Jim,

Good to hear it's working. The closeAsync=false won't be necessary to get the SSL bit working, but helps with socket use if you've got lots of clients connecting for a short time.

James.

On 21 May 2010 21:13, Jim Lloyd <jll...@silvertailsystems.com> wrote:
> James,
>
> I seem to have made a break through. I found that the broker1 & broker2
> configuration that you referenced are located in
> activemq-parent-5.3.2/activemq-core/src/test/resources/org/apache/activemq/security,
> and after I modified my code to be as close as possible to that
> configuration, the Unable to authenticate transport without SSL
> certificate error has gone away.
>
> I'm suspecting it has to do with this line:
>
> <transportConnector name="ssl" uri="ssl://0.0.0.0:51000?transport.closeAsync=false&wantClientAuth=true&needClientAuth=true"/>
>
> I had not been using transport.closeAsync=false&wantClientAuth=true,
> only needClientAuth=true.
>
> Anyway, I am past a major hurdle here and hopefully the remaining pieces
> will be easy. :)
>
> Thanks again,
> Jim
>
> On Fri, May 21, 2010 at 10:05 AM, Jim Lloyd <jll...@silvertailsystems.com> wrote:
>
>> James,
>>
>> Are you sure this should is fixed in 5.3.1? (You said fix in > 5.3.1, not
>> >= 5.3.1). As it turns out I was using 5.3.0 for the client side (i.e. a
>> 'spoke') for much of this week, but last night I started working on smaller
>> test configuration running on one machine, and my script to start the two
>> brokers explicitly runs 5.3.1:
>>
>> /usr/stlocal/apache-activemq-5.3.1/bin/activemq \
>>   -Djava.security.auth.login.config=/home/jim/amqexperiment/login.config \
>>   xbean:/home/jim/amqexperiment/hub.xml \
>>   &> /home/jim/amqexperiment/hub.log &
>>
>> /usr/stlocal/apache-activemq-5.3.1/bin/activemq \
>>   -Djava.security.auth.login.config=/home/jim/amqexperiment/login.config \
>>   xbean:/home/jim/amqexperiment/spoke.xml \
>>   &> /home/jim/amqexperiment/spoke.log &
>>
>> I had been using the JaasCertificateAuthenticationPlugin only on the hub
>> broker, but I just enabled it on the stub broker too and restarted and I
>> still get the same error. Below is the log output from the hub broker. Do
>> you have any other ideas of what I should try? Can you share with me your
>> entire config files for the two brokers activemq.network.broker1 &
>> activemq.network.broker2?
>>
>> [...@flash amqexperiment]$ less hub.log
>> Java Runtime: Sun Microsystems Inc. 1.6.0_18 /nas/local/jdk1.6.0_18/jre
>> Heap sizes: current=493696k free=488542k max=493696k
>> JVM args: -Xmx512M -Dorg.apache.activemq.UseDedicatedTaskRunner=true -Djava.util.logging.config.file=logging.properties -Dcom.sun.management.jmxremote -Dactivemq.classpath=/usr/stlocal/apache-activemq-5.3.1/conf; -Dactivemq.home=/usr/stlocal/apache-activemq-5.3.1 -Dactivemq.base=/usr/stlocal/apache-activemq-5.3.1
>> ACTIVEMQ_HOME: /usr/stlocal/apache-activemq-5.3.1
>> ACTIVEMQ_BASE: /usr/stlocal/apache-activemq-5.3.1
>> Loading message broker from: xbean:/home/jim/amqexperiment/hub.xml
>> INFO | Using Persistence Adapter: MemoryPersistenceAdapter
>> INFO | ActiveMQ 5.3.1 JMS Message Broker (hub) is starting
>> INFO | For help or more information please see: http://activemq.apache.org/
>> INFO | Listening for connections at: tcp://flash.silvertailsystems.com:51001
>> INFO | Connector openwire Started
>> INFO | Listening for connections at: ssl://flash.silvertailsystems.com:51000?transport.needClientAuth=true
>> INFO | Connector ssl Started
>> INFO | ActiveMQ JMS Message Broker (hub, ID:flash.silvertailsystems.com-50094-1274456418477-0:0) started
>> INFO | Logging to org.slf4j.impl.JCLLoggerAdapter(org.mortbay.log) via org.mortbay.log.Slf4jLog
>> INFO | jetty-6.1.9
>> WARN | Failed to add Connection
>> java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
>>     at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:75)
>>     at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
>>     at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:676)
>>     at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:83)
>>     at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
>>     at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:300)
>>     at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:178)
>>     at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
>>     at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
>>     at org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:216)
>>     at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
>>     at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:91)
>>     at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:204)
>>     at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:186)
>>     at java.lang.Thread.run(Thread.java:619)
>> WARN | Async error occurred: java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
>>
>> On Thu, May 20, 2010 at 11:54 PM, James Casey <jamesc....@gmail.com> wrote:
>>
>>> Jim,
>>>
>>> what version of ActiveMQ are you using ? This happened in 5.3
>>> (<https://issues.apache.org/activemq/browse/AMQ-2474>) but should be
>>> fixed in > 5.3.1.
>>>
>>> We have this working in production no problem. I see we express the
>>> URL in the NC differently:
>>>
>>> <networkConnector
>>>     uri="static://(ssl://${activemq.network.broker2}:62001)"
>>>     name="network-${activemq.network.broker2}"/>
>>>
>>> but that doesn't seem to be the problem. We also use simplex
>>> connections, with the JaasCertificateAuthenticationPlugin enabled on
>>> both brokers.
>>>
>>> James.
>>>
>>>
>>> On 21 May 2010 06:24, Jim Lloyd <jll...@silvertailsystems.com> wrote:
>>> > I'm not able to establish a network connection between two brokers via an
>>> > SSL transport when I turn on JAAS certificate authentication. I want to do
>>> > this with a hub & spoke architecture, where one broker is the hub, and
>>> > passively accepts network connections from spokes that use duplex
>>> > connections. I have this working without JAAS certificate authentication,
>>> > where the relevant configuration looks like this:
>>> >
>>> >
>>> > Broker "hub"
>>> > <broker brokerName="hub" ... >
>>> >   <sslContext>
>>> >     <sslContext
>>> >       keyStore="file:hub.ks"
>>> >       keyStorePassword="hubpassword"
>>> >       trustStore="file:hub.ts"
>>> >       trustStorePassword="hubpassword"
>>> >     />
>>> >   </sslContext>
>>> >   <transportConnectors>
>>> >     <transportConnector name="openwire" uri="tcp://localhost:51001" />
>>> >     <transportConnector name="ssl" uri="ssl://0.0.0.0:51000?transport.needClientAuth=true" />
>>> >   </transportConnectors>
>>> > </broker>
>>> >
>>> > Broker "spoke"
>>> > <broker brokerName="spoke" ...>
>>> >   <sslContext>
>>> >     <sslContext
>>> >       keyStore="file:spoke.ks"
>>> >       keyStorePassword="spokepassword"
>>> >       trustStore="file:spoke.ts"
>>> >       trustStorePassword="spokepassword"
>>> >     />
>>> >   </sslContext>
>>> >   <networkConnectors>
>>> >     <networkConnector
>>> >       name="tohub"
>>> >       uri="static:(ssl://127.0.0.1:51000)"
>>> >       duplex="true"
>>> >     />
>>> >   </networkConnectors>
>>> >   <transportConnectors>
>>> >     <transportConnector name="openwire" uri="tcp://localhost:51002" />
>>> >   </transportConnectors>
>>> > </broker>
>>> >
>>> > I now want to enable JAAS authentication, so I add this plugins section to
>>> > the hub broker (right before the closing </broker> tag):
>>> >   <plugins>
>>> >     <jaasCertificateAuthenticationPlugin configuration="CertLogin" />
>>> >   </plugins>
>>> >
>>> > When I do this, I start to get errors like this:
>>> >
>>> > 2010-05-20 20:32:29,350 WARN | Failed to add Connection
>>> > java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
>>> >     at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:75)
>>> >     at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
>>> >     at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:666)
>>> >     at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:83)
>>> >     at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
>>> >     at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:297)
>>> >     at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:175)
>>> >     at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
>>> >     at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
>>> >     at org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:210)
>>> >     at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
>>> >     at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:104)
>>> >     at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:203)
>>> >     at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:185)
>>> >     at java.lang.Thread.run(Thread.java:619)
>>> >
>>> > I suspected that this might have to do with the duplex connection, but I get
>>> > the same error when the networkConnection uses duplex="false".
>>> >
>>> > Can anyone tell me what I might be doing wrong? FYI I have turned on ssl
>>> > debug and seen the SSL handshakes in the log.
>>> >
>>> > Thanks,
>>> > Jim Lloyd
>>> >
>>>
>>
>
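
Added example, not part of the thread and not ActiveMQ code: the hub URI in the failing log carries only transport.needClientAuth=true, while the URI that made the error go away carries unprefixed wantClientAuth=true&needClientAuth=true. The Python check below flags an ssl transportConnector that lacks the unprefixed option on a broker enabling jaasCertificateAuthenticationPlugin; the broker XML is constructed from the snippets quoted above, and treating the unprefixed form as the required one is an assumption drawn from this thread's before and after.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the hub broker from the thread with the plugin enabled.
HUB_TEMPLATE = """<broker xmlns="http://activemq.apache.org/schema/core" brokerName="hub">
  <plugins>
    <jaasCertificateAuthenticationPlugin configuration="CertLogin"/>
  </plugins>
  <transportConnectors>
    <transportConnector name="openwire" uri="tcp://localhost:51001"/>
    <transportConnector name="ssl" uri="ssl://0.0.0.0:51000?{query}"/>
  </transportConnectors>
</broker>"""
FAILING = HUB_TEMPLATE.format(query="transport.needClientAuth=true")
WORKING = HUB_TEMPLATE.format(
    query="transport.closeAsync=false&amp;wantClientAuth=true&amp;needClientAuth=true")


def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def audit_broker(xml_text):
    """Return (connector name, finding) pairs for ssl connectors on a
    broker that enables certificate authentication."""
    elems = list(ET.fromstring(xml_text).iter())
    if not any(local(e.tag) == "jaasCertificateAuthenticationPlugin" for e in elems):
        return []  # no certificate login configured, nothing to check
    findings = []
    for e in elems:
        uri = urlsplit(e.get("uri", ""))
        if local(e.tag) != "transportConnector" or uri.scheme != "ssl":
            continue
        opts = {k: v[-1].lower() for k, v in parse_qs(uri.query).items()}
        if opts.get("needClientAuth") == "true":
            continue  # matches the URI that worked in the thread
        if opts.get("transport.needClientAuth") == "true":
            why = "only transport.needClientAuth is set; unprefixed needClientAuth=true is absent"
        else:
            why = "needClientAuth=true is absent"
        findings.append((e.get("name"), why))
    return findings


if __name__ == "__main__":
    for label, cfg in (("failing", FAILING), ("working", WORKING)):
        print(label, audit_broker(cfg))
```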