Posted to users@activemq.apache.org by RVlad <vl...@dati.lv> on 2006/11/28 17:12:04 UTC
Cannot get SSL client-to-broker connection
Hi guru,
Excuse me, I'm new to ActiveMQ...
I have built certificates/keystores as described in
http://www.activemq.org/site/how-do-i-use-ssl.html (how-do-i-use-ssl).
The broker has the following configuration:
-------------------------------------------------
<beans xmlns="http://activemq.org/config/1.0">
  <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
  <broker useJmx="true" persistent="true" brokerName="VladBroker">
    <transportConnectors>
      <transportConnector name="SSL" uri="ssl://localhost:61613"/>
      <transportConnector name="TCP" uri="tcp://localhost:61616"/>
    </transportConnectors>
  </broker>
</beans>
-------------------------------------------------
and starts normally:
---------console----------------------------------------
ACTIVEMQ_HOME: c:\ActiveMQ\bin\..
Loading message broker from: xbean:activemq.xml
INFO BrokerService - ActiveMQ 4.0.2 JMS Message Broker
(VladBroker) is starting
INFO BrokerService - For help or more information please
see:http://incubator.apache.org/activemq/
INFO ManagementContext - JMX consoles can connect to
service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
INFO JDBCPersistenceAdapter - Database driver recognized:
[apache_derby_embedded_jdbc_driver]
INFO JournalPersistenceAdapter - Journal Recovery Started from: Active
Journal: using 5 x 20.0 Megs at: C:\ActiveMQ\activemq-data\journal
INFO JournalPersistenceAdapter - Journal Recovered: 0 message(s) in
transactions recovered.
INFO TransportServerThreadSupport - Listening for connections at:
ssl://slavar:61613
INFO TransportConnector - Connector SSL Started
INFO TransportServerThreadSupport - Listening for connections at:
tcp://slavar:61616
INFO TransportConnector - Connector TCP Started
INFO BrokerService - ActiveMQ JMS Message Broker
(VladBroker,ID:slavar-1604-1164726172265-1:0) started
-------------------------------------------------
The client program fragment is as follows:
-------------------------------------------------
public class ReceiverClient {
    public static void main(String[] args) {
        final String MESSAGE_BROKER_URL = "ssl://slavar:61613";
        final String CLIENT_ID = "vladReceive";
        final String TOPIC = "testtopic2";
        // attempt to put system properties
        // needed for SSL connection
        // as described in http://www.activemq.org/site/how-do-i-use-ssl.html
        System.setProperty("javax.net.ssl.keyStore", "C:\\ActiveMQ\\client.ks");
        System.setProperty("javax.net.ssl.keyStorePassword", "password");
        System.setProperty("javax.net.ssl.trustStore", "C:\\ActiveMQ\\client.ts");
        // enabling debug output
        System.setProperty("javax.net.debug", "ssl,handshake,data,trustmanager");
        // starting communications
        JMSManager jm = new JMSManager(MESSAGE_BROKER_URL, CLIENT_ID);
        new Thread(new Receiver(jm, TOPIC)).start();
    }
}
-------------------------------------------------
After starting the client program I got the following console output:
-------------console-------------------------
setting up default SSLSocketFactory
use default SunJSSE impl class:
com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
keyStore is : C:\ActiveMQ\client.ks
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
***
found key for : client
chain [0] = [
[
Version: V1
Subject: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
public exponent: 65537
Validity: [From: Tue Nov 28 17:02:13 EET 2006, To: Mon Feb 26 17:02:13 EET 2007]
Issuer: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
SerialNumber: [ 456c4f75]
]
Algorithm: [MD5withRSA]
]
***
trustStore is: C:\ActiveMQ\client.ts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=Broker, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Exception in thread "main" java.lang.ExceptionInInitializerError
    at corp.sap.pal.le.amqtest.jms.client.JMSManager.init(JMSManager.java:64)
    at corp.sap.pal.le.amqtest.jms.client.JMSManager.<init>(JMSManager.java:33)
    at corp.sap.pal.le.amqtest.jms.client.ReceiverClient.main(ReceiverClient.java:37)
Caused by: javax.jms.JMSException: Could not connect to broker URL: ssl://slavar:61613. Reason: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:33)
    at org.apache.activemq.ActiveMQConnectionFactory.createActiveMQConnection(ActiveMQConnectionFactory.java:253)
    at org.apache.activemq.ActiveMQConnectionFactory.createActiveMQConnection(ActiveMQConnectionFactory.java:212)
    at org.apache.activemq.ActiveMQConnectionFactory.createConnection(ActiveMQConnectionFactory.java:159)
    at corp.sap.pal.le.amqtest.jms.client.JMSManager.init(JMSManager.java:55)
    ... 2 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
    at org.apache.activemq.transport.tcp.TcpBufferedInputStream.fill(TcpBufferedInputStream.java:49)
    at org.apache.activemq.transport.tcp.TcpBufferedInputStream.read(TcpBufferedInputStream.java:56)
    at java.io.DataInputStream.readInt(Unknown Source)
    at org.apache.activemq.openwire.OpenWireFormat.unmarshal(OpenWireFormat.java:275)
    at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:136)
    at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
    ... 14 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 19 more
2006.28.11 17:03:14 org.apache.activemq.ActiveMQConnection onAsyncException
WARNING: Async exception with no exception listener: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
    at org.apache.activemq.transport.tcp.TcpBufferedInputStream.fill(TcpBufferedInputStream.java:49)
    at org.apache.activemq.transport.tcp.TcpBufferedInputStream.read(TcpBufferedInputStream.java:56)
    at java.io.DataInputStream.readInt(Unknown Source)
    at org.apache.activemq.openwire.OpenWireFormat.unmarshal(OpenWireFormat.java:275)
    at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:136)
    at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
    ... 14 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 19 more
Issuer: CN=Broker, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Algorithm: RSA; Serial number: 0x456c4f41
Valid from Tue Nov 28 17:01:21 EET 2006 until Mon Feb 26 17:01:21 EET 2007
init context
trigger seeding of SecureRandom
done seeding SecureRandom
instantiated an instance of class
com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
main, setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1164725938 bytes = { 104, 30, 199, 2, 187, 204, 113,
255, 60, 143, 243, 121, 36, 222, 8, 25, 236, 63, 217, 191, 87, 45, 125, 196,
9, 218, 218, 6 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, WRITE: TLSv1 Handshake, length = 73
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, WRITE: SSLv2 client hello message, length = 98
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, READ: TLSv1 Handshake, length = 676
*** ServerHello, TLSv1
RandomCookie: GMT: 1164725938 bytes = { 248, 74, 66, 253, 93, 220, 60, 202,
202, 112, 29, 64, 177, 73, 33, 56, 64, 236, 105, 28, 166, 42, 153, 58, 158,
136, 142, 3 }
Session ID: {69, 108, 79, 178, 39, 232, 39, 146, 139, 217, 183, 46, 34,
162, 86, 158, 115, 6, 202, 100, 101, 39, 38, 68, 143, 237, 247, 245, 189,
242, 138, 240}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
public exponent: 65537
Validity: [From: Tue Nov 28 17:02:13 EET 2006, To: Mon Feb 26 17:02:13 EET 2007]
Issuer: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
SerialNumber: [ 456c4f75]
]
Algorithm: [MD5withRSA]
]
***
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, SEND TLSv1 ALERT: fatal, description = certificate_unknown
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, WRITE: TLSv1 Alert, length = 2
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, called closeSocket()
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, called close()
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, called closeInternal(true)
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
------------------------------------------------
It seems that the program can see the keyStore and trustStore...
What am I doing improperly?
PS
And what should I do to establish an SSL connection between two brokers?
Thanks in advance.
And excuse my poor English.
Vlad
--
View this message in context: http://www.nabble.com/Cannot-get-SSL-client-to-broker-connection-tf2719214.html#a7581989
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
Re: Cannot get SSL client-to-broker connection
Posted by Adrian Co <ac...@exist.com>.
For a network of brokers, I think it should be the same. Haven't tried it,
though. :)
Re: Cannot get SSL client-to-broker connection
Posted by RVlad <vl...@dati.lv>.
Hi Adrian Co,
Thanks for the right direction!
Yes, I've defined a global environment variable:
--------------console---------------
c:\ActiveMQ>set
ACTIVEMQ_OPTS=-Djavax.net.ssl.keyStore=c:\activemq\broker.ks
-Djavax.net.ssl.keyStorePassword=password
ALLUSERSPROFILE=C:\Documents and Settings\All Users
ANT_HOME=c:\Program Files\Apache Software Foundation\ant-1.6.5
... etc
---------------------------------------
but there was a little mistake of mine... I just mixed up "broker.ks" and
"client.ks" in the javax.net.ssl.keyStore option...
Now everything works fine except an old, lovely, well-known error
----------console--------------
Exception in thread "Thread-1" java.lang.RuntimeException:
javax.jms.JMSException: Socket is closed
at corp.sap.pal.le.amqtest.jms.client.JMSManager.close(JMSManager.java:73)
at corp.sap.pal.le.amqtest.jms.client.Sender.run(Sender.java:90)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.jms.JMSException: Socket is closed
at ...
...
---------------------------------
on connection closing.
But what about the second question:
> And what to do to establish SSL connection between two brokers?
Is it enough just to add -Djavax.net.ssl.trustStore=path/to/client.ts to
the same ACTIVEMQ_OPTS variable?
Thanks again!
Best regards,
Vlad
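The failure shown in the original post and the broker.ks/client.ks mix-up confirmed in this reply, as an added example that is not code from the thread: the script parses javax.net.debug output (the certificate in the client's own keyStore, the trust anchors loaded from the trustStore, and the chain the broker presented) and explains why PKIX path building failed. The log excerpt is constructed from the thread's output, abridged and with e-mail line wraps re-joined; the function names and the name-based trust check are my own, not JSSE's.

```python
"""Diagnose a JSSE 'PKIX path building failed' handshake from javax.net.debug output."""
import re
from dataclasses import dataclass

# Constructed from the thread's debug output: abridged, e-mail line wraps re-joined.
SAMPLE_LOG = """\
keyStore is : C:\\ActiveMQ\\client.ks
found key for : client
chain [0] = [
[
Subject: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
SerialNumber: [ 456c4f75]
]
]
***
trustStore is: C:\\ActiveMQ\\client.ts
adding as trusted cert:
Subject: CN=Broker, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Broker, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Algorithm: RSA; Serial number: 0x456c4f41
*** ClientHello, TLSv1
*** ServerHello, TLSv1
*** Certificate chain
chain [0] = [
[
Subject: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
SerialNumber: [ 456c4f75]
]
]
***
ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, SEND TLSv1 ALERT: fatal, description = certificate_unknown
"""


@dataclass
class Cert:
    subject: str = ""
    issuer: str = ""
    serial: str = ""


DN_RE = re.compile(r"^(Subject|Issuer):\s*(.+)$")
# Two spellings occur: 'SerialNumber: [ 456c4f75]' and 'Serial number: 0x456c4f41'.
SERIAL_RE = re.compile(r"Serial ?[Nn]umber:\s*\[?\s*(?:0x)?([0-9a-fA-F]+)")
ALERT_RE = re.compile(r"ALERT:\s*(\w+), description = (\w+)")


def parse_jsse_debug(text):
    """Return (own_certs, trust_anchors, server_chain, alerts) found in the log."""
    own, anchors, chain, alerts = [], [], [], []
    target, cur = None, None  # list that the next 'chain [n]' block feeds; open cert
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("found key for"):       # dump of our own keyStore entry
            target = own
        elif s == "*** Certificate chain":      # the peer's Certificate message
            target = chain
        elif s == "adding as trusted cert:":    # trustStore entries use a summary form
            cur = Cert()
            anchors.append(cur)
        elif target is not None and re.match(r"^chain \[\d+\] = \[$", s):
            cur = Cert()
            target.append(cur)
        elif s == "***":                        # end of a keystore or handshake dump
            target, cur = None, None
        elif cur is not None and (m := DN_RE.match(s)):
            setattr(cur, m.group(1).lower(), m.group(2))
        elif cur is not None and (m := SERIAL_RE.search(s)):
            cur.serial = m.group(1).lower()
        elif (m := ALERT_RE.search(s)):
            alerts.append((m.group(1), m.group(2)))
    return own, anchors, chain, alerts


def diagnose(own, anchors, chain):
    """Name-based approximation of PKIX path building; returns (ok, reason)."""
    if not chain:
        return False, "no server Certificate message in the log"
    anchor_subjects = {a.subject for a in anchors}
    leaf, top = chain[0], chain[-1]
    # JSSE accepts the chain when the leaf itself, or the issuer of the chain's
    # top certificate, is one of the loaded trust anchors.
    if leaf.subject in anchor_subjects or top.issuer in anchor_subjects:
        return True, "chain reaches a loaded trust anchor"
    reason = "leaf '%s' (serial %s) issued by '%s' chains to none of %s" % (
        leaf.subject, leaf.serial, top.issuer, sorted(anchor_subjects))
    # Tell-tale of this thread: the peer sent the certificate that sits in our own
    # keyStore, i.e. the broker was started with the client's keystore.
    if any(c.serial == leaf.serial and c.subject == leaf.subject for c in own):
        reason += "; the peer presented the certificate from our own keyStore"
    return False, reason


if __name__ == "__main__":
    own, anchors, chain, alerts = parse_jsse_debug(SAMPLE_LOG)
    ok, why = diagnose(own, anchors, chain)
    print("alerts:", alerts, "|", "OK" if ok else "FAILED: " + why)
```

Feed it the real output of a client started with -Djavax.net.debug=ssl,handshake,trustmanager after re-joining wrapped lines; a fix on the broker side shows up as the presented chain[0] Subject changing to the trustStore's CN=Broker.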
Re: Cannot get SSL client-to-broker connection
Posted by Adrian Co <ac...@exist.com>.
Did you do the export ACTIVEMQ_OPTS thingy?
I wonder if the version you're using does not support this yet. Try
manually adding the properties inside the activemq startup script (e.g.
activemq.bat).
> ***
> [write] MD5 and SHA1 hashes: len = 73
> ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, WRITE: TLSv1 Handshake,
> length = 73
> [write] MD5 and SHA1 hashes: len = 98
> ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, WRITE: SSLv2 client
> hello message, length = 98
> ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, READ: TLSv1 Handshake,
> length = 676
> *** ServerHello, TLSv1
> RandomCookie: GMT: 1164725938 bytes = { 248, 74, 66, 253, 93, 220, 60, 202,
> 202, 112, 29, 64, 177, 73, 33, 56, 64, 236, 105, 28, 166, 42, 153, 58, 158,
> 136, 142, 3 }
> Session ID: {69, 108, 79, 178, 39, 232, 39, 146, 139, 217, 183, 46, 34,
> 162, 86, 158, 115, 6, 202, 100, 101, 39, 38, 68, 143, 237, 247, 245, 189,
> 242, 138, 240}
> Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
> Compression Method: 0
> ***
> %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
> ** SSL_RSA_WITH_RC4_128_MD5
> [read] MD5 and SHA1 hashes: len = 74
> *** Certificate chain
> chain [0] = [
> [
> Version: V1
> Subject: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown,
> C=Unknown
> Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
>
> Key: Sun RSA public key, 1024 bits
> modulus:
> 119125831157180012241622638937390092189160437001853263361203684931436347286138557738177018166153998344463370986916053114448493751892417595464787155221273101941051608309892520802382018408256577151580997906961252558439314550554537620071874869391764812672132384452834035314691770120458734555207178162494413487159
> public exponent: 65537
> Validity: [From: Tue Nov 28 17:02:13 EET 2006,
> To: Mon Feb 26 17:02:13 EET 2007]
> Issuer: CN=Client, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> SerialNumber: [ 456c4f75]
>
> ]
> Algorithm: [MD5withRSA]
> Signature:
>
> ]
> ***
> ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, SEND TLSv1 ALERT:
> fatal, description = certificate_unknown
> ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, WRITE: TLSv1 Alert,
> length = 2
> ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, called closeSocket()
> ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, handling exception:
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, called close()
> ActiveMQ Transport: tcp://localhost/127.0.0.1:61613, called
> closeInternal(true)
> main, handling exception: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> ------------------------------------------------
>
> It seems that the program can see the keyStore and trustStore...
> What am I doing improperly?
>
> PS
> And what to do to establish SSL connection between two brokers?
>
>
> Thanks in advance.
> And excuse my poor English.
>
> Vlad
>
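The trace above fails in PKIX path building: the only certificate the broker presents is self-signed with subject CN=Client, and nothing in the client's truststore anchors it. The following diagnostic, an added example that is not part of the original post or of ActiveMQ, prints the truststore's entries alongside the chain the broker actually sends, even when the handshake is rejected; host, port, truststore path and password are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.*;

public class BrokerTrustCheck {
    public static void main(String[] args) throws Exception {
        String host = "localhost", trustStorePath = "client.ts"; // assumed values
        int port = 61613;                                        // assumed: the ssl:// connector port
        char[] trustStorePass = "changeit".toCharArray();        // placeholder password

        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) { ts.load(in, trustStorePass); }
        // Every certificate entry here is a candidate trust anchor for PKIX path building.
        for (String alias : Collections.list(ts.aliases())) {
            if (ts.getCertificate(alias) instanceof X509Certificate) {
                X509Certificate c = (X509Certificate) ts.getCertificate(alias);
                System.out.println("trusted [" + alias + "] subject=" + c.getSubjectX500Principal());
            }
        }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        final X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];
        final X509Certificate[][] presented = new X509Certificate[1][];
        // Record the server chain before delegating to the real PKIX check, so it is
        // visible even when the handshake is rejected with certificate_unknown.
        X509TrustManager recording = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { real.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                presented[0] = c; real.checkServerTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recording }, null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("handshake OK, cipher suite " + s.getSession().getCipherSuite());
        } catch (SSLHandshakeException e) {
            System.out.println("handshake failed: " + e.getMessage());
        }
        for (int i = 0; presented[0] != null && i < presented[0].length; i++) {
            System.out.println("presented[" + i + "] subject=" + presented[0][i].getSubjectX500Principal()
                    + " issuer=" + presented[0][i].getIssuerX500Principal());
        }
    }
}
```

Compare the printed trusted subjects with the presented issuer: a self-signed server certificate validates only if that exact certificate is among the truststore entries.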