Posted to users@qpid.apache.org by Cyril Micoud <CM...@vitechnology.com> on 2019/03/27 17:26:46 UTC

[Broker-J] How to configure HTTPS

Hi all,

I would like to enable HTTPS on my broker, but I don't know how!?
I have added a new dedicated port, an authentication provider, a key store and a trust store, but without any success!

Can one of you help me or give me the best way to configure my Broker-J 7.1.1?

Thank you in advance,
Best regards,

Cyril


Cyril MICOUD
Software Development Engineer
σLink Team


Office: +33 (0)4 76 33 59 88
email: cmicoud@vitechnology.com
Skype: cyril.micoud_vitech


Vi TECHNOLOGY
Rue de Rochepleine - 38120 SAINT EGREVE - France
Further information at www.vitechnology.com

You are hereby formally notified that all information contained in this communication and any attachments shall be deemed strictly confidential and privileged unless explicitly stated otherwise. Please note that your use of confidential information may be governed, and restricted, by a non-disclosure agreement. The information contained in this communication and any attachments is disclosed for the sole use of the intended recipient(s). If you are not the intended recipient, you are hereby formally notified that any unauthorized review, use, disclosure or distribution of this message is prohibited. Please notify the sender immediately by replying to this message and destroy all copies of this message and any attachments. Mycronic is neither liable for the proper and complete transmission of the information contained in this communication, nor for any delay in its receipt. Please note that email correspondence generally includes processing of personal data. For information on Mycronic's processing of your personal data, please see our Privacy Policy: http://www.mycronic.com/fr/about-us/privacy-policy/


Re: [Broker-J] How to configure HTTPS

Posted by Oleksandr Rudyy <or...@gmail.com>.
Hi Cyril,

When establishing a TLS connection the client application needs to confirm
the validity of the certificate provided by the server.
JVMs and browsers come with a set of trusted third-party certificate
authorities, like Verisign, Symantec, etc. Thus, certificates signed by
these authorities are automatically trusted. However, in the case of a
self-signed certificate you need to provide a trust store containing
client certificate(s), otherwise no trust can be established between
client and server. For example, you can specify a path to the trust store
using the JVM setting javax.net.ssl.trustStoreType, for example
-Djavax.net.ssl.trustStoreType=/path/to/trust-store.jks. Web browsers
can ask whether to trust the server certificate or not, but in the case of a
non-interactive application you have to configure your application to trust
the server in advance.

Thus, you need either to download the trust store or sign your server
certificate with a standard CA which is already trusted by the JVM.

Kind Regards,
Alex

On Fri, 29 Mar 2019 at 08:50, Cyril Micoud <CM...@vitechnology.com> wrote:

> Hi Alex,
>
> When a browser accesses an SSL site, the certificate is downloaded by the
> browser and after that the page is opened in the browser.
> Can I do the same thing with my SSL REST request (request the REST API over SSL
> and download the certificate at the same time)? Or must I download the
> certificate and the Java trust store with the certificate beforehand?
>
> Thanks by advance,
> Best regards,
>
> -----Original Message-----
> From: Oleksandr Rudyy <or...@gmail.com>
> Sent: Friday 29 March 2019 09:14
> To: users@qpid.apache.org
> Subject: Re: [Broker-J] How to configure HTTPS
>
> Hi Cyril,
> The exception message "Caused by:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target" indicates that the SSL handshake
> failed because the certificate could not be found.
> Did you download and specify the self-signed certificate with your request?
>
> Please note that you can download the certificate and a Java trust store
> containing the certificate from the broker Web Management Console tab for
> AutoGeneratedSelfSigned.
>
> Kind Regards,
> Alex
>
> On Thu, 28 Mar 2019 at 15:33, Cyril Micoud <CM...@vitechnology.com>
> wrote:
>
> > Hi Keith,
> >
> > Thanks a lot for your response.
> >
> > I restarted my configuration from scratch to be sure and did it like this:
> > 1. create an AutoGeneratedSelfSigned keystore
> > 2. create 2 new ports, AMQPS (port 5671) and HTTPS (port 8089, because my
> > HTTP port is 8090 and I would like to keep the same scheme as the AMQP port)
> >
> > After restarting my broker, httpManagement access via the HTTPS URL works fine
> > (except for the normal warning when accessing from Chrome due to the self-signed certificate).
> > But now the HTTP access gives me an HTTP 417!
> > However, the HTTP port is still defined... I don't understand why!?
> >
> > And when I try to use the REST API via HTTPS, I get an exception:
> >
> > javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> >         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
> >         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
> >         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
> >         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
> >         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
> >         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
> >         at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
> >         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
> >         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
> >         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
> >         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
> >         at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
> >         at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
> >         at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
> >         at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
> >         at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
> >         at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
> >         at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
> >         at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
> >         at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
> >         at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
> >         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> >         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
> >         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
> >         at com.mashape.unirest.http.HttpClientHelper.request(HttpClientHelper.java:138)
> >         ... 27 more
> > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> >         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> >         at sun.security.validator.Validator.validate(Validator.java:262)
> >         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> >         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> >         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> >         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
> >         ... 48 more
> > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >         at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> >         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> >         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> >         ... 54 more
> >
> > I would just like to know whether it is normal (due to the self-signed certificate, for
> > example) or whether I must add some configuration to my httpclient?
> >
> > Thanks a lot in advance,
> > Best regards,
> >
> > Cyril
> >
> >
> > -----Original Message-----
> > From: Keith W <ke...@gmail.com>
> > Sent: Thursday 28 March 2019 10:19
> > To: users@qpid.apache.org
> > Subject: Re: [Broker-J] How to configure HTTPS
> >
> > Cyril
> >
> > What exactly are you seeing? Are you seeing error messages when you
> > try and connect a browser?
> >
> > To set up TLS for the Broker, you create a keystore containing your key
> > material, then assign this to the port(s) you desire. You need to cause
> > the Broker to restart after changing an existing port. This can be done
> > through the console or you can bounce the whole process. You don't need a
> > trust store on the Broker unless you want to use client certs. The
> > Broker reports the ports it listens to and the transports assigned as it
> > comes up. Check the qpid.log.
> >
> > The broker's documentation covers the concepts (see the sections on
> > ports and key stores), but unfortunately does provide a step by step
> > recipe.
> >
> > Hope this helps
> >
> > Keith.
> >
> >
> >
> > On Wed, 27 Mar 2019 at 17:27, Cyril Micoud <CM...@vitechnology.com>
> > wrote:
> >
> > > Hi all,
> > >
> > > I would like to enable HTTPS on my broker, but I don't know how!?
> > >
> > > I have added a new dedicated port, an authentication provider, a key store
> > > and a trust store, but without any success!
> > >
> > > Can one of you help me or give me the best way to configure my
> > > Broker-J 7.1.1?
> > >
> > > Thank you in advance,
> > > Best regards,
> > >
> > > Cyril
> >
> >
> >
>
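
A client-side version of what Alex describes above, as an added example that is not code from this thread or from Qpid Broker-J: it loads the broker's self-signed certificate (assumed to have been exported from the AutoGeneratedSelfSigned tab to broker.pem), puts it into a trust store that holds only that certificate, and calls the REST API on the HTTPS port 8089 from the thread with Java 11's HttpClient. The host name, the /api/latest/broker path and the credential environment variables are assumptions. The JVM-wide equivalent is -Djavax.net.ssl.trustStore=/path/to/trust-store.jks (javax.net.ssl.trustStoreType names the store format, such as JKS or PKCS12, not its path).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Calls the Broker-J REST API over HTTPS, trusting only the broker's own certificate. */
public final class BrokerHttpsClient {

    /** Builds an in-memory trust store that contains only the broker's certificate (PEM or DER). */
    static KeyStore trustStoreFor(InputStream brokerCertificate) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(brokerCertificate);
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                 // start empty: none of the JVM's default CAs
        trustStore.setCertificateEntry("qpid-broker", cert);
        return trustStore;
    }

    /** Wraps the trust store in an SSLContext. No key manager: the broker is not asking for a client certificate. */
    static SSLContext sslContextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumptions: certificate exported from the management console to broker.pem,
        // HTTPS management port 8089 as in the thread, credentials taken from the environment.
        String host = "localhost";
        String user = System.getenv().getOrDefault("BROKER_USER", "admin");
        String pass = System.getenv().getOrDefault("BROKER_PASSWORD", "CHANGE_ME"); // placeholder
        String basic = Base64.getEncoder()
                .encodeToString((user + ":" + pass).getBytes(StandardCharsets.UTF_8));

        try (InputStream pem = new FileInputStream("broker.pem")) {
            HttpClient client = HttpClient.newBuilder()
                    .sslContext(sslContextFor(trustStoreFor(pem)))
                    .build();
            // HttpClient verifies the host name by default, so the certificate's subject or
            // SAN must match "host"; a mismatch fails the handshake for a different reason
            // than the PKIX "unable to find valid certification path" error in the thread.
            HttpRequest request = HttpRequest
                    .newBuilder(URI.create("https://" + host + ":8089/api/latest/broker"))
                    .header("Authorization", "Basic " + basic)
                    .GET()
                    .build();
            HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
            System.out.println("HTTP " + response.statusCode());
            System.out.println(response.body());
        }
    }
}
```

Because the trust store contains only the broker's certificate, the client rejects any other server, including one presenting a publicly trusted certificate; widen it deliberately if the broker is later re-keyed or signed by a CA.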

RE: [Broker-J] How to configure HTTPS

Posted by Cyril Micoud <CM...@vitechnology.com>.
Hi Alex,

When a browser accesses an SSL site, the certificate is downloaded by the browser and after that the page is opened in the browser.
Can I do the same thing with my SSL REST request (request the REST API over SSL and download the certificate at the same time)? Or must I download the certificate and the Java trust store with the certificate beforehand?

Thanks in advance,
Best regards,


Re: [Broker-J] How to configure HTTPS

Posted by Oleksandr Rudyy <or...@gmail.com>.
Hi Cyril,
The exception message "Caused by:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target" indicates that the SSL handshake
failed because the certificate could not be found.
Did you download and specify the self-signed certificate with your request?

Please note that you can download the certificate and a Java trust store
containing the certificate from the broker Web Management Console tab for
AutoGeneratedSelfSigned.

Kind Regards,
Alex

On Thu, 28 Mar 2019 at 15:33, Cyril Micoud <CM...@vitechnology.com> wrote:

> Hi Keith,
>
> Thanks a lot for your response.
>
> I restart my configuration from scratch to be sure and did it like that
> 1. create an AutoGeneratedSelfSigned keystore
> 2. create 2 new port AMQPS (port 5671) and HTTPS (port 8089, because my
> HTTP port is 8090 and I would like to keep the same thing as AMQP port)
>
> After restart my broker httpManagement access via HTTPS url works fine
> (except normal warning when access from chrome due to autosigned).
> But now the HTTP access give me an HTTP 417!
> However, HTTP port is always defined... I don't understand why!?
>
> And when I try to use REST api via HTTPS, I got an Exception :
>
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
>         at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
>         at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
>         at
> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
>         at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
>         at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
>         at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
>         at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
>         at
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
>         at
> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
>         at
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
>         at
> org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
>         at
> org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
>         at
> org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
>         at
> org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
>         at
> org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
>         at
> org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
>         at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>         at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
>         at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
>         at
> com.mashape.unirest.http.HttpClientHelper.request(HttpClientHelper.java:138)
>         ... 27 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
>         at
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>         at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
>         at sun.security.validator.Validator.validate(Validator.java:262)
>         at
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>         at
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>         at
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>         at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
>         ... 48 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>         at
> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>         at
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>         at
> java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>         at
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>         ... 54 more
>
> I just would like to know if this is normal or not (due to the self-signed certificate for
> example) or if I must add some configuration to my httpclient?
>
> Thanks a lot in advance,
> Best regards,
>
> Cyril
>
> -----Original Message-----
> From: Keith W <ke...@gmail.com>
> Sent: Thursday 28 March 2019 10:19
> To: users@qpid.apache.org
> Subject: Re: [Broker-J] How to configure HTTPS
>
> Cyril
>
> What exactly are you seeing?  Are you seeing error messages when you try
> and connect a browser?
>
> To set up TLS for the Broker,  you create a keystore containing your key
> material, then assign this to the port(s) you desire.   You need to cause
> the Broker to restart after changing an existing port.  This can be done
> through the console or you can bounce the whole process.   You don’t need a
> trust store on the Broker unless you want to use client certs.     The
> Broker reports the ports it listens to and the transports assigned as it
> comes up.  Check the qpid.log.
>
> The broker’s documentation covers the concepts (see the sections on ports
> and key stores), but unfortunately does provide a step by step recipe.
>
> Hope this helps
>
> Keith.
>

RE: [Broker-J] How to configure HTTPS

Posted by Cyril Micoud <CM...@vitechnology.com>.
Hi Keith,

Thanks a lot for your response.

I restarted my configuration from scratch to be sure and did it like this:
1. create an AutoGeneratedSelfSigned keystore
2. create 2 new ports, AMQPS (port 5671) and HTTPS (port 8089, because my HTTP port is 8090 and I would like to keep the same thing as for the AMQP port)

After restarting my broker, httpManagement access via the HTTPS URL works fine (except the normal warning when accessing from Chrome due to the self-signed certificate).
But now the HTTP access gives me an HTTP 417!
However, the HTTP port is still defined... I don't understand why!?

And when I try to use the REST API via HTTPS, I get an exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
	at com.mashape.unirest.http.HttpClientHelper.request(HttpClientHelper.java:138)
	... 27 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
	at sun.security.validator.Validator.validate(Validator.java:262)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
	... 48 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
	... 54 more

I just would like to know if this is normal or not (due to the self-signed certificate, for example) or if I must add some configuration to my httpclient?

Thanks a lot in advance,
Best regards,

Cyril




-----Original Message-----
From: Keith W <ke...@gmail.com>
Sent: Thursday 28 March 2019 10:19
To: users@qpid.apache.org
Subject: Re: [Broker-J] How to configure HTTPS

Cyril

What exactly are you seeing?  Are you seeing error messages when you try and connect a browser?

To set up TLS for the Broker,  you create a keystore containing your key
material, then assign this to the port(s) you desire.   You need to cause
the Broker to restart after changing an existing port.  This can be done
through the console or you can bounce the whole process.   You don’t need a
trust store on the Broker unless you want to use client certs.     The
Broker reports the ports it listens to and the transports assigned as it comes up.  Check the qpid.log.

The broker’s documentation covers the concepts (see the sections on ports and key stores), but unfortunately does provide a step by step recipe.

Hope this helps

Keith.




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
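
The exception in Cyril's post is the JDK refusing a server certificate that chains to no trusted root, which is the expected result for the broker's auto-generated self-signed certificate. The client-side fix is the mirror image of what Keith describes for the broker: the client needs a trust store holding the broker's certificate (or the CA that issued it), not a trust manager that accepts everything. The following is an added example, not code from this thread or from Qpid Broker-J. It assumes the broker certificate has been exported in PEM form to broker.crt (placeholder path), that the broker is reachable as broker.example.test (placeholder host) on the HTTPS port 8089 from the thread, that /api/latest/broker is the REST path as documented for Broker-J (an assumption), and that Apache HttpClient 4.4 or later is on the class path (the library underneath Unirest in the stack trace).

```java
// Added example (not from the thread or from Qpid Broker-J): trust the broker's
// self-signed certificate explicitly instead of disabling certificate validation.
// Assumptions: broker.crt is the broker certificate in PEM form (placeholder path),
// broker.example.test is a placeholder host, 8089 is the HTTPS port from the thread,
// /api/latest/broker is the REST path as documented for Broker-J (assumed), and
// Apache HttpClient 4.4+ is on the class path.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class BrokerTrustExample {

    /**
     * Build an SSLContext whose trust store contains only the broker certificate.
     * The JDK default trust store (cacerts) is deliberately not used, so a
     * certificate issued by any public CA for some other host is still rejected.
     */
    static SSLContext trustOnlyBrokerCert(String pemPath) throws Exception {
        X509Certificate brokerCert;
        try (InputStream in = new FileInputStream(pemPath)) {
            brokerCert = (X509Certificate) CertificateFactory
                    .getInstance("X.509").generateCertificate(in);
        }
        // Fail early on an expired or not-yet-valid certificate; the trust
        // manager would reject it anyway, but the error is clearer here.
        brokerCert.checkValidity();

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                 // empty in-memory trust store
        trustStore.setCertificateEntry("qpid-broker", brokerCert);

        TrustManagerFactory tmf = TrustManagerFactory
                .getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key: no client-cert auth
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = trustOnlyBrokerCert("broker.crt");
        // Keep host-name verification on: the cert's CN/SAN must match the URL host.
        SSLConnectionSocketFactory socketFactory =
                new SSLConnectionSocketFactory(ctx, new DefaultHostnameVerifier());
        try (CloseableHttpClient client = HttpClients.custom()
                     .setSSLSocketFactory(socketFactory).build();
             CloseableHttpResponse response = client.execute(
                     new HttpGet("https://broker.example.test:8089/api/latest/broker"))) {
            System.out.println(response.getStatusLine());
        }
        // With Unirest 1.x (the wrapper in the stack trace), build the client the
        // same way, keep it open, and call Unirest.setHttpClient(client) once at
        // start-up so every Unirest request uses this trust store.
    }
}
```

Host-name verification stays enabled, so the certificate's CN or subjectAltName has to match the host in the URL; with a self-signed certificate that match is the only thing tying the trust decision to the endpoint. Because the trust store holds only this one certificate, the client will start failing again when the broker's key store is regenerated, which is the desired behaviour: a changed server identity should be a deliberate redistribution of broker.crt, not something the client silently accepts.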


Re: [Broker-J] How to configure HTTPS

Posted by Keith W <ke...@gmail.com>.
Cyril

What exactly are you seeing?  Are you seeing error messages when you try
and connect a browser?

To set up TLS for the Broker, you create a keystore containing your key
material, then assign this to the port(s) you desire. You need to cause
the Broker to restart after changing an existing port. This can be done
through the console or you can bounce the whole process. You don't need a
trust store on the Broker unless you want to use client certs. The
Broker reports the ports it listens to and the transports assigned as it
comes up. Check the qpid.log.

The broker’s documentation covers the concepts (see the sections on ports
and key stores), but unfortunately does provide a step by step recipe.

Hope this helps

Keith.


