Posted to users@activemq.apache.org by yuanbatou <ch...@gmail.com> on 2013/08/23 15:41:48 UTC

Re: setting up c++ client app using CMS using SSL client certificate auth

Hi, mikmela,

I am also developing a client app using CMS. But I am new to ActiveMQ and
SSL.

So could you explain to me how you produce the following things?

ClientTrustStoreInPemFormat
ClientKeyStoreInPemFormat

Thank you in advance.

Best Regards,

Yuan




--
View this message in context: http://activemq.2283324.n4.nabble.com/setting-up-c-client-app-using-CMS-using-SSL-client-certificate-auth-tp4664686p4670612.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by yuanbatou <ch...@gmail.com>.
Hi Tim,

Here is the message I got after I set "-Djava.net.debug=ssl".

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
ActiveMQ BrokerService[localhost] Task-1, setSoTimeout(0) called
ActiveMQ Transport: ssl:///192.168.209.1:8111, READ: TLSv1 Handshake, length
= 313
*** ClientHello, Unknown-3.3
RandomCookie:  GMT: 1378660337 bytes = { 163, 110, 155, 37, 22, 114, 230,
253, 182, 199, 3, 53, 54, 148, 241, 94, 233, 246, 128, 212, 169, 90, 240,
106, 115, 37, 246, 86 }
Session ID:  {}
Cipher Suites: [Unknown 0xc0:0x30, Unknown 0xc0:0x2c, Unknown 0xc0:0x28,
Unknown 0xc0:0x24, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, Unknown 0xc0:0x22, Unknown 0xc0:0x21,
Unknown 0x0:0xa3, Unknown 0x0:0x9f, Unknown 0x0:0x6b, Unknown 0x0:0x6a,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, Unknown
0x0:0x88, Unknown 0x0:0x87, TLS_ECDH_anon_WITH_AES_256_CBC_SHA, Unknown
0xc0:0x20, Unknown 0xc0:0x32, Unknown 0xc0:0x2e, Unknown 0xc0:0x2a, Unknown
0xc0:0x26, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, Unknown 0x0:0x9d, Unknown 0x0:0x3d,
TLS_RSA_WITH_AES_256_CBC_SHA, Unknown 0x0:0x84,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
Unknown 0xc0:0x1c, Unknown 0xc0:0x1b, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
Unknown 0xc0:0x1a, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, Unknown
0xc0:0x2f, Unknown 0xc0:0x2b, Unknown 0xc0:0x27, Unknown 0xc0:0x23,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
Unknown 0xc0:0x1f, Unknown 0xc0:0x1e, Unknown 0x0:0xa2, Unknown 0x0:0x9e,
Unknown 0x0:0x67, Unknown 0x0:0x40, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, Unknown 0x0:0x9a, Unknown 0x0:0x99,
Unknown 0x0:0x45, Unknown 0x0:0x44, TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
Unknown 0xc0:0x1d, Unknown 0xc0:0x31, Unknown 0xc0:0x2d, Unknown 0xc0:0x29,
Unknown 0xc0:0x25, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, Unknown 0x0:0x9c, Unknown 0x0:0x3c,
TLS_RSA_WITH_AES_128_CBC_SHA, Unknown 0x0:0x96, Unknown 0x0:0x41,
SSL_RSA_WITH_IDEA_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 1, 0 }
Extension ec_point_formats, formats: [uncompressed,
ansiX962_compressed_prime, ansiX962_compressed_char2]
Extension elliptic_curves, curve names: {sect571r1, sect571k1, secp521r1,
sect409k1, sect409r1, secp384r1, sect283k1, sect283r1, secp256k1, secp256r1,
sect239k1, sect233k1, sect233r1, secp224k1, secp224r1, sect193r1, sect193r2,
secp192k1, secp192r1, sect163k1, sect163r1, sect163r2, secp160k1, secp160r1,
secp160r2}
Unsupported extension type_35, data: 
Unsupported extension signature_algorithms, data:
00:20:06:01:06:02:06:03:05:01:05:02:05:03:04:01:04:02:04:03:03:01:03:02:03:03:02:01:02:02:02:03:01:01
Unsupported extension type_15, data: 01
***
ActiveMQ Transport: ssl:///192.168.209.1:8111, handling exception:
java.security.ProviderException:
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
ActiveMQ Transport: ssl:///192.168.209.1:8111, SEND TLSv1 ALERT:  fatal,
description = internal_error
ActiveMQ Transport: ssl:///192.168.209.1:8111, WRITE: TLSv1 Alert, length =
2
ActiveMQ Transport: ssl:///192.168.209.1:8111, called closeSocket()
 WARN | Transport Connection to: tcp://192.168.209.1:8111 failed:
javax.net.ssl.SSLException: java.security.ProviderException:
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
ActiveMQ Task-1, called close()
ActiveMQ Task-1, called closeInternal(true)
ERROR | Could not accept connection from tcp://192.168.209.1:8111:
javax.net.ssl.SSLException: Connection has been shutdown:
javax.net.ssl.SSLException: java.security.ProviderException:
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID






--
View this message in context: http://activemq.2283324.n4.nabble.com/setting-up-c-client-app-using-CMS-using-SSL-client-certificate-auth-tp4664686p4671293.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by darkrwe <em...@gmail.com>.
I export the environment parameter below.

export ACTIVEMQ_OPTS="-Djava.net.debug=ssl"

But I have not seen any SSL handshake between client and broker in the
activeMQBase/data/activemq.log file.

Is there another log file where I can trace the result?

Thanks.



--
View this message in context: http://activemq.2283324.n4.nabble.com/setting-up-c-client-app-using-CMS-using-SSL-client-certificate-auth-tp4664686p4674028.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by mikmela <mi...@yahoo.com>.
It is definitely not an ActiveMQ issue... You can look into PKI software from various vendors or try to implement something yourself for example using web services...

Sent from my HTC One on the Verizon Wireless 4G LTE network

----- Reply message -----
From: "darkrwe [via ActiveMQ]" <ml...@n4.nabble.com>
To: "mikmela" <mi...@yahoo.com>
Subject: setting up c++ client app using CMS using SSL client certificate auth
Date: Tue, Nov 26, 2013 4:12 AM

Thank you very much,
What I want to do is create an ActiveMQ cluster.
This cluster will use mutual authentication (client and broker).
And each ActiveMQ client should generate its own certificate, and this certificate should be signed by a private CA authority that I set up. This new client certificate should also be added to the broker truststore to provide mutual authentication.
But the problem is I do not know how to automate this process.
Actually, that is my question.
If you give me a clue that will be gorgeous.
Thank you again.











--
View this message in context: http://activemq.2283324.n4.nabble.com/setting-up-c-client-app-using-CMS-using-SSL-client-certificate-auth-tp4664686p4674958.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by darkrwe <em...@gmail.com>.
Thank you very much,

What I want to do is create an ActiveMQ cluster.

This cluster will use mutual authentication (client and broker).

And each ActiveMQ client should generate its own certificate, and this
certificate should be signed by a private CA authority that I set up.
This new client certificate should also be added to the broker truststore to
provide mutual authentication.

But the problem is I do not know how to automate this process.

Actually, that is my question.
If you give me a clue that will be gorgeous.
Thank you again.



--
View this message in context: http://activemq.2283324.n4.nabble.com/setting-up-c-client-app-using-CMS-using-SSL-client-certificate-auth-tp4664686p4674842.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by Timothy Bish <ta...@gmail.com>.
On 11/25/2013 12:26 PM, darkrwe wrote:
> Hi guys;
>
> I wonder something about SSL/TLS authentication of ActiveMQ.
>
> Is there any way to authenticate activemq-cpp clients to add these clients'
> public keys to the broker truststore automatically?
>
>
>
> --
> View this message in context: http://activemq.2283324.n4.nabble.com/setting-up-c-client-app-using-CMS-using-SSL-client-certificate-auth-tp4664686p4674827.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>
No, you need to add the trusted client keys or the Root CA to your 
broker's truststore manually.

-- 
Tim Bish
Sr Software Engineer | RedHat Inc.
tim.bish@redhat.com | www.fusesource.com | www.redhat.com
skype: tabish121 | twitter: @tabish121
blog: http://timbish.blogspot.com/
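
Trusting the Root CA, the second option in the reply above, means the broker truststore holds only the CA certificate and every client certificate that CA signs chains to it without a further truststore edit. The sketch below is an added example, not from the thread; it uses `openssl verify` as a stand-in for the broker's chain check, and all function names, file names and subject names are constructed.

```shell
#!/bin/sh
# Added example: one private CA in the truststore instead of one entry per client.
# `openssl verify` stands in for the chain validation the broker performs.
# All names, subjects and paths below are constructed for the illustration.

# make_ca DIR: create a throwaway self-signed CA (ca.key, ca.pem) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Private CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_client_cert DIR NAME: the client generates its own key and CSR,
# the CA signs the CSR. The client's private key never leaves the client.
issue_client_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 1 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.pem" 2>/dev/null
}

# make_self_signed DIR NAME: a certificate that was NOT issued by the CA.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# trusted_by_ca CA_PEM CERT_PEM: succeeds only if CERT_PEM chains to CA_PEM.
# The output line is matched instead of the exit status, which older
# OpenSSL releases did not set reliably on failure.
trusted_by_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

make_ca "$work"
# One-time manual step on the broker (alias is a constructed name):
#   keytool -import -alias private-ca -keystore broker.ts -file ca.pem

issue_client_cert "$work" client-1
issue_client_cert "$work" client-2   # added later, truststore untouched
make_self_signed  "$work" rogue      # never signed by the CA

for name in client-1 client-2 rogue; do
    if trusted_by_ca "$work/ca.pem" "$work/$name.pem"; then
        echo "$name: chains to the private CA"
    else
        echo "$name: rejected"
    fi
done
```

The CA private key (`ca.key` here) is the one secret that must be protected, since whoever holds it can mint certificates the broker will accept.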


Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by darkrwe <em...@gmail.com>.
Hi guys;

I wonder something about SSL/TLS authentication of ActiveMQ.

Is there any way to authenticate activemq-cpp clients to add these clients'
public keys to the broker truststore automatically?



--
View this message in context: http://activemq.2283324.n4.nabble.com/setting-up-c-client-app-using-CMS-using-SSL-client-certificate-auth-tp4664686p4674827.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by darkrwe <em...@gmail.com>.
Hello Mikmela,

I have solved the issue. Thank you for the reply.

My mistake was that I did not add the -nokeys argument for the truststore:

openssl.exe pkcs12 -in %broker%.p12 -out %client%_ts.pem -nokeys

Thank you guys.
Have a nice day.



--
View this message in context: http://activemq.2283324.n4.nabble.com/setting-up-c-client-app-using-CMS-using-SSL-client-certificate-auth-tp4664686p4674061.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by mikmela <mi...@yahoo.com>.
*error:0906D06C:PEM routines:PEM_read_bio:no start line
error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib*
appears if a private key is not found during the SSL handshake.

Overall, it looks like you're on the right path...
You enabled client auth... Therefore, for a successful handshake you need to
configure a keystore (jks file) with the broker private key and a truststore (jks)
with the public keys of the clients your broker should trust...
On the client side, you need the same thing: a) a keystore (pem file due to CMS
requirement) to store the client's private key and b) a truststore (pem format) to
store the public key of the broker you trust...

So, make sure:
a) you use
openssl.exe pkcs12 -in %client%.p12 -out %client%_ks.pem
to create the client keystore
b) you use
openssl.exe pkcs12 -in %broker%.p12 -out %client%_ts.pem -nokeys

And of course, make sure you don't mix up the references to these files when
you set them as properties in your CMS-based C++ code.




--
View this message in context: http://activemq.2283324.n4.nabble.com/setting-up-c-client-app-using-CMS-using-SSL-client-certificate-auth-tp4664686p4674033.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
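
The two exports in the message above differ only in -nokeys, and the result can be checked before the files are handed to decaf.net.ssl.keyStore and decaf.net.ssl.trustStore. The pre-flight check below is an added example, not code from the thread; the function names and the sample PEM files (placeholder bodies, not real key material) are constructed. Without -nokeys the broker's private key is written into the file that is distributed to clients, which the check flags.

```shell
#!/bin/sh
# Added example: classify the PEM files a CMS client is configured with.
# Function names and sample files are constructed for this illustration.

KEY_RE='^-----BEGIN ((RSA|EC|ENCRYPTED) )?PRIVATE KEY-----'
CERT_RE='^-----BEGIN CERTIFICATE-----'

# count_blocks FILE REGEX: number of PEM header lines matching REGEX.
count_blocks() {
    grep -c -E -e "$2" "$1" || true   # grep -c exits 1 when the count is 0
}

# pem_role FILE: prints keystore | truststore | key-only | empty | missing.
pem_role() {
    [ -r "$1" ] || { echo missing; return 0; }
    keys=$(count_blocks "$1" "$KEY_RE")
    certs=$(count_blocks "$1" "$CERT_RE")
    if [ "$keys" -gt 0 ] && [ "$certs" -gt 0 ]; then echo keystore
    elif [ "$keys" -gt 0 ]; then echo key-only
    elif [ "$certs" -gt 0 ]; then echo truststore
    else echo empty
    fi
}

# check_cms_pems KEYSTORE_PEM TRUSTSTORE_PEM: returns 0 only when the first
# file carries key + certificate and the second carries certificates only.
check_cms_pems() {
    ks_role=$(pem_role "$1")
    ts_role=$(pem_role "$2")
    rc=0
    if [ "$ks_role" != keystore ]; then
        echo "  keyStore $1 looks like '$ks_role': it needs the client's private key and certificate"
        rc=1
    fi
    if [ "$ts_role" != truststore ]; then
        echo "  trustStore $2 looks like '$ts_role': export it with -nokeys so it holds certificates only"
        rc=1
    fi
    return $rc
}

# --- constructed sample files (placeholder bodies, not real key material) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/client_ks.pem" <<'EOF'
Bag Attributes
    friendlyName: client
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: client
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
EOF

cat > "$demo_dir/broker_ts_nokeys.pem" <<'EOF'
Bag Attributes
    friendlyName: broker
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
EOF

# What the truststore export produces when -nokeys is left out.
cat "$demo_dir/broker_ts_nokeys.pem" > "$demo_dir/broker_ts_with_key.pem"
cat >> "$demo_dir/broker_ts_with_key.pem" <<'EOF'
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
EOF

echo "keystore + truststore exported with -nokeys:"
check_cms_pems "$demo_dir/client_ks.pem" "$demo_dir/broker_ts_nokeys.pem" && echo "  ok"
echo "truststore exported without -nokeys:"
check_cms_pems "$demo_dir/client_ks.pem" "$demo_dir/broker_ts_with_key.pem" || echo "  rejected"
echo "files swapped in the client properties:"
check_cms_pems "$demo_dir/broker_ts_nokeys.pem" "$demo_dir/client_ks.pem" || echo "  rejected"
```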

Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by Timothy Bish <ta...@gmail.com>.
On 11/07/2013 12:12 PM, darkrwe wrote:
> Hi Tim,
> thank you for answer.
> I installed oracle JDK7 and now i don't get below problems.
> Now I just want to summarize what i do.. Because my pem file is problematic
> in client side.
> Maybe another configuration i could miss.
>
>> I'm getting below error on the client side (ubuntu 13.04 -same machine
>> with
>> the client)
>> Error occurred while accessing an OpenSSL library method:
>> error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal
>> error
>>
>> I'm also getting below error from broker side (ubuntu 13.04 -same machine
>> with the client)
>> 2013-11-07 12:04:22,244 | ERROR | Could not accept connection from
>> tcp://127.0.0.1:55751: javax.net.ssl.SSLException:
>> java.security.ProviderException:
>> sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID |
>> org.apache.activemq.broker.TransportConnector | ActiveMQ
>> BrokerService[localhost] Task-3
> *But now I have got the these error from client:*
> *Error occurred while accessing an OpenSSL library method:
> error:0906D06C:PEM routines:PEM_read_bio:no start line
> error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib*
>
>
> *I use below configuration in my cms client:*
> I also enabled SSL in activeMQ.(installed openSSL and added proper prefix to
> activeMQ installation)
>   activemq::library::ActiveMQCPP::initializeLibrary();
>   decaf::lang::System::setProperty(
> "decaf.net.ssl.keyStore","/pathToPem/Client.pem");
>   decaf::lang::System::setProperty("decaf.net.ssl.keyStorePassword",
> "123456");
>   decaf::lang::System::setProperty( "decaf.net.ssl.trustStore",
> "/pathToPem/Broker.pem" );
>   url ="ssl://localhost:61617";
>
> in broker side i have done below configurations:
> *in activemq.xml:*
>
>      <sslContext>
>          <sslContext
>              keyStore="broker.ks" keyStorePassword="123456"
>              trustStore="client.ks" trustStorePassword="123456"/>
>      </sslContext>
>      <transportConnectors>
>           <transportConnector name="ssl"
> uri="ssl://localhost:61617?needClientAuth=true" />
>           <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?
> maximumConnections=1000&amp;wireformat.maxFrameSize=104857600"/>
>           <transportConnector name="amqp"
> uri="amqp://0.0.0.0:5672?maximumConnections=1000&amp;wireformat.maxFrameSize=104857600"/>
>      </transportConnectors>
>
> *I also export the SSL_OPTS environment parameter before starting the
> broker:*
> $ export SSL_OPTS="-Djavax.net.ssl.keyStore=/pathTobrokerks/broker.ks
> -Djavax.net.ssl.keyStorePassword=123456
> -Djavax.net.ssl.trustStore=/pathTobrokerts/broker.ts"
>
> Below commands for generating keystores and certificates:
> $ keytool -genkey -alias broker -keyalg RSA -keystore broker.ks
> $ keytool -export -alias broker -keystore broker.ks -file broker_cert
> $ keytool -genkey -alias client -keyalg RSA -keystore client.ks
> $ keytool -import -alias broker -keystore client.ts -file broker_cert
> $ keytool -export -alias client -keystore client.ks -file client_cert
> $ keytool -import -alias client -keystore broker.ts -file client_cert
>
> *I have converted to cert files to pem files using below commands:*
> $ keytool -importkeystore -srckeystore broker.ks -destkeystore
> broker_cert.p12 -srcstoretype jks -deststoretype pkcs12
> $ openssl pkcs12 -in broker_cert.p12 -out Broker.pem
> $ keytool -importkeystore -srckeystore client.ks -destkeystore
> client_cert.p12 -srcstoretype jks -deststoretype pkcs12
> $ openssl pkcs12 -in client_cert.p12 -out Client.pem
>
> is there any thing that i miss? or wrong configuration in client or broker
> side ?
>
> Thanks a lot.
>
>
>
>
>   
>
>
>
> --
> View this message in context: http://activemq.2283324.n4.nabble.com/setting-up-c-client-app-using-CMS-using-SSL-client-certificate-auth-tp4664686p4674024.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>

You need to debug the SSL handshake and see what is going on.  You may 
need to enable other cipher suites etc to allow the broker and client to 
communicate.

-- 
Tim Bish
Sr Software Engineer | RedHat Inc.
tim.bish@redhat.com | www.fusesource.com | www.redhat.com
skype: tabish121 | twitter: @tabish121
blog: http://timbish.blogspot.com/


Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by darkrwe <em...@gmail.com>.
Hi Tim,
thank you for the answer.
I installed Oracle JDK7 and now I don't get the problems below.
Now I just want to summarize what I do, because my PEM file is problematic
on the client side.
Maybe there is another configuration I could have missed.

> I'm getting below error on the client side (ubuntu 13.04 -same machine
> with 
> the client) 
> Error occurred while accessing an OpenSSL library method: 
> error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal 
> error 
> 
> I'm also getting below error from broker side (ubuntu 13.04 -same machine 
> with the client) 
> 2013-11-07 12:04:22,244 | ERROR | Could not accept connection from 
> tcp://127.0.0.1:55751: javax.net.ssl.SSLException: 
> java.security.ProviderException: 
> sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID | 
> org.apache.activemq.broker.TransportConnector | ActiveMQ 
> BrokerService[localhost] Task-3 

*But now I have got these errors from the client:*
*Error occurred while accessing an OpenSSL library method:
error:0906D06C:PEM routines:PEM_read_bio:no start line
error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib*


*I use the configuration below in my CMS client:*
I also enabled SSL in ActiveMQ (installed OpenSSL and added the proper prefix to
the ActiveMQ installation).
 activemq::library::ActiveMQCPP::initializeLibrary();
 decaf::lang::System::setProperty("decaf.net.ssl.keyStore", "/pathToPem/Client.pem");
 decaf::lang::System::setProperty("decaf.net.ssl.keyStorePassword", "123456");
 decaf::lang::System::setProperty("decaf.net.ssl.trustStore", "/pathToPem/Broker.pem");
 url = "ssl://localhost:61617";

On the broker side I have done the configurations below:
*in activemq.xml:*

    <sslContext>
        <sslContext
            keyStore="broker.ks" keyStorePassword="123456" 
            trustStore="client.ks" trustStorePassword="123456"/>
    </sslContext>
    <transportConnectors>
         <transportConnector name="ssl" uri="ssl://localhost:61617?needClientAuth=true" />
         <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireformat.maxFrameSize=104857600"/>
         <transportConnector name="amqp" uri="amqp://0.0.0.0:5672?maximumConnections=1000&amp;wireformat.maxFrameSize=104857600"/>
    </transportConnectors>

*I also export the SSL_OPTS environment parameter before starting the
broker:*
$ export SSL_OPTS="-Djavax.net.ssl.keyStore=/pathTobrokerks/broker.ks -Djavax.net.ssl.keyStorePassword=123456 -Djavax.net.ssl.trustStore=/pathTobrokerts/broker.ts"

Below are the commands for generating the keystores and certificates:
$ keytool -genkey -alias broker -keyalg RSA -keystore broker.ks
$ keytool -export -alias broker -keystore broker.ks -file broker_cert
$ keytool -genkey -alias client -keyalg RSA -keystore client.ks
$ keytool -import -alias broker -keystore client.ts -file broker_cert
$ keytool -export -alias client -keystore client.ks -file client_cert
$ keytool -import -alias client -keystore broker.ts -file client_cert

*I have converted the cert files to PEM files using the commands below:*
$ keytool -importkeystore -srckeystore broker.ks -destkeystore broker_cert.p12 -srcstoretype jks -deststoretype pkcs12
$ openssl pkcs12 -in broker_cert.p12 -out Broker.pem
$ keytool -importkeystore -srckeystore client.ks -destkeystore client_cert.p12 -srcstoretype jks -deststoretype pkcs12
$ openssl pkcs12 -in client_cert.p12 -out Client.pem

Is there anything that I missed, or a wrong configuration on the client or broker
side?

Thanks a lot.




 



--
View this message in context: http://activemq.2283324.n4.nabble.com/setting-up-c-client-app-using-CMS-using-SSL-client-certificate-auth-tp4664686p4674024.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by Timothy Bish <ta...@gmail.com>.
On 11/07/2013 05:13 AM, darkrwe wrote:
> Hello guys,
>
> I have same problem too.
>
> I'm getting below error on the client side (ubuntu 13.04 -same machine with
> the client)
> Error occurred while accessing an OpenSSL library method:
> error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal
> error
>
> I'm also getting below error from broker side (ubuntu 13.04 -same machine
> with the client)
> 2013-11-07 12:04:22,244 | ERROR | Could not accept connection from
> tcp://127.0.0.1:55751: javax.net.ssl.SSLException:
> java.security.ProviderException:
> sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID |
> org.apache.activemq.broker.TransportConnector | ActiveMQ
> BrokerService[localhost] Task-3
>
> I could not figure out how to enabled ssl debug mode ? Can you help me about
> execution below command?
> -Djava.net.debug=ssl

You need to add this to the ACTIVEMQ_OPTS env var or modify your script 
that starts the broker to add this to the command line.

>
> and how you solve this problem guys ?
>
> Thank you.
>
>
>
> --
> View this message in context: http://activemq.2283324.n4.nabble.com/setting-up-c-client-app-using-CMS-using-SSL-client-certificate-auth-tp4664686p4673995.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>


-- 
Tim Bish
Sr Software Engineer | RedHat Inc.
tim.bish@redhat.com | www.fusesource.com | www.redhat.com
skype: tabish121 | twitter: @tabish121
blog: http://timbish.blogspot.com/


Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by darkrwe <em...@gmail.com>.
Hello guys,

I have the same problem too.

I'm getting the error below on the client side (ubuntu 13.04 -same machine with
the client)
Error occurred while accessing an OpenSSL library method:
error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal
error

I'm also getting the error below from the broker side (ubuntu 13.04 -same machine
with the client)
2013-11-07 12:04:22,244 | ERROR | Could not accept connection from
tcp://127.0.0.1:55751: javax.net.ssl.SSLException:
java.security.ProviderException:
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID |
org.apache.activemq.broker.TransportConnector | ActiveMQ
BrokerService[localhost] Task-3

I could not figure out how to enable SSL debug mode. Can you help me with
executing the command below?
-Djava.net.debug=ssl

And how did you solve this problem, guys?

Thank you.



--
View this message in context: http://activemq.2283324.n4.nabble.com/setting-up-c-client-app-using-CMS-using-SSL-client-certificate-auth-tp4664686p4673995.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by yuanbatou <ch...@gmail.com>.
Thank you for your help.

Yes, the problem should be that the broker does not support the cipher that my
client is using.

My Ubuntu's Java is OpenJDK running Java 1.6. I installed Oracle JDK7, which
has Java 1.7.

After this, ActiveMQ with SSL works.





--
View this message in context: http://activemq.2283324.n4.nabble.com/setting-up-c-client-app-using-CMS-using-SSL-client-certificate-auth-tp4664686p4671325.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by Timothy Bish <ta...@gmail.com>.
On 09/09/2013 11:03 AM, yuanbatou wrote:
> Yes, I made that mistake before. I received a message like:
>     "Server Certificate Name doesn't match the URI Host Name value."
> But I corrected this, and still get the error mentioned in the previous
> post:
>
>     client side:
>
> Error: Error occurred while accessing an OpenSSL library method:
> error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal
> error
>
>     and, server side (with "-Djava.net.debug=ssl"):
>
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> ActiveMQ BrokerService[localhost] Task-1, setSoTimeout(0) called
> ActiveMQ Transport: ssl:///192.168.209.1:8111, READ: TLSv1 Handshake, length
> = 313
> *** ClientHello, Unknown-3.3
> RandomCookie:  GMT: 1378660337 bytes = { 163, 110, 155, 37, 22, 114, 230,
> 253, 182, 199, 3, 53, 54, 148, 241, 94, 233, 246, 128, 212, 169, 90, 240,
> 106, 115, 37, 246, 86 }
> Session ID:  {}
> Cipher Suites: [Unknown 0xc0:0x30, Unknown 0xc0:0x2c, Unknown 0xc0:0x28,
> Unknown 0xc0:0x24, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, Unknown 0xc0:0x22, Unknown 0xc0:0x21,
> Unknown 0x0:0xa3, Unknown 0x0:0x9f, Unknown 0x0:0x6b, Unknown 0x0:0x6a,
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, Unknown
> 0x0:0x88, Unknown 0x0:0x87, TLS_ECDH_anon_WITH_AES_256_CBC_SHA, Unknown
> 0xc0:0x20, Unknown 0xc0:0x32, Unknown 0xc0:0x2e, Unknown 0xc0:0x2a, Unknown
> 0xc0:0x26, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, Unknown 0x0:0x9d, Unknown 0x0:0x3d,
> TLS_RSA_WITH_AES_256_CBC_SHA, Unknown 0x0:0x84,
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
> Unknown 0xc0:0x1c, Unknown 0xc0:0x1b, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
> Unknown 0xc0:0x1a, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, Unknown
> 0xc0:0x2f, Unknown 0xc0:0x2b, Unknown 0xc0:0x27, Unknown 0xc0:0x23,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
> Unknown 0xc0:0x1f, Unknown 0xc0:0x1e, Unknown 0x0:0xa2, Unknown 0x0:0x9e,
> Unknown 0x0:0x67, Unknown 0x0:0x40, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA, Unknown 0x0:0x9a, Unknown 0x0:0x99,
> Unknown 0x0:0x45, Unknown 0x0:0x44, TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
> Unknown 0xc0:0x1d, Unknown 0xc0:0x31, Unknown 0xc0:0x2d, Unknown 0xc0:0x29,
> Unknown 0xc0:0x25, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, Unknown 0x0:0x9c, Unknown 0x0:0x3c,
> TLS_RSA_WITH_AES_128_CBC_SHA, Unknown 0x0:0x96, Unknown 0x0:0x41,
> SSL_RSA_WITH_IDEA_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
> TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA,
> TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
> SSL_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
> Compression Methods:  { 1, 0 }
> Extension ec_point_formats, formats: [uncompressed,
> ansiX962_compressed_prime, ansiX962_compressed_char2]
> Extension elliptic_curves, curve names: {sect571r1, sect571k1, secp521r1,
> sect409k1, sect409r1, secp384r1, sect283k1, sect283r1, secp256k1, secp256r1,
> sect239k1, sect233k1, sect233r1, secp224k1, secp224r1, sect193r1, sect193r2,
> secp192k1, secp192r1, sect163k1, sect163r1, sect163r2, secp160k1, secp160r1,
> secp160r2}
> Unsupported extension type_35, data:
> Unsupported extension signature_algorithms, data:
> 00:20:06:01:06:02:06:03:05:01:05:02:05:03:04:01:04:02:04:03:03:01:03:02:03:03:02:01:02:02:02:03:01:01
> Unsupported extension type_15, data: 01
> ***
> ActiveMQ Transport: ssl:///192.168.209.1:8111, handling exception:
> java.security.ProviderException:
> sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
> ActiveMQ Transport: ssl:///192.168.209.1:8111, SEND TLSv1 ALERT:  fatal,
> description = internal_error
> ActiveMQ Transport: ssl:///192.168.209.1:8111, WRITE: TLSv1 Alert, length =
> 2
> ActiveMQ Transport: ssl:///192.168.209.1:8111, called closeSocket()
>   WARN | Transport Connection to: tcp://192.168.209.1:8111 failed:
> javax.net.ssl.SSLException: java.security.ProviderException:
> sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
> ActiveMQ Task-1, called close()
> ActiveMQ Task-1, called closeInternal(true)
> ERROR | Could not accept connection from tcp://192.168.209.1:8111:
> javax.net.ssl.SSLException: Connection has been shutdown:
> javax.net.ssl.SSLException: java.security.ProviderException:
> sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
>
> Is it because the SSL prototype or implementation in ActiveMQ is
> different for Windows and Ubuntu? As can be seen from the error log, it
> seems that the server cannot recognise the handshake message sent from the client.
>
>
>
>
>
> --
> View this message in context: http://activemq.2283324.n4.nabble.com/setting-up-c-client-app-using-CMS-using-SSL-client-certificate-auth-tp4664686p4671303.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>
Probably need to ensure that the cipher suites enabled on the VM match 
those on your Ubuntu machine, could be one is using a different JVM.  
There are some changes in 1.7 that cause some troubles.

-- 
Tim Bish
Sr Software Engineer | RedHat Inc.
tim.bish@redhat.com | www.fusesource.com | www.redhat.com
skype: tabish121 | twitter: @tabish121
blog: http://timbish.blogspot.com/


Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by yuanbatou <ch...@gmail.com>.
Yes, I made that mistake before. I received a message like:
   "Server Certificate Name doesn't match the URI Host Name value."
But I corrected this, and still get the error mentioned in the previous
post:

   client side:

Error: Error occurred while accessing an OpenSSL library method:
error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal
error 

   and, server side (with "-Djava.net.debug=ssl"):

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
ActiveMQ BrokerService[localhost] Task-1, setSoTimeout(0) called
ActiveMQ Transport: ssl:///192.168.209.1:8111, READ: TLSv1 Handshake, length
= 313
*** ClientHello, Unknown-3.3
RandomCookie:  GMT: 1378660337 bytes = { 163, 110, 155, 37, 22, 114, 230,
253, 182, 199, 3, 53, 54, 148, 241, 94, 233, 246, 128, 212, 169, 90, 240,
106, 115, 37, 246, 86 }
Session ID:  {}
Cipher Suites: [Unknown 0xc0:0x30, Unknown 0xc0:0x2c, Unknown 0xc0:0x28,
Unknown 0xc0:0x24, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, Unknown 0xc0:0x22, Unknown 0xc0:0x21,
Unknown 0x0:0xa3, Unknown 0x0:0x9f, Unknown 0x0:0x6b, Unknown 0x0:0x6a,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, Unknown
0x0:0x88, Unknown 0x0:0x87, TLS_ECDH_anon_WITH_AES_256_CBC_SHA, Unknown
0xc0:0x20, Unknown 0xc0:0x32, Unknown 0xc0:0x2e, Unknown 0xc0:0x2a, Unknown
0xc0:0x26, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, Unknown 0x0:0x9d, Unknown 0x0:0x3d,
TLS_RSA_WITH_AES_256_CBC_SHA, Unknown 0x0:0x84,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
Unknown 0xc0:0x1c, Unknown 0xc0:0x1b, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
Unknown 0xc0:0x1a, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, Unknown
0xc0:0x2f, Unknown 0xc0:0x2b, Unknown 0xc0:0x27, Unknown 0xc0:0x23,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
Unknown 0xc0:0x1f, Unknown 0xc0:0x1e, Unknown 0x0:0xa2, Unknown 0x0:0x9e,
Unknown 0x0:0x67, Unknown 0x0:0x40, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, Unknown 0x0:0x9a, Unknown 0x0:0x99,
Unknown 0x0:0x45, Unknown 0x0:0x44, TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
Unknown 0xc0:0x1d, Unknown 0xc0:0x31, Unknown 0xc0:0x2d, Unknown 0xc0:0x29,
Unknown 0xc0:0x25, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, Unknown 0x0:0x9c, Unknown 0x0:0x3c,
TLS_RSA_WITH_AES_128_CBC_SHA, Unknown 0x0:0x96, Unknown 0x0:0x41,
SSL_RSA_WITH_IDEA_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 1, 0 }
Extension ec_point_formats, formats: [uncompressed,
ansiX962_compressed_prime, ansiX962_compressed_char2]
Extension elliptic_curves, curve names: {sect571r1, sect571k1, secp521r1,
sect409k1, sect409r1, secp384r1, sect283k1, sect283r1, secp256k1, secp256r1,
sect239k1, sect233k1, sect233r1, secp224k1, secp224r1, sect193r1, sect193r2,
secp192k1, secp192r1, sect163k1, sect163r1, sect163r2, secp160k1, secp160r1,
secp160r2}
Unsupported extension type_35, data:
Unsupported extension signature_algorithms, data:
00:20:06:01:06:02:06:03:05:01:05:02:05:03:04:01:04:02:04:03:03:01:03:02:03:03:02:01:02:02:02:03:01:01
Unsupported extension type_15, data: 01
***
ActiveMQ Transport: ssl:///192.168.209.1:8111, handling exception:
java.security.ProviderException:
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
ActiveMQ Transport: ssl:///192.168.209.1:8111, SEND TLSv1 ALERT:  fatal,
description = internal_error
ActiveMQ Transport: ssl:///192.168.209.1:8111, WRITE: TLSv1 Alert, length =
2
ActiveMQ Transport: ssl:///192.168.209.1:8111, called closeSocket()
 WARN | Transport Connection to: tcp://192.168.209.1:8111 failed:
javax.net.ssl.SSLException: java.security.ProviderException:
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
ActiveMQ Task-1, called close()
ActiveMQ Task-1, called closeInternal(true)
ERROR | Could not accept connection from tcp://192.168.209.1:8111:
javax.net.ssl.SSLException: Connection has been shutdown:
javax.net.ssl.SSLException: java.security.ProviderException:
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID 

Is it because the SSL prototype or implementation in ActiveMQ is
different for Windows and Ubuntu? As can be seen from the error log, it
seems that the server cannot recognise the handshake message sent from the client.






Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by Timothy Bish <ta...@gmail.com>.
On 09/09/2013 07:37 AM, yuanbatou wrote:
> Now it passes the test when both my ActiveMQ broker and client are on the same
> Windows PC.
> But it fails if I put the broker on my Ubuntu virtual machine.
>
>
>
>
One thing that could be happening is that you are using a different host 
name in the URI when connecting to the Broker on the VM which doesn't 
match the common name field in the Certificate you have created.

-- 
Tim Bish
Sr Software Engineer | RedHat Inc.
tim.bish@redhat.com | www.fusesource.com | www.redhat.com
skype: tabish121 | twitter: @tabish121
blog: http://timbish.blogspot.com/


Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by yuanbatou <ch...@gmail.com>.
Now it passes the test when both my ActiveMQ broker and client are on the same
Windows PC.
But it fails if I put the broker on my Ubuntu virtual machine.




Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by Timothy Bish <ta...@gmail.com>.
On 09/07/2013 08:00 AM, yuanbatou wrote:
> Thank you very much for your reply.
>
> I exported a certificate from the broker's keystore and converted it to PEM
> format using the following commands:
>
>      $ keytool -importkeystore -srckeystore broker.ks -destkeystore broker_cert.p12 -srcstoretype jks -deststoretype pkcs12
>      $ openssl pkcs12 -in broker_cert.p12 -out client_ts.pem
>
> and used client_ts.pem on the client side as the trust store; the code is
> something like:
>
>      decaf::lang::System::setProperty( "decaf.net.ssl.trustStore", "client_ts.pem" );
>
> but when I tried to connect to the broker, I received this error on the client
> side:
>
>      Error: Error occurred while accessing an OpenSSL library method:
>      error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
>
> The following message showed up in the ActiveMQ broker's log:
>
>      2013-09-07 04:43:43,080 | ERROR | Could not accept connection from tcp://192.168.209.1:22616: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[test_all_interface] Task-3
>
> Does this mean that my PEM file is still wrong?
>
>
>
>
One of the first things to do is to enable the Java SSL debug mode on 
the broker side and see what is going on.

-Djavax.net.debug=ssl

-- 
Tim Bish
Sr Software Engineer | RedHat Inc.
tim.bish@redhat.com | www.fusesource.com | www.redhat.com
skype: tabish121 | twitter: @tabish121
blog: http://timbish.blogspot.com/


Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by yuanbatou <ch...@gmail.com>.
Thank you very much for your reply.

I exported a certificate from the broker's keystore and converted it to PEM
format using the following commands:

    $ keytool -importkeystore -srckeystore broker.ks -destkeystore broker_cert.p12 -srcstoretype jks -deststoretype pkcs12
    $ openssl pkcs12 -in broker_cert.p12 -out client_ts.pem

and used client_ts.pem on the client side as the trust store; the code is
something like:

    decaf::lang::System::setProperty( "decaf.net.ssl.trustStore", "client_ts.pem" );

but when I tried to connect to the broker, I received this error on the client
side:

    Error: Error occurred while accessing an OpenSSL library method:
    error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

The following message showed up in the ActiveMQ broker's log:

    2013-09-07 04:43:43,080 | ERROR | Could not accept connection from tcp://192.168.209.1:22616: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[test_all_interface] Task-3

Does this mean that my PEM file is still wrong?



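Added example (not part of the original posts): "openssl pkcs12 -in broker_cert.p12 -out client_ts.pem" run without -nokeys writes the broker's private key into the PEM along with its certificate, so the file given to decaf.net.ssl.trustStore should be audited before it is copied to clients. The function names and the sample files mixed.pem and certonly.pem are assumptions made for this sketch, and the sample PEM bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit a PEM file before handing it to CMS clients as
# decaf.net.ssl.trustStore. A trust store needs certificates only.

count_keys()  { grep -c -E '^-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' "$1" || true; }
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true; }

check_truststore() {   # $1 = PEM file; returns 0 only for a certificate-only file
    [ -r "$1" ] || { echo "FAIL: cannot read $1"; return 1; }
    keys=$(count_keys "$1"); certs=$(count_certs "$1")
    if [ "$keys" -gt 0 ]; then
        echo "FAIL: $1 holds $keys private key block(s); re-export with -nokeys"
        return 1
    fi
    if [ "$certs" -eq 0 ]; then
        echo "FAIL: $1 holds no certificate"
        return 1
    fi
    echo "OK: $1 holds $certs certificate(s) and no private key"
}

# Certificate-only export from the PKCS#12 file created in the post.
export_trust_pem() {   # $1 = broker_cert.p12, $2 = client_ts.pem
    openssl pkcs12 -in "$1" -nokeys -out "$2"
}

# Constructed sample (placeholder bodies, not real key material), shaped like
# the output of "openssl pkcs12 -in X -out Y" run without -nokeys.
write_sample_pems() {  # $1 = existing directory
    cat > "$1/mixed.pem" <<'EOF'
Bag Attributes
    friendlyName: broker
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: broker
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
EOF
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' \
        "$1/mixed.pem" > "$1/certonly.pem"
}

if [ "$#" -gt 0 ]; then check_truststore "$1"; fi
```

Run it as "sh check_pem.sh client_ts.pem" (script name is hypothetical); a FAIL on private key blocks means the broker key has left the broker and the PEM should be regenerated with export_trust_pem.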

Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by Timothy Bish <ta...@gmail.com>.
On 09/05/2013 04:21 AM, yuanbatou wrote:
> Hi Tabish,
>
> Thank you for your reply. I know very little about ssl and security.
>
> I have followed the instructions on this page
> http://activemq.apache.org/how-do-i-use-ssl.html.
>
> And now I have:  the broker.ks, broker_cert, client.ts, client.ks
>
> Is there a step by step guide on how to use XCA to produce
> ClientTrustStoreInPemFormat and ClientKeyStoreInPemFormat?
>
> Best Regards,
>
> Cheng Yuan
>
>
>
>
Once you have a Certificate in your XCA database you simply export it in 
PEM format.

-- 
Tim Bish
Sr Software Engineer | RedHat Inc.
tim.bish@redhat.com | www.fusesource.com | www.redhat.com
skype: tabish121 | twitter: @tabish121
blog: http://timbish.blogspot.com/


Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by yuanbatou <ch...@gmail.com>.
Hi Tabish,

Thank you for your reply. I know very little about ssl and security. 

I have followed the instructions on this page
http://activemq.apache.org/how-do-i-use-ssl.html.

And now I have:  the broker.ks, broker_cert, client.ts, client.ks

Is there a step by step guide on how to use XCA to produce
ClientTrustStoreInPemFormat and ClientKeyStoreInPemFormat?

Best Regards,

Cheng Yuan




Re: setting up c++ client app using CMS using SSL client certificate auth

Posted by Timothy Bish <ta...@gmail.com>.
On 08/23/2013 09:41 AM, yuanbatou wrote:
> Hi, mikmela,
>
> I am also developing a client app using CMS. But I am new to activeMQ and
> ssl.
>
> So could you explain to me how do you produce the following things?
>
> ClientTrustStoreInPemFormat
> ClientKeyStoreInPemFormat
>
> Thank you in advance.
>
> Best Regards,
>
> Yuan
>
>
>
>
>
Use a tool like XCA to manage your key stores and export the keys in 
various formats.
http://sourceforge.net/projects/xca/

-- 
Tim Bish
Sr Software Engineer | RedHat Inc.
tim.bish@redhat.com | www.fusesource.com | www.redhat.com
skype: tabish121 | twitter: @tabish121
blog: http://timbish.blogspot.com/