Posted to dev@activemq.apache.org by "Jesse Sightler (JIRA)" <ji...@apache.org> on 2014/03/13 20:15:43 UTC
[jira] [Created] (AMQ-5100) PKCS11 (NSS-FIPS) support in A-MQ/ActiveMQ
Jesse Sightler created AMQ-5100:
-----------------------------------
Summary: PKCS11 (NSS-FIPS) support in A-MQ/ActiveMQ
Key: AMQ-5100
URL: https://issues.apache.org/jira/browse/AMQ-5100
Project: ActiveMQ
Issue Type: Bug
Components: Broker
Reporter: Jesse Sightler
I have attempted to configure PKCS11/NSS support in ActiveMQ; however, I am receiving the following exception:
Caused by: java.io.FileNotFoundException: class path resource [NONE] cannot be opened because it does not exist
    at org.springframework.core.io.ClassPathResource.getInputStream(ClassPathResource.java:157)
    at org.apache.activemq.spring.SpringSslContext.createKeyManagerKeyStore(SpringSslContext.java:119)
    at org.apache.activemq.spring.SpringSslContext.createKeyManagers(SpringSslContext.java:88)
    at org.apache.activemq.spring.SpringSslContext.afterPropertiesSet(SpringSslContext.java:65)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:622)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1581)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1522)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1452)
    ... 40 more
My configured sslContext for the broker looks like this:
<sslContext>
    <sslContext
        keyStore="NONE" keyStoreType="PKCS11" keyStorePassword="password"
        trustStore="/etc/activemqssl/truststore.jks" trustStorePassword="password"
    />
</sslContext>
AFAIK, setting keyStore to "NONE" is the generally accepted way to do this with PKCS11. The code should generate a warning at most for this, but instead I receive the above exception and a failure to load the keystore.
The activemq code looks like this (in org.apache.activemq.spring.SpringSslContext):
private KeyStore createKeyManagerKeyStore() throws Exception {
    if( keyStore ==null ) {
        return null;
    }
    KeyStore ks = KeyStore.getInstance(keyStoreType);
    InputStream is=Utils.resourceFromString(keyStore).getInputStream();
    try {
        ks.load(is, keyStorePassword==null? null : keyStorePassword.toCharArray());
    } finally {
        is.close();
    }
    return ks;
}
It looks like this should just be setting "is" to null, generating a warning, and then calling ks.load with the null inputstream (the nss library will load the nss files based upon the nss.cfg file).
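The behaviour the report asks for, as an added example (not ActiveMQ's code and not necessarily the fix the project adopted): a loader that treats the location "NONE" as "no file" and passes a null stream to KeyStore.load so the provider locates its own token storage. The class name TokenKeyStoreLoader and the use of java.nio.file in place of Spring resources are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

// Hypothetical helper, not part of ActiveMQ.
public class TokenKeyStoreLoader {
    // Same convention JSSE uses for javax.net.ssl.keyStore when the
    // keystore is not file-based (for example a PKCS11 token).
    static final String NO_FILE = "NONE";

    static KeyStore load(String type, String location, char[] password)
            throws GeneralSecurityException, IOException {
        if (location == null) {
            return null; // no key material configured, as in the quoted method
        }
        KeyStore ks = KeyStore.getInstance(type);
        if (NO_FILE.equals(location)) {
            // Token-backed store: there is no stream to read. For PKCS11
            // the password is the token PIN; the provider finds the token
            // through its own configuration (nss.cfg in the report).
            ks.load(null, password);
            return ks;
        }
        // File-backed store: open, load, and always close the stream.
        try (InputStream is = Files.newInputStream(Paths.get(location))) {
            ks.load(is, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // PKCS12 accepts a null stream and yields an empty store, so the
        // "NONE" branch can be exercised on a machine without a token.
        KeyStore empty = load("PKCS12", "NONE", null);
        System.out.println("PKCS12 via NONE, entries: " + empty.size());

        // With no PKCS11 provider configured this fails in getInstance,
        // not with a FileNotFoundException for a resource named NONE.
        try {
            KeyStore token = load("PKCS11", "NONE", "password".toCharArray());
            System.out.println("PKCS11 via NONE, entries: " + token.size());
        } catch (GeneralSecurityException | IOException e) {
            System.out.println("PKCS11 unavailable here: " + e.getMessage());
        }
    }
}
```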