Posted to users@activemq.apache.org by huntc <hu...@mac.com> on 2009/03/13 23:58:51 UTC

ssl client connectivity and the keystore with needClientAuth on the broker

Hi there,

I'm having great difficulty in getting SSL connectivity working with client
certificate verification (needClientAuth = true on the broker's ssl
transport).

I think that I have my certificates all set up correctly. I see the broker
asking the client for its certificate via Wireshark.

I notice that the SSL transport code shows that if it gets a connectionInfo
command then it calls upon the session's getPeerCertificates method.

My questions are:

(i) if my broker's transport is configured with needClientAuth=true then
will my client's transport receive this connectionInfo command?
(ii) will getPeerCertificates return all of the keyEntry objects in my
keystore?
(iii) do I also need to set needClientAuth=true on my client as well as my
broker?

Thanks for your guidance.

Kind regards,
Christopher
-- 
View this message in context: http://www.nabble.com/ssl-client-connectivity-and-the-keystore-with-needClientAuth-on-the-broker-tp22506635p22506635.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.


Re: ssl client connectivity and the keystore with needClientAuth on the broker

Posted by huntc <hu...@mac.com>.
I've made some progress. My client now connects to the broker with mutual SSL
authentication. I didn't realise that if my client cert resides in the jre lib
cacerts keystore then my application won't have access to it. That makes
sense of course; however because one-way SSL was working using cacerts as a
truststore I thought that it should be fine to use as a keystore.

Anyway... I created my own keystore and provided the credentials to it. The
connection now works. However I now have a problem with the
CertificateLoginModule and will raise this as a separate topic.
-- 
View this message in context: http://www.nabble.com/ssl-client-connectivity-and-the-keystore-with-needClientAuth-on-the-broker-tp22506635p22511026.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
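
Added example (not part of the original thread and not ActiveMQ code): a plain JSSE check for the keystore/truststore distinction described in the follow-up above. It lists which entries in the client keystore hold a key (only those can answer a broker that has needClientAuth=true), then builds an SSLContext from a separate keystore and truststore. The class name, argument order and the KEYSTORE_PASS / TRUSTSTORE_PASS environment variables are assumptions made for this sketch, as is the key password being the same as the keystore password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper: run as
//   java ClientAuthStoreCheck <client-keystore> <truststore>
public class ClientAuthStoreCheck {

    // Load a keystore file using the JVM's default keystore type.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Print every alias and count the entries that carry a key.
    // Trusted-certificate entries have no private key and cannot
    // be presented as a client certificate.
    static int countKeyEntries(KeyStore ks) throws Exception {
        int keys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            boolean isKey = ks.isKeyEntry(alias);
            System.out.printf("%-30s %s%n", alias, isKey ? "key entry" : "trusted cert only");
            if (isKey) keys++;
        }
        return keys;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: passwords come from the environment, not the command line.
        char[] keyPass = System.getenv("KEYSTORE_PASS").toCharArray();
        char[] trustPass = System.getenv("TRUSTSTORE_PASS").toCharArray();
        KeyStore keyStore = load(args[0], keyPass);
        KeyStore trustStore = load(args[1], trustPass);
        if (countKeyEntries(keyStore) == 0) {
            throw new IllegalStateException("no key entry: nothing to send as a client certificate");
        }
        // Key managers supply the client's own certificate and private key.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPass); // assumes key password == keystore password
        // Trust managers decide whether the broker's certificate is accepted.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("SSLContext initialised: " + ctx.getProtocol());
    }
}
```

Pointing the first argument at a store that contains only trusted certificates makes the check fail before any connection is attempted, which separates a keystore problem from a broker-side configuration problem.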