-mqtt/readme.md
+++ b/examples/features/standard/ssl-enabled-crl-mqtt/readme.md
@@ -7,92 +7,96 @@ This example shows you how to configure 2-way SSL with CRL along with 2 differen
To configure 2-way SSL with CRL you need to configure the acceptor as follows:
```
-<acceptor name="mqtt">tcp://0.0.0.0:1883?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=MQTT;useEpoll=true;sslEnabled=true;keyStorePath=${data.dir}/../etc/keystore1.jks;keyStorePassword=changeit;trustStorePath=${data.dir}/../etc/truststore.jks;keyStorePassword=changeit;crlPath=${data.dir}/../etc/root.crl.pem;needClientAuth=true</acceptor>`
+<acceptor name="mqtt">tcp://0.0.0.0:1883?protocols=MQTT;sslEnabled=true;keyStorePath=server-keystore.jks;keyStorePassword=securepass;trustStorePath=client-ca-truststore.jks;keyStorePassword=securepass;crlPath=other-client-crl.pem;needClientAuth=true</acceptor>
```
-In the server-side URL, the `keystore1.jks` is the key store file holding the server's key certificate. The `truststore.jks` is the file holding the certificates which the server trusts. The `root.crl.pem` is the file holding the revoked certificates. Notice also the `sslEnabled` and `needClientAuth` parameters which enable SSL and require clients to present their own certificate respectively.
+In the server-side URL, the `server-keystore.jks` is the key store file holding the server's key certificate. The `client-ca-truststore.jks` is the file holding the certificates which the server trusts. The `other-client-crl.pem` is the file holding the revoked certificates. Notice also the `sslEnabled` and `needClientAuth` parameters which enable SSL and require clients to present their own certificate respectively.
-The various keystore files are generated using the following commands. Keep in mind that each common name should be different and the passwords should be `changeit`.
+The various keystore files are generated using the following commands. Keep in mind that each common name should be different and the passwords should be `securepass`.
-```
-openssl genrsa -out ca.key 2048
-openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
-touch certindex
-echo 01 > certserial
-echo 01 > crlnumber
-```
+```shell
+#!/bin/bash
+set -e
+
+KEY_PASS=securepass
+STORE_PASS=securepass
+CA_VALIDITY=365000
+VALIDITY=36500
+
+# Create a key and self-signed certificate for the CA, to sign server certificate requests and use for trust:
+# -----------------------------------------------------------------------------------------------------------
+keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias server-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true
+keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -exportcert -rfc > server-ca.crt
+
+# Create trust store with the server CA cert:
+# -------------------------------------------
+keytool -keystore server-ca-truststore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt
+
+# Create a key pair for the server, and sign it with the CA:
+# ----------------------------------------------------------
+keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias server -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=sA -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -keystore server-keystore.jks -storepass $STORE_PASS -alias server -certreq -file server.csr
+keytool -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -gencert -rfc -infile server.csr -outfile server.crt -validity $VALIDITY -ext bc=ca:false -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt
+keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server -file server.crt
+
+# Create a key and self-signed certificate for the CA, to sign client certificate requests and use for trust:
+# -----------------------------------------------------------------------------------------------------------
+keytool -keystore client-ca-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias client-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true
+keytool -keystore client-ca-keystore.jks -storepass $STORE_PASS -alias client-ca -exportcert -rfc > client-ca.crt
+
+# Create trust store with the client CA cert:
+# -------------------------------------------
+keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias client-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true
+keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -exportcert -rfc > client-ca.crt
+
+# Create a key pair for the client, and sign it with the CA:
+# ----------------------------------------------------------
+keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias client -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -keystore client-keystore.jks -storepass $STORE_PASS -alias client -certreq -file client.csr
+keytool -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -gencert -rfc -infile client.csr -outfile client.crt -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt
+keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client -file client.crt
+
+# Create a key pair for the other client, and sign it with the CA:
+# ----------------------------------------------------------------
+keytool -keystore other-client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias other-client -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Other Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -keystore other-client-keystore.jks -storepass $STORE_PASS -alias other-client -certreq -file other-client.csr
+keytool -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -gencert -rfc -infile other-client.csr -outfile other-client.crt -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -keystore other-client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt
+keytool -keystore other-client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias other-client -file other-client.crt
+```
## Create the ca.conf file:
```
[ ca ]
-default_ca = myca
-
-[ crl_ext ]
-# issuerAltName=issuer:copy #this would copy the issuer name to altname
-authorityKeyIdentifier=keyid:always
-
-[ myca ]
-dir = ./
-new_certs_dir = $dir
-unique_subject = no
-certificate = $dir/ca.crt
-database = $dir/certindex
-private_key = $dir/ca.key
-serial = $dir/certserial
-default_days = 730
-default_md = sha1
-policy = myca_policy
-x509_extensions = myca_extensions
-crlnumber = $dir/crlnumber
-default_crl_days = 730
-
-[ myca_policy ]
-commonName = supplied
-stateOrProvinceName = supplied
-countryName = optional
-emailAddress = optional
-organizationName = supplied
-organizationalUnitName = optional
-
-[ myca_extensions ]
-basicConstraints = CA:false
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-keyUsage = digitalSignature,keyEncipherment
-extendedKeyUsage = serverAuth, clientAuth
-crlDistributionPoints = URI:http://example.com/root.crl
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = example.com
-DNS.2 = *.example.com`
+default_ca = CA_default
+
+[ CA_default ]
+dir = ./
+database = $dir/openssl-database
+crlnumber = $dir/openssl-crlnumber
+default_md = default
```
## Continue with the following commands:
-```
-openssl genrsa -out keystore1.key 2048
-openssl req -new -key keystore1.key -out keystore1.csr
-openssl ca -batch -config ca.conf -notext -in keystore1.csr -out keystore1.crt
-openssl genrsa -out client_revoked.key 2048
-openssl req -new -key client_revoked.key -out client_revoked.csr
-openssl ca -batch -config ca.conf -notext -in client_revoked.csr -out client_revoked.crt
-openssl genrsa -out client_not_revoked.key 2048
-openssl req -new -key client_not_revoked.key -out client_not_revoked.csr
-openssl ca -batch -config ca.conf -notext -in client_not_revoked.csr -out client_not_revoked.crt
-openssl ca -config ca.conf -gencrl -keyfile ca.key -cert ca.crt -out root.crl.pem
-openssl ca -config ca.conf -revoke client_revoked.crt -keyfile ca.key -cert ca.crt
-openssl ca -config ca.conf -gencrl -keyfile ca.key -cert ca.crt -out root.crl.pem
-
-openssl pkcs12 -export -name client_revoked -in client_revoked.crt -inkey client_revoked.key -out client_revoked.p12
-keytool -importkeystore -destkeystore client_revoked.jks -srckeystore client_revoked.p12 -srcstoretype pkcs12 -alias client_revoked
-
-openssl pkcs12 -export -name client_not_revoked -in client_not_revoked.crt -inkey client_not_revoked.key -out client_not_revoked.p12
-keytool -importkeystore -destkeystore client_not_revoked.jks -srckeystore client_not_revoked.p12 -srcstoretype pkcs12 -alias client_not_revoked
-
-openssl pkcs12 -export -name keystore1 -in keystore1.crt -inkey keystore1.key -out keystore1.p12
-keytool -importkeystore -destkeystore keystore1.jks -srckeystore keystore1.p12 -srcstoretype pkcs12 -alias keystore1
-
-keytool -import -trustcacerts -alias trust_key -file ca.crt -keystore truststore.jks
+```shell
+# Export the key of the server CA:
+# ----------------------------------------------------------------------------------------------------
+openssl pkcs12 -in client-ca-keystore.p12 -nodes -nocerts -out client-ca.pem -password pass:$STORE_PASS
+
+# Create crl with the other client cert:
+# -------------------------------------------------------
+> openssl-database
+echo 00 > openssl-crlnumber
+openssl ca -config openssl.conf -revoke other-client.crt -keyfile client-ca.pem -cert client-ca.crt
+openssl ca -config openssl.conf -gencrl -keyfile client-ca.pem -cert client-ca.crt -out other-client-crl.pem -crldays $VALIDITY
```
\ No newline at end of file
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/java/org/apache/activemq/artemis/jms/example/MqttCrlEnabledExample.java b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/java/org/apache/activemq/artemis/jms/example/MqttCrlEnabledExample.java
index 46e0ad1..43982be 100644
--- a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/java/org/apache/activemq/artemis/jms/example/MqttCrlEnabledExample.java
+++ b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/java/org/apache/activemq/artemis/jms/example/MqttCrlEnabledExample.java
@@ -31,14 +31,14 @@ public class MqttCrlEnabledExample {
public static void main(final String[] args) throws Exception {
boolean exception = false;
try {
- callBroker("truststore.jks", "changeit", "client_revoked.jks", "changeit");
+ callBroker("server-ca-truststore.jks", "securepass", "other-client-keystore.jks", "securepass");
} catch (SSLException e) {
exception = true;
}
if (!exception) {
throw new RuntimeException("The connection should be revoked");
}
- callBroker("truststore.jks", "changeit", "client_not_revoked.jks", "changeit");
+ callBroker("server-ca-truststore.jks", "securepass", "client-keystore.jks", "securepass");
}
private static void callBroker(String truststorePath, String truststorePass, String keystorePath, String keystorePass) throws Exception {
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/broker.xml b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/broker.xml
index 9877bd5..fa630dc 100644
--- a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/broker.xml
+++ b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/broker.xml
@@ -22,7 +22,7 @@ under the License.
<acceptors>
<acceptor name="netty-acceptor">tcp://localhost:61616</acceptor>
- <acceptor name="mqtt">tcp://0.0.0.0:1883?protocols=MQTT;sslEnabled=true;keyStorePath=keystore1.jks;keyStorePassword=changeit;trustStorePath=truststore.jks;keyStorePassword=changeit;crlPath=root.crl.pem;needClientAuth=true</acceptor>
+ <acceptor name="mqtt">tcp://0.0.0.0:1883?protocols=MQTT;sslEnabled=true;keyStorePath=server-keystore.jks;keyStorePassword=securepass;trustStorePath=client-ca-truststore.jks;keyStorePassword=securepass;crlPath=other-client-crl.pem;needClientAuth=true</acceptor>
</acceptors>
<wildcard-addresses>
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/client-ca-truststore.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/client-ca-truststore.jks
new file mode 100644
index 0000000..e2dfeff
Binary files /dev/null and b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/client-ca-truststore.jks differ
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/keystore1.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/keystore1.jks
deleted file mode 100644
index 5d85fa7..0000000
Binary files a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/keystore1.jks and /dev/null differ
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/other-client-crl.pem b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/other-client-crl.pem
new file mode 100644
index 0000000..45f51ab
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/other-client-crl.pem
@@ -0,0 +1,12 @@
+-----BEGIN X509 CRL-----
+MIIB0zCBvAIBATANBgkqhkiG9w0BAQsFADBfMREwDwYDVQQKEwhBY3RpdmVNUTEQ
+MA4GA1UECxMHQXJ0ZW1pczE4MDYGA1UEAxMvQWN0aXZlTVEgQXJ0ZW1pcyBDbGll
+bnQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkXDTIxMDgwMzEzMDMwN1oYDzIxMjEw
+NzEwMTMwMzA3WjAXMBUCBH493qkXDTIxMDgwMzEzMDMwN1qgDjAMMAoGA1UdFAQD
+AgEAMA0GCSqGSIb3DQEBCwUAA4IBAQBzM0YCos5sHRAN4pPzNWCAonqezX6FfcY+
+SuufVcxD583O2Vnuwmz9i9PhGJJbWxGuCtXwS1JNldm7/rXhpZOd539W1BJQprGb
+nwooQWTBBU8qTaXmUVWiPsMlL/IcMUTB/DVgWsRuwjA7wtVAseIoa2Z/geZZAOwO
+vgp7RAtWW9M1Vr7/XWNsJqIOoPnPqGhg8Nve2sFfySQmJQZP8LnnDgC6pv51TnRa
+VrOmHtralj2d0U3z78nRZW26S1XMxA0wb5yTc4T8lxCZ969vwtiWOQRCoKL/EFWe
+Yy2oBbRjTHEZWYyhYHCMcGP2JSGcDnSZmc+d7ydgx4Gq7nHy3FCM
+-----END X509 CRL-----
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/root.crl.pem b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/root.crl.pem
deleted file mode 100644
index 972afba..0000000
--- a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/root.crl.pem
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN X509 CRL-----
-MIIBwzCBrAIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJBVTETMBEGA1UE
-CAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk
-MQ0wCwYDVQQDDARjZXJ0Fw0yMDAxMDcxNjU0NTdaFw0yMjAxMDYxNjU0NTdaMBQw
-EgIBAhcNMjAwMTA3MTY1NDUwWqAOMAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEF
-BQADggEBABMQJLN47mGcjUL4MzSwCwRZRuD53jrjQNVJ/0k69VGhwku5wCBzkT1G
-qFMmmIxIk3n24UORXqHXuJTLeZj6ibGGYVDUz0gFDHIaBBczy///mguC0yN4nWtl
-VR9r4LB9+ShzgL8mm5f1fB6nLZFXLbe4uLPNY600Z34AdtQrfQ7KumTlKQDGhNy0
-jNWmygLihTGVc4zoTcVKS7VJq/IuPJJzTm7AJ3zmLe5uq5lLmUAxzcF7YWTo85gZ
-8K8kRJ0U75ujFez5Qx2oiuEPOvie0N6tpsV6JEE62Nbvso/jbbbOoG/1DTyaN1IM
-xT78WqZYTHjJd4X0aoovUmFEhwOvzGs=
------END X509 CRL-----
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/server-keystore.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/server-keystore.jks
new file mode 100644
index 0000000..5a7e2c0
Binary files /dev/null and b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/server-keystore.jks differ
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/truststore.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/truststore.jks
deleted file mode 100644
index 8410bc3..0000000
Binary files a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/activemq/server0/truststore.jks and /dev/null differ
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client-keystore.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client-keystore.jks
new file mode 100644
index 0000000..b968a0c
Binary files /dev/null and b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client-keystore.jks differ
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client_not_revoked.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client_not_revoked.jks
deleted file mode 100644
index b03e57a..0000000
Binary files a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client_not_revoked.jks and /dev/null differ
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client_revoked.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client_revoked.jks
deleted file mode 100644
index 5e9987c..0000000
Binary files a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/client_revoked.jks and /dev/null differ
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/other-client-keystore.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/other-client-keystore.jks
new file mode 100644
index 0000000..f2061bd
Binary files /dev/null and b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/other-client-keystore.jks differ
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/server-ca-truststore.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/server-ca-truststore.jks
new file mode 100644
index 0000000..3fe0f29
Binary files /dev/null and b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/server-ca-truststore.jks differ
diff --git a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/truststore.jks b/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/truststore.jks
deleted file mode 100644
index 8410bc3..0000000
Binary files a/examples/features/standard/ssl-enabled-crl-mqtt/src/main/resources/truststore.jks and /dev/null differ
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/readme.md b/examples/features/standard/ssl-enabled-dual-authentication/readme.md
index 1fbe0da..10584e6 100644
--- a/examples/features/standard/ssl-enabled-dual-authentication/readme.md
+++ b/examples/features/standard/ssl-enabled-dual-authentication/readme.md
@@ -6,21 +6,63 @@ This example shows you how to configure 2-way SSL along with 2 different authent
To configure 2-way SSL you need to configure the acceptor as follows:
- <acceptor name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=server-side-keystore.jks;keyStorePassword=secureexample;trustStorePath=server-side-truststore.jks;trustStorePassword=secureexample</acceptor>
+ <acceptor name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=server-keystore.jks;keyStorePassword=securepass;trustStorePath=client-ca-truststore.jks;trustStorePassword=securepass</acceptor>
-In the server-side URL, the `server-side-keystore.jks` is the key store file holding the server's certificate. The `server-side-truststore.jks` is the file holding the certificates which the broker trusts. Notice also the `sslEnabled` and `needClientAuth` parameters which enable SSL and require clients to present their own certificate respectively.
+In the server-side URL, the `server-keystore.jks` is the key store file holding the server's certificate. The `client-ca-truststore.jks` is the file holding the certificates which the broker trusts. Notice also the `sslEnabled` and `needClientAuth` parameters which enable SSL and require clients to present their own certificate respectively.
Here's the URL the client uses to connect over SSL:
- tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/client-side-truststore.jks&trustStorePassword=secureexample&keyStorePath=activemq/server0/client-side-keystore.jks&keyStorePassword=secureexample
+ tcp://localhost:5500?sslEnabled=true&trustStorePath=server-ca-truststore.jks&trustStorePassword=securepass&keyStorePath=client-keystore.jks&keyStorePassword=securepass
-In the client-side URL, the `client-side-keystore.jks` is the key store file holding the client's certificate. The `client-side-truststore.jks` is the file holding the certificates which the client trusts. The `sslEnabled` parameter is present here as well just as it is on the server.
+In the client-side URL, the `client-keystore.jks` is the key store file holding the client's certificate. The `server-ca-truststore.jks` is the file holding the certificates which the client trusts. The `sslEnabled` parameter is present here as well just as it is on the server.
The various keystore files are generated using the following commands:
-* `keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA`
-* `keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample`
-* `keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt`
-* `keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA`
-* `keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample`
-* `keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt`
+```shell
+#!/bin/bash
+set -e
+
+KEY_PASS=securepass
+STORE_PASS=securepass
+CA_VALIDITY=365000
+VALIDITY=36500
+
+# Create a key and self-signed certificate for the CA, to sign server certificate requests and use for trust:
+# -----------------------------------------------------------------------------------------------------------
+keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias server-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true
+keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -exportcert -rfc > server-ca.crt
+
+# Create trust store with the server CA cert:
+# -------------------------------------------
+keytool -keystore server-ca-truststore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt
+
+# Create a key pair for the server, and sign it with the CA:
+# ----------------------------------------------------------
+keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias server -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=sA -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -keystore server-keystore.jks -storepass $STORE_PASS -alias server -certreq -file server.csr
+keytool -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -gencert -rfc -infile server.csr -outfile server.crt -validity $VALIDITY -ext bc=ca:false -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt
+keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server -file server.crt
+
+# Create a key and self-signed certificate for the CA, to sign client certificate requests and use for trust:
+# -----------------------------------------------------------------------------------------------------------
+keytool -keystore client-ca-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias client-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true
+keytool -keystore client-ca-keystore.jks -storepass $STORE_PASS -alias client-ca -exportcert -rfc > client-ca.crt
+
+# Create trust store with the client CA cert:
+# -------------------------------------------
+keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias client-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true
+keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -exportcert -rfc > client-ca.crt
+
+# Create a key pair for the client, and sign it with the CA:
+# ----------------------------------------------------------
+keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias client -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -keystore client-keystore.jks -storepass $STORE_PASS -alias client -certreq -file client.csr
+keytool -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -gencert -rfc -infile client.csr -outfile client.crt -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt
+keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client -file client.crt
+```
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/broker.xml b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/broker.xml
index 1bba774..4de5a06 100644
--- a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/broker.xml
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/broker.xml
@@ -31,7 +31,7 @@ under the License.
<!-- Acceptors -->
<acceptors>
<acceptor name="netty-acceptor">tcp://localhost:61616</acceptor>
- <acceptor name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=server-side-keystore.jks;keyStorePassword=secureexample;trustStorePath=server-side-truststore.jks;trustStorePassword=secureexample</acceptor>
+ <acceptor name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=server-keystore.jks;keyStorePassword=securepass;trustStorePath=client-ca-truststore.jks;trustStorePassword=securepass</acceptor>
</acceptors>
<!-- Other config -->
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-ca-truststore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-ca-truststore.jks
new file mode 100644
index 0000000..e2dfeff
Binary files /dev/null and b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-ca-truststore.jks differ
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-keystore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-keystore.jks
deleted file mode 100644
index cb65a44..0000000
Binary files a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-keystore.jks and /dev/null differ
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-truststore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-truststore.jks
deleted file mode 100644
index 7eb1d56..0000000
Binary files a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-truststore.jks and /dev/null differ
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-keystore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-keystore.jks
new file mode 100644
index 0000000..5a7e2c0
Binary files /dev/null and b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-keystore.jks differ
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-keystore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-keystore.jks
deleted file mode 100644
index 6089c6e..0000000
Binary files a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-keystore.jks and /dev/null differ
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-truststore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-truststore.jks
deleted file mode 100644
index 0b7e224..0000000
Binary files a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-truststore.jks and /dev/null differ
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/client-keystore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/client-keystore.jks
new file mode 100644
index 0000000..b968a0c
Binary files /dev/null and b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/client-keystore.jks differ
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/jndi.properties b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/jndi.properties
index 12fbef6..aa50486 100644
--- a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/jndi.properties
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/jndi.properties
@@ -16,6 +16,6 @@
# under the License.
java.naming.factory.initial=org.apache.activemq.artemis.jndi.ActiveMQInitialContextFactory
-connectionFactory.SslConnectionFactory=tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/client-side-truststore.jks&trustStorePassword=secureexample&keyStorePath=activemq/server0/client-side-keystore.jks&keyStorePassword=secureexample
+connectionFactory.SslConnectionFactory=tcp://localhost:5500?sslEnabled=true&trustStorePath=server-ca-truststore.jks&trustStorePassword=securepass&keyStorePath=client-keystore.jks&keyStorePassword=securepass
connectionFactory.ConnectionFactory=tcp://localhost:61616
queue.queue/exampleQueue=exampleQueue
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/server-ca-truststore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/server-ca-truststore.jks
new file mode 100644
index 0000000..3fe0f29
Binary files /dev/null and b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/server-ca-truststore.jks differ
diff --git a/examples/features/standard/ssl-enabled/pom.xml b/examples/features/standard/ssl-enabled/pom.xml
index 718ca7e..8eb6dcf 100644
--- a/examples/features/standard/ssl-enabled/pom.xml
+++ b/examples/features/standard/ssl-enabled/pom.xml
@@ -66,7 +66,7 @@ under the License.
<configuration>
<ignore>${noServer}</ignore>
<spawn>true</spawn>
- <testURI>tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/activemq.example.truststore&trustStorePassword=activemqexample</testURI>
+ <testURI>tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/server-ca-truststore.jks&trustStorePassword=securepass</testURI>
<args>
<param>run</param>
</args>
diff --git a/examples/features/standard/ssl-enabled/readme.md b/examples/features/standard/ssl-enabled/readme.md
index 6038f6d..5c3a12d 100644
--- a/examples/features/standard/ssl-enabled/readme.md
+++ b/examples/features/standard/ssl-enabled/readme.md
@@ -6,10 +6,35 @@ This example shows you how to configure SSL with ActiveMQ Artemis to send and re
Using SSL can make your messaging applications interact with ActiveMQ Artemis securely. An application can be secured transparently without extra coding effort. To secure your messaging application with SSL, you need to configure connector and acceptor as follows:
- <acceptor name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;keyStorePath=activemq.example.keystore;keyStorePassword=activemqexample</acceptor>
+ <acceptor name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;keyStorePath=server-keystore.jks;keyStorePassword=securepass</acceptor>
In the configuration, the `activemq.example.keystore` is the key store file holding the server's certificate. The `activemq.example.truststore` is the file holding the certificates which the client trusts (i.e. the server's certificate exported from activemq.example.keystore). They are generated via the following commands:
-* `keytool -genkey -keystore activemq.example.keystore -storepass activemqexample -keypass activemqexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA`
-* `keytool -export -keystore activemq.example.keystore -file server-side-cert.cer -storepass activemqexample`
-* `keytool -import -keystore activemq.example.truststore -file server-side-cert.cer -storepass activemqexample -keypass activemqexample -noprompt`
\ No newline at end of file
+```shell
+#!/bin/bash
+set -e
+
+KEY_PASS=securepass
+STORE_PASS=securepass
+CA_VALIDITY=365000
+VALIDITY=36500
+
+# Create a key and self-signed certificate for the CA, to sign server certificate requests and use for trust:
+# -----------------------------------------------------------------------------------------------------------
+keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias server-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true
+keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -exportcert -rfc > server-ca.crt
+
+# Create trust store with the server CA cert:
+# -------------------------------------------
+keytool -keystore server-ca-truststore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt
+
+# Create a key pair for the server, and sign it with the CA:
+# ----------------------------------------------------------
+keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias server -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=sA -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -keystore server-keystore.jks -storepass $STORE_PASS -alias server -certreq -file server.csr
+keytool -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -gencert -rfc -infile server.csr -outfile server.crt -validity $VALIDITY -ext bc=ca:false -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt
+keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server -file server.crt
+```
diff --git a/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/activemq.example.keystore b/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/activemq.example.keystore
deleted file mode 100644
index 4ed2413..0000000
Binary files a/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/activemq.example.keystore and /dev/null differ
diff --git a/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/activemq.example.truststore b/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/activemq.example.truststore
deleted file mode 100644
index 45ab086..0000000
Binary files a/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/activemq.example.truststore and /dev/null differ
diff --git a/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/broker.xml b/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/broker.xml
index 04bcec5..1a34630 100644
--- a/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/broker.xml
+++ b/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/broker.xml
@@ -31,7 +31,7 @@ under the License.
<!-- Acceptors -->
<acceptors>
<!-- keystores will be found automatically if they are on the classpath -->
- <acceptor name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;keyStorePath=activemq.example.keystore;keyStorePassword=activemqexample</acceptor>
+ <acceptor name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;keyStorePath=server-keystore.jks;keyStorePassword=securepass</acceptor>
</acceptors>
<!-- Other config -->
diff --git a/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/server-ca-truststore.jks b/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/server-ca-truststore.jks
new file mode 100644
index 0000000..3fe0f29
Binary files /dev/null and b/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/server-ca-truststore.jks differ
diff --git a/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/server-keystore.jks b/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/server-keystore.jks
new file mode 100644
index 0000000..5a7e2c0
Binary files /dev/null and b/examples/features/standard/ssl-enabled/src/main/resources/activemq/server0/server-keystore.jks differ
diff --git a/examples/features/standard/ssl-enabled/src/main/resources/jndi.properties b/examples/features/standard/ssl-enabled/src/main/resources/jndi.properties
index 7929c7c..1b2906f 100644
--- a/examples/features/standard/ssl-enabled/src/main/resources/jndi.properties
+++ b/examples/features/standard/ssl-enabled/src/main/resources/jndi.properties
@@ -16,5 +16,5 @@
# under the License.
java.naming.factory.initial=org.apache.activemq.artemis.jndi.ActiveMQInitialContextFactory
-connectionFactory.ConnectionFactory=tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/activemq.example.truststore&trustStorePassword=activemqexample
+connectionFactory.ConnectionFactory=tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/server-ca-truststore.jks&trustStorePassword=securepass
queue.queue/exampleQueue=exampleQueue
diff --git a/examples/protocols/stomp/stomp-dual-authentication/src/main/java/org/apache/activemq/artemis/jms/example/StompDualAuthenticationExample.java b/examples/protocols/stomp/stomp-dual-authentication/src/main/java/org/apache/activemq/artemis/jms/example/StompDualAuthenticationExample.java
index 688c03a..8346494 100644
--- a/examples/protocols/stomp/stomp-dual-authentication/src/main/java/org/apache/activemq/artemis/jms/example/StompDualAuthenticationExample.java
+++ b/examples/protocols/stomp/stomp-dual-authentication/src/main/java/org/apache/activemq/artemis/jms/example/StompDualAuthenticationExample.java
@@ -45,10 +45,10 @@ public class StompDualAuthenticationExample {
try {
// set up SSL keystores for Stomp connection
- System.setProperty("javax.net.ssl.trustStore", args[0] + "client-side-truststore.jks");
- System.setProperty("javax.net.ssl.trustStorePassword", "secureexample");
- System.setProperty("javax.net.ssl.keyStore", args[0] + "client-side-keystore.jks");
- System.setProperty("javax.net.ssl.keyStorePassword", "secureexample");
+ System.setProperty("javax.net.ssl.trustStore", args[0] + "server-ca-truststore.jks");
+ System.setProperty("javax.net.ssl.trustStorePassword", "securepass");
+ System.setProperty("javax.net.ssl.keyStore", args[0] + "client-keystore.jks");
+ System.setProperty("javax.net.ssl.keyStorePassword", "securepass");
// Step 1. Create an SSL socket to connect to the broker
SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
diff --git a/tests/integration-tests/pom.xml b/tests/integration-tests/pom.xml
index d7e71e5..7517eee 100644
--- a/tests/integration-tests/pom.xml
+++ b/tests/integration-tests/pom.xml
@@ -474,6 +474,9 @@
<exclude>**/rest/*.xml</exclude>
</excludes>
</testResource>
+ <testResource>
+ <directory>../security-resources</directory>
+ </testResource>
</testResources>
<plugins>
<plugin>
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/AmqpFailoverEndpointDiscoveryTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/AmqpFailoverEndpointDiscoveryTest.java
index 5ded6f2..c135dc5 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/AmqpFailoverEndpointDiscoveryTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/AmqpFailoverEndpointDiscoveryTest.java
@@ -36,6 +36,9 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
@RunWith(Parameterized.class)
public class AmqpFailoverEndpointDiscoveryTest extends FailoverTestBase {
@@ -90,9 +93,9 @@ public class AmqpFailoverEndpointDiscoveryTest extends FailoverTestBase {
if (protocol == 0) {
return new JmsConnectionFactory("failover:(amqp://localhost:61616)");
} else {
- String keystore = this.getClass().getClassLoader().getResource("client-side-keystore.jks").getFile();
- String truststore = this.getClass().getClassLoader().getResource("client-side-truststore.jks").getFile();
- return new JmsConnectionFactory("failover:(amqps://localhost:61616?transport.keyStoreLocation=" + keystore + "&transport.keyStorePassword=secureexample&transport.trustStoreLocation=" + truststore + "&transport.trustStorePassword=secureexample&transport.verifyHost=false)");
+ String keystore = this.getClass().getClassLoader().getResource("client-keystore.jks").getFile();
+ String truststore = this.getClass().getClassLoader().getResource("server-ca-truststore.jks").getFile();
+ return new JmsConnectionFactory("failover:(amqps://localhost:61616?transport.keyStoreLocation=" + keystore + "&transport.keyStorePassword=securepass&transport.trustStoreLocation=" + truststore + "&transport.trustStorePassword=securepass&transport.verifyHost=false)");
}
}
@@ -101,10 +104,10 @@ public class AmqpFailoverEndpointDiscoveryTest extends FailoverTestBase {
if (protocol == 1) {
server1Params.put(TransportConstants.SSL_ENABLED_PROP_NAME, "true");
- server1Params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
- server1Params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- server1Params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
- server1Params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ server1Params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ server1Params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ server1Params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ server1Params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
}
if (live) {
@@ -120,10 +123,10 @@ public class AmqpFailoverEndpointDiscoveryTest extends FailoverTestBase {
Map<String, Object> server1Params = new HashMap<>();
if (protocol == 1) {
server1Params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- server1Params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-side-truststore.jks");
- server1Params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
- server1Params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-side-keystore.jks");
- server1Params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+ server1Params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ server1Params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ server1Params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ server1Params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
}
if (live) {
return new TransportConfiguration(NETTY_CONNECTOR_FACTORY, server1Params);
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslExternalLDAPTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslExternalLDAPTest.java
index 6320b4f..7e10973 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslExternalLDAPTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslExternalLDAPTest.java
@@ -58,6 +58,9 @@ import org.junit.runner.RunWith;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertEquals;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
@RunWith(FrameworkRunner.class)
@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port = 1024)})
@ApplyLdifFiles("AMQauth.ldif")
@@ -117,10 +120,10 @@ public class JMSSaslExternalLDAPTest extends AbstractLdapTestUnit {
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "keystore1.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "changeit");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "changeit");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
Map<String, Object> extraParams = new HashMap<>();
@@ -146,14 +149,14 @@ public class JMSSaslExternalLDAPTest extends AbstractLdapTestUnit {
@Test(timeout = 600000)
public void testRoundTrip() throws Exception {
- final String keystore = this.getClass().getClassLoader().getResource("client_not_revoked.jks").getFile();
- final String truststore = this.getClass().getClassLoader().getResource("truststore.jks").getFile();
+ final String keystore = this.getClass().getClassLoader().getResource("client-keystore.jks").getFile();
+ final String truststore = this.getClass().getClassLoader().getResource("server-ca-truststore.jks").getFile();
String connOptions = "?amqp.saslMechanisms=EXTERNAL" + "&" +
"transport.trustStoreLocation=" + truststore + "&" +
- "transport.trustStorePassword=changeit" + "&" +
+ "transport.trustStorePassword=securepass" + "&" +
"transport.keyStoreLocation=" + keystore + "&" +
- "transport.keyStorePassword=changeit" + "&" +
+ "transport.keyStorePassword=securepass" + "&" +
"transport.verifyHost=false";
JmsConnectionFactory factory = new JmsConnectionFactory(new URI("amqps://localhost:" + 61616 + connOptions));
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslExternalTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslExternalTest.java
index b9da886..078d39f 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslExternalTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/JMSSaslExternalTest.java
@@ -60,6 +60,9 @@ import org.junit.After;
import org.junit.Before;
import org.junit.Test;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
public class JMSSaslExternalTest extends ActiveMQTestBase {
static {
@@ -98,10 +101,10 @@ public class JMSSaslExternalTest extends ActiveMQTestBase {
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "keystore1.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "changeit");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "changeit");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
Map<String, Object> extraParams = new HashMap<>();
@@ -127,14 +130,14 @@ public class JMSSaslExternalTest extends ActiveMQTestBase {
@Test(timeout = 600000)
public void testConnection() throws Exception {
- final String keystore = this.getClass().getClassLoader().getResource("client_not_revoked.jks").getFile();
- final String truststore = this.getClass().getClassLoader().getResource("truststore.jks").getFile();
+ final String keystore = this.getClass().getClassLoader().getResource("other-client-keystore.jks").getFile();
+ final String truststore = this.getClass().getClassLoader().getResource("server-ca-truststore.jks").getFile();
String connOptions = "?amqp.saslMechanisms=EXTERNAL" + "&" +
"transport.trustStoreLocation=" + truststore + "&" +
- "transport.trustStorePassword=changeit" + "&" +
+ "transport.trustStorePassword=securepass" + "&" +
"transport.keyStoreLocation=" + keystore + "&" +
- "transport.keyStorePassword=changeit" + "&" +
+ "transport.keyStorePassword=securepass" + "&" +
"transport.verifyHost=false";
JmsConnectionFactory factory = new JmsConnectionFactory(new URI("amqps://localhost:" + 61616 + connOptions));
@@ -164,10 +167,10 @@ public class JMSSaslExternalTest extends ActiveMQTestBase {
final Map<String, Object> config = new LinkedHashMap<>(); config.put(TransportConstants.HOST_PROP_NAME, "localhost");
config.put(TransportConstants.PORT_PROP_NAME, String.valueOf(61616));
- config.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client_not_revoked.jks");
- config.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "changeit");
- config.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "truststore.jks");
- config.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "changeit");
+ config.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ config.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ config.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ config.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
config.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
config.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/connect/AMQPConnectSaslTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/connect/AMQPConnectSaslTest.java
index 0a37e89..7140d75 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/connect/AMQPConnectSaslTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/connect/AMQPConnectSaslTest.java
@@ -52,16 +52,21 @@ import io.vertx.proton.ProtonConnection;
import io.vertx.proton.ProtonServerOptions;
import io.vertx.proton.sasl.ProtonSaslAuthenticator;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
public class AMQPConnectSaslTest extends AmqpClientTestSupport {
private static final int BROKER_PORT_NUM = AMQP_PORT + 1;
- private static final String SERVER_KEYSTORE_NAME = "keystore1.jks";
- private static final String SERVER_KEYSTORE_PASSWORD = "changeit";
- private static final String CLIENT_KEYSTORE_NAME = "client_not_revoked.jks";
- private static final String CLIENT_KEYSTORE_PASSWORD = "changeit";
- private static final String TRUSTSTORE_NAME = "truststore.jks";
- private static final String TRUSTSTORE_PASSWORD = "changeit";
+ private static final String SERVER_KEYSTORE_NAME = "server-keystore.jks";
+ private static final String SERVER_KEYSTORE_PASSWORD = "securepass";
+ private static final String CLIENT_KEYSTORE_NAME = "client-keystore.jks";
+ private static final String CLIENT_KEYSTORE_PASSWORD = "securepass";
+ private static final String SERVER_TRUSTSTORE_NAME = "server-ca-truststore.jks";
+ private static final String SERVER_TRUSTSTORE_PASSWORD = "securepass";
+ private static final String CLIENT_TRUSTSTORE_NAME = "client-ca-truststore.jks";
+ private static final String CLIENT_TRUSTSTORE_PASSWORD = "securepass";
private static final String USER = "MY_USER";
private static final String PASSWD = "PASSWD_VALUE";
@@ -220,8 +225,8 @@ public class AMQPConnectSaslTest extends AmqpClientTestSupport {
serverOptions.setKeyStoreOptions(jksKeyStoreOptions);
if (requireClientCert) {
- final String trustStorePath = this.getClass().getClassLoader().getResource(TRUSTSTORE_NAME).getFile();
- JksOptions jksTrustStoreOptions = new JksOptions().setPath(trustStorePath).setPassword(TRUSTSTORE_PASSWORD);
+ final String trustStorePath = this.getClass().getClassLoader().getResource(CLIENT_TRUSTSTORE_NAME).getFile();
+ JksOptions jksTrustStoreOptions = new JksOptions().setPath(trustStorePath).setPassword(CLIENT_TRUSTSTORE_PASSWORD);
serverOptions.setTrustStoreOptions(jksTrustStoreOptions);
serverOptions.setClientAuth(ClientAuth.REQUIRED);
@@ -236,7 +241,7 @@ public class AMQPConnectSaslTest extends AmqpClientTestSupport {
});
String amqpServerConnectionURI = "tcp://localhost:" + mockServer.actualPort() +
- "?sslEnabled=true;trustStorePath=" + TRUSTSTORE_NAME + ";trustStorePassword=" + TRUSTSTORE_PASSWORD;
+ "?sslEnabled=true;trustStorePath=" + SERVER_TRUSTSTORE_NAME + ";trustStorePassword=" + SERVER_TRUSTSTORE_PASSWORD;
if (requireClientCert) {
amqpServerConnectionURI +=
";keyStorePath=" + CLIENT_KEYSTORE_NAME + ";keyStorePassword=" + CLIENT_KEYSTORE_PASSWORD;
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/SSLSecurityNotificationTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/SSLSecurityNotificationTest.java
index e4d1a6e..71476f5 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/SSLSecurityNotificationTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/management/SSLSecurityNotificationTest.java
@@ -51,6 +51,9 @@ import org.junit.Test;
import static org.apache.activemq.artemis.api.core.management.CoreNotificationType.CONSUMER_CREATED;
import static org.apache.activemq.artemis.api.core.management.CoreNotificationType.SECURITY_AUTHENTICATION_VIOLATION;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
public class SSLSecurityNotificationTest extends ActiveMQTestBase {
static {
@@ -78,10 +81,10 @@ public class SSLSecurityNotificationTest extends ActiveMQTestBase {
TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-side-truststore.jks");
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "bad-client-side-keystore.jks");
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "unknown-client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
ClientSessionFactory sf = addSessionFactory(createSessionFactory(locator));
@@ -96,7 +99,7 @@ public class SSLSecurityNotificationTest extends ActiveMQTestBase {
ClientMessage[] notifications = SSLSecurityNotificationTest.consumeMessages(1, notifConsumer);
Assert.assertEquals(SECURITY_AUTHENTICATION_VIOLATION.toString(), notifications[0].getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TYPE).toString());
Assert.assertEquals(null, notifications[0].getObjectProperty(ManagementHelper.HDR_USER));
- Assert.assertEquals("CN=Bad Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ", notifications[0].getObjectProperty(ManagementHelper.HDR_CERT_SUBJECT_DN).toString());
+ Assert.assertEquals("CN=ActiveMQ Artemis Unknown Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ", notifications[0].getObjectProperty(ManagementHelper.HDR_CERT_SUBJECT_DN).toString());
Assert.assertTrue(notifications[0].getObjectProperty(ManagementHelper.HDR_REMOTE_ADDRESS).toString().startsWith("/127.0.0.1"));
Assert.assertTrue(notifications[0].getTimestamp() >= start);
Assert.assertTrue((long) notifications[0].getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TIMESTAMP) >= start);
@@ -116,10 +119,10 @@ public class SSLSecurityNotificationTest extends ActiveMQTestBase {
TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-side-truststore.jks");
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-side-keystore.jks");
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
ClientSessionFactory sf = addSessionFactory(createSessionFactory(locator));
@@ -154,10 +157,10 @@ public class SSLSecurityNotificationTest extends ActiveMQTestBase {
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
@@ -173,10 +176,10 @@ public class SSLSecurityNotificationTest extends ActiveMQTestBase {
TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-side-truststore.jks");
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-side-keystore.jks");
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
ClientSessionFactory sf = addSessionFactory(createSessionFactory(locator));
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java
index 3db9734..080fdda 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/mqtt/imported/MQTTSecurityCRLTest.java
@@ -37,87 +37,10 @@ import org.fusesource.mqtt.client.QoS;
import org.fusesource.mqtt.client.Topic;
import org.junit.Test;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
public class MQTTSecurityCRLTest extends ActiveMQTestBase {
- /**
- * These artifacts are required for testing mqtt with CRL
- * <p>
- * openssl genrsa -out ca.key 2048
- * openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
- * touch certindex
- * echo 01 > certserial
- * echo 01 > crlnumber
- * <p>
- * Create ca.conf file with
- * <p>
- * [ ca ]
- * default_ca = myca
- * <p>
- * [ crl_ext ]
- * # issuerAltName=issuer:copy #this would copy the issuer name to altname
- * authorityKeyIdentifier=keyid:always
- * <p>
- * [ myca ]
- * dir = ./
- * new_certs_dir = $dir
- * unique_subject = no
- * certificate = $dir/ca.crt
- * database = $dir/certindex
- * private_key = $dir/ca.key
- * serial = $dir/certserial
- * default_days = 730
- * default_md = sha1
- * policy = myca_policy
- * x509_extensions = myca_extensions
- * crlnumber = $dir/crlnumber
- * default_crl_days = 730
- * <p>
- * [ myca_policy ]
- * commonName = supplied
- * stateOrProvinceName = supplied
- * countryName = optional
- * emailAddress = optional
- * organizationName = supplied
- * organizationalUnitName = optional
- * <p>
- * [ myca_extensions ]
- * basicConstraints = CA:false
- * subjectKeyIdentifier = hash
- * authorityKeyIdentifier = keyid:always
- * keyUsage = digitalSignature,keyEncipherment
- * extendedKeyUsage = serverAuth, clientAuth
- * crlDistributionPoints = URI:http://example.com/root.crl
- * subjectAltName = @alt_names
- * <p>
- * [alt_names]
- * DNS.1 = example.com
- * DNS.2 = *.example.com
- * <p>
- * Continue executing the commands:
- * <p>
- * openssl genrsa -out keystore1.key 2048
- * openssl req -new -key keystore1.key -out keystore1.csr
- * openssl ca -batch -config ca.conf -notext -in keystore1.csr -out keystore1.crt
- * openssl genrsa -out client_revoked.key 2048
- * openssl req -new -key client_revoked.key -out client_revoked.csr
- * openssl ca -batch -config ca.conf -notext -in client_revoked.csr -out client_revoked.crt
- * openssl genrsa -out client_not_revoked.key 2048
- * openssl req -new -key client_not_revoked.key -out client_not_revoked.csr
- * openssl ca -batch -config ca.conf -notext -in client_not_revoked.csr -out client_not_revoked.crt
- * openssl ca -config ca.conf -gencrl -keyfile ca.key -cert ca.crt -out root.crl.pem
- * openssl ca -config ca.conf -revoke client_revoked.crt -keyfile ca.key -cert ca.crt
- * openssl ca -config ca.conf -gencrl -keyfile ca.key -cert ca.crt -out root.crl.pem
- * <p>
- * openssl pkcs12 -export -name client_revoked -in client_revoked.crt -inkey client_revoked.key -out client_revoked.p12
- * keytool -importkeystore -destkeystore client_revoked.jks -srckeystore client_revoked.p12 -srcstoretype pkcs12 -alias client_revoked
- * <p>
- * openssl pkcs12 -export -name client_not_revoked -in client_not_revoked.crt -inkey client_not_revoked.key -out client_not_revoked.p12
- * keytool -importkeystore -destkeystore client_not_revoked.jks -srckeystore client_not_revoked.p12 -srcstoretype pkcs12 -alias client_not_revoked
- * <p>
- * openssl pkcs12 -export -name keystore1 -in keystore1.crt -inkey keystore1.key -out keystore1.p12
- * keytool -importkeystore -destkeystore keystore1.jks -srckeystore keystore1.p12 -srcstoretype pkcs12 -alias keystore1
- * <p>
- * keytool -import -trustcacerts -alias trust_key -file ca.crt -keystore truststore.jks
- */
@Test
public void crlRevokedTest() throws Exception {
@@ -131,7 +54,7 @@ public class MQTTSecurityCRLTest extends ActiveMQTestBase {
Thread.sleep(50);
}
- connection1 = retrieveMQTTConnection("ssl://localhost:1883", "truststore.jks", "changeit", "client_revoked.jks", "changeit");
+ connection1 = retrieveMQTTConnection("ssl://localhost:1883", "server-ca-truststore.jks", "securepass", "other-client-keystore.jks", "securepass");
// Subscribe to topics
Topic[] topics = {new Topic("test/+/some/#", QoS.AT_MOST_ONCE)};
@@ -170,7 +93,7 @@ public class MQTTSecurityCRLTest extends ActiveMQTestBase {
Thread.sleep(50);
}
- connection1 = retrieveMQTTConnection("ssl://localhost:1883", "truststore.jks", "changeit", "client_not_revoked.jks", "changeit");
+ connection1 = retrieveMQTTConnection("ssl://localhost:1883", "server-ca-truststore.jks", "securepass", "client-keystore.jks", "securepass");
// Subscribe to topics
Topic[] topics = {new Topic("test/+/some/#", QoS.AT_MOST_ONCE)};
@@ -220,11 +143,11 @@ public class MQTTSecurityCRLTest extends ActiveMQTestBase {
TransportConfiguration transportConfiguration = new TransportConfiguration(NettyAcceptorFactory.class.getCanonicalName(), null, "mqtt", null);
transportConfiguration.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- transportConfiguration.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "truststore.jks");
- transportConfiguration.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "changeit");
- transportConfiguration.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "keystore1.jks");
- transportConfiguration.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "changeit");
- transportConfiguration.getParams().put(TransportConstants.CRL_PATH_PROP_NAME, "root.crl.pem");
+ transportConfiguration.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ transportConfiguration.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ transportConfiguration.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ transportConfiguration.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ transportConfiguration.getParams().put(TransportConstants.CRL_PATH_PROP_NAME, "other-client-crl.pem");
transportConfiguration.getParams().put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, "true");
transportConfiguration.getParams().put(TransportConstants.PORT_PROP_NAME, "1883");
transportConfiguration.getParams().put(TransportConstants.HOST_PROP_NAME, "localhost");
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
index 1da806d..45b1082 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
@@ -78,6 +78,9 @@ import org.junit.Before;
import org.junit.Ignore;
import org.junit.Test;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
public class SecurityTest extends ActiveMQTestBase {
static {
@@ -183,10 +186,10 @@ public class SecurityTest extends ActiveMQTestBase {
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
params.put(clientAuthPropName, true);
server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
@@ -195,10 +198,10 @@ public class SecurityTest extends ActiveMQTestBase {
TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-side-truststore.jks");
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-side-keystore.jks");
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
ClientSessionFactory cf = createSessionFactory(locator);
@@ -218,10 +221,10 @@ public class SecurityTest extends ActiveMQTestBase {
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
@@ -234,10 +237,10 @@ public class SecurityTest extends ActiveMQTestBase {
server.start();
ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory("ssl://localhost:61616?verifyHostName=false");
- factory.setTrustStore("client-side-truststore.jks");
- factory.setTrustStorePassword("secureexample");
- factory.setKeyStore("client-side-keystore.jks");
- factory.setKeyStorePassword("secureexample");
+ factory.setTrustStore("server-ca-truststore.jks");
+ factory.setTrustStorePassword("securepass");
+ factory.setKeyStore("client-keystore.jks");
+ factory.setKeyStorePassword("securepass");
try (ActiveMQConnection connection = (ActiveMQConnection) factory.createConnection()) {
Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
@@ -264,10 +267,10 @@ public class SecurityTest extends ActiveMQTestBase {
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
@@ -275,10 +278,10 @@ public class SecurityTest extends ActiveMQTestBase {
ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory("ssl://localhost:61616?verifyHostName=false");
factory.setUserName("test-user");
- factory.setTrustStore("client-side-truststore.jks");
- factory.setTrustStorePassword("secureexample");
- factory.setKeyStore("client-side-keystore.jks");
- factory.setKeyStorePassword("secureexample");
+ factory.setTrustStore("server-ca-truststore.jks");
+ factory.setTrustStorePassword("securepass");
+ factory.setKeyStore("client-keystore.jks");
+ factory.setKeyStorePassword("securepass");
factory.setWatchTopicAdvisories(false);
try (ActiveMQConnection connection = (ActiveMQConnection) factory.createConnection()) {
@@ -381,9 +384,9 @@ public class SecurityTest extends ActiveMQTestBase {
* This test requires a client-side certificate that will be trusted by the server but whose dname will be rejected
* by the CertLogin login module. I created this cert with the follow commands:
*
- * keytool -genkey -keystore bad-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=Bad Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
- * keytool -export -keystore bad-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
- * keytool -import -keystore server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt -alias bad
+ * keytool -genkey -keystore bad-client-keystore.jks -storepass securepass -keypass securepass -dname "CN=Bad Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
+ * keytool -export -keystore bad-client-keystore.jks -file activemq-jks.cer -storepass securepass
+ * keytool -import -keystore client-ca-truststore.jks -file activemq-jks.cer -storepass securepass -keypass securepass -noprompt -alias bad
*/
@Test
public void testJAASSecurityManagerAuthenticationWithBadClientCert() throws Exception {
@@ -392,10 +395,10 @@ public class SecurityTest extends ActiveMQTestBase {
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
@@ -404,10 +407,10 @@ public class SecurityTest extends ActiveMQTestBase {
TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-side-truststore.jks");
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "bad-client-side-keystore.jks");
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "unknown-client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
ClientSessionFactory cf = createSessionFactory(locator);
@@ -701,10 +704,10 @@ public class SecurityTest extends ActiveMQTestBase {
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
@@ -717,10 +720,10 @@ public class SecurityTest extends ActiveMQTestBase {
TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-side-truststore.jks");
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-side-keystore.jks");
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
ClientSessionFactory cf = createSessionFactory(locator);
@@ -894,10 +897,10 @@ public class SecurityTest extends ActiveMQTestBase {
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
params.put(clientAuthPropName, true);
server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
@@ -909,10 +912,10 @@ public class SecurityTest extends ActiveMQTestBase {
TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-side-truststore.jks");
- tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-side-keystore.jks");
- tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
ClientSessionFactory cf = createSessionFactory(locator);
ClientSession session = addClientSession(cf.createSession());
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
index 5d912f6..710bb16 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverOneWaySSLTest.java
@@ -56,6 +56,9 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
@RunWith(value = Parameterized.class)
public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
String suffix = "";
@@ -82,60 +85,18 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
if (suffix.equalsIgnoreCase("PKCS12")) {
suffix = "p12";
}
- SERVER_SIDE_KEYSTORE = "server-side-keystore." + suffix;
- CLIENT_SIDE_TRUSTSTORE = "client-side-truststore." + suffix;
+ SERVER_SIDE_KEYSTORE = "server-keystore." + suffix;
+ CLIENT_SIDE_TRUSTSTORE = "server-ca-truststore." + suffix;
}
public static final SimpleString QUEUE = new SimpleString("QueueOverSSL");
- /**
- * These artifacts are required for testing 1-way SSL
- *
- * Commands to create the JKS artifacts:
- * keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
- * keytool -export -keystore server-side-keystore.jks -file activemq-jks.cer -storepass secureexample
- * keytool -import -keystore client-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore other-server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=Other ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
- * keytool -export -keystore other-server-side-keystore.jks -file activemq-jks.cer -storepass secureexample
- * keytool -import -keystore other-client-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore verified-server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
- * keytool -export -keystore verified-server-side-keystore.jks -file activemq-jks.cer -storepass secureexample
- * keytool -import -keystore verified-client-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * Commands to create the JCEKS artifacts:
- * keytool -genkey -keystore server-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
- * keytool -export -keystore server-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
- * keytool -import -keystore client-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore other-server-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=Other ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
- * keytool -export -keystore other-server-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
- * keytool -import -keystore other-client-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore verified-server-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
- * keytool -export -keystore verified-server-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
- * keytool -import -keystore verified-client-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * Commands to create the PKCS12 artifacts:
- * keytool -genkey -keystore server-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
- * keytool -export -keystore server-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample
- * keytool -import -keystore client-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore other-server-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=Other ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
- * keytool -export -keystore other-server-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample
- * keytool -import -keystore other-client-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore verified-server-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
- * keytool -export -keystore verified-server-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample
- * keytool -import -keystore verified-client-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt
- */
private boolean generateWarning;
private String storeProvider;
private String storeType;
private String SERVER_SIDE_KEYSTORE;
private String CLIENT_SIDE_TRUSTSTORE;
- private final String PASSWORD = "secureexample";
+ private final String PASSWORD = "securepass";
private ActiveMQServer server;
@@ -476,13 +437,13 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
@Test
public void testOneWaySSLVerifyHost() throws Exception {
- createCustomSslServer(true);
+ createCustomSslServer();
String text = RandomUtil.randomString();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "verified-" + CLIENT_SIDE_TRUSTSTORE);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
tc.getParams().put(TransportConstants.VERIFY_HOST_PROP_NAME, true);
@@ -505,7 +466,7 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
@Test
public void testOneWaySSLVerifyHostNegative() throws Exception {
- createCustomSslServer();
+ createCustomSslServer(true);
String text = RandomUtil.randomString();
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
@@ -548,7 +509,7 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
tc.getParams().put(TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME, storeProvider);
tc.getParams().put(TransportConstants.TRUSTSTORE_TYPE_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "other-client-side-truststore." + suffix);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "other-server-truststore." + suffix);
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc)).setCallTimeout(3000);
@@ -561,7 +522,7 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
// reload the acceptor to reload the SSL stores
NettyAcceptor acceptor = (NettyAcceptor) server.getRemotingService().getAcceptor("nettySSL");
- acceptor.setKeyStorePath("other-server-side-keystore." + suffix);
+ acceptor.setKeyStorePath("other-" + SERVER_SIDE_KEYSTORE);
acceptor.reload();
// create a session with the locator which failed previously proving that the SSL stores have been reloaded
@@ -1000,20 +961,20 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
createCustomSslServer(null, null, false, sniHost);
}
- private void createCustomSslServer(boolean useVerifiedKeystore) throws Exception {
- createCustomSslServer(null, null, useVerifiedKeystore, null);
+ private void createCustomSslServer(boolean useUnknownKeystore) throws Exception {
+ createCustomSslServer(null, null, useUnknownKeystore, null);
}
private void createCustomSslServer(String cipherSuites,
String protocols,
- boolean useVerifiedKeystore,
+ boolean useUnknownKeystore,
String sniHost) throws Exception {
- createCustomSslServer(cipherSuites, protocols, useVerifiedKeystore, sniHost, null);
+ createCustomSslServer(cipherSuites, protocols, useUnknownKeystore, sniHost, null);
}
private void createCustomSslServer(String cipherSuites,
String protocols,
- boolean useVerifiedKeystore,
+ boolean useUnknownKeystore,
String sniHost,
String trustManagerFactoryPlugin) throws Exception {
Map<String, Object> params = new HashMap<>();
@@ -1025,8 +986,8 @@ public class CoreClientOverOneWaySSLTest extends ActiveMQTestBase {
params.put(TransportConstants.SNIHOST_PROP_NAME, sniHost);
}
- if (useVerifiedKeystore) {
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "verified-" + SERVER_SIDE_KEYSTORE);
+ if (useUnknownKeystore) {
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "unknown-" + SERVER_SIDE_KEYSTORE);
} else {
params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, SERVER_SIDE_KEYSTORE);
}
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java
index ed78d72..c21dc45 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java
@@ -55,6 +55,9 @@ import org.junit.runners.Parameterized;
import io.netty.handler.ssl.SslHandler;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
@RunWith(value = Parameterized.class)
public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
@@ -96,90 +99,14 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
suffix = "p12";
}
- String prefix = "";
- if (TransportConstants.OPENSSL_PROVIDER.equals(clientSSLProvider) || TransportConstants.OPENSSL_PROVIDER.equals(serverSSLProvider)) {
- prefix = "openssl-";
- }
- SERVER_SIDE_KEYSTORE = prefix + "server-side-keystore." + suffix;
- SERVER_SIDE_TRUSTSTORE = prefix + "server-side-truststore." + suffix;
- CLIENT_SIDE_TRUSTSTORE = prefix + "client-side-truststore." + suffix;
- CLIENT_SIDE_KEYSTORE = prefix + "client-side-keystore." + suffix;
+ SERVER_SIDE_KEYSTORE = "server-keystore." + suffix;
+ SERVER_SIDE_TRUSTSTORE = "client-ca-truststore." + suffix;
+ CLIENT_SIDE_TRUSTSTORE = "server-ca-truststore." + suffix;
+ CLIENT_SIDE_KEYSTORE = "client-keystore." + suffix;
}
public static final SimpleString QUEUE = new SimpleString("QueueOverSSL");
- /**
- * These artifacts are required for testing 2-way SSL in addition to the artifacts for 1-way SSL from {@link CoreClientOverOneWaySSLTest}
- *
- * Commands to create the JKS artifacts:
- * keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
- * keytool -export -keystore client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
- * keytool -import -keystore server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore verified-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA -ext san=ip:127.0.0.1
- * keytool -export -keystore verified-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
- * keytool -import -keystore verified-server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * Commands to create the JCEKS artifacts:
- * keytool -genkey -keystore client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
- * keytool -export -keystore client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
- * keytool -import -keystore server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore verified-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA -ext san=ip:127.0.0.1
- * keytool -export -keystore verified-client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
- * keytool -import -keystore verified-server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * Commands to create the PKCS12 artifacts:
- * keytool -genkey -keystore client-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
- * keytool -export -keystore client-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample
- * keytool -import -keystore server-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore verified-client-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA -ext san=ip:127.0.0.1
- * keytool -export -keystore verified-client-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample
- * keytool -import -keystore verified-server-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * These artifacts are required for testing 2-way SSL with Open SSL - note the EC key and ECDSA signature to comply with what OpenSSL offers
- *
- * Commands to create the OpenSSL JKS artifacts:
- * keytool -genkey -keystore openssl-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
- * keytool -export -keystore openssl-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
- * keytool -import -keystore openssl-server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore openssl-server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
- * keytool -export -keystore openssl-server-side-keystore.jks -file activemq-jks.cer -storepass secureexample
- * keytool -import -keystore openssl-client-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore verified-openssl-client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA -ext san=ip:127.0.0.1
- * keytool -export -keystore verified-openssl-client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
- * keytool -import -keystore verified-openssl-server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * Commands to create the OpenSSL JCEKS artifacts:
- * keytool -genkey -keystore openssl-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
- * keytool -export -keystore openssl-client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
- * keytool -import -keystore openssl-server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore openssl-server-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
- * keytool -export -keystore openssl-server-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
- * keytool -import -keystore openssl-client-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore verified-openssl-client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA -ext san=ip:127.0.0.1
- * keytool -export -keystore verified-openssl-client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
- * keytool -import -keystore verified-openssl-server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * Commands to create the OpenSSL PKCS12 artifacts:
- * keytool -genkey -keystore openssl-client-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
- * keytool -export -keystore openssl-client-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample
- * keytool -import -keystore openssl-server-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore openssl-server-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA
- * keytool -export -keystore openssl-server-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample
- * keytool -import -keystore openssl-client-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt
- *
- * keytool -genkey -keystore verified-openssl-client-side-keystore.p12 -storetype PKCS12 -storepass secureexample -keypass secureexample -dname "CN=localhost, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg EC -sigalg SHA256withECDSA -ext san=ip:127.0.0.1
- * keytool -export -keystore verified-openssl-client-side-keystore.p12 -file activemq-p12.cer -storetype PKCS12 -storepass secureexample
- * keytool -import -keystore verified-openssl-server-side-truststore.p12 -storetype PKCS12 -file activemq-p12.cer -storepass secureexample -keypass secureexample -noprompt
- */
-
private String storeType;
private String storeProvider;
private String clientSSLProvider;
@@ -188,7 +115,7 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
private String SERVER_SIDE_TRUSTSTORE;
private String CLIENT_SIDE_TRUSTSTORE;
private String CLIENT_SIDE_KEYSTORE;
- private final String PASSWORD = "secureexample";
+ private final String PASSWORD = "securepass";
private ActiveMQServer server;
@@ -255,7 +182,7 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
public void testTwoWaySSLVerifyClientHost() throws Exception {
NettyAcceptor acceptor = (NettyAcceptor) server.getRemotingService().getAcceptor("nettySSL");
acceptor.getConfiguration().put(TransportConstants.VERIFY_HOST_PROP_NAME, true);
- acceptor.getConfiguration().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "verified-" + SERVER_SIDE_TRUSTSTORE);
+ acceptor.getConfiguration().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, SERVER_SIDE_TRUSTSTORE);
server.getRemotingService().stop(false);
server.getRemotingService().start();
server.getRemotingService().startAcceptors();
@@ -272,7 +199,7 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeProvider);
tc.getParams().put(TransportConstants.KEYSTORE_TYPE_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "verified-" + CLIENT_SIDE_KEYSTORE);
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE);
tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
server.getRemotingService().addIncomingInterceptor(new MyInterceptor());
@@ -310,7 +237,7 @@ public class CoreClientOverTwoWaySSLTest extends ActiveMQTestBase {
tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
tc.getParams().put(TransportConstants.KEYSTORE_PROVIDER_PROP_NAME, storeType);
- tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE);
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "unknown" + CLIENT_SIDE_KEYSTORE);
tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
server.getRemotingService().addIncomingInterceptor(new MyInterceptor());
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/DualAuthenticationTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/DualAuthenticationTest.java
index 7da92b2..d87b20a 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/DualAuthenticationTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/DualAuthenticationTest.java
@@ -50,7 +50,7 @@ import org.junit.Before;
import org.junit.Test;
/**
- * See {@link CoreClientOverTwoWaySSLTest} for details about the keystores required for this test.
+ * See the tests/security-resources/build.sh script for details on the security resources used.
*/
public class DualAuthenticationTest extends ActiveMQTestBase {
@@ -67,11 +67,11 @@ public class DualAuthenticationTest extends ActiveMQTestBase {
}
}
- private String SERVER_SIDE_KEYSTORE = "server-side-keystore.jks";
- private String SERVER_SIDE_TRUSTSTORE = "server-side-truststore.jks";
- private String CLIENT_SIDE_TRUSTSTORE = "client-side-truststore.jks";
- private String CLIENT_SIDE_KEYSTORE = "client-side-keystore.jks";
- private final String PASSWORD = "secureexample";
+ private String SERVER_SIDE_KEYSTORE = "server-keystore.jks";
+ private String SERVER_SIDE_TRUSTSTORE = "client-ca-truststore.jks";
+ private String CLIENT_SIDE_TRUSTSTORE = "server-ca-truststore.jks";
+ private String CLIENT_SIDE_KEYSTORE = "client-keystore.jks";
+ private final String PASSWORD = "securepass";
private ActiveMQServer server;
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLTestBase.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLTestBase.java
index 72db844..08e7c77 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLTestBase.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/SSLTestBase.java
@@ -32,6 +32,9 @@ import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
public abstract class SSLTestBase extends ActiveMQTestBase {
@Parameterized.Parameters(name = "sslProvider={0},clientProvider={1}")
@@ -44,11 +47,11 @@ public abstract class SSLTestBase extends ActiveMQTestBase {
protected static final String QUEUE = "ssl.test.queue";
- protected final String PASSWORD = "secureexample";
- protected String SERVER_SIDE_KEYSTORE = "openssl-server-side-keystore.jks";
- protected String SERVER_SIDE_TRUSTSTORE = "openssl-server-side-truststore.jks";
- protected String CLIENT_SIDE_TRUSTSTORE = "openssl-client-side-truststore.jks";
- protected String CLIENT_SIDE_KEYSTORE = "openssl-client-side-keystore.jks";
+ protected final String PASSWORD = "securepass";
+ protected String SERVER_SIDE_KEYSTORE = "server-keystore.jks";
+ protected String SERVER_SIDE_TRUSTSTORE = "client-ca-truststore.jks";
+ protected String CLIENT_SIDE_TRUSTSTORE = "server-ca-truststore.jks";
+ protected String CLIENT_SIDE_KEYSTORE = "client-keystore.jks";
protected ActiveMQServer server;
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/transports/netty/NettyConnectorWithHTTPUpgradeTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/transports/netty/NettyConnectorWithHTTPUpgradeTest.java
index 92aab6d..98c23d6 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/transports/netty/NettyConnectorWithHTTPUpgradeTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/transports/netty/NettyConnectorWithHTTPUpgradeTest.java
@@ -75,6 +75,8 @@ import static org.apache.activemq.artemis.tests.util.RandomUtil.randomString;
/**
* Test that Netty Connector can connect to a Web Server and upgrade from a HTTP request to its remoting protocol.
+ *
+ * See the tests/security-resources/build.sh script for details on the security resources used.
*/
@RunWith(value = Parameterized.class)
public class NettyConnectorWithHTTPUpgradeTest extends ActiveMQTestBase {
@@ -102,9 +104,9 @@ public class NettyConnectorWithHTTPUpgradeTest extends ActiveMQTestBase {
private NioEventLoopGroup bossGroup;
private NioEventLoopGroup workerGroup;
- private String SERVER_SIDE_KEYSTORE = "server-side-keystore.jks";
- private String CLIENT_SIDE_TRUSTSTORE = "client-side-truststore.jks";
- private final String PASSWORD = "secureexample";
+ private String SERVER_SIDE_KEYSTORE = "server-keystore.jks";
+ private String CLIENT_SIDE_TRUSTSTORE = "server-ca-truststore.jks";
+ private final String PASSWORD = "securepass";
@Override
@Before
diff --git a/tests/integration-tests/src/test/resources/AMQauth.ldif b/tests/integration-tests/src/test/resources/AMQauth.ldif
index 74f04f7..e4d18ff 100755
--- a/tests/integration-tests/src/test/resources/AMQauth.ldif
+++ b/tests/integration-tests/src/test/resources/AMQauth.ldif
@@ -144,6 +144,6 @@ uniquemember: cn=role3
## group with member identified just by DN from SASL external tls certificate subject DN
dn: cn=widgets,ou=system
cn: widgets
-member: uid=O=Internet Widgits Pty Ltd,C=AU,ST=Some-State,CN=cert4
+member: uid=CN=ActiveMQ Artemis Client,OU=Artemis,O=ActiveMQ,L=AMQ,ST=AMQ,C=AMQ
objectClass: groupOfNames
objectClass: top
\ No newline at end of file
diff --git a/tests/integration-tests/src/test/resources/cert-regexps.properties b/tests/integration-tests/src/test/resources/cert-regexps.properties
index 9677bd8..0083306 100644
--- a/tests/integration-tests/src/test/resources/cert-regexps.properties
+++ b/tests/integration-tests/src/test/resources/cert-regexps.properties
@@ -16,4 +16,4 @@
#
first=/CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ(, [A-Z]+=AMQ)+/
-second=O=Internet Widgits Pty Ltd, C=AU, ST=Some-State, CN=lakalkalaoioislkxn
+second=/CN=ActiveMQ Artemis Other Client, OU=Artemis, O=ActiveMQ(, [A-Z]+=AMQ)+/
diff --git a/tests/integration-tests/src/test/resources/cert-users.properties b/tests/integration-tests/src/test/resources/cert-users.properties
index d1b556e..97ca6ce 100644
--- a/tests/integration-tests/src/test/resources/cert-users.properties
+++ b/tests/integration-tests/src/test/resources/cert-users.properties
@@ -16,4 +16,4 @@
#
first=CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ
-second=O=Internet Widgits Pty Ltd, C=AU, ST=Some-State, CN=cert4
+second=CN=ActiveMQ Artemis Other Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ
diff --git a/tests/integration-tests/src/test/resources/client_not_revoked.jks b/tests/integration-tests/src/test/resources/client_not_revoked.jks
deleted file mode 100644
index b03e57a..0000000
Binary files a/tests/integration-tests/src/test/resources/client_not_revoked.jks and /dev/null differ
diff --git a/tests/integration-tests/src/test/resources/client_revoked.jks b/tests/integration-tests/src/test/resources/client_revoked.jks
deleted file mode 100644
index 5e9987c..0000000
Binary files a/tests/integration-tests/src/test/resources/client_revoked.jks and /dev/null differ
diff --git a/tests/integration-tests/src/test/resources/keystore1.jks b/tests/integration-tests/src/test/resources/keystore1.jks
deleted file mode 100644
index 5d85fa7..0000000
Binary files a/tests/integration-tests/src/test/resources/keystore1.jks and /dev/null differ
diff --git a/tests/integration-tests/src/test/resources/truststore.jks b/tests/integration-tests/src/test/resources/truststore.jks
deleted file mode 100644
index 8410bc3..0000000
Binary files a/tests/integration-tests/src/test/resources/truststore.jks and /dev/null differ
diff --git a/tests/security-resources/build.sh b/tests/security-resources/build.sh
new file mode 100755
index 0000000..82484a4
--- /dev/null
+++ b/tests/security-resources/build.sh
@@ -0,0 +1,156 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# The various SSL stores and certificates were created with the following commands:
+# Requires use of JDK 8+ keytool command.
+set -e
+
+KEY_PASS=securepass
+STORE_PASS=securepass
+CA_VALIDITY=365000
+VALIDITY=36500
+
+# Clean up existing files
+# -----------------------
+rm -f *.crt *.csr openssl-* *.jceks *.jks *.p12 *.pem
+
+# Create a key and self-signed certificate for the CA, to sign server certificate requests and use for trust:
+# ----------------------------------------------------------------------------------------------------
+keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias server-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true
+keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -exportcert -rfc > server-ca.crt
+openssl pkcs12 -in server-ca-keystore.p12 -nodes -nocerts -out server-ca.pem -password pass:$STORE_PASS
+
+# Create trust store with the server CA cert:
+# -------------------------------------------------------
+keytool -storetype pkcs12 -keystore server-ca-truststore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt
+keytool -importkeystore -srckeystore server-ca-truststore.p12 -destkeystore server-ca-truststore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass securepass -deststorepass securepass
+keytool -importkeystore -srckeystore server-ca-truststore.p12 -destkeystore server-ca-truststore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass -deststorepass securepass
+
+# Create a key pair for the server, and sign it with the CA:
+# ----------------------------------------------------------
+keytool -storetype pkcs12 -keystore server-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias server -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=sA -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -storetype pkcs12 -keystore server-keystore.p12 -storepass $STORE_PASS -alias server -certreq -file server.csr
+keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -gencert -rfc -infile server.csr -outfile server.crt -validity $VALIDITY -ext bc=ca:false -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -storetype pkcs12 -keystore server-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt
+keytool -storetype pkcs12 -keystore server-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server -file server.crt
+
+keytool -importkeystore -srckeystore server-keystore.p12 -destkeystore server-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass securepass -deststorepass securepass
+keytool -importkeystore -srckeystore server-keystore.p12 -destkeystore server-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass -deststorepass securepass
+
+# Create a key pair for the other server, and sign it with the CA:
+# ----------------------------------------------------------
+keytool -storetype pkcs12 -keystore other-server-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias other-server -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Other Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -storetype pkcs12 -keystore other-server-keystore.p12 -storepass $STORE_PASS -alias other-server -certreq -file other-server.csr
+keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -gencert -rfc -infile other-server.csr -outfile other-server.crt -validity $VALIDITY -ext bc=ca:false -ext eku=sA -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -storetype pkcs12 -keystore other-server-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt
+keytool -storetype pkcs12 -keystore other-server-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias other-server -file other-server.crt
+
+keytool -importkeystore -srckeystore other-server-keystore.p12 -destkeystore other-server-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass securepass -deststorepass securepass
+keytool -importkeystore -srckeystore other-server-keystore.p12 -destkeystore other-server-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass -deststorepass securepass
+
+# Create trust store with the other server cert:
+# -------------------------------------------------------
+keytool -storetype pkcs12 -keystore other-server-truststore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias other-server -file other-server.crt -noprompt
+keytool -importkeystore -srckeystore other-server-truststore.p12 -destkeystore other-server-truststore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass securepass -deststorepass securepass
+keytool -importkeystore -srckeystore other-server-truststore.p12 -destkeystore other-server-truststore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass -deststorepass securepass
+
+# Create crl with the other server cert:
+# -------------------------------------------------------
+> openssl-database
+echo 00 > openssl-crlnumber
+openssl ca -config openssl.conf -revoke other-server.crt -keyfile server-ca.pem -cert server-ca.crt
+openssl ca -config openssl.conf -gencrl -keyfile server-ca.pem -cert server-ca.crt -out other-server-crl.pem -crldays $VALIDITY
+
+# Create a key pair for the broker with an unexpected hostname, and sign it with the CA:
+# --------------------------------------------------------------------------------------
+keytool -storetype pkcs12 -keystore unknown-server-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias unknown-server -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Unknown Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=sA
+
+keytool -storetype pkcs12 -keystore unknown-server-keystore.p12 -storepass $STORE_PASS -alias unknown-server -certreq -file unknown-server.csr
+keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -gencert -rfc -infile unknown-server.csr -outfile unknown-server.crt -validity $VALIDITY -ext bc=ca:false -ext eku=sA
+
+keytool -storetype pkcs12 -keystore unknown-server-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt
+keytool -storetype pkcs12 -keystore unknown-server-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias unknown-server -file unknown-server.crt
+
+keytool -importkeystore -srckeystore unknown-server-keystore.p12 -destkeystore unknown-server-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass securepass -deststorepass securepass
+keytool -importkeystore -srckeystore unknown-server-keystore.p12 -destkeystore unknown-server-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass -deststorepass securepass
+
+# Create a key and self-signed certificate for the CA, to sign client certificate requests and use for trust:
+# ----------------------------------------------------------------------------------------------------
+keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias client-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true
+keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -exportcert -rfc > client-ca.crt
+openssl pkcs12 -in client-ca-keystore.p12 -nodes -nocerts -out client-ca.pem -password pass:$STORE_PASS
+
+# Create trust store with the client CA cert:
+# -------------------------------------------------------
+keytool -storetype pkcs12 -keystore client-ca-truststore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt
+keytool -importkeystore -srckeystore client-ca-truststore.p12 -destkeystore client-ca-truststore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass securepass -deststorepass securepass
+keytool -importkeystore -srckeystore client-ca-truststore.p12 -destkeystore client-ca-truststore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass -deststorepass securepass
+
+# Create a key pair for the client, and sign it with the CA:
+# ----------------------------------------------------------
+keytool -storetype pkcs12 -keystore client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias client -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -storetype pkcs12 -keystore client-keystore.p12 -storepass $STORE_PASS -alias client -certreq -file client.csr
+keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -gencert -rfc -infile client.csr -outfile client.crt -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -storetype pkcs12 -keystore client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt
+keytool -storetype pkcs12 -keystore client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client -file client.crt
+
+keytool -importkeystore -srckeystore client-keystore.p12 -destkeystore client-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass securepass -deststorepass securepass
+keytool -importkeystore -srckeystore client-keystore.p12 -destkeystore client-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass -deststorepass securepass
+
+# Create a key pair for the other client, and sign it with the CA:
+# ----------------------------------------------------------
+keytool -storetype pkcs12 -keystore other-client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias other-client -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Other Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -storetype pkcs12 -keystore other-client-keystore.p12 -storepass $STORE_PASS -alias other-client -certreq -file other-client.csr
+keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -gencert -rfc -infile other-client.csr -outfile other-client.crt -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1
+
+keytool -storetype pkcs12 -keystore other-client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt
+keytool -storetype pkcs12 -keystore other-client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias other-client -file other-client.crt
+
+keytool -importkeystore -srckeystore other-client-keystore.p12 -destkeystore other-client-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass securepass -deststorepass securepass
+keytool -importkeystore -srckeystore other-client-keystore.p12 -destkeystore other-client-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass -deststorepass securepass
+
+# Create crl with the other client cert:
+# -------------------------------------------------------
+> openssl-database
+echo 00 > openssl-crlnumber
+openssl ca -config openssl.conf -revoke other-client.crt -keyfile client-ca.pem -cert client-ca.crt
+openssl ca -config openssl.conf -gencrl -keyfile client-ca.pem -cert client-ca.crt -out other-client-crl.pem -crldays $VALIDITY
+
+# Create a key pair for the client with an unexpected hostname, and sign it with the CA:
+# ----------------------------------------------------------
+keytool -storetype pkcs12 -keystore unknown-client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias unknown-client -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Unknown Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=cA
+
+keytool -storetype pkcs12 -keystore unknown-client-keystore.p12 -storepass $STORE_PASS -alias unknown-client -certreq -file unknown-client.csr
+keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -gencert -rfc -infile unknown-client.csr -outfile unknown-client.crt -validity $VALIDITY -ext bc=ca:false -ext eku=cA
+
+keytool -storetype pkcs12 -keystore unknown-client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt
+keytool -storetype pkcs12 -keystore unknown-client-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias unknown-client -file unknown-client.crt
+
+keytool -importkeystore -srckeystore unknown-client-keystore.p12 -destkeystore unknown-client-keystore.jceks -srcstoretype pkcs12 -deststoretype jceks -srcstorepass securepass -deststorepass securepass
+keytool -importkeystore -srckeystore unknown-client-keystore.p12 -destkeystore unknown-client-keystore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass securepass -deststorepass securepass
+
+# Clean up working files
+# -----------------------
+rm -f *.crt *.csr openssl-*
diff --git a/tests/security-resources/client-ca-keystore.p12 b/tests/security-resources/client-ca-keystore.p12
new file mode 100644
index 0000000..7c6fae7
Binary files /dev/null and b/tests/security-resources/client-ca-keystore.p12 differ
diff --git a/tests/security-resources/client-ca-truststore.jceks b/tests/security-resources/client-ca-truststore.jceks
new file mode 100644
index 0000000..8c7f939
Binary files /dev/null and b/tests/security-resources/client-ca-truststore.jceks differ
diff --git a/tests/security-resources/client-ca-truststore.jks b/tests/security-resources/client-ca-truststore.jks
new file mode 100644
index 0000000..e2dfeff
Binary files /dev/null and b/tests/security-resources/client-ca-truststore.jks differ
diff --git a/tests/security-resources/client-ca-truststore.p12 b/tests/security-resources/client-ca-truststore.p12
new file mode 100644
index 0000000..706407d
Binary files /dev/null and b/tests/security-resources/client-ca-truststore.p12 differ
diff --git a/tests/security-resources/client-ca.pem b/tests/security-resources/client-ca.pem
new file mode 100644
index 0000000..6eab31a
--- /dev/null
+++ b/tests/security-resources/client-ca.pem
@@ -0,0 +1,32 @@
+Bag Attributes
+ friendlyName: client-ca
+ localKeyID: 54 69 6D 65 20 31 36 32 37 39 39 35 37 37 38 32 30 33
+Key Attributes: <No Attributes>
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCteE6eFAkH+r0S
+3xmAZW5j+sqa8RGh+/KQJ6BgQQpsDeS3RkxnN2e8tSF27eBwFZcnhUKLBFGbarjj
+sHRZ5HwDPty/C8RVhvbPWi2AvW8uEvh65G+fjyf5JT8jAfvP12EFv1u9sQjI1hXH
+6CjX7lOCRjxriwz86NTsgiPVO3Q89pmhgmQjO0JBtolsxCZvV0DDS7xvGpmHudlf
+UHR1ydjA0+s6YDQ4UIOBwUu/CcHdIgAk1yiWQE4OA72cXTfR/Mybfpoqh6TegnSk
+ONJY1/iNgmujU5nOwDKlEG5BzSd0ueE1RSoFg2OGVPuo73lS2iouCXFvFU90yDGA
+bdKlRIHlAgMBAAECggEAdbXYay4fPrnnSQH4tQafFNreVqtUkr17SFSLYCViZBY9
+aBwcxkFzdDrY3XHnRUdxTVEA6YJhuft+QIrBOSpw+GbUthLPBFZT7jo7/EsPQY1/
+7SxLjlM/BbI/mIrFC7ET1imWoC6cTmPvXbps1LGVGyZ742H0yz1XFrHsjMoOQzrW
+itL29T09CYfZrB+/uo2ozfAjTDKVUALhrd4qN/uiJsHTfZPOwIv/qgZTSUHDsfZP
+SbUjJjWoEWJBhIewosCeyFaGOYN4JmHUQG597Xp8PS+cAvfLWMpBcSsX1ULClY2Q
+PSv0PKVprZdIfeOtQHmRk56lwhW2QV7PhwstKdqjNQKBgQDvbfFlYkCq6HwMcPQJ
+h2hBIUFHm7rBVflw72LKEYE5oiouSflMVRujujPUWIHkF9TRBZ0f4B+J9sUXTyPY
+wAlbRTAaG5JGLjF6JxLjkw5MiPooJk8YcHPaadpOgT/vLall3mhdQG+hEshtysHP
+jdagK93joWVc0aTdj2NFkJUFFwKBgQC5ebxmnkb2PyzH2oatZNfMLWnLjs8GFoWe
+NHbJTzLAadl/sVTVhaWHYDjvbtZPq+0ynzLGnNQ7HPtuSqNiG2bY3/eedWdruPIO
+Dcztr05YUzDX5pItoUucu19V0k0sWSOeKBD5mTVdUHgCLxd0GyZ4ODkS63ItjiBM
+78m5q8MGYwKBgCed7X91DnY5Ga2FUxvwh9OfCQosPm6XJzsEoTgGRXef2ZLnMpTq
+0DP7L3BHZNa1CsW7RBBuKUnOxzXgJnJK9EFh5V+siDuMkStBI+L8BjWrxJi4HgZR
+NRpCwZiT0lxlFc6BSouDifUBAqEIF6GcOpMuLvznS7pcBgeTHj34em/pAoGAW8kS
+ovXQyCubTYum+kfdQv12TXXunWSn2xK7dgPraaz4JWjsQn5Q3B2SD2saQ3Mhftup
+lQAnRtmg04O8NuC4lLrBH3maJITxxGKv9y+55ZvFoBJKZKpdcMKI+z+HUVsLdUj+
+nYZkEjmwKeSEBsEo2HV6SRKa/lBHS8ueWHPXn2ECgYBn/WeTob0JMmoF5dIhISpP
+bA/j/gj2r7aTR7/o9bpmJjj0f71zuPvJRIo5L1qs/UvsZIoU8DuZwSx8KyzS6g+J
+VB5gE3JBKUhshy8TnMNIR+ZzJBFYtYc1TbB2OSsWP6sIilFN8KQKU9RMpmo6yiZZ
+us6gZcNh399Hz894wYKyog==
+-----END PRIVATE KEY-----
diff --git a/tests/security-resources/client-keystore.jceks b/tests/security-resources/client-keystore.jceks
new file mode 100644
index 0000000..a0ac1a3
Binary files /dev/null and b/tests/security-resources/client-keystore.jceks differ
diff --git a/tests/security-resources/client-keystore.jks b/tests/security-resources/client-keystore.jks
new file mode 100644
index 0000000..b968a0c
Binary files /dev/null and b/tests/security-resources/client-keystore.jks differ
diff --git a/tests/security-resources/client-keystore.p12 b/tests/security-resources/client-keystore.p12
new file mode 100644
index 0000000..13b2468
Binary files /dev/null and b/tests/security-resources/client-keystore.p12 differ
diff --git a/examples/features/standard/ssl-enabled/src/main/resources/jndi.properties b/tests/security-resources/openssl.conf
similarity index 72%
copy from examples/features/standard/ssl-enabled/src/main/resources/jndi.properties
copy to tests/security-resources/openssl.conf
index 7929c7c..efe2ffb 100644
--- a/examples/features/standard/ssl-enabled/src/main/resources/jndi.properties
+++ b/tests/security-resources/openssl.conf
@@ -15,6 +15,12 @@
# specific language governing permissions and limitations
# under the License.
-java.naming.factory.initial=org.apache.activemq.artemis.jndi.ActiveMQInitialContextFactory
-connectionFactory.ConnectionFactory=tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/activemq.example.truststore&trustStorePassword=activemqexample
-queue.queue/exampleQueue=exampleQueue
+# OpenSSL configuration for CRL generation
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = ./
+database = $dir/openssl-database
+crlnumber = $dir/openssl-crlnumber
+default_md = default
diff --git a/tests/security-resources/other-client-crl.pem b/tests/security-resources/other-client-crl.pem
new file mode 100644
index 0000000..45f51ab
--- /dev/null
+++ b/tests/security-resources/other-client-crl.pem
@@ -0,0 +1,12 @@
+-----BEGIN X509 CRL-----
+MIIB0zCBvAIBATANBgkqhkiG9w0BAQsFADBfMREwDwYDVQQKEwhBY3RpdmVNUTEQ
+MA4GA1UECxMHQXJ0ZW1pczE4MDYGA1UEAxMvQWN0aXZlTVEgQXJ0ZW1pcyBDbGll
+bnQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkXDTIxMDgwMzEzMDMwN1oYDzIxMjEw
+NzEwMTMwMzA3WjAXMBUCBH493qkXDTIxMDgwMzEzMDMwN1qgDjAMMAoGA1UdFAQD
+AgEAMA0GCSqGSIb3DQEBCwUAA4IBAQBzM0YCos5sHRAN4pPzNWCAonqezX6FfcY+
+SuufVcxD583O2Vnuwmz9i9PhGJJbWxGuCtXwS1JNldm7/rXhpZOd539W1BJQprGb
+nwooQWTBBU8qTaXmUVWiPsMlL/IcMUTB/DVgWsRuwjA7wtVAseIoa2Z/geZZAOwO
+vgp7RAtWW9M1Vr7/XWNsJqIOoPnPqGhg8Nve2sFfySQmJQZP8LnnDgC6pv51TnRa
+VrOmHtralj2d0U3z78nRZW26S1XMxA0wb5yTc4T8lxCZ969vwtiWOQRCoKL/EFWe
+Yy2oBbRjTHEZWYyhYHCMcGP2JSGcDnSZmc+d7ydgx4Gq7nHy3FCM
+-----END X509 CRL-----
diff --git a/tests/security-resources/other-client-keystore.jceks b/tests/security-resources/other-client-keystore.jceks
new file mode 100644
index 0000000..0cf978c
Binary files /dev/null and b/tests/security-resources/other-client-keystore.jceks differ
diff --git a/tests/security-resources/other-client-keystore.jks b/tests/security-resources/other-client-keystore.jks
new file mode 100644
index 0000000..f2061bd
Binary files /dev/null and b/tests/security-resources/other-client-keystore.jks differ
diff --git a/tests/security-resources/other-client-keystore.p12 b/tests/security-resources/other-client-keystore.p12
new file mode 100644
index 0000000..2c6d590
Binary files /dev/null and b/tests/security-resources/other-client-keystore.p12 differ
diff --git a/tests/security-resources/other-server-crl.pem b/tests/security-resources/other-server-crl.pem
new file mode 100644
index 0000000..05ea5ae
--- /dev/null
+++ b/tests/security-resources/other-server-crl.pem
@@ -0,0 +1,12 @@
+-----BEGIN X509 CRL-----
+MIIB0zCBvAIBATANBgkqhkiG9w0BAQsFADBfMREwDwYDVQQKEwhBY3RpdmVNUTEQ
+MA4GA1UECxMHQXJ0ZW1pczE4MDYGA1UEAxMvQWN0aXZlTVEgQXJ0ZW1pcyBTZXJ2
+ZXIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkXDTIxMDgwMzEzMDI1NFoYDzIxMjEw
+NzEwMTMwMjU0WjAXMBUCBFu18ooXDTIxMDgwMzEzMDI1NFqgDjAMMAoGA1UdFAQD
+AgEAMA0GCSqGSIb3DQEBCwUAA4IBAQA8+qy2sN70qrXKuAwdIk1gF6mj+3ikFIhj
+LP9hU8PBxolCzcz9SJv3xvcuGsrZtp30EU0JYQBIadfpsm6Fe6iCpXxD62n99vry
+OpRF9Nt2qjkQpGVrAl4LeM53Z3CFiC9Ghg7rZftB+Glxte3+mSyxWRB3drj1xiqg
+Rt6y43ipQh4F9bxMANhgEUSvC7SrGGKke2z0nHj7gpzseSYbZucfagRk9LzSFFC6
+HWXmFdWFYhEV6Gh7XFKRKVi7DNXp1jWDTAt+g4bif/N2aIES+gqJFsufnqOYNiiL
+J70UOUc9D7l2GHbPaVOOHuqo+zhjTy3IJv1329uYbvMHuGJUIjVV
+-----END X509 CRL-----
diff --git a/tests/security-resources/other-server-keystore.jceks b/tests/security-resources/other-server-keystore.jceks
new file mode 100644
index 0000000..5e3a133
Binary files /dev/null and b/tests/security-resources/other-server-keystore.jceks differ
diff --git a/tests/security-resources/other-server-keystore.jks b/tests/security-resources/other-server-keystore.jks
new file mode 100644
index 0000000..4661445
Binary files /dev/null and b/tests/security-resources/other-server-keystore.jks differ
diff --git a/tests/security-resources/other-server-keystore.p12 b/tests/security-resources/other-server-keystore.p12
new file mode 100644
index 0000000..e21a4e1
Binary files /dev/null and b/tests/security-resources/other-server-keystore.p12 differ
diff --git a/tests/security-resources/other-server-truststore.jceks b/tests/security-resources/other-server-truststore.jceks
new file mode 100644
index 0000000..58d5e0a
Binary files /dev/null and b/tests/security-resources/other-server-truststore.jceks differ
diff --git a/tests/security-resources/other-server-truststore.jks b/tests/security-resources/other-server-truststore.jks
new file mode 100644
index 0000000..ad4a0f2
Binary files /dev/null and b/tests/security-resources/other-server-truststore.jks differ
diff --git a/tests/security-resources/other-server-truststore.p12 b/tests/security-resources/other-server-truststore.p12
new file mode 100644
index 0000000..93b1d0b
Binary files /dev/null and b/tests/security-resources/other-server-truststore.p12 differ
diff --git a/tests/security-resources/server-ca-keystore.p12 b/tests/security-resources/server-ca-keystore.p12
new file mode 100644
index 0000000..fb54141
Binary files /dev/null and b/tests/security-resources/server-ca-keystore.p12 differ
diff --git a/tests/security-resources/server-ca-truststore.jceks b/tests/security-resources/server-ca-truststore.jceks
new file mode 100644
index 0000000..5c2cc80
Binary files /dev/null and b/tests/security-resources/server-ca-truststore.jceks differ
diff --git a/tests/security-resources/server-ca-truststore.jks b/tests/security-resources/server-ca-truststore.jks
new file mode 100644
index 0000000..3fe0f29
Binary files /dev/null and b/tests/security-resources/server-ca-truststore.jks differ
diff --git a/tests/security-resources/server-ca-truststore.p12 b/tests/security-resources/server-ca-truststore.p12
new file mode 100644
index 0000000..1fa9c61
Binary files /dev/null and b/tests/security-resources/server-ca-truststore.p12 differ
diff --git a/tests/security-resources/server-ca.pem b/tests/security-resources/server-ca.pem
new file mode 100644
index 0000000..7327a77
--- /dev/null
+++ b/tests/security-resources/server-ca.pem
@@ -0,0 +1,32 @@
+Bag Attributes
+ friendlyName: server-ca
+ localKeyID: 54 69 6D 65 20 31 36 32 37 39 39 35 37 36 34 38 34 34
+Key Attributes: <No Attributes>
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCNcCgfsx99PDN6
++cK7pt1Z6i+6JVNVt5j2D8XsOOo2RzSZwOxPfQU7WlD2SBKF/tqRSo/qiT4Tf1UJ
+nEt3HLP+CEvLWj+AVNF9V+DpzRl7PnADeZsgaPOtUnLn+4bRSnwGwsUrCeJaJCQN
+drNt3sREpaQ8WizxR1nicLyN3H6RtoEV2bE+NGt+hdek/iFWtIm6L3QXbeMnBhl3
+DkXdKTnEk2zqmwtCgxHnHXKMxPB3utwKBloulHxsvUI4s+twH9cJYvFokyBVIBwJ
+/Xa1IlrPdiEyv1qk7Uul3a7grR1ljEabbn9V6HS6KG8KEPLE5Kk97PNKU5LFkwPr
+PC/QY8tBAgMBAAECggEARQlqvFZdV26sHimNMLU5NCtIEo8nhx5vriNy02PQhp/o
+/+eYMRBwHlFuVVhGmlsUani/mJZW04OCiYddmo1LGgMIpACwID7GZm0fnl97QZnv
+aPLRkldIIeCtr6gpXT0DHvWw8doIP0GGy3+WA1oJ6QwFB2RorXjLWej3UDNBIHP/
+UN/DuMvvl82ZVVpgLSAxWWDQxZpDE7Mvwcpd+yms9qhzaH6Sf3/TPxkn6tPrGSN/
+E3O7ez+ixqATQ5L+N4ZsBUWfrX2fPplZB3Zmt8QUSYDZ9IeO0Oga4N6g0PRxQILG
+QxJ7MCwu0DAGx3KgKWsQg5f8tLSeHzwEHnz63+1xlQKBgQDO/cm2bJ8bqyIxERTD
+s8FekrL2vlzTd+uChZEIX74nCjnG6jWK7TExqq/56khGORz5OFSRXqKR6CkEs5o8
+SzUHduc34OtFsQovyxFSxIY7O8qcbIcpav1CA5S7BtU9zleUr5Av3DsG8hZwyIhk
+zDk6Vf/tLTH6PVGPfPe3E5mAxwKBgQCu7Qn7HkjLXcVzgzpp1CXYoBQTmKHZf2fF
+wnTASFrRjQTwVN+p0afueTqzn4TutSosKiymtGgVonZoLWmBWSuKbEHLECHXlQcY
+wjRAccB6u0Q5NZLcVmFLVjLiKw+kljSNgpQI6vYgPWp4zF6x/9ioRbz0+3wuKzsI
+pUkcPg5btwKBgEyWeOFH1aNOMeuHz3AN/dl5XECR9RTFxV1ZAG3hxyD41qH0HPWX
+h+FBr7U/65gYH9FS92+GXY6xISQ9NC9lAG0PoMP7M/JobEV81J8UWjpmiDRSr7wy
+exzG6Gw/Pf2NcLhyMV6UFT8fqg/3EwiAzBf6pCRk2Z4mvBvkeF/EH8MXAoGAIuzm
+6kGQrTIKw1Z3KjwWVlsXxxXZctCSSpTZtK59m4s5aja39XMLwXxo8QYvh22afvjo
+s1wfz/oBBCnU/+Nq4xdcR4vwBdgWc6YKwrczhA2xwG5m5SFGCcGrJScN14G5+msQ
+3Xr0K1m30WiUm5uGiYprAMrZb2poPgCqST5GpZ8CgYA7dc8QWQWUzaP1gjA6hspC
+4qcHecNaYxaNPjhR9kBlzx9VXtVpqk0IyDkHIdJ7nz+GPa9WJTSmkgpYwz7hSWw7
+O8PbsxZ1qY4j9/yNUGcIodjgwUckwj8ULkl8mDGQCZByImZzjqHUfWuezWmhjW43
+sfD8CrHOirVMRbu49FEAVw==
+-----END PRIVATE KEY-----
diff --git a/tests/security-resources/server-keystore.jceks b/tests/security-resources/server-keystore.jceks
new file mode 100644
index 0000000..57cc472
Binary files /dev/null and b/tests/security-resources/server-keystore.jceks differ
diff --git a/tests/security-resources/server-keystore.jks b/tests/security-resources/server-keystore.jks
new file mode 100644
index 0000000..5a7e2c0
Binary files /dev/null and b/tests/security-resources/server-keystore.jks differ
diff --git a/tests/security-resources/server-keystore.p12 b/tests/security-resources/server-keystore.p12
new file mode 100644
index 0000000..fe5eab7
Binary files /dev/null and b/tests/security-resources/server-keystore.p12 differ
diff --git a/tests/security-resources/unknown-client-keystore.jceks b/tests/security-resources/unknown-client-keystore.jceks
new file mode 100644
index 0000000..dde7336
Binary files /dev/null and b/tests/security-resources/unknown-client-keystore.jceks differ
diff --git a/tests/security-resources/unknown-client-keystore.jks b/tests/security-resources/unknown-client-keystore.jks
new file mode 100644
index 0000000..10c7c43
Binary files /dev/null and b/tests/security-resources/unknown-client-keystore.jks differ
diff --git a/tests/security-resources/unknown-client-keystore.p12 b/tests/security-resources/unknown-client-keystore.p12
new file mode 100644
index 0000000..bb53b8c
Binary files /dev/null and b/tests/security-resources/unknown-client-keystore.p12 differ
diff --git a/tests/security-resources/unknown-server-keystore.jceks b/tests/security-resources/unknown-server-keystore.jceks
new file mode 100644
index 0000000..ef2b078
Binary files /dev/null and b/tests/security-resources/unknown-server-keystore.jceks differ
diff --git a/tests/security-resources/unknown-server-keystore.jks b/tests/security-resources/unknown-server-keystore.jks
new file mode 100644
index 0000000..039a581
Binary files /dev/null and b/tests/security-resources/unknown-server-keystore.jks differ
diff --git a/tests/security-resources/unknown-server-keystore.p12 b/tests/security-resources/unknown-server-keystore.p12
new file mode 100644
index 0000000..8fbec3e
Binary files /dev/null and b/tests/security-resources/unknown-server-keystore.p12 differ
diff --git a/tests/smoke-tests/pom.xml b/tests/smoke-tests/pom.xml
index 61e3d0c..cc5a141 100644
--- a/tests/smoke-tests/pom.xml
+++ b/tests/smoke-tests/pom.xml
@@ -170,6 +170,11 @@
</dependencies>
<build>
+ <testResources>
+ <testResource>
+ <directory>../security-resources</directory>
+ </testResource>
+ </testResources>
<plugins>
<plugin>
<groupId>org.apache.activemq</groupId>
diff --git a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/broker.xml b/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/broker.xml
index 0166df4..e3bf435 100644
--- a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/broker.xml
+++ b/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/broker.xml
@@ -30,7 +30,7 @@ under the License.
<acceptors>
<acceptor name="artemis">tcp://localhost:61616?securityDomain=guest</acceptor> <!-- this is only for the smoke test health-check -->
- <acceptor name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=server-side-keystore.jks;keyStorePassword=secureexample;trustStorePath=server-side-truststore.jks;trustStorePassword=secureexample</acceptor>
+ <acceptor name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=../../test-classes/server-keystore.jks;keyStorePassword=securepass;trustStorePath=../../test-classes/client-ca-truststore.jks;trustStorePassword=securepass</acceptor>
</acceptors>
<security-settings>
diff --git a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/client-side-keystore.jks b/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/client-side-keystore.jks
deleted file mode 100644
index 654d691..0000000
Binary files a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/client-side-keystore.jks and /dev/null differ
diff --git a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/client-side-truststore.jks b/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/client-side-truststore.jks
deleted file mode 100644
index 95e451a..0000000
Binary files a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/client-side-truststore.jks and /dev/null differ
diff --git a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/server-side-keystore.jks b/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/server-side-keystore.jks
deleted file mode 100644
index b7624b9..0000000
Binary files a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/server-side-keystore.jks and /dev/null differ
diff --git a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/server-side-truststore.jks b/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/server-side-truststore.jks
deleted file mode 100644
index e039222..0000000
Binary files a/tests/smoke-tests/src/main/resources/servers/audit-logging-amqp-mutual-ssl/server-side-truststore.jks and /dev/null differ
diff --git a/tests/smoke-tests/src/test/java/org/apache/activemq/artemis/tests/smoke/logging/AuditLoggerAMQPMutualSSLTest.java b/tests/smoke-tests/src/test/java/org/apache/activemq/artemis/tests/smoke/logging/AuditLoggerAMQPMutualSSLTest.java
index f21680a..efabe44 100644
--- a/tests/smoke-tests/src/test/java/org/apache/activemq/artemis/tests/smoke/logging/AuditLoggerAMQPMutualSSLTest.java
+++ b/tests/smoke-tests/src/test/java/org/apache/activemq/artemis/tests/smoke/logging/AuditLoggerAMQPMutualSSLTest.java
@@ -29,14 +29,7 @@ import org.apache.qpid.jms.JmsConnectionFactory;
import org.junit.Test;
/**
- * The various keystore files used for this test were generated using the following commands:
- *
- * keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
- * keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample
- * keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
- * keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
- * keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample
- * keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
+ * See the tests/security-resources/build.sh script for details on the security resources used.
*/
public class AuditLoggerAMQPMutualSSLTest extends AuditLoggerTestBase {
@@ -52,10 +45,10 @@ public class AuditLoggerAMQPMutualSSLTest extends AuditLoggerTestBase {
int maxInactivityDurationInitialDelay = 30000;
int idleTimeout = 120000;
boolean verifyHost = false;
- String keyStoreLocation = "target/" + getServerName() + "/etc/client-side-keystore.jks";
- String keyStorePassword = "secureexample";
- String trustStoreLocation = "target/" + getServerName() + "/etc/client-side-truststore.jks";
- String trustStorePassword = "secureexample";
+ String keyStoreLocation = getClass().getClassLoader().getResource("client-keystore.jks").getFile();
+ String keyStorePassword = "securepass";
+ String trustStoreLocation = getClass().getClassLoader().getResource("server-ca-truststore.jks").getFile();
+ String trustStorePassword = "securepass";
String remoteUri = sslhost +
"?maxInactivityDurationInitialDelay=" + maxInactivityDurationInitialDelay +
diff --git a/tests/unit-tests/pom.xml b/tests/unit-tests/pom.xml
index 3282727..51e2582 100644
--- a/tests/unit-tests/pom.xml
+++ b/tests/unit-tests/pom.xml
@@ -178,6 +178,11 @@
</dependencies>
<build>
+ <testResources>
+ <testResource>
+ <directory>../security-resources</directory>
+ </testResource>
+ </testResources>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
diff --git a/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/netty/NettyConnectorTest.java b/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/netty/NettyConnectorTest.java
index 12667c2..8c9476b 100644
--- a/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/netty/NettyConnectorTest.java
+++ b/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/netty/NettyConnectorTest.java
@@ -42,6 +42,9 @@ import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
public class NettyConnectorTest extends ActiveMQTestBase {
private ActiveMQServer server;
@@ -56,10 +59,10 @@ public class NettyConnectorTest extends ActiveMQTestBase {
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
params.put(TransportConstants.SSL_PROVIDER, TransportConstants.OPENSSL_PROVIDER);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "openssl-server-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "openssl-server-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
ConfigurationImpl config = createBasicConfig().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params, "nettySSL"));
server = createServer(false, config);
@@ -148,10 +151,10 @@ public class NettyConnectorTest extends ActiveMQTestBase {
}
};
- System.setProperty(NettyConnector.JAVAX_KEYSTORE_PATH_PROP_NAME, "openssl-client-side-keystore.jks");
- System.setProperty(NettyConnector.JAVAX_KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PATH_PROP_NAME, "openssl-client-side-truststore.jks");
- System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ System.setProperty(NettyConnector.JAVAX_KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ System.setProperty(NettyConnector.JAVAX_KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
@@ -184,10 +187,10 @@ public class NettyConnectorTest extends ActiveMQTestBase {
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "openssl-client-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME,"openssl-client-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME,"server-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
NettyConnector connector = new NettyConnector(params, handler, listener, executorService, Executors.newCachedThreadPool(ActiveMQThreadFactory.defaultThreadFactory()), Executors.newScheduledThreadPool(5, ActiveMQThreadFactory.defaultThreadFactory()));
@@ -210,10 +213,10 @@ public class NettyConnectorTest extends ActiveMQTestBase {
};
//system properties will override the bad transport constants
- System.setProperty(NettyConnector.JAVAX_KEYSTORE_PATH_PROP_NAME, "openssl-client-side-keystore.jks");
- System.setProperty(NettyConnector.JAVAX_KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PATH_PROP_NAME, "openssl-client-side-truststore.jks");
- System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ System.setProperty(NettyConnector.JAVAX_KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ System.setProperty(NettyConnector.JAVAX_KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
@@ -252,10 +255,10 @@ public class NettyConnectorTest extends ActiveMQTestBase {
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
params.put(TransportConstants.FORCE_SSL_PARAMETERS, true);
- params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "openssl-client-side-keystore.jks");
- params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME,"openssl-client-side-truststore.jks");
- params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME,"server-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
NettyConnector connector = new NettyConnector(params, handler, listener, executorService, Executors.newCachedThreadPool(ActiveMQThreadFactory.defaultThreadFactory()), Executors.newScheduledThreadPool(5, ActiveMQThreadFactory.defaultThreadFactory()));
@@ -279,10 +282,10 @@ public class NettyConnectorTest extends ActiveMQTestBase {
};
//bad system properties will override the transport constants
- System.setProperty(NettyConnector.JAVAX_KEYSTORE_PATH_PROP_NAME, "openssl-client-side-keystore.jks");
- System.setProperty(NettyConnector.JAVAX_KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PATH_PROP_NAME, "openssl-client-side-truststore.jks");
- System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ System.setProperty(NettyConnector.JAVAX_KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ System.setProperty(NettyConnector.JAVAX_KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ System.setProperty(NettyConnector.JAVAX_TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
Map<String, Object> params = new HashMap<>();
params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
@@ -318,10 +321,10 @@ public class NettyConnectorTest extends ActiveMQTestBase {
NettyConnector connector = new NettyConnector(params, handler, listener, executorService, Executors.newCachedThreadPool(ActiveMQThreadFactory.defaultThreadFactory()), Executors.newScheduledThreadPool(5, ActiveMQThreadFactory.defaultThreadFactory()));
- System.setProperty(NettyConnector.ACTIVEMQ_KEYSTORE_PATH_PROP_NAME, "openssl-client-side-keystore.jks");
- System.setProperty(NettyConnector.ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- System.setProperty(NettyConnector.ACTIVEMQ_TRUSTSTORE_PATH_PROP_NAME, "openssl-client-side-truststore.jks");
- System.setProperty(NettyConnector.ACTIVEMQ_TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ System.setProperty(NettyConnector.ACTIVEMQ_KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ System.setProperty(NettyConnector.ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ System.setProperty(NettyConnector.ACTIVEMQ_TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ System.setProperty(NettyConnector.ACTIVEMQ_TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
connector.start();
Assert.assertTrue(connector.isStarted());
@@ -343,10 +346,10 @@ public class NettyConnectorTest extends ActiveMQTestBase {
NettyConnector connector = new NettyConnector(params, handler, listener, executorService, Executors.newCachedThreadPool(ActiveMQThreadFactory.defaultThreadFactory()), Executors.newScheduledThreadPool(5, ActiveMQThreadFactory.defaultThreadFactory()));
- System.setProperty(NettyConnector.ACTIVEMQ_KEYSTORE_PATH_PROP_NAME, "openssl-client-side-keystore.jks");
- System.setProperty(NettyConnector.ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
- System.setProperty(NettyConnector.ACTIVEMQ_TRUSTSTORE_PATH_PROP_NAME, "openssl-client-side-truststore.jks");
- System.setProperty(NettyConnector.ACTIVEMQ_TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ System.setProperty(NettyConnector.ACTIVEMQ_KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ System.setProperty(NettyConnector.ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ System.setProperty(NettyConnector.ACTIVEMQ_TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ System.setProperty(NettyConnector.ACTIVEMQ_TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
System.setProperty(NettyConnector.JAVAX_KEYSTORE_PATH_PROP_NAME, "bad path");
System.setProperty(NettyConnector.JAVAX_KEYSTORE_PASSWORD_PROP_NAME, "bad password");
diff --git a/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/ssl/SSLSupportTest.java b/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/ssl/SSLSupportTest.java
index 7539b55..45d0aa0 100644
--- a/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/ssl/SSLSupportTest.java
+++ b/tests/unit-tests/src/test/java/org/apache/activemq/artemis/tests/unit/core/remoting/impl/ssl/SSLSupportTest.java
@@ -30,6 +30,9 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
+/**
+ * See the tests/security-resources/build.sh script for details on the security resources used.
+ */
@RunWith(value = Parameterized.class)
public class SSLSupportTest extends ActiveMQTestBase {
@@ -57,8 +60,8 @@ public class SSLSupportTest extends ActiveMQTestBase {
if (storeType.equals("PKCS12")) {
suffix = "p12";
}
- keyStorePath = "server-side-keystore." + suffix;
- trustStorePath = "server-side-truststore." + suffix;
+ keyStorePath = "server-keystore." + suffix;
+ trustStorePath = "client-ca-truststore." + suffix;
}
private String storeProvider;
@@ -87,7 +90,7 @@ public class SSLSupportTest extends ActiveMQTestBase {
@Before
public void setUp() throws Exception {
super.setUp();
- keyStorePassword = "secureexample";
+ keyStorePassword = "securepass";
trustStorePassword = keyStorePassword;
}
@@ -190,7 +193,7 @@ public class SSLSupportTest extends ActiveMQTestBase {
new SSLSupport()
.setKeystoreProvider(storeProvider)
.setKeystoreType(storeType)
- .setKeystorePath("src/test/resources/" + keyStorePath)
+ .setKeystorePath("../security-resources/" + keyStorePath)
.setKeystorePassword(keyStorePassword)
.setTruststoreProvider(storeProvider)
.setTruststoreType(storeType)
diff --git a/tests/unit-tests/src/test/resources/bad-client-side-keystore.jks b/tests/unit-tests/src/test/resources/bad-client-side-keystore.jks
deleted file mode 100644
index ee0de7b..0000000
Binary files a/tests/unit-tests/src/test/resources/bad-client-side-keystore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/beans1.xml b/tests/unit-tests/src/test/resources/beans1.xml
deleted file mode 100644
index b7ef164..0000000
--- a/tests/unit-tests/src/test/resources/beans1.xml
+++ /dev/null
@@ -1,20 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<deployment xmlns="urn:jboss:bean-deployer:2.0">
- <bean name="bean" class="org.apache.activemq.artemis.tests.unit.microcontainer.DummyBean"/>
-</deployment>
\ No newline at end of file
diff --git a/tests/unit-tests/src/test/resources/client-side-keystore.jceks b/tests/unit-tests/src/test/resources/client-side-keystore.jceks
deleted file mode 100644
index 3bebbf4..0000000
Binary files a/tests/unit-tests/src/test/resources/client-side-keystore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/client-side-keystore.jks b/tests/unit-tests/src/test/resources/client-side-keystore.jks
deleted file mode 100644
index 0949d20..0000000
Binary files a/tests/unit-tests/src/test/resources/client-side-keystore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/client-side-keystore.p12 b/tests/unit-tests/src/test/resources/client-side-keystore.p12
deleted file mode 100644
index fd4055f..0000000
Binary files a/tests/unit-tests/src/test/resources/client-side-keystore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/client-side-truststore.jceks b/tests/unit-tests/src/test/resources/client-side-truststore.jceks
deleted file mode 100644
index 20884de..0000000
Binary files a/tests/unit-tests/src/test/resources/client-side-truststore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/client-side-truststore.jks b/tests/unit-tests/src/test/resources/client-side-truststore.jks
deleted file mode 100644
index 3218d73..0000000
Binary files a/tests/unit-tests/src/test/resources/client-side-truststore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/client-side-truststore.p12 b/tests/unit-tests/src/test/resources/client-side-truststore.p12
deleted file mode 100644
index 229e6ec..0000000
Binary files a/tests/unit-tests/src/test/resources/client-side-truststore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jceks b/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jceks
deleted file mode 100644
index f69d19f..0000000
Binary files a/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jks b/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jks
deleted file mode 100644
index 674681d..0000000
Binary files a/tests/unit-tests/src/test/resources/openssl-client-side-keystore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-client-side-keystore.p12 b/tests/unit-tests/src/test/resources/openssl-client-side-keystore.p12
deleted file mode 100644
index 098abe7..0000000
Binary files a/tests/unit-tests/src/test/resources/openssl-client-side-keystore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jceks b/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jceks
deleted file mode 100644
index 83685c6..0000000
Binary files a/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jks b/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jks
deleted file mode 100644
index 30c92b4..0000000
Binary files a/tests/unit-tests/src/test/resources/openssl-client-side-truststore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-client-side-truststore.p12 b/tests/unit-tests/src/test/resources/openssl-client-side-truststore.p12
deleted file mode 100644
index ce77bd6..0000000
Binary files a/tests/unit-tests/src/test/resources/openssl-client-side-truststore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jceks b/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jceks
deleted file mode 100644
index 7e86947..0000000
Binary files a/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jks b/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jks
deleted file mode 100644
index 85a560a..0000000
Binary files a/tests/unit-tests/src/test/resources/openssl-server-side-keystore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-server-side-keystore.p12 b/tests/unit-tests/src/test/resources/openssl-server-side-keystore.p12
deleted file mode 100644
index 8aa49b6..0000000
Binary files a/tests/unit-tests/src/test/resources/openssl-server-side-keystore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jceks b/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jceks
deleted file mode 100644
index d09d0a0..0000000
Binary files a/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jks b/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jks
deleted file mode 100644
index 54cc5a4..0000000
Binary files a/tests/unit-tests/src/test/resources/openssl-server-side-truststore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/openssl-server-side-truststore.p12 b/tests/unit-tests/src/test/resources/openssl-server-side-truststore.p12
deleted file mode 100644
index 2937f28..0000000
Binary files a/tests/unit-tests/src/test/resources/openssl-server-side-truststore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/other-client-side-truststore.jceks b/tests/unit-tests/src/test/resources/other-client-side-truststore.jceks
deleted file mode 100644
index c1d1a5b..0000000
Binary files a/tests/unit-tests/src/test/resources/other-client-side-truststore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/other-client-side-truststore.jks b/tests/unit-tests/src/test/resources/other-client-side-truststore.jks
deleted file mode 100644
index b3c907b..0000000
Binary files a/tests/unit-tests/src/test/resources/other-client-side-truststore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/other-client-side-truststore.p12 b/tests/unit-tests/src/test/resources/other-client-side-truststore.p12
deleted file mode 100644
index f573785..0000000
Binary files a/tests/unit-tests/src/test/resources/other-client-side-truststore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/other-server-side-keystore.jceks b/tests/unit-tests/src/test/resources/other-server-side-keystore.jceks
deleted file mode 100644
index acf1603..0000000
Binary files a/tests/unit-tests/src/test/resources/other-server-side-keystore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/other-server-side-keystore.jks b/tests/unit-tests/src/test/resources/other-server-side-keystore.jks
deleted file mode 100644
index 98276fd..0000000
Binary files a/tests/unit-tests/src/test/resources/other-server-side-keystore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/other-server-side-keystore.p12 b/tests/unit-tests/src/test/resources/other-server-side-keystore.p12
deleted file mode 100644
index 7c6eb65..0000000
Binary files a/tests/unit-tests/src/test/resources/other-server-side-keystore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/server-side-keystore.jceks b/tests/unit-tests/src/test/resources/server-side-keystore.jceks
deleted file mode 100644
index 9d8c27c..0000000
Binary files a/tests/unit-tests/src/test/resources/server-side-keystore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/server-side-keystore.jks b/tests/unit-tests/src/test/resources/server-side-keystore.jks
deleted file mode 100644
index f1fd537..0000000
Binary files a/tests/unit-tests/src/test/resources/server-side-keystore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/server-side-keystore.p12 b/tests/unit-tests/src/test/resources/server-side-keystore.p12
deleted file mode 100644
index 3cb6d28..0000000
Binary files a/tests/unit-tests/src/test/resources/server-side-keystore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/server-side-truststore.jceks b/tests/unit-tests/src/test/resources/server-side-truststore.jceks
deleted file mode 100644
index 1387739..0000000
Binary files a/tests/unit-tests/src/test/resources/server-side-truststore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/server-side-truststore.jks b/tests/unit-tests/src/test/resources/server-side-truststore.jks
deleted file mode 100644
index e8e8311..0000000
Binary files a/tests/unit-tests/src/test/resources/server-side-truststore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/server-side-truststore.p12 b/tests/unit-tests/src/test/resources/server-side-truststore.p12
deleted file mode 100644
index fcdafdb..0000000
Binary files a/tests/unit-tests/src/test/resources/server-side-truststore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jceks b/tests/unit-tests/src/test/resources/verified-client-side-keystore.jceks
deleted file mode 100644
index f8b23be..0000000
Binary files a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jks b/tests/unit-tests/src/test/resources/verified-client-side-keystore.jks
deleted file mode 100644
index 492aee8..0000000
Binary files a/tests/unit-tests/src/test/resources/verified-client-side-keystore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-client-side-keystore.p12 b/tests/unit-tests/src/test/resources/verified-client-side-keystore.p12
deleted file mode 100644
index 5b88b94..0000000
Binary files a/tests/unit-tests/src/test/resources/verified-client-side-keystore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-client-side-truststore.jceks b/tests/unit-tests/src/test/resources/verified-client-side-truststore.jceks
deleted file mode 100644
index 4d53b3e..0000000
Binary files a/tests/unit-tests/src/test/resources/verified-client-side-truststore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-client-side-truststore.jks b/tests/unit-tests/src/test/resources/verified-client-side-truststore.jks
deleted file mode 100644
index 0adc640..0000000
Binary files a/tests/unit-tests/src/test/resources/verified-client-side-truststore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-client-side-truststore.p12 b/tests/unit-tests/src/test/resources/verified-client-side-truststore.p12
deleted file mode 100644
index 7e2c6f0..0000000
Binary files a/tests/unit-tests/src/test/resources/verified-client-side-truststore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jceks b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jceks
deleted file mode 100644
index 12682df..0000000
Binary files a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jks b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jks
deleted file mode 100644
index 8a7b077..0000000
Binary files a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.p12 b/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.p12
deleted file mode 100644
index 3d07421..0000000
Binary files a/tests/unit-tests/src/test/resources/verified-openssl-client-side-keystore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jceks b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jceks
deleted file mode 100644
index 63c03c2..0000000
Binary files a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jks b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jks
deleted file mode 100644
index af8a987..0000000
Binary files a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.p12 b/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.p12
deleted file mode 100644
index be0c8f0..0000000
Binary files a/tests/unit-tests/src/test/resources/verified-openssl-server-side-truststore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-server-side-keystore.jceks b/tests/unit-tests/src/test/resources/verified-server-side-keystore.jceks
deleted file mode 100644
index ee7992f..0000000
Binary files a/tests/unit-tests/src/test/resources/verified-server-side-keystore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-server-side-keystore.jks b/tests/unit-tests/src/test/resources/verified-server-side-keystore.jks
deleted file mode 100644
index 79b7cff..0000000
Binary files a/tests/unit-tests/src/test/resources/verified-server-side-keystore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-server-side-keystore.p12 b/tests/unit-tests/src/test/resources/verified-server-side-keystore.p12
deleted file mode 100644
index b218430..0000000
Binary files a/tests/unit-tests/src/test/resources/verified-server-side-keystore.p12 and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jceks b/tests/unit-tests/src/test/resources/verified-server-side-truststore.jceks
deleted file mode 100644
index 671c21e..0000000
Binary files a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jceks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jks b/tests/unit-tests/src/test/resources/verified-server-side-truststore.jks
deleted file mode 100644
index a861b27..0000000
Binary files a/tests/unit-tests/src/test/resources/verified-server-side-truststore.jks and /dev/null differ
diff --git a/tests/unit-tests/src/test/resources/verified-server-side-truststore.p12 b/tests/unit-tests/src/test/resources/verified-server-side-truststore.p12
deleted file mode 100644
index eef6db5..0000000
Binary files a/tests/unit-tests/src/test/resources/verified-server-side-truststore.p12 and /dev/null differ