Posted to users@activemq.apache.org by Tim Bain <tb...@alumni.duke.edu> on 2017/11/20 13:57:15 UTC

Re: jaasAuthenticationPlugin and sslContext in karaf

1. You referenced a forum post that told you how to do JAAS in this case;
can you please provide a link?

2. If you run a standalone broker without the JAAS plugin, do both
protocols work?  How about if you configure the standalone broker to use
JAAS directly rather than through Karaf? This sounds like it might be a
Karaf problem rather than an ActiveMQ problem, so let's try to diagnose
which side of the line it's on.

3. Have you posted this question to the Karaf mailing list and to
StackOverflow? If so, please provide links.

Tim

On Nov 20, 2017 6:28 AM, "MillieretXavier" <xa...@eaton.com>
wrote:

> Hi all,
>
> I use ActiveMQ 5.12.3 embedded in Karaf.
> I would like two connectors, one for OpenWire and one for AMQPS.
> Here is my activemq.xml (configuration):
>
> <beans
>     xmlns="http://www.springframework.org/schema/beans"
>     xmlns:amq="http://activemq.apache.org/schema/core"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>   http://activemq.apache.org/schema/core
> http://activemq.apache.org/schema/core/activemq-core.xsd">
>
>     <broker xmlns="http://activemq.apache.org/schema/core"
>             brokerName="${broker-name}"
>             dataDirectory="${data}"
>             start="false"
>             populateJMSXUserID="true"
>             persistent="false">
>
>         <destinationPolicy>
>             <policyMap>
>                 <policyEntries>
>                     <policyEntry topic=">" producerFlowControl="true">
>                         <pendingMessageLimitStrategy>
>                             <constantPendingMessageLimitStrategy limit="1000"/>
>                         </pendingMessageLimitStrategy>
>                     </policyEntry>
>                     <policyEntry queue=">" producerFlowControl="true" memoryLimit="1mb">
>                     </policyEntry>
>                 </policyEntries>
>             </policyMap>
>         </destinationPolicy>
>
>         <managementContext>
>             <managementContext createConnector="false"/>
>         </managementContext>
>
>         <persistenceAdapter>
>             <kahaDB directory="${data}/kahadb"/>
>         </persistenceAdapter>
>
>
>         <plugins>
>             <jaasAuthenticationPlugin configuration="karaf"/>
>         </plugins>
>
>        <sslContext>
>             <sslContext
>                 keyStore="file:${amqps.ks}"
>                 keyStorePassword="${amqps.pwd}"
>                 trustStore="file:${amqps.ts}"
>                 trustStorePassword="${amqps.pwd}"/>
>        </sslContext>
>
>
>         <systemUsage>
>             <systemUsage>
>                 <memoryUsage>
>                     <memoryUsage limit="64 mb"/>
>                 </memoryUsage>
>                 <storeUsage>
>                     <storeUsage limit="50 gb"/>
>                 </storeUsage>
>                 <tempUsage>
>                     <tempUsage limit="1 gb"/>
>                 </tempUsage>
>             </systemUsage>
>         </systemUsage>
>
>         <transportConnectors>
>             <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
>
>             <transportConnector name="amqps" uri="amqp+ssl://0.0.0.0:5671?transport.transformer=jms&amp;needClientAuth=false"/>
>
>         </transportConnectors>
>     </broker>
>
> </beans>
>
>
>
> Unfortunately, when I remove the JAAS plugin, the amqps connector works but
> the openwire one does not, and when I add the JAAS plugin it's the reverse!
>
>
> I saw on a forum that I must use the jaasDualAuthenticationPlugin.
>
> I tried this:
> <jaasDualAuthenticationPlugin configuration="karaf" sslConfiguration="karaf-2"/>
>
> But unfortunately the behavior is the same!
> I left the SSL context configuration in the same place (activemq.xml)
> and put this inside an XML file:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>            xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
>            xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
>
>     <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>
>
>     <jaas:config name="karaf-2" rank="1">
>       <jaas:module className="org.apache.activemq.jaas.TextFileCertificateLoginModule" flags="required">
>         debug=true
>         org.apache.activemq.jaas.textfiledn.user="file:C:/Temp/dns.properties"
>         org.apache.activemq.jaas.textfiledn.group="file:C:/Temp/groups.properties"
>       </jaas:module>
>     </jaas:config>
>
>     <jaas:keystore xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0"
>                name="ks"
>                rank="2"
>                path="file:C:/xav/eaton/workspace/emc4j/emc4j-ipm/packaging/target/emc4j-ipm-1.60.2-SNAPSHOT/emc4j-ipm-1.60.2-SNAPSHOT/etc/emc4j.ks"
>                keystorePassword="pwd"/>
>
>     <jaas:keystore xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0"
>                name="ts"
>                rank="2"
>                path="file:C:/xav/eaton/workspace/emc4j/emc4j-ipm/packaging/target/emc4j-ipm-1.60.2-SNAPSHOT/emc4j-ipm-1.60.2-SNAPSHOT/etc/emc4j.ts"
>                keystorePassword="pwd"/>
>
> </blueprint>
>
>
> I am lost, so any help will be appreciated.
>
> Regards
>
> --
> Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html
>
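
A static check of the connector and plugin settings quoted above, as an added example that is not part of any poster's message or of ActiveMQ itself. It reports, per transportConnector, whether it uses TLS and whether it asks clients for a certificate, and flags a TLS connector that never requests one while jaasDualAuthenticationPlugin names a certificate realm. The `audit` function and the trimmed sample document are constructed for illustration; `wantClientAuth` is an ActiveMQ SSL transport option that does not appear in the thread.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

AMQ = "{http://activemq.apache.org/schema/core}"

# Constructed sample: trimmed from the activemq.xml quoted above, with the
# jaasDualAuthenticationPlugin line from the same post swapped in.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="amq-broker">
    <plugins>
      <jaasDualAuthenticationPlugin configuration="karaf" sslConfiguration="karaf-2"/>
    </plugins>
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
      <transportConnector name="amqps" uri="amqp+ssl://0.0.0.0:5671?transport.transformer=jms&amp;needClientAuth=false"/>
    </transportConnectors>
  </broker>
</beans>"""

def audit(xml_text):
    """Return (connector rows, findings) for one activemq.xml document."""
    root = ET.fromstring(xml_text)
    dual = root.find(f".//{AMQ}jaasDualAuthenticationPlugin")
    rows, findings = [], []
    for tc in root.iter(f"{AMQ}transportConnector"):
        uri = urlsplit(tc.get("uri", ""))
        opts = {k.lower(): v[-1].lower() for k, v in parse_qs(uri.query).items()}
        tls = "ssl" in uri.scheme.split("+") or uri.scheme in ("https", "wss")
        # Both the bare and the "transport."-prefixed spellings are checked.
        asks_cert = any(opts.get(p + k) == "true"
                        for p in ("", "transport.")
                        for k in ("needclientauth", "wantclientauth"))
        rows.append((tc.get("name"), uri.scheme, tls, asks_cert))
        if dual is not None and tls and not asks_cert:
            findings.append(f"{tc.get('name')}: TLS connector never requests a client "
                            f"certificate, so JAAS realm '{dual.get('sslConfiguration')}' "
                            "has no certificate to check")
        if uri.hostname == "0.0.0.0" and not tls:
            findings.append(f"{tc.get('name')}: plaintext connector bound to all interfaces")
    return rows, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print(finding)
```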

Re: jaasAuthenticationPlugin and sslContext in karaf

Posted by MillieretXavier <xa...@eaton.com>.
Hi all,

Does anybody have an idea?



--
Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html

Re: jaasAuthenticationPlugin and sslContext in karaf

Posted by MillieretXavier <xa...@eaton.com>.
You're right, I am trying to have cert-based authentication for AMQP and
password-based authentication for OpenWire.

Here are my logs (DEBUG) just before a connection.
I would like to clarify that without the jaasAuthenticationPlugin plugin,
it works for an SSL connection.
It is as if, when I add the plugin, the sslContext in activemq.xml is not
taken into account?


2017-11-21 17:18:46,977 | DEBUG | Transport                        | 97  - org.apache.activemq.activemq-osgi        - 5.12.3         | Transport Connection to: tcp://xxx.xx.xxx.xx:51495 failed: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992)[:1.8.0_131]
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)[:1.8.0_131]
	at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:928)[:1.8.0_131]
	at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)[:1.8.0_131]
	at org.apache.activemq.transport.tcp.TcpBufferedInputStream.fill(TcpBufferedInputStream.java:50)[97:org.apache.activemq.activemq-osgi:5.12.3]
	at org.apache.activemq.transport.tcp.TcpTransport$2.fill(TcpTransport.java:609)[97:org.apache.activemq.activemq-osgi:5.12.3]
	at org.apache.activemq.transport.tcp.TcpBufferedInputStream.readStream(TcpBufferedInputStream.java:72)[97:org.apache.activemq.activemq-osgi:5.12.3]
	at org.apache.activemq.transport.tcp.TcpBufferedInputStream.read(TcpBufferedInputStream.java:92)[97:org.apache.activemq.activemq-osgi:5.12.3]
	at org.apache.activemq.transport.tcp.TcpTransport$2.read(TcpTransport.java:599)[97:org.apache.activemq.activemq-osgi:5.12.3]
	at java.io.DataInputStream.readFully(DataInputStream.java:195)[:1.8.0_131]
	at org.fusesource.hawtbuf.Buffer.readFrom(Buffer.java:412)[97:org.apache.activemq.activemq-osgi:5.12.3]
	at org.apache.activemq.transport.amqp.AmqpWireFormat.unmarshal(AmqpWireFormat.java:102)[97:org.apache.activemq.activemq-osgi:5.12.3]
	at org.apache.activemq.transport.tcp.TcpTransport.readCommand(TcpTransport.java:221)[97:org.apache.activemq.activemq-osgi:5.12.3]
	at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:213)[97:org.apache.activemq.activemq-osgi:5.12.3]
	at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:196)[97:org.apache.activemq.activemq-osgi:5.12.3]
	at java.lang.Thread.run(Thread.java:748)[:1.8.0_131]
Caused by: java.io.EOFException: SSL peer shut down incorrectly
	at sun.security.ssl.InputRecord.read(InputRecord.java:505)[:1.8.0_131]
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)[:1.8.0_131]
	... 15 more
2017-11-21 17:18:46,981 | DEBUG | ManagementContext                | 97  - org.apache.activemq.activemq-osgi        - 5.12.3         | Unregistering MBean org.apache.activemq:type=Broker,brokerName=amq-broker,connector=clientConnectors,connectorName=amqps,connectionViewType=remoteAddress,connectionName=tcp_//xxx.xx.xxx.xx_51495
2017-11-21 17:18:46,981 | DEBUG | TransportConnection              | 97  - org.apache.activemq.activemq-osgi        - 5.12.3         | Stopping connection: tcp://xxx.xx.xxx.xx:51495
2017-11-21 17:18:46,981 | DEBUG | TcpTransport                     | 97  - org.apache.activemq.activemq-osgi        - 5.12.3         | Stopping transport ssl:///xxx.xx.xxx.xx:51495
2017-11-21 17:18:46,982 | DEBUG | TaskRunnerFactory                | 97  - org.apache.activemq.activemq-osgi        - 5.12.3         | Initialized TaskRunnerFactory[ActiveMQ Task] using ExecutorService: java.util.concurrent.ThreadPoolExecutor@1e9a61d3[Running, pool size = 0, active threads = 0, queued tasks = 0, completed tasks = 0]
2017-11-21 17:18:46,983 | DEBUG | TcpTransport                     | 97  - org.apache.activemq.activemq-osgi        - 5.12.3         | Closed socket 75b3d3e1[SSL_NULL_WITH_NULL_NULL: Socket[addr=/xxx.xx.xxx.xx,port=51495,localport=5671]]
2017-11-21 17:18:46,983 | DEBUG | ThreadPoolUtils                  | 97  - org.apache.activemq.activemq-osgi        - 5.12.3         | Forcing shutdown of ExecutorService: java.util.concurrent.ThreadPoolExecutor@1e9a61d3[Running, pool size = 1, active threads = 1, queued tasks = 0, completed tasks = 0]
2017-11-21 17:18:46,983 | DEBUG | TransportConnection              | 97  - org.apache.activemq.activemq-osgi        - 5.12.3         | Stopped transport: tcp://xxx.xx.xxx.xx:51495
2017-11-21 17:18:46,987 | DEBUG | TransportConnection              | 97  - org.apache.activemq.activemq-osgi        - 5.12.3         | Connection Stopped: tcp://xxx.xx.xxx.xx:51495
2017-11-21 17:18:47,180 | DEBUG | AmqpAuthenticator                | 97  - org.apache.activemq.activemq-osgi        - 5.12.3         | SASL [ANONYMOUS} Handshake started.
2017-11-21 17:18:47,322 | DEBUG | AbstractInactivityMonitor        | 97  - org.apache.activemq.activemq-osgi        - 5.12.3         | WriteChecker: 10021ms elapsed since last write check.
2017-11-21 17:18:47,322 | DEBUG | AbstractInactivityMonitor        | 97  - org.apache.activemq.activemq-osgi        - 5.12.3         | WriteChecker: 10019ms elapsed since last write check.
2017-11-21 17:18:47,322 | DEBUG | AbstractInactivityMonitor        | 97  - org.apache.activemq.activemq-osgi        - 5.12.3         | Running WriteCheck[tcp://127.0.0.1:56742]
2017-11-21 17:18:47,322 | DEBUG | AbstractInactivityMonitor        | 97  - org.apache.activemq.activemq-osgi        - 5.12.3         | Running WriteCheck[tcp://127.0.0.1:61616]


Regards

--
Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html

Re: jaasAuthenticationPlugin and sslContext in karaf

Posted by Tim Bain <tb...@alumni.duke.edu>.
So are you trying to have cert-based authentication for AMQP and
password-based authentication for OpenWire? Or are you trying to have
cert-based authentication for AMQP and no authentication for OpenWire?

Also, can you please post the error messages you get both with and without
the plugin enabled?

Tim

On Nov 20, 2017 7:37 AM, "MillieretXavier" <xa...@eaton.com>
wrote:

> Thx Tim,
>
> So:
> 1. I followed this link:
> http://docs.huihoo.com/fuse/esb/4.4/amq_security/Auth-JAAS-DualAuthentPlugin.html
> Perhaps I am wrong?
> 2. To be more precise, I run Karaf 3.0.7, with ActiveMQ 5.12.3 inside it.
> My goal is perhaps stupid: having OpenWire without SSL (because it waits only
> on localhost), and having AMQP work with certificates, that's all.
> I followed these links for ActiveMQ:
> https://access.redhat.com/documentation/en-US/Fuse_MQ_Enterprise/7.1/html/Security_Guide/files/SSL-SetSecurityContext.html
> 3. Not yet, but I will do so ASAP.
>
> If you see something, I will appreciate any help.
>
> Regards
>
> --
> Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html
>

Re: jaasAuthenticationPlugin and sslContext in karaf

Posted by MillieretXavier <xa...@eaton.com>.
Thx Tim,

So:
1. I followed this link:
http://docs.huihoo.com/fuse/esb/4.4/amq_security/Auth-JAAS-DualAuthentPlugin.html
Perhaps I am wrong?
2. To be more precise, I run Karaf 3.0.7, with ActiveMQ 5.12.3 inside it.
My goal is perhaps stupid: having OpenWire without SSL (because it waits only
on localhost), and having AMQP work with certificates, that's all.
I followed these links for ActiveMQ:
https://access.redhat.com/documentation/en-US/Fuse_MQ_Enterprise/7.1/html/Security_Guide/files/SSL-SetSecurityContext.html
3. Not yet, but I will do so ASAP.

If you see something, I will appreciate any help.

Regards

--
Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html