2 Replies Latest reply on Aug 15, 2012 12:01 PM by sikanrong

    Websocket-secure support, best practices?

    sikanrong

      Hi All,

       

      I have an app where it would be great to be able to use websockets to communicate directly with our HornetQ STOMP server. Right now we facilitate this with COMET workarounds, which have a host of their own problems.

       

      Anyway this works fine if I do it from localhost running the HTTP protocol and use the regular STOMP_WS protocol from hornet. My problem is that the LIVE site is HTTPS and so I am forced to use the websocket-secure (or 'wss://') protocol. From here, I'm a bit lost -

       

      Firstly, creating the jboss keyshare is easy enough, but after configuring the netty acceptor and connector to point to those keyshares, I guess it's supposed to just work (?) and it doesn't. Meaning, chrome just won't connect to STOMP. After a while I get debug messaging in HornetQ saying that it "detected a failed connection attempt", or something similar to this.. Also I should mention, I created the trustStore just by copying the keyStore file, which I guess is okay?

       

      Anyway please help, quite confused by the whole thing. Also shouldn't I be sharing the certs that my site already uses with HornetQ so that the HornetQ certs don't appear as unsafe?

        • 1. Re: Websocket-secure support, best practices?
          jbertram

          I'm not entirely sure that our STOMP websocket implementation supports security like this, but then again I'm not terribly familiar with this section of the code-base.

           

          Can you post the <acceptor> you've configured to handle this?

           

          Also, I'm not sure it is OK to use the keystore as the truststore.  It may be fine, but that's certainly not how clients would do it in the real world since the keystore will have your private key in it along with the public key that the clients need in their truststore.

          • 2. Re: Websocket-secure support, best practices?
            sikanrong

            Hey Justin, thanks for the speedy response;

             

            This is my acceptor config block, but again I just don't know if this was the right thing to do or not.. Basically I just took the SSL-related parts from the "ssl-enabled" hornetq example and tried to use them with my stomp_ws acceptor...

             

            <acceptor name="stomp-ws-acceptor">
                <factory-class>org.hornetq.core.remoting.impl.netty.NettyAcceptorFactory</factory-class>
                <param key="protocol" value="stomp_ws" />
                <param key="port" value="61614" />
                <param key="host" value="localhost" />
                <param key="ssl-enabled" value="true"/>
                <param key="key-store-path" value="/etc/hornetq/keystore"/>
                <param key="key-store-password" value="pass"/>
                <param key="trust-store-path" value="/etc/hornetq/truststore"/>
                <param key="trust-store-password" value="pass"/>
            </acceptor>

             

            ...this didn't seem to work.

             

            Secondarily, how was I supposed to create an empty truststore? It won't take just an empty file so I guess I have to use keytool for this too?
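The two store questions raised in this thread (jbertram's point that a truststore must not be a copy of the keystore, and the follow-up question of how an empty truststore is created at all) can be settled with keytool. The script below is an added example, not code from the thread or from HornetQ: it builds a server keystore holding the private key, exports only the certificate, creates the truststore by importing that certificate (keytool creates the file; an empty file is not a valid store), and then checks what each store actually contains. The alias "hornetq", the password "pass", the CN "localhost", the temporary file names and the helper names are placeholders chosen for this example; keytool (from a JDK) and, for the two optional helpers, openssl are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): separate keystore (private key) from
# truststore (public certificate only) for a HornetQ netty acceptor, and
# verify the separation with keytool -list.
# Assumptions: keytool on PATH; alias, password, CN and paths are placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
ALIAS="hornetq"
STOREPASS="pass"
KEYSTORE="$WORK/hornetq.keystore"      # what key-store-path would point at
TRUSTSTORE="$WORK/hornetq.truststore"  # what trust-store-path would point at
CERT="$WORK/hornetq.cer"

# 1. Server keystore: a fresh key pair plus a self-signed certificate.
#    The CN must be the host name the browser dials in wss://host:port/.
make_keystore() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=localhost" -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1
}

# 2. Export the certificate only; the private key never leaves the keystore.
export_cert() {
  keytool -exportcert -alias "$ALIAS" -rfc -file "$CERT" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" >/dev/null 2>&1
}

# 3. Truststore: the first -importcert creates the file and fills it with the
#    certificate alone. This is the store a client may be handed.
make_truststore() {
  keytool -importcert -noprompt -alias "$ALIAS" -file "$CERT" \
    -keystore "$TRUSTSTORE" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Entry type keytool reports for ALIAS in a given store:
# "PrivateKeyEntry" in the keystore, "trustedCertEntry" in a proper truststore.
entry_type() {
  keytool -list -alias "$ALIAS" -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
    | grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# A truststore made by copying the keystore fails this check: it still carries
# the private key, and distributing it to clients leaks that key.
truststore_is_clean() {
  [ "$(entry_type "$TRUSTSTORE")" = "trustedCertEntry" ] &&
  ! keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" 2>/dev/null \
      | grep -q PrivateKeyEntry
}

# The truststore must hold exactly the certificate the acceptor presents.
same_cert() {
  keytool -exportcert -alias "$ALIAS" -rfc -keystore "$TRUSTSTORE" \
    -storepass "$STOREPASS" 2>/dev/null | cmp -s - "$CERT"
}

# Optional: present the certificate the site already uses instead of a
# self-signed one. Wrap the PEM key and chain in PKCS12, then import.
# Usage: import_site_cert /path/site.key /path/site-chain.pem  (paths assumed)
import_site_cert() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -name "$ALIAS" \
    -out "$WORK/site.p12" -passout "pass:$STOREPASS"
  keytool -importkeystore -noprompt -srckeystore "$WORK/site.p12" \
    -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
    -destkeystore "$KEYSTORE" -deststorepass "$STOREPASS"
}

# Optional diagnostic for "the browser just won't connect": confirm the
# acceptor completes a TLS handshake at all, before blaming STOMP or WebSocket.
# Usage: tls_probe host 61614
tls_probe() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1 \
    | grep -E 'subject=|Verify return code'
}

# Stand-alone run: build both stores and report what each holds.
if command -v keytool >/dev/null 2>&1; then
  make_keystore && export_cert && make_truststore
  printf 'keystore   %s: %s\n' "$KEYSTORE" "$(entry_type "$KEYSTORE")"
  printf 'truststore %s: %s\n' "$TRUSTSTORE" "$(entry_type "$TRUSTSTORE")"
  if truststore_is_clean && same_cert; then
    echo "truststore holds only the public certificate"
  else
    echo "truststore check failed" >&2
    exit 1
  fi
fi
```

Two practical notes on using this against the acceptor posted above: the acceptor's `key-store-path` is the keystore built in step 1 (the private key must be there), while the truststore is only needed by whoever verifies the server, so on the server side it is relevant mainly when clients are to be authenticated with their own certificates. And the CN written into the certificate, the `host` the acceptor binds to, and the host name in the browser's `wss://` URL all have to agree; `localhost` only works for a browser running on the same machine.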