I was able to finally get certificate authentication to work. An issue I was
running into was using Username/Password along with Certificate authentication.
What I had always used within my activemq.xml file had to change.
<jaasAuthenticationPlugin configuration="queueAuth"/>
This was my original setting and worked for all transport connectors; I only use
SSL transports. This allows for a username/password combination when
connecting to the broker and accessing queues.
<jaasCertificateAuthenticationPlugin sslConfiguration="queueAuth"/>
This is the change I made to allow for certificates to perform mTLS but this
also prevented username/password from working.
<jaasDualAuthenticationPlugin sslConfiguration="queueAuth"/>
The above setting is supposed to allow for either username/password or
certificate authentication; this is what I am testing now and running into some
issues.
Here is the setting I used on a test/development broker and it worked correctly.
users.properties
user=CN=MY_CERT, OU=MY_OU, O=MY_O, L=MY_LOCATION, ST=MY_STATE, C=MY_COUNTRY
groups.properties
group=CN=MY_CERT, OU=MY_OU, O=MY_O, L=MY_LOCATION, ST=MY_STATE, C=MY_COUNTRY
admins=admin,user,group
I was able to connect to the broker and queues to perform the actions I needed.
I have since removed the user and group from the admins entry and I am only
assigning the permissions the user actually needed and running into a
permissions error. I can see the user connect and I can see that the certificate
authentication succeeds; at this point the end user is prompted with a
permissions error stating they do not have the rights needed/required.
Here are the permissions that I have set for the end user, any suggestions on
what permissions I am missing?
<authorizationEntry queue="QUEUE_GET" read="user,group,admins" write="admins"
admin="admins"/>
<authorizationEntry topic="ActiveMQ.Advisory.Consumer.Queue.QUEUE_GET"
read="user,group,admins" write="user,group,admins" admin="admins"/>
<authorizationEntry topic="ActiveMQ.Advisory.SlowConsumer.Queue.QUEUE_GET"
read="user,group,admins" write="user,group,admins" admin="admins"/>
<authorizationEntry topic="ActiveMQ.Advisory.TempQueue.Queue.QUEUE_GET"
read="user,group,admins" write="user,group,admins" admin="admins"/>
<authorizationEntry topic="ActiveMQ.Advisory.TempTopic.Topic.QUEUE_GET"
read="user,group,admins" write="user,group,admins" admin="admins"/>
<authorizationEntry queue="QUEUE_PUT" read="admins" write="user,group,admins"
admin="admins"/>
<authorizationEntry topic="ActiveMQ.Advisory.Producer.Queue.QUEUE_PUT"
read="user,group,admins" write="user,group,admins" admin="admins"/>
<authorizationEntry topic="ActiveMQ.Advisory.TempQueue.Queue.QUEUE_PUT"
read="user,group,admins" write="user,group,admins" admin="admins"/>
<authorizationEntry topic="ActiveMQ.Advisory.TempTopic.Topic.QUEUE_PUT"
read="user,group,admins" write="user,group,admins" admin="admins"/>
<authorizationEntry topic="ActiveMQ.Advisory.TempQueue"
read="user,group,admins" write="user,group,admins" admin="admins"/>
<authorizationEntry topic="ActiveMQ.Advisory.TempTopic"
read="user,group,admins" write="user,group,admins" admin="admins"/>
Here is an example of the error that the end user receives.
Fatal JMS authorization error: user is not permitted to access the queue.
Stopping program.
javax.jms.JMSSecurityException: User CN=MY_CERT, OU=MY_OU, O=MY_O, L=MY_LOCATION, ST=MY_STATE, C=MY_COUNTRY is not authorized to read from: queue://QUEUE_GET
at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:65) ~[activemq-client-5.19.7.jar:5.19.7]
at org.apache.activemq.ActiveMQConnection.syncSendPacket(ActiveMQConnection.java:1465) ~[activemq-client-5.19.7.jar:5.19.7]
at org.apache.activemq.ActiveMQConnection.syncSendPacket(ActiveMQConnection.java:1498) ~[activemq-client-5.19.7.jar:5.19.7]
at org.apache.activemq.ActiveMQSession.syncSendPacket(ActiveMQSession.java:2159) ~[activemq-client-5.19.7.jar:5.19.7]
at org.apache.activemq.ActiveMQMessageConsumer.<init>(ActiveMQMessageConsumer.java:294) ~[activemq-client-5.19.7.jar:5.19.7]
at org.apache.activemq.ActiveMQSession.createConsumer(ActiveMQSession.java:1326) ~[activemq-client-5.19.7.jar:5.19.7]
at org.apache.activemq.ActiveMQSession.createConsumer(ActiveMQSession.java:1269) ~[activemq-client-5.19.7.jar:5.19.7]
at org.apache.activemq.ActiveMQSession.createConsumer(ActiveMQSession.java:1181) ~[activemq-client-5.19.7.jar:5.19.7]
at org.apache.activemq.ActiveMQSession.createConsumer(ActiveMQSession.java:1153) ~[activemq-client-5.19.7.jar:5.19.7]
at application.activemq.Get.createConsumer(Get.java:898) ~[jmscommlib-1.0.0-SNAPSHOT.jar:?]
at application.activemq.Get.startReceive(Get.java:850) [jmscommlib-1.0.0-SNAPSHOT.jar:?]
at application.activemq.Get.setup(Get.java:381) [jmscommlib-1.0.0-SNAPSHOT.jar:?]
at application.activemq.Get.main(Get.java:289) [jmscommlib-1.0.0-SNAPSHOT.jar:?]
Caused by: java.lang.SecurityException: User CN=MY_CERT, OU=MY_OU, O=MY_O, L=MY_LOCATION, ST=MY_STATE, C=MY_COUNTRY is not authorized
Any suggestions are appreciated.
Thank you.
Jason
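An added illustration, not code from this thread or from ActiveMQ itself: a small model of the lookups that take a client certificate DN to a user name and a group set, and then decide an authorizationEntry read check, run over the users.properties and authorizationEntry values quoted above. It assumes the semantics of ActiveMQ's TextFileCertificateLoginModule, where users.properties maps user=DN, groups.properties maps group=user1,user2 (a list of user names, not DNs), and the read/write/admin attributes of authorizationEntry name groups; the three groups.properties variants are constructed for comparison.

```python
# Added example (not from the thread). ASSUMPTION: mirrors ActiveMQ's
# TextFileCertificateLoginModule lookups: users.properties = user=DN,
# groups.properties = group=user1,user2 (user names), and authorizationEntry
# read/write/admin attributes list group names, not user names.

DN = "CN=MY_CERT, OU=MY_OU, O=MY_O, L=MY_LOCATION, ST=MY_STATE, C=MY_COUNTRY"
USERS = "user=" + DN

# Constructed groups.properties variants: the thread's working one, the one
# after 'user' and 'group' were dropped from admins, and one that lists the
# user name (not the DN) as the member of 'group'.
GROUPS_WORKING = "group=" + DN + "\nadmins=admin,user,group"
GROUPS_STRIPPED = "group=" + DN + "\nadmins=admin"
GROUPS_BY_NAME = "group=user\nadmins=admin"

# The thread's QUEUE_GET entry reduced to its read list.
ENTRIES = {"QUEUE_GET": {"read": "user,group,admins"}}


def parse_properties(text):
    """Parse key=value lines; the first '=' separates key from value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def user_for_dn(dn, users):
    """Reverse lookup: the configured user name owning this DN, or None."""
    return next((name for name, d in users.items() if d == dn), None)


def groups_for_user(username, groups):
    """A group value is a comma-separated list of user names."""
    return {g for g, members in groups.items()
            if username in {m.strip() for m in members.split(",")}}


def may_read(queue, principal_groups, entries):
    """Read is granted when one of the principal's groups is in the read list."""
    allowed = {g.strip() for g in entries[queue]["read"].split(",")}
    return bool(allowed & principal_groups)


def check(groups_text, queue="QUEUE_GET"):
    """Full path: DN -> user name -> groups -> authorization decision."""
    user = user_for_dn(DN, parse_properties(USERS))
    groups = groups_for_user(user, parse_properties(groups_text))
    return user, sorted(groups), may_read(queue, groups, ENTRIES)
```

Running check() on the three variants shows which group names the DN actually ends up carrying into the authorization check, and that a DN placed in a groups.properties value never matches a user name.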
________________________________
From: Christopher Shannon <[email protected]>
Sent: Thursday, June 11, 2026 11:08 AM
To: [email protected] <[email protected]>
Subject: Re: ActiveMQ Classic 6.2.6 mTLS Failure and Assistance
So your certs are properly working now? It looked like the original
transport config was wrong, it should be
"transport.needClientAuth=true" on the URL but I'm guessing you
figured that out if it is working.
For the clients that it's failing username/password for when using
dual mode, is a cert still set by the client? Looking at the code it
will only process username and password if the client does not present
a certificate.
Chris
On Tue, Jun 9, 2026 at 2:11 PM Jason Jackson <[email protected]> wrote:
>
> Another update
>
> I now have the following configured and working
>
> activemq.xml
> <jaasDualAuthenticationPlugin configuration="queueUserModules"
> sslConfiguration="queueCertModules"/>
>
> The certificate-based authentication works but the username and password
> authentication fails.
>
> Any configuration setting suggestions for the jaasDualAuthentication plugin
>
>
> Jason
>
>
> ________________________________
> From: Jason Jackson <[email protected]>
> Sent: Tuesday, June 9, 2026 1:16 PM
> To: [email protected] <[email protected]>
> Subject: Re: ActiveMQ Classic 6.2.6 mTLS Failure and Assistance
>
> After continued troubleshooting and testing, I have been able to get mTLS to
> work.
>
> Here is how I was able to get mTLS to work correctly
>
> activemq.xml
> <!-- <jaasAuthenticationPlugin configuration="queueModules"/> -->
> <jaasCertificateAuthenticationPlugin configuration="queueModules"/>
>
> The issue I have now is I have some accounts that provide a username and
> password and also need the ability for certificate-based authentication.
>
> I have tried the following
>
> <jaasDualAuthenticationPlugin configuration="queueModules"/>
>
> This causes all authentication methods to fail; meaning username and password
> as well as certificate authentication all fail.
>
> Are there any suggestions on how to enable username and password along with
> certificate authentication at the same time?
>
>
> Jason
>
>
> ________________________________
> From: Jason Jackson <[email protected]>
> Sent: Tuesday, June 9, 2026 9:40 AM
> To: [email protected] <[email protected]>
> Subject: ActiveMQ Classic 6.2.6 mTLS Failure and Assistance
>
> I am using ActiveMQ in a Linux environment with OpenJDK 17.x.
>
> I have a JAVA Client that is connecting to the ActiveMQ broker but fails to
> authenticate/authorize using mTLS using SSL Certificates. The client is able
> to reach the broker, perform all of the necessary handshakes, attempts the
> connection and fails on the authentication portion. I see all of the
> communication and failures within the broker log files and see the connection
> attempt.
>
> I have enabled debug logging on the client and broker, the client provides
> the following information:
>
> Caused by: java.lang.SecurityException: User name [null] or password is
> invalid.
>
> Looking through the broker log files I see the client connection and see that
> userName = null and password = ****. From the documentation I found this is
> expected if JAAS is configured for certificate authentication.
>
> The client logs the additional information after the above:
>
> Caused by: javax.security.auth.login.LoginException: Client certificates not
> found. Cannot authenticate
>
> My client and broker certificates have the following:
>
>
> 1. Client/server certificates
> 2. X.509 certificates
> 3. Signed by the same intermediate
> 4. Signed by the same root
>
> I am using the same P12 for the keystore and truststore, I am not sure if
> these must be separated for mTLS to function correctly.
>
> My broker transport is configured the following way
>
> activemq.xml
> <transportConnectors>
> <transportConnector name="nio+ssl_6161"
> uri="nio+ssl://host_name:6161?verifyHostName=false&amp;needClientAuth=true"/>
> </transportConnectors>
>
> login.conf
> certModule (Tried this the first time)
> {
> org.apache.activemq.jaas.TextFileCertificateLoginModule required
> org.apache.activemq.jaas.textfiledn.user=users.properties
> org.apache.activemq.jaas.textfiledn.group=groups.properties
> }
>
> certModule (Tried this the second time)
> {
> org.apache.activemq.jaas.CertificateLoginModule required
> org.apache.activemq.jaas.textfiledn.user=users.properties
> org.apache.activemq.jaas.textfiledn.group=groups.properties
> }
>
> users.properties
> partner=CN=PARTNER, OU=My Sub Org, O=My Org, L=City, ST=State, C=Country
>
> groups.properties
> partnerg=CN=PARTNER, OU=My Sub Org, O=My Org, L=City, ST=State, C=Country
> Admin=admin,partner,partnerg
>
>
> The JAVA ActiveMQ client has the following set and connects using the
> following options:
>
> import javax.jms.Connection;
> import javax.jms.Session;
> import org.apache.activemq.ActiveMQSslConnectionFactory;
>
> // verifyHostName is a URI option, so it belongs inside the string literal
> String brokerConnection = "nio+ssl://host_name:6161?verifyHostName=false";
> ActiveMQSslConnectionFactory connectionFactory =
> new ActiveMQSslConnectionFactory(brokerConnection);
> // The same PKCS12 file is used as key store (client cert + key) and trust store
> connectionFactory.setKeyStore("myKeyStore.p12");
> connectionFactory.setKeyStorePassword("myPassword");
> connectionFactory.setKeyStoreType("PKCS12");
> connectionFactory.setTrustStore("myKeyStore.p12");
> connectionFactory.setTrustStorePassword("myPassword");
> connectionFactory.setTrustStoreType("PKCS12");
> Connection connection = connectionFactory.createConnection();
> connection.start();
> Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
>
> What am I missing on the client or broker side that would allow mTLS to be
> successful?
>
>
>
> Jason
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact