Client side SSL with specified Key and Truststores


Client side SSL with specified Key and Truststores

ee7arh
Hi,

I have a broker application which needs to connect to another broker using fake certificates. Therefore I followed the instructions on the ActiveMQ website and created certificates and imported them as described in the tutorial:

http://activemq.apache.org/how-do-i-use-ssl.html (ActiveMQ SSL HowTo)

When I set system wide properties as follows, it works fine:

javax.net.ssl.keyStore=/path/to/client.ks
javax.net.ssl.keyStorePassword=password
javax.net.ssl.trustStore=/path/to/client.ts

However my broker also needs to connect using SSL in other unrelated parts of the application and since I have overridden the default keystores, I am having problems since I have overridden the default Java keystore.

In the tutorial it offers a solution on the broker side of things to get around this by using the "sslContext" property in the broker. However it does not offer a solution from the client's perspective.

I tried downloading the 2nd patch from:

 http://issues.apache.org/activemq/browse/AMQ-1754

so that I can set the Keystore and Truststores on the factory level but this simply did not work. It looks like even though I override the ConnectionFactory, it is never used.

I am setting up the following Beans from Spring so that I can connect via Camel. Notice I have overridden the ActiveMQConnectionFactory with the patch:

<bean id="sslConnectionFactory" class="com.downloadedfrom.amq1754.ActiveMQSslConnectionFactoryx">
    <property name="brokerURL" value="failover:(ssl:remoteHostBroker:1818)?startupMaxReconnectAttempts=5&amp;initialReconnectDelay=1000&amp;useExponentialBackOff=true" />
    <property name="userName" value="${jms.username}" />
    <property name="password" value="${jms.password}" />
    <property name="keyStore" value="../config/client.ks" />
    <property name="keyStorePassword" value="password" />
    <property name="trustStore" value="../config/client.ts" />
    <property name="trustStorePassword" value="password" />
</bean>

<!-- Queue connection so that Camel can use the connection -->
<bean id="myJmsComponent" class="org.apache.activemq.camel.component.ActiveMQComponent">
    <property name="connectionFactory">
        <bean id="conxFactory" factory-bean="sslConnectionFactory" factory-method="getInstance"/>
    </property>
</bean>

I modified the patch slightly so that it can be instantiated from Spring, here is my modified version.

http://old.nabble.com/file/p27824328/ActiveMQSslConnectionFactoryx.java (ActiveMQSslConnectionFactoryx.java)


When I try to connect, I always get this error which indicates that the certificate is not found:

Could not refresh JMS Connection for destination '2eQueue' - retrying in 5000 ms. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Does anyone have an idea how I can specify the trust and keystores on a specific connection rather than having to rely on the system-wide properties?

Thanks and best regards
Andrew

Re: Client side SSL with specified Key and Truststores

dejanb
Hi,

I just created an enhancement request to allow configuring clients with
<sslContext> tag - https://issues.apache.org/activemq/browse/AMQ-2642

I haven't looked at the AMQ-1754 patch yet, but this message usually appears
when certificates cannot be found. Are you sure you have keystore/truststore
in the right places?

Cheers
--
Dejan Bosanac - http://twitter.com/dejanb

Open Source Integration - http://fusesource.com/
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net


On Mon, Mar 8, 2010 at 6:07 PM, ee7arh <[hidden email]> wrote:

>
> Hi,
>
> I have a broker application which needs to connect to another broker using
> fake certificates. Therefore I followed the instructions on the ActiveMQ
> website
> and created certificates and imported them as described in the tutorial:
>
> http://activemq.apache.org/how-do-i-use-ssl.html ActiveMQ SSL HowTo
>
> When I set system wide properties as follows, it works fine:
>
> javax.net.ssl.keyStore=/path/to/client.ks
> javax.net.ssl.keyStorePassword=password
> javax.net.ssl.trustStore=/path/to/client.ts
>
> However my broker also needs to connect using SSL in other unrelated parts
> of the application and since I have overridden the default keystores, I am
> having problems since I have overridden the default Java keystore.
>
> In the tutorial it offers a solution on the broker side of things to get
> around this by using the "sslContext" property in the broker. However it
> does not offer a solution from the client's perspective.
>
> I tried downloading the 2nd patch from:
>
> http://issues.apache.org/activemq/browse/AMQ-1754
>
> so that I can set the Keystore and Truststores on the factory level but
> this
> simply did not work. It looks like even though I override the
> ConnectionFactory, it is never used.
>
> I am setting up the following Beans from Spring so that I can connect via
> Camel. Notice I have overridden the ActiveMQConnectionFactory with the
> patch:
>
> <bean id="sslConnectionFactory" class="com.downloadedfrom.amq1754.ActiveMQSslConnectionFactoryx">
>     <property name="brokerURL" value="failover:(ssl:remoteHostBroker:1818)?startupMaxReconnectAttempts=5&amp;initialReconnectDelay=1000&amp;useExponentialBackOff=true" />
>     <property name="userName" value="${jms.username}" />
>     <property name="password" value="${jms.password}" />
>     <property name="keyStore" value="../config/client.ks" />
>     <property name="keyStorePassword" value="password" />
>     <property name="trustStore" value="../config/client.ts" />
>     <property name="trustStorePassword" value="password" />
> </bean>
>
> <!-- Queue connection so that Camel can use the connection -->
> <bean id="myJmsComponent" class="org.apache.activemq.camel.component.ActiveMQComponent">
>     <property name="connectionFactory">
>         <bean id="conxFactory" factory-bean="sslConnectionFactory" factory-method="getInstance"/>
>     </property>
> </bean>
>
> I modified the patch slightly so that it can be instantiated from Spring,
> here is my modified version.
>
> http://old.nabble.com/file/p27824328/ActiveMQSslConnectionFactoryx.java
> ActiveMQSslConnectionFactoryx.java
>
>
> When I try to connect, I always get this error which indicates that the
> certificate is not found:
>
> Could not refresh JMS Connection for destination '2eQueue' - retrying in 5000 ms. Cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
>
> Does anyone have an idea how I can specify the trust and keystores on a
> specific connection rather than having to rely on the system-wide
> properties?
>
> Thanks and best regards
> Andrew

Re: Client side SSL with specified Key and Truststores

ee7arh
Hi,

We have traced the problem down to the failover transport.

If the "failover" transport is removed from the configuration I showed above, then the Trust and KeyManagers are overridden as expected and the certificates are validated against our own keystore.

As soon as failover is added back in, we see that validation of certificates is performed against the default Java "cacerts" instead of our own keystore. So it looks like Failover is not using our overridden instance of ActiveMQConnectionFactory anymore.

Here are some SSL logs when Failover is included which show that the default java truststore is used:

keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: /usr/lib/jvm/java-6-sun-1.6.0.16/jre/lib/security/cacerts
trustStore type is : jks


Does this sound like a bug or is there something we can do to ensure that Failover makes use of our overridden ConnectionFactory?

Thanks and best regards
Andrew
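A plain-JSSE example added here (it is not code from this thread or from ActiveMQ) that builds an SSLContext from client.ks and client.ts without setting any javax.net.ssl.* system property, and wraps the trust manager so every handshake it validates is logged; the key and trust managers it produces are what a per-connection factory such as the patched ActiveMQSslConnectionFactoryx in the first post would install. The class name, the AuditingTrustManager wrapper and the VALIDATED counter are assumptions of this example; the store paths and passwords are taken from the bean definition above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Builds an SSLContext from explicit JKS stores and records every handshake it validates (example class, hypothetical name). */
public final class ExplicitStoreSslContext {
    /** Incremented per validated server chain; stays at zero if a reconnect silently fell back to the JRE's cacerts. */
    public static final AtomicInteger VALIDATED = new AtomicInteger();

    private static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    /** Delegates to the trust manager built from client.ts and logs each server certificate it checks. */
    private static final class AuditingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        AuditingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkServerTrusted(chain, authType); // throws unless the chain is anchored in client.ts
            VALIDATED.incrementAndGet();
            System.out.println("validated against explicit truststore: " + chain[0].getSubjectX500Principal());
        }
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** Example call: build("../config/client.ks", pw, "../config/client.ts", pw), the values from the bean above. */
    public static SSLContext build(String keyStore, char[] keyStorePw, String trustStore, char[] trustStorePw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStore, keyStorePw), keyStorePw);          // client.ks: our own certificate and key
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStore, trustStorePw));                  // client.ts: the remote broker's certificate
        TrustManager[] tms = tmf.getTrustManagers();
        for (int i = 0; i < tms.length; i++) {
            if (tms[i] instanceof X509TrustManager) tms[i] = new AuditingTrustManager((X509TrustManager) tms[i]);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tms, null); // this context, not the JVM default, is what the transport must use
        return ctx;
    }
}
```

With this context's socket factory in use, each successful handshake prints the broker certificate's subject; a failover reconnect that produces the cacerts path in the JSSE debug output above but no such line has bypassed the explicit store.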

Re: Client side SSL with specified Key and Truststores

fabien.bk
Hello,

We are running into the same exact problem: the failover reconnection process does not use our specific truststore file but the default one (cacerts.jks in GlassFish 2.1), even though we are redefining the system-wide property "javax.net.ssl.trustStore".

Is there a recommended workaround besides adding the certificates to the default truststore?

Thanks a lot,

Fabien