Posted to users@activemq.apache.org by huntc <hu...@mac.com> on 2009/03/14 11:29:25 UTC

CertificateLoginModule does not appear to receive certificates

Hi there,

I have a v.5.1.0 client/broker scenario with mutual SSL authentication
occurring. The certificates are exchanged and a connection is established
successfully.

I have subclassed ActiveMQ's CertificateLoginModule class and configured the
broker to use it for authentication. The class is very simple at present and
just logs the subject DNs of each client certificate presented.

Unfortunately, despite successful SSL authentication, my login module cannot
see any certificates. It reports "No client certificates received". Should
there not be a client certificate?

Here is my login module's source:


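import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;

import javax.security.auth.login.LoginException;

import org.apache.activemq.jaas.CertificateLoginModule;
import org.apache.log4j.Logger; // log4j 1.x API (getLogger/warn/isDebugEnabled)

public class CertificateLoginJNDIGroupModule extends CertificateLoginModule
{

  Logger logger = Logger.getLogger(CertificateLoginJNDIGroupModule.class);

  // Every authenticated user is placed in the same two fixed groups.
  @Override
  protected Set<String> getUserGroups(String distinguishedName)
      throws LoginException {
    Set<String> groups = new HashSet<String>(2);
    groups.add("activemq-users");
    groups.add("jms-services");
    return groups;
  }

  // Logs what the callback handler supplied, then uses the subject DN as the user name.
  @Override
  protected String getUserNameForCertificates(X509Certificate[] certs)
      throws LoginException {
    if (certs == null) {
      // Reached when the callback handler did not supply a certificate chain.
      logger.warn("No client certificates received");
    } else if (logger.isDebugEnabled()) {
      for (X509Certificate cert : certs) {
        logger.debug("Client cert received: " + cert.toString());
      }
    }
    return getDistinguishedName(certs);
  }
}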


Thank you for any help.

Kind regards,
Christopher
-- 
View this message in context: http://www.nabble.com/CertificateLoginModule-does-not-appear-to-receive-certificates-tp22511235p22511235.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: CertificateLoginModule does not appear to receive certificates

Posted by huntc <hu...@mac.com>.
It appears that I have to force AMQ to have its JAAS login module use a
JAASCertificateCallbackHandler; at least that's my inference.

Anyhow, when I used the following in my activemq.xml:

<jaasCertificateAuthenticationPlugin configuration="activemq-domain" />

...things worked, i.e. I can see the client cert.

Note the difference between "jaasCertificateAuthenticationPlugin" and
"jaasAuthenticationPlugin". Quite subtle.

I think that getting mutual SSL authentication working with AMQ has been a
challenge and lacks the documentation it needs. Once I complete my LDAP
authorisation using certificate authentication project I shall blog about it
all and supply details on how to set it up. I think that this is worth doing
as enterprise scenarios really demand mutual authentication and LDAP
authorisation.
-- 
View this message in context: http://www.nabble.com/CertificateLoginModule-does-not-appear-to-receive-certificates-tp22511235p22529387.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
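
Added example, not part of the original posts and not ActiveMQ's own code: a self-contained sketch of the JAAS callback mechanism behind the poster's inference, showing that a login module only sees a certificate chain if the callback handler it is given fills in the certificate callback. CertChainCallback, CredentialHandler and CertificateHandler are hypothetical stand-ins, and the premise that the plain JAAS plugin supplies a credential-only handler is an assumption taken from the post.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;

public class CallbackHandlerDemo {

    // Stand-in for the callback a certificate login module hands to its handler.
    // A real one carries X509Certificate[]; subject DNs as strings keep this offline.
    static class CertChainCallback implements Callback {
        String[] subjectDns; // stays null unless a handler fills it in
    }

    // Stand-in for a username/password handler: it answers name and password
    // callbacks and silently skips any callback type it does not know.
    static class CredentialHandler implements CallbackHandler {
        public void handle(Callback[] callbacks) {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("guest");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(new char[0]);
            }
        }
    }

    // Stand-in for a certificate-aware handler: it copies the peer chain taken
    // from the TLS session into the callback.
    static class CertificateHandler implements CallbackHandler {
        private final String[] peerChain;
        CertificateHandler(String[] peerChain) { this.peerChain = peerChain; }
        public void handle(Callback[] callbacks) {
            for (Callback cb : callbacks) {
                if (cb instanceof CertChainCallback) ((CertChainCallback) cb).subjectDns = peerChain;
            }
        }
    }

    // What a login module's login() does: ask the handler for the chain, then read it.
    static String[] requestChain(CallbackHandler handler) throws Exception {
        CertChainCallback cb = new CertChainCallback();
        handler.handle(new Callback[] { cb });
        return cb.subjectDns;
    }

    public static void main(String[] args) throws Exception {
        String[] chain = { "CN=client, OU=constructed, O=example" }; // constructed sample
        String[] seen = requestChain(new CredentialHandler());
        System.out.println("credential handler:  " + (seen == null ? "no certificates" : seen[0]));
        System.out.println("certificate handler: " + requestChain(new CertificateHandler(chain))[0]);
    }
}
```

The TLS handshake succeeds in both cases; only the handler differs, which is why the module can report no certificates on a mutually authenticated connection.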