Hi,

Looks your MQ-instances don't recognize the certs offered by the counterparty - as usual with SSL, the errors are pretty obscure.

client.ts @ hostA should have the cert of hostB, and the other way around.

You can check the content of the keystores/truststores with

    keytool -list -storepass $kspassword -keystore $truststore

Importing certs:

    keytool -import -alias $hostname -keystore $truststore -storepass $kspassword -file $certfile

Geurt

-----Original Message-----
From: David Laube [mailto:d...@stormpath.com]
Sent: Monday, February 17, 2014 9:01 PM
To: users@activemq.apache.org
Subject: networkConnector over SSL results in certificate exception - AMQ 5.9.0

Hi All,

We're experiencing some issues trying to get two brokers running on a single host (for simplicity) talking to each other using a networkConnector over SSL. I suspect I'm missing something somewhere, I just haven't found it yet ;)

I've packaged two ActiveMQ 5.9.0 installations into a single project available at https://github.com/dlaube/amq-example along with a script (see below) to generate broker and client keyStores and trustStores according to http://activemq.apache.org/how-do-i-use-ssl.html

The script to generate the broker/client trustStore and keyStores is amq-example/apache-activemq-5.9.0-b/conf/gen-certs.sh

Broker-a = (directory apache-activemq-5.9.0)
Default 5.9.0 config with sslContext and a single networkConnector which connects to Broker-b using the SSL protocol/transport via the following;

    <networkConnector name="NC_toBroker-b_SSL" duplex="true" uri="static:(ssl://localhost:61626)"/>

Broker-b = (directory apache-activemq-5.9.0-b)
An ActiveMQ 5.9.0 config with sslContext and a single transportConnector using the following;

    <transportConnector name="ssl" uri="ssl://0.0.0.0:61626?maximumConnections=1000&wireFormat.maxFrameSize=104857600"/>

Broker-a logs:

    2014-02-17 11:16:20,357 | WARN | Could not start network bridge between: vm://broker-a?async=false&network=true and: ssl://localhost:61626 due to: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed | org.apache.activemq.network.DiscoveryNetworkConnector | ActiveMQ Task-7

Broker-b logs:

    2014-02-17 11:15:20,302 | ERROR | Could not accept connection from tcp://127.0.0.1:50663: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[broker-b] Task-9

I have followed http://activemq.apache.org/certificateunknown.html in that the client ts has been copied to broker-a.

I have also tried setting the following properties inside the ACTIVEMQ_OPTS variable within bin/activemq;

    javax.net.ssl.keyStore=/path/to/client.ks
    javax.net.ssl.keyStorePassword=password
    javax.net.ssl.trustStore=/path/to/client.ts

Does anyone see any problems with my config or keyStore/trustStore setup? Any insight would be greatly appreciated.

Thanks in advance!

Best regards,
-David Laube
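Geurt's keytool -list check, automated as an added example that is not from either message in the thread: it parses two listings (broker-a's keystore and broker-b's truststore) and flags any key certificate whose fingerprint is absent from the counterparty's truststore, which is the situation the certificate_unknown alert and the failed PKIX signature check above point at (a stale cert under the same alias is caught too). It assumes the JDK 7/8 keytool -list output format; the listings and fingerprints below are constructed, not taken from the thread's brokers.

```python
import re

# keytool -list prints, per entry, "<alias>, <date>, <EntryType>," followed by
# "Certificate fingerprint (SHA1): <hex>" (newer JDKs print SHA-256 instead).
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), .*?, (?P<kind>PrivateKeyEntry|trustedCertEntry),$")
FP_RE = re.compile(r"^Certificate fingerprint \(SHA-?\d+\): (?P<fp>[0-9A-Fa-f:]+)$")

def parse_keytool_list(text):
    """Map alias -> (entry kind, upper-case fingerprint) from `keytool -list` output."""
    entries, pending = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            pending = (m.group("alias"), m.group("kind"))
            continue
        m = FP_RE.match(line)
        if m and pending:
            entries[pending[0]] = (pending[1], m.group("fp").upper())
            pending = None
    return entries

def check_trust(keystore_listing, truststore_listing):
    """Every PrivateKeyEntry in the keystore must appear, with the same
    fingerprint, as a trustedCertEntry in the counterparty's truststore.
    Returns the aliases that fail; an empty list means the pair is consistent."""
    trusted = {fp for kind, fp in parse_keytool_list(truststore_listing).values()
               if kind == "trustedCertEntry"}
    return [alias for alias, (kind, fp) in parse_keytool_list(keystore_listing).items()
            if kind == "PrivateKeyEntry" and fp not in trusted]

# Constructed sample listings; the fingerprints are made up, not from the thread.
BROKER_A_KS = """Keystore type: JKS
Your keystore contains 1 entry

broker-a, Feb 17, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
"""
# Truststore holding a stale broker-a cert: same alias, different key.
BROKER_B_TS_STALE = """broker-a, Feb 10, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 01:02:03:04:05:06:07:08:09:10:11:12:13:14:15:16:17:18:19:20
"""
# Truststore holding the current broker-a cert (keytool may print lower-case hex).
BROKER_B_TS_OK = """broker-a, Feb 17, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd
"""

if __name__ == "__main__":
    for name, ts in (("stale", BROKER_B_TS_STALE), ("current", BROKER_B_TS_OK)):
        print(name, "->", check_trust(BROKER_A_KS, ts) or "OK")
```

Run it in both directions (broker-a.ks against broker-b.ts, then broker-b.ks against broker-a.ts), since a duplex bridge needs each side to trust the other.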