Which side is complaining about the bad certificate? Client or server? I assume the server is complaining about the client's cert, since it works when NeedClientAuth=false. Is that right?
Also, does the client's cert's CN match its hostname? Also, this StackOverflow page (http://stackoverflow.com/questions/11799733/received-fatal-alert-bad-certificate) suggests you need the root CA in the truststores as well; I wouldn't have expected that (if the cert itself is trusted, I don't know why the root CA has to be as well), but you might give that a shot to see if it resolves your issue.

Tim

On Wed, Apr 15, 2015 at 1:41 AM, RTactivemq <what2...@yahoo.com> wrote:
> Hello, I've searched the forums, google sites, and of course ActiveMQ's
> website for an answer but I am unable to find one.
>
> I will start off by giving some basic information about my setup.
>
> First, my activemq broker is running out of a JBoss AM-Q system with
> versions:
>
> server version: Apache activemq 5.9.0.redhat-611416 running on java 1.7
>
> My client is a Windows 7 java project running out of Eclipse Luna using
> java jdk 1.7.
>
> The API I'm using is org.apache.qpid.amqp_1_0.jms and some of the
> javax.jms libraries.
>
> My objective is fairly simple: take the examples given in the activemq
> release running out of an eclipse project and add 2-way authentication
> functionality.
>
> Actions Taken:
>
> I will start off by saying I fully read the How do I use SSL page on
> apache's website. Getting 1-way authentication to work went fine, and I
> can send and receive messages just fine. Two-way authentication is
> proving most difficult.
>
> On the broker, I have a keystore and truststore already provided. Also, I
> have been provided with a certificate for that machine that matches the
> MD5 found in the keystore.jks. So I know that the certificate matches the
> keystore.
>
> On the client machine I created a keystore first. I ran the command in
> Cygwin:
>
>     "$JAVA_HOME/bin/keytool" -genkey -alias client -keyalg RSA -keystore client.ks
>
> This created the ks file, from which I exported a certificate.
>
> I took the broker's certificate and imported it into a truststore on the
> client machine. Like above, I used my Java keytool, with options:
>
>     -import -alias eap6 -keystore client.ts -file <provided broker cert>
>
> On the broker machine, I did the same thing. I went into the truststore
> and imported the client_cert, using the alias client.
>
> Development:
>
> As stated, I started off with the examples provided by ActiveMQ in the
> examples directory for establishing a connection between client and
> broker using the amqp protocol.
>
> So my send message looks like this:
>
> I set host, port, and clientid and pass those to a constructor that uses
> the code below. I then attempt to create a connection. One-way ssl works
> without the authentication, so leaving the user and password blank I
> assume is fine?
>
>     try {
>         ConnectionFactoryImpl factory = new ConnectionFactoryImpl(uri, port, "", "", client, true);
>         connection = factory.createConnection("", "");
>         connection.start();
>         session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
>     } catch (Exception e) {
>         LOGGER.log(Level.SEVERE, "Exception caught:", e);
>     }
>
> I then have a send method. Destination looks like this:
>
>     private Destination destination = new QueueImpl("queue://amqp-ssl-q");
>
>     try {
>         MessageProducer producer = session.createProducer(destination);
>         LOGGER.info(" [x] Creating message");
>
>         TextMessage msg = session.createTextMessage("Hello World!");
>         producer.send(msg);
>         LOGGER.info(" [x] Sent Message");
>     } catch (JMSException e) {
>         LOGGER.log(Level.SEVERE, "[X] Send Failed:", e);
>     }
>
> Configuration:
>
> I know the server and client need ways of getting the keystore and client.
> On the broker, I use the activemq.xml to set this:
>
>     <sslContext>
>         <sslContext
>             keyStore="/security/ssl/keystore/keystore.jks"
>             keyStorePassword="%{keystore.password}"
>             trustStore="/security/ssl/truststore/truststore.jks"
>             trustStorePassword="%{truststore.password}"
>         />
>     </sslContext>
>
> I set up the transport connector as such:
>
>     <transportConnector name="amqp+ssl"
>         uri="amqp+ssl://0.0.0.0:5671?transport.needClientAuth=true"/>
>
> In eclipse I went into the Run Configurations and under arguments -> vm
> arguments, I set the path to my truststore and keystore like so:
>
>     -Djavax.net.ssl.keyStore=C:/<path>/<to>/<keystore>/client.ks
>     -Djavax.net.ssl.keyStorePassword="<password>"
>     -Djavax.net.ssl.trustStore=C:/<path>/<to>/<truststore>/client.ts
>     -Djavax.net.ssl.trustStorePassword="<password>"
>     -Djavax.net.debug=ssl
>
> The following parameters I added because the debugger in eclipse had null
> for these values. Before I used them I was just using the ones above. It
> didn't seem to make a difference. But I was desperate, so I added these to
> the vm arguments. I should also note that I also tried adding just the
> path to the property but not including the file, like the keystore below.
> So I tried running the send with the parameters below, missing the file at
> the end, and then with the file.
>
>     -Djavax.net.ssl.trustStorePath=C:/<path>/<to>/<trustStore>/client.ts
>     -Djavax.net.ssl.keyStorePath=C:/<path>/<to>/<keystore>
>
> Error:
>
> When I run this, it complains about a bad certificate.
>
>     main, WRITE: TLSv1 Handshake, length = 48
>     main, READ: TLSv1 Alert, length = 2
>     main, RECV TLSv1 ALERT: fatal, bad_certificate
>     %% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
>     main, called closeSocket()
>     main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
>
>     javax.jms.JMSException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
>         at org.apache.qpid.amqp_1_0.jms.impl.ConnectionImpl.connect(ConnectionImpl.java:193)
>         at org.apache.qpid.amqp_1_0.jms.impl.ConnectionImpl.start(ConnectionImpl.java:365)
>     Caused by: org.apache.qpid.amqp_1_0.client.ConnectionException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
>         at org.apache.qpid.amqp_1_0.client.TCPTransportProvider.connect(TCPTransportProvider.java:203)
>         at org.apache.qpid.amqp_1_0.client.Connection.<init>(Connection.java:278)
>         at org.apache.qpid.amqp_1_0.client.Connection.<init>(Connection.java:167)
>         at org.apache.qpid.amqp_1_0.jms.impl.ConnectionImpl.connect(ConnectionImpl.java:173)
>         ... 3 more
>     Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
>         at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979)
>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086)
>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
>         at org.apache.qpid.amqp_1_0.client.TCPTransportProvider.connect(TCPTransportProvider.java:106)
>         ... 6 more
>
> Questions:
>
> Does this seem like I am doing something incorrectly? I really don't
> understand where I have made a mistake. The instructions are fairly
> straightforward in setting up the keystore and truststore in the How do I
> use SSL page. Also, I don't think I'm doing anything radical here with the
> client side code, as I am basing it off the provided activemq release
> examples. One-way also works fine, so it is pulling the broker's
> certificate just fine when I set NeedClientAuth=false.
>
> If anyone has ideas, I would be happy to try them. Also, if more
> information is needed I will do what I can to provide it.
>
>
>
> --
> View this message in context:
> http://activemq.2283324.n4.nabble.com/ActiveMQ-2-Way-Authentication-tp4694960.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
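Editor's added example (not from this thread, and not ActiveMQ or Qpid code). A server that requires client authentication sends the bad_certificate alert in two common situations: the client presents no certificate at all (the default SunX509 key manager finds no usable PrivateKeyEntry in javax.net.ssl.keyStore, for instance because the key password differs from the keystore password), or the certificate it presents is not anchored in the broker's truststore (neither the self-signed leaf nor one of its issuers is a trusted entry). The program below opens the two JKS files offline and reports which of those conditions applies, comparing entries by SHA-1 fingerprint the way keytool prints them. The file names and command-line arguments are assumptions; use your own paths.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added diagnostic for a needClientAuth=true broker answering bad_certificate.
 * Usage (paths are assumptions): java TwoWaySslCheck client.ks ksPassword broker.ts tsPassword
 */
public class TwoWaySslCheck {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** SHA-1 fingerprint in keytool's AA:BB:... form, used only to match entries. */
    static String fingerprint(Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    /** fingerprint -> alias for every certificate the trust store holds. */
    static Map<String, String> trustedCerts(KeyStore ts) throws Exception {
        Map<String, String> m = new HashMap<>();
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ts.getCertificate(alias);
            if (c != null) m.put(fingerprint(c), alias);
        }
        return m;
    }

    /** Empty list = the client chain should pass the broker's default PKIX trust manager. */
    static List<String> check(KeyStore clientKs, char[] keyPassword, KeyStore brokerTs) throws Exception {
        List<String> problems = new ArrayList<>();
        Map<String, String> trusted = trustedCerts(brokerTs);
        int keyEntries = 0;
        for (Enumeration<String> e = clientKs.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!clientKs.isKeyEntry(alias)) continue; // trustedCertEntry: no private key, never presented
            keyEntries++;
            // SunX509 unlocks keys with javax.net.ssl.keyStorePassword; a different key
            // password means the entry is skipped and no client certificate is sent.
            try {
                clientKs.getKey(alias, keyPassword);
            } catch (UnrecoverableKeyException ex) {
                problems.add(alias + ": private key does not open with the keystore password");
            }
            Certificate[] chain = clientKs.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            try {
                leaf.checkValidity();
            } catch (CertificateException ex) {
                problems.add(alias + ": certificate not currently valid (" + ex.getMessage() + ")");
            }
            // PKIX accepts the chain when the leaf itself, or an issuer included in the
            // chain, is a trusted entry. A self-signed leaf must therefore be imported itself.
            String anchor = null;
            for (Certificate c : chain) {
                String fp = fingerprint(c);
                if (trusted.containsKey(fp)) { anchor = trusted.get(fp); break; }
            }
            boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
            if (anchor == null) {
                problems.add(alias + ": " + leaf.getSubjectX500Principal()
                        + (selfSigned ? " (self-signed)" : " and its issuer " + leaf.getIssuerX500Principal())
                        + " not in broker trust store; leaf SHA1 " + fingerprint(leaf));
            }
        }
        if (keyEntries == 0) {
            problems.add("client keystore has no PrivateKeyEntry: the client sends an empty"
                    + " Certificate message and a needClientAuth=true server replies bad_certificate");
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TwoWaySslCheck client.ks ksPassword broker.ts tsPassword");
            System.exit(2);
        }
        KeyStore clientKs = load(args[0], args[1].toCharArray());
        KeyStore brokerTs = load(args[2], args[3].toCharArray());
        List<String> problems = check(clientKs, args[1].toCharArray(), brokerTs);
        if (problems.isEmpty()) {
            System.out.println("OK: client chain is anchored in the broker trust store");
            return;
        }
        for (String p : problems) System.out.println("PROBLEM: " + p);
        System.exit(1);
    }
}
```

Run it with the broker's truststore copied next to the client keystore. To confirm the first condition from the client side, the -Djavax.net.debug=ssl output already being captured is enough: look for the "*** Certificate chain" section the client writes just before the alert; if it is followed by "<Empty>", the client never presented a certificate and the truststore on the broker is not the problem yet.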