Posted to users@activemq.apache.org by huntc <hu...@mac.com> on 2009/03/10 06:21:45 UTC

Mac OS X Active MQ SSL

Hi there,

Has anyone got special advice with regards to configuring ActiveMQ clients
needing to use SSL? I've read and followed the instructions at:

http://activemq.apache.org/how-do-i-use-ssl.html

... but I'm continuing to get:

ERROR TransportConnector             - Could not accept connection : Received fatal alert: internal_error

which I believe means that the client does not trust the broker. While I
followed the instructions I also tried:

-Djavax.net.ssl.trustStore=file:///{path}/client.ts
-Djavax.net.ssl.trustStorePassword=password

I'm having to use the above file convention because there is a space in my
path. I'm presuming that isn't my issue as I have also located the required
files in the root folder and got the same outcome.

I'm pretty sure that my broker is configured ok given that I can openssl
s_client to it just fine.

Thanks in advance for any help.

Kind regards,
Christopher
-- 
View this message in context: http://www.nabble.com/Mac-OS-X-Active-MQ-SSL-tp22428287p22428287.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.


Re: Mac OS X Active MQ SSL

Posted by Gary Tully <ga...@gmail.com>.
Thanks for the heads up, I added a little info about the dummy key stores.


2009/3/10 huntc <hu...@mac.com>

>
> It appears that my problem was due to the cert and keystores supplied with my
> 5.1.0 installation. When I generated my keystore I did not specify a CN.
> However there was a CN in the keystore with the value "localhost" from the
> installation. I guess the broker just used the first cert under the alias
> "broker" which would have been the older, and expired CN of "localhost".
>
> Removing conf/broker.ks and re-generating it along with exporting a cert
> made things work perfectly.
>
> On Mac OS X I also chose to install the cert system wide using the command:
>
> sudo keytool -import -alias broker \
>     -keystore /Library/Java/Home/lib/security/cacerts \
>     -file /Applications/apache-activemq-5.1.0/conf/broker.cert
>
> The only downside with this approach is that system upgrades could
> potentially override the certs.
>
> BTW: it'd be nice to have the ActiveMQ wiki updated in respect of SSL -
> perhaps a mention to remove the existing keystore first would be useful.
> :-)
> --
> View this message in context:
> http://www.nabble.com/Mac-OS-X-Active-MQ-SSL-tp22428287p22432178.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>
>


-- 
http://blog.garytully.com

Open Source SOA
http://FUSESource.com

Re: Mac OS X Active MQ SSL

Posted by huntc <hu...@mac.com>.
It appears that my problem was due to the cert and keystores supplied with my
5.1.0 installation. When I generated my keystore I did not specify a CN.
However there was a CN in the keystore with the value "localhost" from the
installation. I guess the broker just used the first cert under the alias
"broker" which would have been the older, and expired CN of "localhost".

Removing conf/broker.ks and re-generating it along with exporting a cert
made things work perfectly.

On Mac OS X I also chose to install the cert system wide using the command:

sudo keytool -import -alias broker \
    -keystore /Library/Java/Home/lib/security/cacerts \
    -file /Applications/apache-activemq-5.1.0/conf/broker.cert

The only downside with this approach is that system upgrades could
potentially override the certs.

BTW: it'd be nice to have the ActiveMQ wiki updated in respect of SSL -
perhaps a mention to remove the existing keystore first would be useful. :-)
-- 
View this message in context: http://www.nabble.com/Mac-OS-X-Active-MQ-SSL-tp22428287p22432178.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
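
A check for the condition this thread ends on (a stale, expired certificate left in a shipped keystore), added here as an example and not part of the original posts or of ActiveMQ. It reads `keytool -list -v` output and reports each entry's alias, CN and expiry; the function names and the sample listing are constructed for illustration, and the parser assumes keytool's English-locale date layout.

```shell
#!/bin/sh
# Reads `keytool -list -v` output on stdin and prints one line per certificate:
#   <alias> <CN> <expiry as YYYYMMDD> <OK|EXPIRED>
# $1 = "today" as YYYYMMDD (defaults to the system date).
keystore_expiry_report() {
    today="${1:-$(date +%Y%m%d)}"
    awk -v today="$today" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) month[m[i]] = i
        }
        /^Alias name: / { alias = substr($0, 13) }
        /^Owner: / {
            # Pull the CN component out of the subject DN.
            cn = "(no-CN)"
            k = split(substr($0, 8), parts, /, */)
            for (i = 1; i <= k; i++)
                if (parts[i] ~ /^CN=/) cn = substr(parts[i], 4)
        }
        /^Valid from: .* until: / {
            # Remaining text looks like: Mon Jan 21 14:59:49 GMT 2008
            sub(/^.* until: /, "")
            expiry = sprintf("%04d%02d%02d", $6, month[$2], $3)
            status = (expiry + 0 < today + 0) ? "EXPIRED" : "OK"
            print alias, cn, expiry, status
        }
    '
}

# Constructed sample listing (not taken from a real keystore): an old entry
# with CN=localhost and a regenerated one created without specifying a CN.
sample_keytool_listing() {
    cat <<'EOF'
Alias name: broker
Entry type: PrivateKeyEntry
Owner: CN=localhost, OU=broker, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Valid from: Tue Oct 23 15:59:49 BST 2007 until: Mon Jan 21 14:59:49 GMT 2008

Alias name: regenerated
Entry type: PrivateKeyEntry
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Valid from: Tue Mar 10 06:00:00 GMT 2009 until: Thu Jan 01 06:00:00 GMT 2099
EOF
}

# Against a real keystore (store password is a placeholder):
#   keytool -list -v -keystore conf/broker.ks -storepass <password> | keystore_expiry_report
sample_keytool_listing | keystore_expiry_report 20090310
```

Running the same report against the client trust store shows whether the certificate the client trusts is the one the broker is actually presenting.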