Jim, what version of ActiveMQ are you using? This happened in 5.3 (<https://issues.apache.org/activemq/browse/AMQ-2474>) but should be fixed in > 5.3.1.
We have this working in production no problem. I see we express the URL in the NC differently:

<networkConnector uri="static://(ssl://${activemq.network.broker2}:62001)" name="network-${activemq.network.broker2}"/>

but that doesn't seem to be the problem. We also use simplex connections, with the JaasCertificateAuthenticationPlugin enabled on both brokers.

James.

On 21 May 2010 06:24, Jim Lloyd <jll...@silvertailsystems.com> wrote:
> I'm not able to establish a network connection between two brokers via an
> SSL transport when I turn on JAAS certificate authentication. I want to do
> this with a hub & spoke architecture, where one broker is the hub, and
> passively accepts network connections from spokes that use duplex
> connections. I have this working without JAAS certificate authentication,
> where the relevant configuration looks like this:
>
>
> Broker "hub"
>   <broker brokerName="hub" ... >
>     <sslContext>
>       <sslContext
>         keyStore="file:hub.ks"
>         keyStorePassword="hubpassword"
>         trustStore="file:hub.ts"
>         trustStorePassword="hubpassword"
>       />
>     </sslContext>
>     <transportConnectors>
>       <transportConnector name="openwire" uri="tcp://localhost:51001" />
>       <transportConnector name="ssl" uri="ssl://0.0.0.0:51000?transport.needClientAuth=true" />
>     </transportConnectors>
>   </broker>
>
> Broker "spoke"
>   <broker brokerName="spoke" ...>
>     <sslContext>
>       <sslContext
>         keyStore="file:spoke.ks"
>         keyStorePassword="spokepassword"
>         trustStore="file:spoke.ts"
>         trustStorePassword="spokepassword"
>       />
>     </sslContext>
>     <networkConnectors>
>       <networkConnector
>         name="tohub"
>         uri="static:(ssl://127.0.0.1:51000)"
>         duplex="true"
>       />
>     </networkConnectors>
>     <transportConnectors>
>       <transportConnector name="openwire" uri="tcp://localhost:51002" />
>     </transportConnectors>
>   </broker>
>
> I now want to enable JAAS authentication, so I add this plugins section to
> the hub broker (right before the closing </broker> tag):
>   <plugins>
>     <jaasCertificateAuthenticationPlugin configuration="CertLogin" />
>   </plugins>
>
> When I do this, I start to get errors like this:
>
> 2010-05-20 20:32:29,350 WARN | Failed to add Connection
> java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
>   at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:75)
>   at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
>   at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:666)
>   at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:83)
>   at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
>   at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:297)
>   at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:175)
>   at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
>   at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
>   at org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:210)
>   at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
>   at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:104)
>   at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:203)
>   at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:185)
>   at java.lang.Thread.run(Thread.java:619)
>
> I suspected that this might have to do with the duplex connection, but I get
> the same error when the networkConnection uses duplex="false".
>
> Can anyone tell me what I might be doing wrong? FYI I have turned on ssl
> debug and seen the SSL handshakes in the log.
>
> Thanks,
> Jim Lloyd
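
A pre-flight check for the broker configuration discussed in this thread, added here as an example and not code from either poster or from ActiveMQ: it lists the transportConnectors that cannot supply a client certificate once jaasCertificateAuthenticationPlugin is enabled. It assumes, from the error text quoted above, that the plugin rejects any connection arriving without a certificate; the function names and the sample XML are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the hub broker from the thread with the plugin enabled.
HUB_XML = """
<broker brokerName="hub">
  <transportConnectors>
    <transportConnector name="openwire" uri="tcp://localhost:51001"/>
    <transportConnector name="ssl"
        uri="ssl://0.0.0.0:51000?transport.needClientAuth=true"/>
  </transportConnectors>
  <plugins>
    <jaasCertificateAuthenticationPlugin configuration="CertLogin"/>
  </plugins>
</broker>
"""

def local(tag):
    """Strip an XML namespace prefix: '{ns}broker' -> 'broker'."""
    return tag.rsplit("}", 1)[-1]

def connectors_without_client_cert(xml_text):
    """Return [(name, reason)] for transportConnectors that cannot hand a
    client certificate to jaasCertificateAuthenticationPlugin."""
    elems = list(ET.fromstring(xml_text).iter())
    if not any(local(e.tag) == "jaasCertificateAuthenticationPlugin" for e in elems):
        return []  # plugin not enabled, nothing to check
    findings = []
    for e in elems:
        if local(e.tag) != "transportConnector":
            continue
        name = e.get("name", "?")
        uri = "".join(e.get("uri", "").split())  # undo line wrapping inside the URI
        parts = urlsplit(uri)
        opts = parse_qs(parts.query)
        # Assumption: only ssl and *+ssl schemes can carry a peer certificate.
        if not (parts.scheme == "ssl" or parts.scheme.endswith("+ssl")):
            findings.append((name, "scheme '%s' carries no certificate" % parts.scheme))
        elif opts.get("transport.needClientAuth", ["false"])[-1].lower() != "true":
            findings.append((name, "ssl without transport.needClientAuth=true"))
    return findings

if __name__ == "__main__":
    for name, reason in connectors_without_client_cert(HUB_XML):
        print("%s: %s" % (name, reason))
```

A clean result rules out only these configuration causes; it does not detect the AMQ-2474 behaviour mentioned in the reply.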