Posted to issues@activemq.apache.org by "Gary Tully (JIRA)" <ji...@apache.org> on 2016/05/04 22:10:12 UTC
[jira] [Commented] (AMQ-5100) PKCS11 (NSS-FIPS) support in A-MQ/ActiveMQ
[ https://issues.apache.org/jira/browse/AMQ-5100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15271525#comment-15271525 ]
Gary Tully commented on AMQ-5100:
---------------------------------
For the record: I think "suppressMBean" would allow just the transportConnector MBean to be dropped so that the rest of JMX could work. See: http://activemq.apache.org/jmx.html
> PKCS11 (NSS-FIPS) support in A-MQ/ActiveMQ
> ------------------------------------------
>
> Key: AMQ-5100
> URL: https://issues.apache.org/jira/browse/AMQ-5100
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Reporter: Jesse Sightler
>
> I have attempted to configure PKCS11/NSS support in ActiveMQ, however, I am receiving the following exception:
> Caused by: java.io.FileNotFoundException: class path resource [NONE] cannot be opened because it does not exist
>     at org.springframework.core.io.ClassPathResource.getInputStream(ClassPathResource.java:157)
>     at org.apache.activemq.spring.SpringSslContext.createKeyManagerKeyStore(SpringSslContext.java:119)
>     at org.apache.activemq.spring.SpringSslContext.createKeyManagers(SpringSslContext.java:88)
>     at org.apache.activemq.spring.SpringSslContext.afterPropertiesSet(SpringSslContext.java:65)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:622)
>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1581)
>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1522)
>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1452)
>     ... 40 more
> My configured sslContext for the broker looks like this:
> <sslContext>
>   <sslContext
>     keyStore="NONE" keyStoreType="PKCS11" keyStorePassword="password"
>     trustStore="/etc/activemqssl/truststore.jks" trustStorePassword="password"
>   />
> </sslContext>
> AFAIK, setting keyStore to "NONE" is the generally accepted way to do this with PKCS11. The code should generate a warning at most for this, but instead I receive the above exception and a failure to load the keystore.
> The activemq code looks like this (in org.apache.activemq.spring.SpringSslContext):
>     private KeyStore createKeyManagerKeyStore() throws Exception {
>         if( keyStore ==null ) {
>             return null;
>         }
>         KeyStore ks = KeyStore.getInstance(keyStoreType);
>         InputStream is=Utils.resourceFromString(keyStore).getInputStream();
>         try {
>             ks.load(is, keyStorePassword==null? null : keyStorePassword.toCharArray());
>         } finally {
>             is.close();
>         }
>         return ks;
>     }
> It looks like this should just be setting "is" to null, generating a warning, and then calling ks.load with the null inputstream (the nss library will load the nss files based upon the nss.cfg file).
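The change proposed at the end of the issue description, as an added example that is not ActiveMQ's code or the project's eventual fix: when the configured location is "NONE", skip the resource lookup and call `KeyStore.load` with a null stream so the provider supplies the key material. The class name `TokenAwareKeyStoreLoader`, the use of `FileInputStream` in place of `Utils.resourceFromString`, and the sample password are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

// Hypothetical stand-alone class; not part of ActiveMQ.
public class TokenAwareKeyStoreLoader {

    // JSSE convention for token-backed stores: there is no keystore file to open.
    static final String NO_FILE = "NONE";

    static KeyStore load(String type, String location, char[] password) throws Exception {
        if (location == null) {
            return null; // same as the quoted method: no key material configured
        }
        KeyStore ks = KeyStore.getInstance(type);
        if (NO_FILE.equals(location)) {
            // Null stream: the provider (for example SunPKCS11 over NSS) locates its
            // own storage from its configuration; the password is passed through as
            // the token PIN. No resource named "NONE" is ever resolved.
            ks.load(null, password);
            return ks;
        }
        // File-backed store. Assumption: a plain file path stands in for the
        // Spring resource lookup used by SpringSslContext.
        try (InputStream is = new FileInputStream(location)) {
            ks.load(is, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] pin = "changeit".toCharArray(); // constructed sample value

        // Offline check of the null-stream path: PKCS12 needs no token, and
        // load(null, ...) returns an empty, initialized keystore.
        KeyStore empty = load("PKCS12", NO_FILE, pin);
        System.out.println("PKCS12 entries via null stream: " + empty.size());

        // With a PKCS11 provider registered in the JVM, the same call reads the
        // token; without one, getInstance fails and is reported here.
        try {
            KeyStore token = load("PKCS11", NO_FILE, pin);
            System.out.println("PKCS11 entries: " + token.size());
        } catch (Exception e) {
            System.out.println("PKCS11 provider not available: " + e);
        }
    }
}
```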