19 Replies. Latest reply on Nov 6, 2003 5:05 PM by adrian.brock

    JMS over SSL

    colinmadere

      Have successfully set up SSL on JBoss+Tomcat (as per 3.2.1 dox) and accessed the jmx-console over https.

      Have configured JMS protocol UIL2 with this (no other changes):

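      <attribute name="SecurityDomain">java:/jaas/mySSL</attribute>
      <attribute name="ClientSocketFactory">org.jboss.security.ssl.ClientSocketFactory</attribute>
      <attribute name="ServerSocketFactory">org.jboss.security.ssl.DomainServerSocketFactory</attribute>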

      Security domain is set up in the primary conf/jboss-service.xml and above is in deploy/jms/jboss-service.xml in the UIL2 section.

      Server starts fine but when I try to connect using the very basic MQ test program (that works with above lines commented out) I get an SSLException in the server output:

      22:58:33,845 ERROR [SocketManager] Failed to create ObjectInputStream
      javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
      at com.sun.net.ssl.internal.ssl.InputRecord.b(DashoA6275)
      ...

      What am I missing? Isn't one purpose of those factories to not have to make changes in the client code? If so, what needs to be changed? Here's the connection snippet:

      iniCtx = new InitialContext();
      Object factory = iniCtx.lookup("UIL2ConnectionFactory");
      TopicConnectionFactory tcf = (TopicConnectionFactory) factory;
      conn = tcf.createTopicConnection();

      (The client is hanging on this last statement when the server spits out the above error. I don't see anything obvious in the TCF class that would suggest I need to use a different one...)

        • 1. Re: JMS over SSL

          Update log4j to run JMS in trace mode. This might help you figure out what's happening.

          • 2. Re: JMS over SSL
            colinmadere

            Well, as you can see in my original message the exception is not in a jboss class, but rather a class that the jboss mq classes use.

            I added this to my /conf/log4j.xml but it did not change the output at all (as expected due to where the error occurs).




            • 3. Re: JMS over SSL
              colinmadere

              (would edit the previous message, but don't see the option)

              Any idea why the entry in log4j.xml would not take? I don't see any trace output at all even though I've defined it for "org.jboss.mq".

              • 4. Re: JMS over SSL
                colinmadere

                Yes I "fixed" the above and added the correct class attribute for "TRACE" like in the dox and still don't get the extra output to the console...

                • 5. Re: JMS over SSL

                  It appears in log/server.log

                  I suspect your problem is in the ssl config,
                  there are some system properties in the jsse docs
                  for debugging.

                  Regards,
                  Adrian

                  • 6. Re: JMS over SSL
                    colinmadere

                    But I've followed the JBoss dox on configuring SSL. Are you saying they are incomplete with respect to configuring SSL for use with JBoss?

                    • 7. Re: JMS over SSL

                      No, I'm saying you've probably gone wrong somewhere.
                      The error you are receiving is from the ssl layer
                      so you will need to enable debug at that level
                      to see the problem.

                      The most obvious problems will be with your truststore.

                      Regards,
                      Adrian

                      • 8. Re: JMS over SSL
                        colinmadere

                        Hmm. If the embedded Tomcat SSL works, and access to the JMX-console works via SSL and EJB SSL access works, would that rule out that possibility?

                        Trying to avoid wild goose chases :)

                        This is a clean install and the _only_ settings I've changed from 'default' are what is suggested in the documentation for SSL enabling and what I have mentioned above.

                        • 9. Re: JMS over SSL
                          colinmadere

                          So I have no resolution on this. Going to wait for the trainer to show up and hope he can fix this (or help us find the issue).

                          Adrian, if you could explain how it is that I followed the docs, set the right factories for the JMS service for use via SSL (and that the super-simple JMS test client works in non-SSL mode) and made no other config changes from the default settings and it is still I that "went wrong somewhere", I'm all ears.

                          • 10. Re: JMS over SSL

                            I have no idea why it doesn't work.
                            I've never tried this configuration myself.

                            All you've posted is some configuration on the server.
                            I suggested you add some debugging so you can
                            see what the ssl connection initiated by the client
                            is trying (and failing) to do.

                            I can't help you if you only provide sarcastic comments
                            rather than information.

                            Regards,
                            Adrian

                            • 11. Re: JMS over SSL

                              OK, I just tried it, here is what I did.

                              1) Created a keystore in server/default/conf/test.keystore
                              2) Created a security domain that references it
                              (resource: is a jboss-specific protocol that loads from the
                              classloader; conf/ is the first classloader installed by jboss)

                               <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
                                      name="jboss.security:service=JaasSecurityDomain,domain=SSL">
                                 <constructor>
                                   <arg type="java.lang.String" value="SSL"/>
                                 </constructor>
                                 <attribute name="KeyStoreURL">resource:test.keystore</attribute>
                                 <attribute name="KeyStorePass">ssltest</attribute>
                               </mbean>
                              


                              3) Deployed a HTTPSUIL2ConnectionFactory

                               <mbean code="org.jboss.mq.il.uil2.UILServerILService"
                                      name="jboss.mq:service=InvocationLayer,type=HTTPSUIL2">
                                 <depends optional-attribute-name="Invoker">jboss.mq:service=Invoker</depends>
                                 <attribute name="ConnectionFactoryJNDIRef">HTTPSUIL2ConnectionFactory</attribute>
                                 <attribute name="XAConnectionFactoryJNDIRef">HTTPSUIL2XAConnectionFactory</attribute>
                                 <attribute name="ServerBindPort">8193</attribute>
                                 <attribute name="PingPeriod">60000</attribute>
                                 <attribute name="EnableTcpNoDelay">true</attribute>
                                 <!-- Used to disconnect the client if there is no activity -->
                                 <!-- Ensure this is greater than the ping period -->
                                 <attribute name="ReadTimeout">70000</attribute>
                                 <!-- The size of the buffer (in bytes) wrapping the socket -->
                                 <!-- The buffer is flushed after each request -->
                                 <attribute name="BufferSize">2048</attribute>
                                 <!-- Large messages may block the ping/pong -->
                                 <!-- A pong is simulated after each chunk (in bytes) for both reading and writing -->
                                 <!-- It must be larger than the buffer size -->
                                 <attribute name="ChunkSize">1000000</attribute>
                                 <attribute name="ClientSocketFactory">org.jboss.security.ssl.ClientSocketFactory</attribute>
                                 <attribute name="ServerSocketFactory">org.jboss.security.ssl.DomainServerSocketFactory</attribute>
                                 <attribute name="SecurityDomain">java:/jaas/SSL</attribute>
                               </mbean>
                              


                              On the client set the system property to use the keystore
                              as the truststore.

                               <java classname="test.client.Client" fork="true">
                              
                               <sysproperty key="javax.net.ssl.trustStore" path="${jboss.home}/server/${jboss.config}/conf/test.keystore"/>
                               <classpath refid="client.classpath"/>
                              
                               </java>
                              


                              Job Done.

                              Regards,
                              Adrian
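
A check that can be run before the JMS client, as an added example that is not part of the original thread: a JDK-only probe that attempts an SSL handshake against the UIL2 SSL port from the post above, using the same javax.net.ssl.trustStore system property. The class name Uil2SslProbe and the localhost default are assumptions; port 8193 is the ServerBindPort from the posted configuration, and the code is written for a current JDK.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical helper (not JBoss code): probes the SSL-enabled UIL2 port.
// Run with: java -Djavax.net.ssl.trustStore=<path to test.keystore> Uil2SslProbe [host] [port]
// Adding -Djavax.net.debug=ssl turns on the JSSE handshake trace.
public class Uil2SslProbe {
    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "localhost";              // assumed default
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8193;     // ServerBindPort from the post

        if (System.getProperty("javax.net.ssl.trustStore") == null) {
            System.err.println("javax.net.ssl.trustStore is not set; the JVM default truststore is used");
        }

        // The default factory honours the javax.net.ssl.* system properties,
        // which is also how the client in the post picks up its truststore.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(5000);
            socket.startHandshake();   // fails here if the server certificate is not trusted
            SSLSession session = socket.getSession();
            System.out.println("Handshake OK: " + session.getProtocol()
                    + " / " + session.getCipherSuite());
            for (Certificate c : session.getPeerCertificates()) {
                if (c instanceof X509Certificate) {
                    X509Certificate x = (X509Certificate) c;
                    System.out.println("  subject=" + x.getSubjectX500Principal().getName()
                            + " notAfter=" + x.getNotAfter());
                }
            }
        } catch (SSLHandshakeException e) {
            // Typical cause: the server certificate is not in the client truststore.
            System.out.println("Handshake rejected (check the truststore): " + e.getMessage());
        } catch (SSLException e) {
            // One side is speaking plaintext: the mirror image of the
            // "Unrecognized SSL message, plaintext connection?" error in the first post.
            System.out.println("Peer is not speaking SSL on this port: " + e.getMessage());
        } catch (IOException e) {
            System.out.println("I/O error (connection refused or handshake timeout): " + e.getMessage());
        }
    }
}
```
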

                              • 12. Re: JMS over SSL

                                Adrian, your last comment should be added to the FAQ, shouldn't it?

                                Might be useful.

                                Regards,

                                Stephane

                                • 13. Re: JMS over SSL
                                  urciolo

                                  I am attempting to have JMS over SSL. What am I doing incorrectly? I attempted to follow the directions, but I get the error message below when the OIL2 service starts. My security domain configuration looks like this:





                                  ssl1
                                  test01


                                  I added these attributes to the oil2 config:

                                  ssl1
                                  org.jboss.security.ssl.ClientSocketFactory
                                  org.jboss.security.ssl.DomainServerSocketFactory



                                  16:18:23,366 ERROR [OIL2ServerILService] Failed to setSecurityDomain=ssl1 on socket factory
                                  16:18:23,366 ERROR [OIL2ServerILService] Starting failed
                                  java.lang.NullPointerException
                                  at org.jboss.security.ssl.DomainServerSocketFactory.initSSLContext(DomainServerSocketFactory.java:171)
                                  at org.jboss.security.ssl.DomainServerSocketFactory.createServerSocket(DomainServerSocketFactory.java:103)
                                  at org.jboss.mq.il.oil2.OIL2ServerILService.startService(OIL2ServerILService.java:485)
                                  at org.jboss.system.ServiceMBeanSupport.start(ServiceMBeanSupport.java:192)
                                  at sun.reflect.GeneratedMethodAccessor24.invoke(Unknown Source)
                                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                  at java.lang.reflect.Method.invoke(Method.java:324)
                                  at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
                                  at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:546)
                                  at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:976)
                                  at $Proxy13.start(Unknown Source)
                                  at org.jboss.system.ServiceController.start(ServiceController.java:394)
                                  at org.jboss.system.ServiceController.start(ServiceController.java:411)
                                  at org.jboss.system.ServiceController.start(ServiceController.java:411)
                                  at org.jboss.system.ServiceController.start(ServiceController.java:411)
                                  at org.jboss.system.ServiceController.start(ServiceController.java:411)
                                  at org.jboss.system.ServiceController.start(ServiceController.java:411)
                                  at org.jboss.system.ServiceController.start(ServiceController.java:411)
                                  at org.jboss.system.ServiceController.start(ServiceController.java:411)
                                  at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
                                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                  at java.lang.reflect.Method.invoke(Method.java:324)
                                  at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
                                  at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:546)
                                  at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:177)
                                  at $Proxy4.start(Unknown Source)
                                  at org.jboss.deployment.SARDeployer.start(SARDeployer.java:226)
                                  at org.jboss.deployment.MainDeployer.start(MainDeployer.java:824)
                                  at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:632)
                                  at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:605)
                                  at sun.reflect.GeneratedMethodAccessor19.invoke(Unknown Source)
                                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                  at java.lang.reflect.Method.invoke(Method.java:324)
                                  at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
                                  at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:546)
                                  at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:177)
                                  at $Proxy6.deploy(Unknown Source)
                                  at org.jboss.deployment.scanner.URLDeploymentScanner.deploy(URLDeploymentScanner.java:302)
                                  at org.jboss.deployment.scanner.URLDeploymentScanner.scan(URLDeploymentScanner.java:476)
                                  at org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.doScan(AbstractDeploymentScanner.java:201)
                                  at org.jboss.deployment.scanner.AbstractDeploymentScanner.startService(AbstractDeploymentScanner.java:274)
                                  at org.jboss.system.ServiceMBeanSupport.start(ServiceMBeanSupport.java:192)
                                  at sun.reflect.GeneratedMethodAccessor6.invoke(Unknown Source)
                                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                  at java.lang.reflect.Method.invoke(Method.java:324)
                                  at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
                                  at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:546)
                                  at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:976)
                                  at $Proxy0.start(Unknown Source)
                                  at org.jboss.system.ServiceController.start(ServiceController.java:394)
                                  at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
                                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                  at java.lang.reflect.Method.invoke(Method.java:324)
                                  at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
                                  at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:546)
                                  at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:177)
                                  at $Proxy4.start(Unknown Source)
                                  at org.jboss.deployment.SARDeployer.start(SARDeployer.java:226)
                                  at org.jboss.deployment.MainDeployer.start(MainDeployer.java:824)
                                  at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:632)
                                  at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:605)
                                  at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:589)
                                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                  at java.lang.reflect.Method.invoke(Method.java:324)
                                  at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
                                  at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:546)
                                  at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:177)
                                  at $Proxy5.deploy(Unknown Source)
                                  at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:384)
                                  at org.jboss.system.server.ServerImpl.start(ServerImpl.java:291)
                                  at org.jboss.Main.boot(Main.java:150)
                                  at org.jboss.Main$1.run(Main.java:388)
                                  at java.lang.Thread.run(Thread.java:534)

                                  • 14. Re: JMS over SSL

                                    The security domain name is the constructor argument "SSL"

                                    You should have:

                                    <attribute name="SecurityDomain">SSL</attribute>
                                    <attribute name="ClientSocketFactory">org.jboss.security.ssl.ClientSocketFactory</attribute>
                                    <attribute name="ServerSocketFactory">org.jboss.security.ssl.DomainServerSocketFactory</attribute>
                                    


                                    Regards,
                                    Adrian
