You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@activemq.apache.org by huntc <hu...@mac.com> on 2009/03/10 06:21:45 UTC
Mac OS X Active MQ SSL
Hi there,
Has anyone got special advice with regards to configuring ActiveMQ clients
needing to using SSL. I've read and followed the instructions at:
http://activemq.apache.org/how-do-i-use-ssl.html
... but I'm continuing to get:
ERROR TransportConnector - Could not accept connection :
Received fatal alert: internal_error
which I believe means that the client does not trust the broker. While I
followed the instructions I also tried:
-Djavax.net.ssl.trustStore=file:///{path}/client.ts
-Djavax.net.ssl.trustStorePassword=password
I'm having to use the above file convention because there is a space in my
path. I'm presuming that isn't my issue as I have also located the required
files in the root folder and got the same outcome.
I'm pretty sure that my broker is configured ok given that I can openssl
s_client to it just fine.
Thanks in advance for any help.
Kind regards,
Christopher
--
View this message in context: http://www.nabble.com/Mac-OS-X-Active-MQ-SSL-tp22428287p22428287.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
Re: Mac OS X Active MQ SSL
Posted by Gary Tully <ga...@gmail.com>.
thanks for the heads up, I added a little info about the dummy key stores.
2009/3/10 huntc <hu...@mac.com>
>
> It appears that my problem was due to the cert and keystores supplied with
> my
> 5.1.0 installation. When I generated my keystore I did not specify a CN.
> However there was a CN in the keystore with the value "localhost" from the
> installation. I guess the broker just used the first cert under the alias
> "broker" which would have been the older, and expired CN of "localhost".
>
> Removing conf/broker.ks and re-generating it along with exporting a cert
> made things work perfectly.
>
> On Mac OS X I also chose to install the cert system wide using the command:
>
> sudo keytool -import -alias broker -keystore
> /Library/Java/Home/lib/security/cacerts -file
> /Applications/apache-activemq-5.1.0/conf/broker.cert
>
> The only downside with this approach is that system upgrades could
> potentially override the certs.
>
> BTW: it'd be nice to have the ActiveMQ wiki updated in respect of SSL -
> perhaps a mention to remove the existing keystore first would be useful.
> :-)
> --
> View this message in context:
> http://www.nabble.com/Mac-OS-X-Active-MQ-SSL-tp22428287p22432178.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>
>
--
http://blog.garytully.com
Open Source SOA
http://FUSESource.com
Re: Mac OS X Active MQ SSL
Posted by huntc <hu...@mac.com>.
It appears that my problem was due to the cert and keystores supplied with my
5.1.0 installation. When I generated my keystore I did not specify a CN.
However there was a CN in the keystore with the value "localhost" from the
installation. I guess the broker just used the first cert under the alias
"broker" which would have been the older, and expired CN of "localhost".
Removing conf/broker.ks and re-generating it along with exporting a cert
made things work perfectly.
On Mac OS X I also chose to install the cert system wide using the command:
sudo keytool -import -alias broker -keystore
/Library/Java/Home/lib/security/cacerts -file
/Applications/apache-activemq-5.1.0/conf/broker.cert
The only downside with this approach is that system upgrades could
potentially override the certs.
BTW: it'd be nice to have the ActiveMQ wiki updated in respect of SSL -
perhaps a mention to remove the existing keystore first would be useful. :-)
--
View this message in context: http://www.nabble.com/Mac-OS-X-Active-MQ-SSL-tp22428287p22432178.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.