Posted to users@activemq.apache.org by soody <at...@gmail.com> on 2009/03/27 14:04:48 UTC

Re: Alternatives for deprecated setKeyAndTrustManagers in ActiveMQSSLConnectionFactory

Thanks Gary for the suggestions.

I was able to get working code. Sharing it for review as well as for
others.


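import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.jms.ConnectionFactory;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.activemq.broker.SslContext;

// --- inside the client's setup method ---
ConnectionFactory factory = (ConnectionFactory) ctx.lookup(FACTORY_NAME);
System.out.println("Lookup successful " + factory.toString());
// Verbose JSSE handshake tracing, for troubleshooting only
System.setProperty("javax.net.debug", "ssl,handshake,data,trustmanager");
try {
    TrustManager[] tms = getTrustManagers();
    KeyManager[] kms = getKeyManagers();

    SSLContext context = SSLContext.getInstance("SSL");
    context.init(kms, tms, null);

    // Wrap the JSSE context in ActiveMQ's holder and make it the
    // current context for this thread
    SslContext ctxt = new SslContext();
    ctxt.setSSLContext(context);
    SslContext.setCurrentSslContext(ctxt);
} catch (GeneralSecurityException e) {
    // Covers NoSuchAlgorithmException, KeyManagementException and key store errors
    e.printStackTrace();
} catch (IOException e) {
    // The key store or trust store file could not be read
    e.printStackTrace();
}

// --- helper methods of the same class ---
private static TrustManager[] getTrustManagers()
        throws IOException, GeneralSecurityException {
    // First, get the default TrustManagerFactory.
    String alg = TrustManagerFactory.getDefaultAlgorithm();
    TrustManagerFactory tmFact = TrustManagerFactory.getInstance(alg);

    // Load the trust store; close the stream even if loading fails
    KeyStore ks = KeyStore.getInstance("jks");
    FileInputStream fis = new FileInputStream("location of trust store");
    try {
        ks.load(fis, "password".toCharArray());
    } finally {
        fis.close();
    }

    tmFact.init(ks);

    // And now get the TrustManagers
    return tmFact.getTrustManagers();
}

private static KeyManager[] getKeyManagers()
        throws IOException, GeneralSecurityException {
    // First, get the default KeyManagerFactory.
    String alg = KeyManagerFactory.getDefaultAlgorithm();
    KeyManagerFactory kmFact = KeyManagerFactory.getInstance(alg);

    // Load the key store; close the stream even if loading fails
    KeyStore ks = KeyStore.getInstance("jks");
    FileInputStream fis = new FileInputStream("location of key store");
    try {
        ks.load(fis, "password".toCharArray());
    } finally {
        fis.close();
    }

    // Now we initialise the KeyManagerFactory with this KeyStore
    kmFact.init(ks, "password".toCharArray());

    // And now get the KeyManagers
    return kmFact.getKeyManagers();
}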



Thanks again for the help.



Gary Tully wrote:
> 
> Just looked at SslTransportFactory.setKeyAndTrustManagers again, it makes
> sense to deprecate because this api used to set the sslcontext for the
> factory. It is now changed in line with the use of thread local but the api
> for setting the thread local is SSLContext.setCurrentContext.
> 
> So the behavior has changed to keep it in line with the use of a thread
> local but the intention of setting a context on the factory is deprecated.
> I added a @see reference to SSLContext.
> 
> 
> 2009/3/26 Gary Tully <ga...@gmail.com>
> 
>> An ActiveMQ ssl client is just like another java application that wants to
>> use ssl. Configuration is through JSSE.
>> The ActiveMQ SSLContext is just a thread specific holder for a regular
>> SSLContext, if no context is specified the platform default (from JSSE) will
>> be used. The thread specific nature allows different credentials to be used
>> in the same JVM. If individual contexts are not required, then configure
>> JSSE at the JVM level and ActiveMQ will pick up the default socket factory
>> and work with it.
>>
>> So you are on the right track, if you want to programmatically specify the
>> JSSE credentials and stores, pass the arguments to an instance of
>> SSLContext.
>>
>> If you want to remain JMS agnostic, then you should stick to the raw JSSE
>> apis.
>>
>> What restrictions does: "as ours is an enterprise application." imply?
>>
>> And that deprecation of setKeyAndTrustManagers, I will remove that as it is
>> a handy method and it no longer sets up shared credentials, it just sets a
>> current context using the thread local.
>> The alternative is to construct an ActiveMQ SSLContext wrapper and use its
>> setters and call getSSLContext or just use raw JSSE SSLContext.
>>
>>
>> 2009/3/26 soody <at...@gmail.com>
>>
>>
>>> We want to use SSL in our client that will be sending messages to ActiveMQ.
>>> But we can't set the trust stores and key stores using System.setProperty(),
>>> as ours is an enterprise application.
>>>
>>> Are there any ways that I can set the trust and key stores, basically the
>>> SSLContext. Currently what we are thinking is that we will be using the
>>> SSLContext.setCurrentSslContext(<will create a context using JSSE and dump
>>> it here>).
>>>
>>> Is there any better approach. Also will be great if we can get anything more
>>> pluggable, something that we can use across multiple JMS providers.
>>>
>>> Also why is the method setKeyAndTrustManagers marked as deprecated and what
>>> is the workaround for the same.
>>> --
>>> View this message in context:
>>> http://www.nabble.com/Alternatives-for-deprecated-setKeyAndTrustManagers-in-ActiveMQSSLConnectionFactory-tp22724170p22724170.html
>>> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>>>
>>>
>>
>>
>> --
>> http://blog.garytully.com
>>
>> Open Source SOA
>> http://FUSESource.com
>>

-- 
View this message in context: http://www.nabble.com/Alternatives-for-deprecated-setKeyAndTrustManagers-in-ActiveMQSSLConnectionFactory-tp22724170p22741202.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
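
Added example (not part of the original thread and not ActiveMQ project code): because the ActiveMQ SslContext discussed above is a thread-local holder, this sketch installs the context only while the connection is created and then restores whatever the thread had before, so a pooled thread does not keep one caller's credentials. The class ScopedSslConnector and its method names are hypothetical; it assumes the transport is created on the calling thread inside createConnection(), and it requests the "TLS" protocol name rather than the "SSL" name used in the post.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.activemq.broker.SslContext;

public final class ScopedSslConnector {

    // Load a JKS store; path and password come from the caller's own configuration.
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Plain JSSE, no ActiveMQ types: reusable with any JMS provider.
    static SSLContext buildContext(KeyStore keys, char[] keyPassword, KeyStore trust)
            throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPassword);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext jsse = SSLContext.getInstance("TLS");
        jsse.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return jsse;
    }

    // Install the context for this thread only while connecting, then restore.
    static Connection connect(ConnectionFactory factory, SSLContext jsse) throws Exception {
        SslContext previous = SslContext.getCurrentSslContext();
        SslContext wrapper = new SslContext();
        wrapper.setSSLContext(jsse);
        SslContext.setCurrentSslContext(wrapper);
        try {
            return factory.createConnection();
        } finally {
            // Restore even on failure so later work on this thread
            // does not inherit these credentials.
            SslContext.setCurrentSslContext(previous);
        }
    }
}
```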