ejp*_*jpb 5 ssl activemq-classic mutual-authentication
我正在尝试设置 ActiveMQ 进行相互身份验证,客户端需要一个证书才能将消息传递给代理。我在代理上创建了一个密钥库和一个信任库,并导出了复制到客户端的证书。在客户端,我做了同样的事情,尽管我使用的是 NMS,所以我只使用导出的证书,并将其添加到代理的信任库中。我还将证书添加到其他计算机的本地计算机受信任根证书中。
经纪人的配置是这样的:
<transportConnectors>
<transportConnector name="ssl" uri="ssl://0.0.0.0:61616"/>
</transportConnectors>
<sslContext>
<sslContext keyStore="file:${activemq.base}/conf/keystore.jks"
keyStorePassword="ksPass"
trustStore="file:${activemq.base}/conf/shared.ks"
trustStorePassword="ksPass"/>
</sslContext>
<plugins>
<jaasCertificateAuthenticationPlugin configuration="CertLogin" />
</plugins>
amq 服务wrapper.conf有
wrapper.java.additional.8=-Djava.security.auth.login.config="%ACTIVEMQ_CONF%/login.config"
${activemq.base}/conf/login.config
CertLogin {
org.apache.activemq.jaas.TextFileCertificateLoginModule required
debug=true
org.apache.activemq.jaas.textfiledn.user="users.properties"
org.apache.activemq.jaas.textfiledn.group="groups.properties";
};
${activemq.base}/conf/user.properties 有
user=CN=nms.client.170,\ OU=IT,\ O=MyOrg,\ L=Oslo,\ S=Oslo,\ C=NO
${activemq.base}/conf/groups.properties 有
admins=system
users=system,user
在 NMS 客户端的 appSettings 中,我使用它来连接:
< add key="jms.uri" value="ssl://brokeraddress.in.hosts:61616?needClientAuth=true&wantClientAuth=true&transport.clientCertSubject=nms.client.170&transport.clientCertPassword=ksClientPw&transport.clientCertFilename=C:\TestClient\client170.crt" />
如果我在代理中没有 jaasCertificateAuthenticationPlugin,我可以通过 ssl 连接,但有了它(这就是我的想法),我会收到错误,它在Apache.NMS.ActiveMQ.Connection中失败
获取 ExeptionResponse: "java .lang.SecurityException:无法在没有 SSL 证书的情况下验证传输。”
// Send the connection and see if an ack/nak is returned.
Response response = transport.Request(this.info, this.RequestTimeout);
跟踪显示:
10:19:16,479 INFO Client.MyTrace - BrokerUri set = ssl://brokeraddress.in.hosts:61616?transport.clientcertpassword=ksClient&transport.clientcertsubject=nms.client.170&needclientauth=true&wantclientauth=true&transport.clientcertfilename=C:\TestClient\client170.crt
10:19:16,492 DEBUG Client.MyTrace - SetProperties called with target: ConnectionFactory, and prefix: connection.
10:19:16,492 DEBUG Client.MyTrace - SetProperties called with target: ConnectionFactory, and prefix: nms.
10:19:16,495 INFO Client.MyTrace - Connecting to: ssl://brokeraddress.in.hosts:61616/?transport.clientcertpassword=ksClient&transport.clientcertsubject=nms.client.170&needclientauth=true&wantclientauth=true&transport.clientcertfilename=C:\TestClient\client170.crt
10:19:16,497 DEBUG Client.MyTrace - Searching Assembly: Apache.NMS.ActiveMQ for factory of the id: ssl
10:19:16,549 DEBUG Client.MyTrace - Found the Factory of type Apache.NMS.ActiveMQ.Transport.Tcp.SslTransportFactory for id: ssl
10:19:16,552 DEBUG Client.MyTrace - Opening socket to: brokeraddress.in.hosts on port: 61616
10:19:16,554 DEBUG Client.MyTrace - Connected to brokeraddress.in.hosts:61616 using InterNetwork protocol.
10:19:16,562 DEBUG Client.MyTrace - Creating new instance of the SSL Transport.
10:19:16,564 DEBUG Client.MyTrace - Creating Inactivity Monitor: 1
10:19:16,677 DEBUG Client.MyTrace - Authorizing as Client for Server: brokeraddress.in.hosts
10:19:16,679 DEBUG Client.MyTrace - Attempting to load Client Certificate from file := C:\TestClient\client170.crt
10:19:16,682 DEBUG Client.MyTrace - Loaded Client Certificate := [Subject] CN=nms.client.170, OU=IT, O=MyOrg, L=Oslo, S=Oslo, C=NO [Issuer] CN=nms.client.170, OU=IT, O=MyOrg, L=Oslo, S=Oslo, C=NO
10:19:16,684 DEBUG Client.MyTrace - Client is selecting a local certificate from 1 possibilities.
10:19:16,684 DEBUG Client.MyTrace - Client has selected certificate with Subject = CN=nms.client.170, OU=IT, O=MyOrg, L=Oslo, S=Oslo, C=NO
10:19:16,969 DEBUG Client.MyTrace - ValidateServerCertificate: Issued By CN=brokeraddress.in.hosts, OU=DataCom, O=MyOrg, L=Oslo, S=Oslo, C=NO
10:19:16,969 DEBUG Client.MyTrace - Server is Authenticated = True
10:19:16,970 DEBUG Client.MyTrace - Server is Encrypted = True
10:19:16,978 DEBUG Client.MyTrace - InactivityMonitor[1]: Read Check time interval: 30000
10:19:16,978 DEBUG Client.MyTrace - InactivityMonitor[1]: Initial Delay time interval: 10000
10:19:16,985 DEBUG Client.MyTrace - InactivityMonitor[1]: Write Check time interval: 10000
10:19:19,017 DEBUG Client.MyTrace - Exception received in the Inactivity Monitor: Unable to read beyond the end of the stream.
10:19:19,019 DEBUG Client.MyTrace - InactivityMonitor[1].Runner: Task Runner Shut Down
10:19:19,019 DEBUG Client.MyTrace - InactivityMonitor[1]: Stopped Monitor Threads.
10:19:19,032 DEBUG Client.MyTrace - Connection[ID:EJPB-56409-635193299565662525-1:0]: Async exception with no exception listener: System.IO.EndOfStreamException: Unable to read beyond the end of the stream.
System.IO.BinaryRe.FillBuffer(Int32 numBytes)
System.IO.BinaryRe.ReadInt32()
Apache.NMS.Util.EnBinaryReader.ReadInt32() in c:\dev\NMS\src\main\csharp\Util\EndianBinaryReader.cs:line 135
Apache.NMS.ActiveMenWire.OpenWireFormat.Unmarshal(BinaryReader dis) in c:\dev\NMS.ActiveMQ\src\main\csharp\OpenWire\OpenWireFormat.cs:line 228
Apache.NMS.ActiveMansport.Tcp.TcpTransport.ReadLoop() in c:\dev\NMS.ActiveMQ\src\main\csharp\Transport\Tcp\TcpTransport.cs:line 295
10:19:19,035 DEBUG Client.MyTrace - TransportFilter disposing of next Transport: MutexTransport
10:19:19,035 DEBUG Client.MyTrace - TransportFilter disposing of next Transport: WireFormatNegotiator
10:19:19,036 DEBUG Client.MyTrace - TransportFilter disposing of next Transport: InactivityMonitor
10:19:19,036 DEBUG Client.MyTrace - InactivityMonitor[1]: Stopped Monitor Threads.
10:19:19,037 DEBUG Client.MyTrace - TransportFilter disposing of next Transport: SslTransport
10:19:19,071 INFO Client.MyTrace - Connection[ID:SUSSDEV2-56409-635193299565662525-1:0]: Closing Connection Now.
10:19:19,073 DEBUG Client.MyTrace - Connection[ID:SUSSDEV2-56409-635193299565662525-1:0]: Disposing of the Transport.
10:19:19,073 DEBUG Client.MyTrace - InactivityMonitor[1]: Stopped Monitor Threads.
在经纪人中它说:
信息| JVM 1 | 10:18:20 | 10:18:20 警告 | 无法添加连接 ID:EJPB-56409-635193299565662525-1:0,原因:java.lang.SecurityException:无法在没有 SSL 证书的情况下对传输进行身份验证。 信息| JVM 1 | 10:18:22 | 10:18:22 信息| 停止 tcp://192.168.5.170:56408,因为失败并出现 SecurityException:无法在没有 SSL 证书的情况下对传输进行身份验证。
好吧,我错过了什么?它说“没有 SSL 证书的传输”,但它在客户端连接期间选择它,并且它位于代理的信任库和根证书中。
使用NMS 1.6.0和activeMQ 5.8.0。
我还尝试了一个简单的java客户端,结果相同。
线程“main”javax.jms.JMSException 中出现异常:无法在没有 SSL 证书的情况下验证传输。
在 org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:49)
在 org.apache.activemq.ActiveMQConnection.syncSendPacket (ActiveMQConnection.java:1295)
在 org.apache.activemq.ActiveMQConnection.ensureConnectionInfoSent (ActiveMQConnection.java:1392)
在 org.apache.activemq.ActiveMQConnection.start(ActiveMQConnection.java:504)
在 com.atest.jms.Client.main(Client.java:69)
原因:java.lang.SecurityException:无法在没有 SSL 证书的情况下验证传输。
在 org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:74)
在 org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:91)
在 org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:766)
在org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:79)
在 org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:139)
在 org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:329)
在 org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:184)
在 org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)
在 org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)
在 org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:288)
在 org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
在 org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:91)
在 org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:214)
在org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:196)
在 java.lang.Thread.run(来源未知)
有人有什么想法吗?谢谢。
好吧,我又试了一次。我发现我没有添加到代理的 TransportConnector ssl:
<transportConnector name="ssl" uri="ssl://0.0.0.0:61616?needClientAuth=true"/>
我尝试了 java 客户端,它可以发送,但 NMS 客户端仍然出现错误(相同的配置):
15:28:14,044 ERROR Test_DataCom.MyTrace - Exception: A call to SSPI failed, see inner exception.
15:28:14,045 ERROR Test_DataCom.MyTrace - Inner exception: An unknown error occurred while processing the certificate
15:28:14,045 ERROR Test_DataCom.MyTrace - Authentication failed - closing the connection.
在经纪人处我得到空证书链
INFO | jvm 1 | 15:28:13 | ERROR | Could not accept connection from tcp://192.168.50.170:61978: javax.net.ssl.SSLHandshakeException: null cert chain
我在彼此的信任库和本地计算机受信任的根 CA 中都有证书...还需要什么?如果不存在,它应该在哪里找到自签名证书的证书链?
好吧,我现在好像有了。重新阅读此评论后,我将客户端证书和密钥导出到 PKCS 文件,并将其导入到 Windows 中的当前用户证书存储中。
C:\> keytool -v -importkeystore -srckeystore client-keystore.jks -srcalias client -destkeystore client.p12 -deststoretype PKCS12
然后我使用了这个 url 编码的连接:
<add key="jms.uri" value="ssl://brokeraddress.in.hosts:61616?needClientAuth=true&wantClientAuth=true&transport.clientCertSubject=CN%3Dnms.client.170%2C+OU%3DIT%2C+O%3DMyOrg%2C+L%3DOslo%2C+S%3DOslo%2C+C%3DNO" />
我还有
${activemq.base}/conf/users.properties: user=CN=nms.client.170,\ OU=IT,\ O=MyOrg,\ L=Oslo,\ S=Oslo,\ C=NO,试图转义空格,我删除了这些空格并将 S 更正为 ST,就像 keytool 报告 Owner 行一样。我查了一下,否则会出错。
更正了 ${activemq.base}/conf/users.properties:
user=CN=nms.client.170, OU=IT, O=MyOrg, L=Oslo, ST=Oslo, C=NO
| 归档时间: |
|
| 查看次数: |
11403 次 |
| 最近记录: |