Posted to users@activemq.apache.org by igge47 <ig...@hotmail.com> on 2017/06/13 11:47:33 UTC

How to configure a symmetric cluster with SSL acceptors/connectors

Hello,
I am using AMQ7, with Java version "1.8.0_111". 

I want to configure a symmetric cluster of static connectors, and I want to
enable SSL connection between them. The connection is done between /server1/
and /server2/
I have successfully set this configuration with TCP connectors: the bridges
are correctly set and I can see the different nodes in the Management
Console. The problem comes when trying to enable SSL inside the
connectors/acceptors. I receive this error:

AMQ222186: unable to authorize cluster control.

The acceptors/connectors & cluster definition on */server1/*:
…
      <acceptors>
         <acceptor name="ssl-pulheim1m">tcp://0.0.0.0:10611?sslEnabled=true;keyStorePath=../etc/pulheim1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd;needClientAuth=true</acceptor>
      </acceptors>
      <connectors>
         <connector name="ssl-pulheim1m">tcp://0.0.0.0:10611?sslEnabled=true;keyStorePath=../etc/pulheim1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd</connector>
         <connector name="ssl-roki1m">tcp://server2:10711?sslEnabled=true;keyStorePath=../etc/roki1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd</connector>
      </connectors>

      <ha-policy>
         <shared-store>
            <master>
               <failover-on-shutdown>true</failover-on-shutdown>
            </master>
         </shared-store>
      </ha-policy>

      <cluster-user>username</cluster-user>
      <cluster-password>pwd</cluster-password>
      <cluster-connections>
         <cluster-connection name="pulheim-roki">
            <connector-ref>ssl-pulheim1m</connector-ref>
            <retry-interval>500</retry-interval>
            <use-duplicate-detection>true</use-duplicate-detection>
            <message-load-balancing>STRICT</message-load-balancing>
            <max-hops>1</max-hops>
            <static-connectors>
               <connector-ref>ssl-roki1m</connector-ref>
            </static-connectors>
         </cluster-connection>
      </cluster-connections>

      <security-settings>
         <security-setting match="#">
            <permission type="createNonDurableQueue" roles="amq, admin"/>
            <permission type="deleteNonDurableQueue" roles="amq, admin"/>
            <permission type="createDurableQueue" roles="amq, admin"/>
            <permission type="deleteDurableQueue" roles="amq, admin"/>
            <permission type="createAddress" roles="amq, admin"/>
            <permission type="deleteAddress" roles="amq, admin"/>
            <permission type="consume" roles="amq, admin"/>
            <permission type="browse" roles="amq, admin"/>
            <permission type="send" roles="amq, admin"/>

            <permission type="manage" roles="amq, admin"/>
            <permission roles="consumers, admin" type="consume"/>
            <permission roles="producers, admin" type="manage"/>
         </security-setting>
      </security-settings>
…

The acceptors/connectors & cluster definition on */server2/*:

…      
      <acceptors>
         <acceptor name="ssl-roki1m">tcp://0.0.0.0:10711?sslEnabled=true;keyStorePath=../etc/roki1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd;needClientAuth=true</acceptor>
      </acceptors>
      <connectors>
         <connector name="ssl-pulheim1m">tcp://server1:10611?sslEnabled=true;keyStorePath=../etc/roki1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd</connector>
         <connector name="ssl-roki1m">tcp://0.0.0.0:10711?sslEnabled=true;keyStorePath=../etc/roki1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd</connector>
      </connectors>

      <ha-policy>
         <shared-store>
            <master>
               <failover-on-shutdown>true</failover-on-shutdown>
            </master>
         </shared-store>
      </ha-policy>

      <cluster-user>username</cluster-user>
      <cluster-password>pwd</cluster-password>
      <cluster-connections>
         <cluster-connection name="pulheim-roki">
            <connector-ref>ssl-roki1m</connector-ref>
            <retry-interval>500</retry-interval>
            <use-duplicate-detection>true</use-duplicate-detection>
            <message-load-balancing>STRICT</message-load-balancing>
            <max-hops>1</max-hops>
            <static-connectors>
               <connector-ref>ssl-pulheim1m</connector-ref>
            </static-connectors>
         </cluster-connection>
      </cluster-connections>

      <security-settings>
         <security-setting match="#">
            <permission type="createNonDurableQueue" roles="amq, admin"/>
            <permission type="deleteNonDurableQueue" roles="amq, admin"/>
            <permission type="createDurableQueue" roles="amq, admin"/>
            <permission type="deleteDurableQueue" roles="amq, admin"/>
            <permission type="createAddress" roles="amq, admin"/>
            <permission type="deleteAddress" roles="amq, admin"/>
            <permission type="consume" roles="amq, admin"/>
            <permission type="browse" roles="amq, admin"/>
            <permission type="send" roles="amq, admin"/>

            <permission type="manage" roles="amq, admin"/>
            <permission roles="consumers, admin" type="consume"/>
            <permission roles="producers, admin" type="manage"/>
         </security-setting>
      </security-settings>
…

I use self-signed certificates inside the trust-/keystores. The
trust-/keystores are local directories on each server, and they have both
Server A's and Server B's certificates included. The SSL handshake doesn't
throw any error.

*/login.conf/*:

activemq {
   org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
       debug=false
       reload=true
       org.apache.activemq.jaas.properties.user="artemis-users.properties"
       org.apache.activemq.jaas.properties.role="artemis-roles.properties";

   org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule sufficient
       debug=false
       org.apache.activemq.jaas.guest.user="admin011"
       org.apache.activemq.jaas.guest.role="amq";
};

activemq-cert {
   org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule optional
       debug=true
       org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
       org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
};

*/cert-users.properties/* - I use the DN from the certificates:

producer=EMAILADDRESS=xxxx@xxx.xxx,CN=SecZone_2,OU=XXX,O=XXX,ST=XXX,C=XX

*/cert-roles.properties/*

Producers=producer

*/bootstrap.xml/*

<broker xmlns="http://activemq.org/schema">

   <jaas-security domain="activemq" certificate-domain="activemq-cert"/>

   <server configuration="${artemis.URI.instance}/etc/broker.xml"/>

   <web bind="https://zs03ne:8164" path="web"
        keyStorePath="/opt/amq/jboss-amq-7.0.0.redhat-1/roki1/etc/keystore_zs03ne_https.jks"
        keyStorePassword="admin011" clientAuth="false"
        trustStorePath="/opt/amq/jboss-amq-7.0.0.redhat-1/roki1/etc/truststore_https.jks"
        trustStorePassword="admin011">
       <app url="redhat-branding" war="redhat-branding.war"/>
       <app url="jolokia" war="jolokia.war"/>
       <app url="hawtio" war="hawtio-no-slf4j.war"/>
       <app url="artemis-plugin" war="artemis-plugin.war"/>
       <app url="dispatch-hawtio-console" war="dispatch-hawtio-console.war"/>
   </web>
</broker>

Looking forward to receiving further guidance,
Ignacio

--
View this message in context: http://activemq.2283324.n4.nabble.com/How-to-configure-a-symmetric-cluster-with-SSL-acceptors-connectors-tp4727351.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: How to configure a symmetric cluster with SSL acceptors/connectors

Posted by igge47 <ig...@hotmail.com>.
Hello Justin,

you were right! I replaced "0.0.0.0" with the IP addresses, and the SSL
connection was finally established.

I hope this config can be useful to other people who have problems
setting up an SSL connection.

Thanks,
igge47
--
View this message in context: http://activemq.2283324.n4.nabble.com/AMQ7-symmetric-cluster-with-SSL-acceptors-connectors-tp4727351p4727380.html

Re: How to configure a symmetric cluster with SSL acceptors/connectors

Posted by igge47 <ig...@hotmail.com>.
Hello Justin,

you were right! I replaced "0.0.0.0" with the IP addresses, and the SSL
connection was finally established.

I hope then that the config I have done here can fix other people's doubts.

Thanks,
igge47
--
View this message in context: http://activemq.2283324.n4.nabble.com/AMQ7-symmetric-cluster-with-SSL-acceptors-connectors-tp4727351p4727379.html

Re: How to configure a symmetric cluster with SSL acceptors/connectors

Posted by Justin Bertram <jb...@apache.org>.
I wouldn't expect a connector using "0.0.0.0" to actually work unless the thing using that connector was on the same machine as the server where it's configured.  Can you configure all your connectors to use actual IP addresses?

If you still have problems after this could you work up a reproducible test-case using e.g. one of the clustered examples shipped with the broker?


Justin

----- Original Message -----
From: "igge47" <ig...@hotmail.com>
To: users@activemq.apache.org
Sent: Tuesday, June 13, 2017 6:47:33 AM
Subject: How to configure a symmetric cluster with SSL acceptors/connectors

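The original post shows both nodes' broker.xml, and Justin's answer names the cause: the connector-ref of a cluster-connection is what a node advertises to its peers so they can connect back, so tcp://0.0.0.0:... there gives the other node nothing it can dial. The script below is an added example, not code from this thread or from Artemis. It reads a broker.xml and flags that mistake along with a few checks a reviewer would make before enabling the cluster: keystore and truststore passwords in clear text, sslEnabled without a truststore, an acceptor with needClientAuth whose advertised connector carries no keystore, a missing or shipped-default cluster-password, and cluster-user/cluster-password that differ between nodes. The embedded XML is a constructed copy of server1's posted config; 192.0.2.10 and 192.0.2.20 are TEST-NET placeholders standing in for the real server addresses, and the clear-text check assumes the Artemis ENC(...) password-masking convention.

```python
"""Lint cluster/TLS transport settings in an Artemis broker.xml (added example, not Artemis code).

Flags the problem from this thread (a cluster connector advertising a wildcard/loopback address)
plus TLS and cluster-credential consistency checks. Sample XML is constructed; 192.0.2.x are TEST-NET.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, unquote

# Addresses a broker may listen on, but which a remote peer cannot connect to.
UNROUTABLE_HOSTS = {"0.0.0.0", "::", "127.0.0.1", "::1", "localhost"}
DEFAULT_CLUSTER_PASSWORD = "CHANGE ME!!"  # value Artemis ships with

def _local(tag):
    """'{urn:activemq:core}acceptor' -> 'acceptor'."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _text(elem, name):
    kids = _children(elem, name)
    return kids[0].text.strip() if kids and kids[0].text else None

def _core(root):
    return next((e for e in root.iter() if _local(e.tag) == "core"), root)

def _is_true(params, key):
    return params.get(key, "false").lower() == "true"

def parse_transport(uri):
    """Split Artemis 'tcp://host:port?k=v;k2=v2' into (host, port, {k: v})."""
    base, _, query = uri.strip().partition("?")
    parts = urlsplit(base)
    params = {}
    for kv in filter(None, query.split(";")):
        key, _, value = kv.partition("=")
        params[key.strip()] = unquote(value.strip())
    return parts.hostname, parts.port, params

def lint_broker_xml(xml_text):
    """Return [(severity, message)] findings for one node's broker.xml."""
    root = ET.fromstring(xml_text)
    acceptors = {e.get("name"): parse_transport(e.text) for e in root.iter() if _local(e.tag) == "acceptor"}
    connectors = {e.get("name"): parse_transport(e.text) for e in root.iter() if _local(e.tag) == "connector"}
    findings = []
    for kind, table in (("acceptor", acceptors), ("connector", connectors)):
        for name, (_, _, params) in table.items():
            for key in ("keyStorePassword", "trustStorePassword"):
                if key in params and not params[key].startswith("ENC("):
                    findings.append(("warn", f"{kind} {name}: {key} is in clear text; consider Artemis password masking"))
            if _is_true(params, "sslEnabled") and "trustStorePath" not in params:
                findings.append(("error", f"{kind} {name}: sslEnabled=true without trustStorePath, the peer cannot be verified"))
    for cc in (e for e in root.iter() if _local(e.tag) == "cluster-connection"):
        cc_name = cc.get("name")
        own_ref = _text(cc, "connector-ref")  # sent to peers so they can connect back to this node
        peer_refs = [r.text.strip() for sc in _children(cc, "static-connectors") for r in _children(sc, "connector-ref")]
        for ref, role in [(own_ref, "advertised")] + [(p, "static peer") for p in peer_refs]:
            if ref not in connectors:
                findings.append(("error", f"{cc_name}: {role} connector-ref '{ref}' is not defined"))
            elif connectors[ref][0] in UNROUTABLE_HOSTS:
                findings.append(("error", f"{cc_name}: {role} connector '{ref}' uses {connectors[ref][0]}, which remote nodes cannot reach"))
        if own_ref in connectors:  # the advertised connector must satisfy the local acceptor it points at
            _, port, cparams = connectors[own_ref]
            for _, aport, aparams in acceptors.values():
                if aport == port and _is_true(aparams, "needClientAuth") and "keyStorePath" not in cparams:
                    findings.append(("error", f"{cc_name}: acceptor requires client certs but connector '{own_ref}' has no keyStorePath"))
    if _text(_core(root), "cluster-password") in (None, DEFAULT_CLUSTER_PASSWORD):
        findings.append(("error", "cluster-password is missing or still the shipped default"))
    return findings

def cluster_credentials_match(*xml_texts):
    """Cluster control is authenticated with cluster-user/cluster-password; every node must use the same pair."""
    cores = [_core(ET.fromstring(x)) for x in xml_texts]
    return len({(_text(c, "cluster-user"), _text(c, "cluster-password")) for c in cores}) == 1

# Constructed sample mirroring the thread's server1, then the same file with the advertised connector fixed.
SERVER1_XML = """<configuration xmlns="urn:activemq"><core xmlns="urn:activemq:core">
<acceptors>
 <acceptor name="ssl-pulheim1m">tcp://0.0.0.0:10611?sslEnabled=true;keyStorePath=../etc/pulheim1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd;needClientAuth=true</acceptor>
</acceptors>
<connectors>
 <connector name="ssl-pulheim1m">tcp://0.0.0.0:10611?sslEnabled=true;keyStorePath=../etc/pulheim1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd</connector>
 <connector name="ssl-roki1m">tcp://192.0.2.20:10711?sslEnabled=true;keyStorePath=../etc/roki1-certificate.jks;keyStorePassword=pwd;trustStorePath=../etc/truststore.jks;trustStorePassword=pwd</connector>
</connectors>
<cluster-user>username</cluster-user>
<cluster-password>pwd</cluster-password>
<cluster-connections>
 <cluster-connection name="pulheim-roki">
  <connector-ref>ssl-pulheim1m</connector-ref>
  <static-connectors><connector-ref>ssl-roki1m</connector-ref></static-connectors>
 </cluster-connection>
</cluster-connections>
</core></configuration>"""
SERVER1_FIXED_XML = SERVER1_XML.replace('<connector name="ssl-pulheim1m">tcp://0.0.0.0',
                                        '<connector name="ssl-pulheim1m">tcp://192.0.2.10')

if __name__ == "__main__":
    for severity, message in lint_broker_xml(SERVER1_XML):
        print(f"[{severity}] {message}")
```

Run it against each node's etc/broker.xml with lint_broker_xml(open(path).read()) and pass both files to cluster_credentials_match. The acceptor bound to 0.0.0.0 is deliberately not flagged: that is only where the broker listens, and the thread's fix concerns the connectors that get handed to the other node.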