Posted to users@camel.apache.org by huntc <hu...@mac.com> on 2009/03/13 06:46:19 UTC

Mutual SSL authentication with Camel applications

Hi there,

I'm trying to establish a mutual ssl based jms connection with my ActiveMQ
broker via a Camel application. My question is how do I let my Camel
application know about the certificate it must serve up to the broker? Is
there a Camel specific setting or is this some general Java/JAAS setting?

Here is the broker URL my Camel client uses:

failover:(ssl://localhost:61617)?maxReconnectAttempts=-1

Here is the URL that my broker uses to establish the SSL transport:

<transportConnector name="ssl"
uri="ssl://localhost:61617?needClientAuth=true" />

I have generated a certificate on the machine the Camel application is
running on and installed this in my ${JAVA_HOME}/lib/security/cacerts
keystore. This same cert is installed on my broker's truststore.

The broker's certificate has been generated and installed in the broker's
keystore. In addition the broker's certificate has been installed on my
client's trust store (also the ${JAVA_HOME}/lib/security/cacerts keystore).

I have managed to get server authentication using SSL working, but not
mutual authentication.

Thank you for your help as this is my first effort with mutual
authentication.

Kind regards,
Christopher
-- 
View this message in context: http://www.nabble.com/Mutual-SSL-authentication-with-Camel-applications-tp22490614p22490614.html
Sent from the Camel - Users (activemq) mailing list archive at Nabble.com.


Re: Mutual SSL authentication with Camel applications

Posted by Claus Ibsen <cl...@gmail.com>.
On Tue, Mar 17, 2009 at 1:56 PM, huntc <hu...@mac.com> wrote:
>
> Here's the promised blog entry:
>
> http://christopherhunt-software.blogspot.com/2009/03/mutual-ssl-authentication-and-ldap.html
Hi

Thanks a lot for sharing this with us. It's been noticed by the AMQ committers.


-- 
Claus Ibsen
Apache Camel Committer

Open Source Integration: http://fusesource.com
Blog: http://davsclaus.blogspot.com/

Re: Mutual SSL authentication with Camel applications

Posted by huntc <hu...@mac.com>.
Here's the promised blog entry:

http://christopherhunt-software.blogspot.com/2009/03/mutual-ssl-authentication-and-ldap.html



Re: Mutual SSL authentication with Camel applications

Posted by Claus Ibsen <cl...@gmail.com>.
On Tue, Mar 17, 2009 at 9:56 AM, huntc <hu...@mac.com> wrote:
>
> Hi Claus,
>
> Thanks for your reply. I forgot that I made this posting otherwise I would
> have sent through an update.
>
> I did post to the AMQ forum and then discovered for myself what the problem
> was - the Java client consuming the services needed authenticated access to
> its keystore.
>
> I'm going to write a blog entry on securing AMQ very shortly as it is a
> thinly covered topic which I think I now have experienced quite well.
Cool. Looking forward to reading it.

>
> Kind regards,
> Christopher

Re: Mutual SSL authentication with Camel applications

Posted by huntc <hu...@mac.com>.
Hi Claus,

Thanks for your reply. I forgot that I made this posting otherwise I would
have sent through an update.

I did post to the AMQ forum and then discovered for myself what the problem
was - the Java client consuming the services needed authenticated access to
its keystore.

I'm going to write a blog entry on securing AMQ very shortly as it is a
thinly covered topic which I think I now have experienced pretty well.

Kind regards,
Christopher


Re: Mutual SSL authentication with Camel applications

Posted by Claus Ibsen <cl...@gmail.com>.
Hi

Have you tried the AMQ forum to see if there is a solution that works
with AMQ only?
Then we know it's possible and can see if there is something needed to
be changed in camel-jms or maybe in the activemq-camel component that
is shipped with AMQ itself.



On Fri, Mar 13, 2009 at 7:39 AM, huntc <hu...@mac.com> wrote:
>
> By the way, here are some of the things I'm observing when attempting mutual
> authentication:
>
> 1. Wireshark shows:
> Client Hello
> Server Hello, Certificate, Certificate Request, Server Hello Done
> Certificate, Client Key Exchange
> Alert (Level: Fatal, Description: Bad Certificate)
>
> If I look at the Certificate, Client Key Exchange in detail I see in the
> Handshake Protocol: Certificate that the Certificates Length is 0.
>
> 2. ActiveMQ shows in its log:
> ERROR TransportConnector             - Could not accept connection : null
> cert chain
>
> I'm presuming that this is because the client has not passed its
> certificate.
>
> I hope that these are useful observations.

Re: Mutual SSL authentication with Camel applications

Posted by huntc <hu...@mac.com>.
By the way, here are some of the things I'm observing when attempting mutual
authentication:

1. Wireshark shows:
Client Hello
Server Hello, Certificate, Certificate Request, Server Hello Done
Certificate, Client Key Exchange
Alert (Level: Fatal, Description: Bad Certificate)

If I look at the Certificate, Client Key Exchange in detail I see in the
Handshake Protocol: Certificate that the Certificates Length is 0.

2. ActiveMQ shows in its log:
ERROR TransportConnector             - Could not accept connection : null
cert chain

I'm presuming that this is because the client has not passed its
certificate.

I hope that these are useful observations.
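An added example (not code from this thread nor from the Camel or ActiveMQ projects) of the client-side set-up the original question asks about, including the keystore check that the resolution ("authenticated access to its keystore") and the zero-length Certificate message observed in Wireshark both point at. The file paths, passwords and the class name are assumed placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import org.apache.activemq.ActiveMQConnectionFactory;

/** Mutual-TLS client set-up for a JMS/Camel client talking to an ActiveMQ ssl://
 *  transport with needClientAuth=true. Paths and passwords are assumed placeholders. */
public class MutualSslClient {
    // Must hold the client's PRIVATE KEY entry plus its cert chain; a store holding only
    // the certificate (a truststore such as cacerts) cannot authenticate the client.
    static final String KEYSTORE = "/path/to/client-keystore.jks";
    // The default SunX509 KeyManager unlocks the key entry with the store password,
    // so the key entry password has to be the same as this one.
    static final String KEYSTORE_PASSWORD = "changeit";
    static final String TRUSTSTORE = "/path/to/client-truststore.jks"; // holds the broker's cert
    static final String TRUSTSTORE_PASSWORD = "changeit";

    /** Pre-flight: can the private key and chain be recovered with the password we will
     *  give JSSE? If not, the key manager offers nothing, the client sends a Certificate
     *  message of length 0 and the broker logs "null cert chain". */
    static boolean hasUsableKeyEntry(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;
            Certificate[] chain = ks.getCertificateChain(alias);
            // getKey throws UnrecoverableKeyException when the entry password is wrong
            return ks.getKey(alias, password) != null && chain != null && chain.length > 0;
        }
        return false; // no key entry at all: only certificates in this store
    }

    public static void main(String[] args) throws Exception {
        if (!hasUsableKeyEntry(KEYSTORE, KEYSTORE_PASSWORD.toCharArray())) {
            throw new IllegalStateException("no usable private key entry in " + KEYSTORE);
        }
        // JSSE defaults picked up by ActiveMQ's ssl:// transport; set before the first connection
        System.setProperty("javax.net.ssl.keyStore", KEYSTORE);
        System.setProperty("javax.net.ssl.keyStorePassword", KEYSTORE_PASSWORD);
        System.setProperty("javax.net.ssl.trustStore", TRUSTSTORE);
        System.setProperty("javax.net.ssl.trustStorePassword", TRUSTSTORE_PASSWORD);
        ActiveMQConnectionFactory cf = new ActiveMQConnectionFactory(
                "failover:(ssl://localhost:61617)?maxReconnectAttempts=-1");
        cf.createConnection().start(); // handshake now carries the client certificate
    }
}
```

The same four javax.net.ssl properties can be passed as -D options on the JVM command line instead of being set in code; the pre-flight check is what tells a misplaced certificate (no private key) apart from a wrong password before the broker's "null cert chain" error does.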