On 11/07/2013 12:12 PM, darkrwe wrote:
Hi Tim,
thank you for the answer.
I installed Oracle JDK 7 and now I don't get the problems below.
Now I just want to summarize what I do, because my PEM file is problematic
on the client side.
Maybe there is another configuration I could have missed.

I'm getting the error below on the client side (Ubuntu 13.04, same machine
as the client):
Error occurred while accessing an OpenSSL library method:
error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

I'm also getting the error below on the broker side (Ubuntu 13.04, same machine
as the client):
2013-11-07 12:04:22,244 | ERROR | Could not accept connection from tcp://127.0.0.1:55751: javax.net.ssl.SSLException: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[localhost] Task-3

But now I have got these errors from the client:
Error occurred while accessing an OpenSSL library method:
error:0906D06C:PEM routines:PEM_read_bio:no start line
error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib


I use the configuration below in my CMS client:
I also enabled SSL in ActiveMQ (installed OpenSSL and added the proper prefix
to the ActiveMQ installation).

  activemq::library::ActiveMQCPP::initializeLibrary();
  // client certificate and private key, as one PEM file
  decaf::lang::System::setProperty("decaf.net.ssl.keyStore", "/pathToPem/Client.pem");
  // password protecting the private key in that file
  decaf::lang::System::setProperty("decaf.net.ssl.keyStorePassword", "123456");
  // broker certificate(s) the client should trust
  decaf::lang::System::setProperty("decaf.net.ssl.trustStore", "/pathToPem/Broker.pem");
  url = "ssl://localhost:61617";

On the broker side I have done the configuration below:
in activemq.xml:

     <sslContext>
         <sslContext
             keyStore="broker.ks" keyStorePassword="123456"
             trustStore="client.ks" trustStorePassword="123456"/>
     </sslContext>
     <transportConnectors>
          <transportConnector name="ssl" uri="ssl://localhost:61617?needClientAuth=true" />
          <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireformat.maxFrameSize=104857600"/>
          <transportConnector name="amqp" uri="amqp://0.0.0.0:5672?maximumConnections=1000&amp;wireformat.maxFrameSize=104857600"/>
     </transportConnectors>

I also export the SSL_OPTS environment variable before starting the broker:
$ export SSL_OPTS="-Djavax.net.ssl.keyStore=/pathTobrokerks/broker.ks -Djavax.net.ssl.keyStorePassword=123456 -Djavax.net.ssl.trustStore=/pathTobrokerts/broker.ts"

The commands below generate the keystores and certificates:
$ keytool -genkey -alias broker -keyalg RSA -keystore broker.ks
$ keytool -export -alias broker -keystore broker.ks -file broker_cert
$ keytool -genkey -alias client -keyalg RSA -keystore client.ks
$ keytool -import -alias broker -keystore client.ts -file broker_cert
$ keytool -export -alias client -keystore client.ks -file client_cert
$ keytool -import -alias client -keystore broker.ts -file client_cert

I have converted the cert files to PEM files using the commands below:
$ keytool -importkeystore -srckeystore broker.ks -destkeystore broker_cert.p12 -srcstoretype jks -deststoretype pkcs12
$ openssl pkcs12 -in broker_cert.p12 -out Broker.pem
$ keytool -importkeystore -srckeystore client.ks -destkeystore client_cert.p12 -srcstoretype jks -deststoretype pkcs12
$ openssl pkcs12 -in client_cert.p12 -out Client.pem

Is there anything that I miss, or a wrong configuration on the client or
broker side?

Thanks a lot.

--
View this message in context: 
http://activemq.2283324.n4.nabble.com/setting-up-c-client-app-using-CMS-using-SSL-client-certificate-auth-tp4664686p4674024.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.


You need to debug the SSL handshake and see what is going on. You may need to enable other cipher suites etc to allow the broker and client to communicate.

--
Tim Bish
Sr Software Engineer | RedHat Inc.
tim.b...@redhat.com | www.fusesource.com | www.redhat.com
skype: tabish121 | twitter: @tabish121
blog: http://timbish.blogspot.com/
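A structural check for the PEM files produced by the openssl pkcs12 conversion steps in the quoted message, added here as an example; it is not code from the thread or from ActiveMQ-CPP. OpenSSL's "PEM routines:PEM_read_bio:no start line" means it found no "-----BEGIN ...-----" header of the kind it was asked to read, and the client's failing call is SSL_CTX_use_PrivateKey_file, so the first thing to establish is which blocks each file actually contains. The script lists them and reports whether a file can serve as decaf.net.ssl.keyStore (certificate plus private key in one file) or as decaf.net.ssl.trustStore (at least one certificate). The script name and the sample files in the usage comment are assumptions; it needs only sed and grep.

```shell
#!/bin/sh
# Added example, not code from the thread or from ActiveMQ-CPP.
# Structural check of a PEM file before pointing decaf.net.ssl.keyStore or
# decaf.net.ssl.trustStore at it. "PEM routines:PEM_read_bio:no start line"
# means OpenSSL found no "-----BEGIN ...-----" header of the kind it was
# asked to read, so the first question is which blocks the file contains.

# pem_blocks FILE: print the label of every "-----BEGIN <label>-----" line.
pem_blocks() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# pem_is_encrypted FILE: succeed if the private key in FILE is encrypted,
# either as PKCS#8 ("ENCRYPTED PRIVATE KEY", newer openssl pkcs12 output)
# or as a legacy PEM block with a "Proc-Type: 4,ENCRYPTED" header.
pem_is_encrypted() {
  grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----$' \
          -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# pem_check FILE ROLE: ROLE is "keystore" (needs a certificate and a private
# key, which is what decaf.net.ssl.keyStore must point at) or "truststore"
# (needs at least one certificate). Prints what it finds; returns 0 if the
# file can serve that role, 1 otherwise.
pem_check() {
  file=$1
  role=$2
  if [ ! -r "$file" ]; then
    echo "$file: not readable"
    return 1
  fi
  blocks=$(pem_blocks "$file")
  # grep -c exits 1 when the count is 0; "|| true" keeps the count usable
  certs=$(printf '%s\n' "$blocks" | grep -c '^CERTIFICATE$' || true)
  keys=$(printf '%s\n' "$blocks" | grep -c 'PRIVATE KEY$' || true)
  echo "$file: $certs certificate block(s), $keys private key block(s)"
  case $role in
    keystore)
      if [ "$certs" -lt 1 ] || [ "$keys" -lt 1 ]; then
        echo "$file: cannot be used as keyStore (needs certificate + private key)"
        return 1
      fi
      if pem_is_encrypted "$file"; then
        echo "$file: private key is encrypted; keyStorePassword must be the export password"
      fi
      ;;
    truststore)
      if [ "$certs" -lt 1 ]; then
        echo "$file: cannot be used as trustStore (no certificate block)"
        return 1
      fi
      ;;
    *)
      echo "unknown role: $role (use keystore or truststore)"
      return 1
      ;;
  esac
  return 0
}

# Usage (script name and paths assumed):
#   sh pemcheck.sh /pathToPem/Client.pem keystore
#   sh pemcheck.sh /pathToPem/Broker.pem truststore
if [ "$#" -eq 2 ]; then
  pem_check "$1" "$2"
fi
```

Once both files pass, openssl x509 -in Broker.pem -noout -subject -dates shows which certificate the trust store really carries and whether it is still valid. Because the keystore PEM holds the client's private key, it should be readable only by the account running the CMS client.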
