12 Replies Latest reply on Jun 27, 2014 11:02 AM by jbertram

    SSL

    jbertram
    jbertram Feb 11, 2013 3:42 PM

      I was looking through the documentation and the code to figure out how to configure one-way SSL security using self-signed certs.  In general this requires a self-signed certificate on the server stored in a keystore and a trust-store on the client into which the server's certificate has been imported.  It shouldn't require a truststore on the server or a keystore on the client.  This is the simplest and probably most common SSL use-case.  However, this doesn't appear possible with current implementation because:

       

      1. If you configure Netty SSL connector/acceptor pair the server won't start unless you define a trust-store on the acceptor.  Here's the configuration:

       

            <acceptor name="netty-ssl">

               <factory-class>org.hornetq.core.remoting.impl.netty.NettyAcceptorFactory</factory-class>

               <param key="host" value="localhost"/>

               <param key="port" value="5500"/>

               <param key="ssl-enabled" value="true"/>

               <param key="key-store-path" value="hornetq.example.keystore"/>

               <param key="key-store-password" value="hornetqexample"/>

            </acceptor>

       

      And here's the exception:

       

      11:43:33,381 SEVERE [org.hornetq.core.server.impl.HornetQServerImpl] (MSC service thread 1-4) Failure in initialisation: java.lang.IllegalStateException: Unable to create NettyAcceptor for localhost:5500

                at org.hornetq.core.remoting.impl.netty.NettyAcceptor.start(NettyAcceptor.java:344) [hornetq-core-2.2.16.Final-redhat-1.jar:2.2.16.Final (HQ_2_2_16_FINAL, 122)]

                at org.hornetq.core.remoting.server.impl.RemotingServiceImpl.start(RemotingServiceImpl.java:240) [hornetq-core-2.2.16.Final-redhat-1.jar:2.2.16.Final (HQ_2_2_16_FINAL, 122)]

                at org.hornetq.core.server.impl.HornetQServerImpl.initialisePart2(HornetQServerImpl.java:1495) [hornetq-core-2.2.16.Final-redhat-1.jar:2.2.16.Final (HQ_2_2_16_FINAL, 122)]

                at org.hornetq.core.server.impl.HornetQServerImpl.access$1200(HornetQServerImpl.java:138) [hornetq-core-2.2.16.Final-redhat-1.jar:2.2.16.Final (HQ_2_2_16_FINAL, 122)]

                at org.hornetq.core.server.impl.HornetQServerImpl$SharedStoreLiveActivation.run(HornetQServerImpl.java:1919) [hornetq-core-2.2.16.Final-redhat-1.jar:2.2.16.Final (HQ_2_2_16_FINAL, 122)]

                at org.hornetq.core.server.impl.HornetQServerImpl.start(HornetQServerImpl.java:366) [hornetq-core-2.2.16.Final-redhat-1.jar:2.2.16.Final (HQ_2_2_16_FINAL, 122)]

                at org.hornetq.jms.server.impl.JMSServerManagerImpl.start(JMSServerManagerImpl.java:277) [hornetq-jms-2.2.16.Final-redhat-1.jar:2.2.16.Final (HQ_2_2_16_FINAL, 122)]

                at org.jboss.as.messaging.jms.JMSService.start(JMSService.java:73) [jboss-as-messaging-7.1.2.Final-redhat-1.jar:7.1.2.Final-redhat-1]

                at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811) [jboss-msc-1.0.2.GA-redhat-1.jar:1.0.2.GA-redhat-1]

                at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746) [jboss-msc-1.0.2.GA-redhat-1.jar:1.0.2.GA-redhat-1]

                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_13]

                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_13]

                at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_13]

      Caused by: java.lang.Exception: Failed to find a store at hornetq.truststore

                at org.hornetq.core.remoting.impl.ssl.SSLSupport.validateStoreURL(SSLSupport.java:200) [hornetq-core-2.2.16.Final-redhat-1.jar:2.2.16.Final (HQ_2_2_16_FINAL, 122)]

                at org.hornetq.core.remoting.impl.ssl.SSLSupport.loadKeystore(SSLSupport.java:145) [hornetq-core-2.2.16.Final-redhat-1.jar:2.2.16.Final (HQ_2_2_16_FINAL, 122)]

                at org.hornetq.core.remoting.impl.ssl.SSLSupport.loadTrustManager(SSLSupport.java:129) [hornetq-core-2.2.16.Final-redhat-1.jar:2.2.16.Final (HQ_2_2_16_FINAL, 122)]

                at org.hornetq.core.remoting.impl.ssl.SSLSupport.createServerContext(SSLSupport.java:64) [hornetq-core-2.2.16.Final-redhat-1.jar:2.2.16.Final (HQ_2_2_16_FINAL, 122)]

                at org.hornetq.core.remoting.impl.netty.NettyAcceptor.start(NettyAcceptor.java:340) [hornetq-core-2.2.16.Final-redhat-1.jar:2.2.16.Final (HQ_2_2_16_FINAL, 122)]

                ... 12 more

       

       

      1. If you go ahead and define a trust-store on the acceptor the server will start, but the client will fail unless you define a keystore on the connector.  Here's the configuration I tried:

       

            <connector name="netty-ssl">

               <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>

               <param key="host" value="localhost"/>

               <param key="port" value="5500"/>

               <param key="ssl-enabled" value="true"/>

            </connector>

       

      And here's the exception on the client:

       

      WARNING: connector.create or connectorFactory.createConnector should never throw an exception, implementation is badly behaved, but we'll deal with it anyway.

      java.lang.IllegalStateException: Unable to create NettyConnector for localhost

                at org.hornetq.core.remoting.impl.netty.NettyConnector.start(NettyConnector.java:342)

                at org.hornetq.core.client.impl.ClientSessionFactoryImpl.getConnection(ClientSessionFactoryImpl.java:1136)

                at org.hornetq.core.client.impl.ClientSessionFactoryImpl.getConnectionWithRetry(ClientSessionFactoryImpl.java:993)

                at org.hornetq.core.client.impl.ClientSessionFactoryImpl.connect(ClientSessionFactoryImpl.java:224)

                at org.hornetq.core.client.impl.ServerLocatorImpl.createSessionFactory(ServerLocatorImpl.java:747)

                at org.hornetq.jms.client.HornetQConnectionFactory.createConnectionInternal(HornetQConnectionFactory.java:601)

                at org.hornetq.jms.client.HornetQConnectionFactory.createConnection(HornetQConnectionFactory.java:119)

                at com.redhat.example.jms.PlainMessageSender.main(PlainMessageSender.java:22)

                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

                at java.lang.reflect.Method.invoke(Method.java:601)

                at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)

      Caused by: java.lang.Exception: Failed to find a store at hornetq.keystore

                at org.hornetq.core.remoting.impl.ssl.SSLSupport.validateStoreURL(SSLSupport.java:200)

                at org.hornetq.core.remoting.impl.ssl.SSLSupport.loadKeystore(SSLSupport.java:145)

                at org.hornetq.core.remoting.impl.ssl.SSLSupport.loadKeyManagers(SSLSupport.java:168)

                at org.hornetq.core.remoting.impl.ssl.SSLSupport.createClientContext(SSLSupport.java:73)

                at org.hornetq.core.remoting.impl.ssl.SSLSupport.getInstance(SSLSupport.java:87)

                at org.hornetq.core.remoting.impl.netty.NettyConnector.start(NettyConnector.java:337)

                ... 12 more

       

      1. There no way to define a trust-store on the client.  The connector doesn't support "trust-store-path" or "trust-store-password" parameters, and it doesn't obey the universal "javax.net.ssl.trustStore" and "trustStorePassword" Java system properties either.

       

      As noted previously, I don't believe either of these artifacts should be required for this use-case.  As I understand it, a server-side truststore and a client-side keystore should only be required when performing 2-way SSL (i.e. mutual authentication).  We should definitely support 2-way SSL, but that support shouldn't complicate the configuration for 1-way SSL.

       

      I can do the work to implement this, but I wanted to make sure my understanding here is correct on all points.

      • 3773 Views
      • Tags:
        • 1. Re: SSL
          jbertram
          jbertram Feb 11, 2013 4:00 PM (in response to jbertram)

          BTW, most of this is related to HORNETQ-408.

            • Actions
          • 2. Re: SSL
            jbertram
            jbertram Feb 12, 2013 5:51 PM (in response to jbertram)

            Just to tie a bow on this...

             

            I've resolved HORNETQ-408 (which has the link to the git pull request).

              • Actions
            • 3. Re: SSL
              ybxiang.china
              ybxiang.china Oct 18, 2013 4:42 AM (in response to jbertram)

              JBoss AS 7.2.0  uses  HornetQ 2.3.0.CR1, then it has this problem.

              Today, I migrated my app to 7.2.0 and found this problem too!

               

                • Actions
              • 4. Re: SSL
                ybxiang.china
                ybxiang.china Oct 18, 2013 4:43 AM (in response to jbertram)

                It seems that every community version since 7.0 has such critical bugs.

                  • Actions
                • 5. Re: SSL
                  jbertram
                  jbertram Oct 18, 2013 9:48 AM (in response to ybxiang.china)

                  Then replace HornetQ 2.3.0.CR1 with HornetQ 2.3.0.Final that is available for download.  This issue was resolved over 8 months ago.

                    • Actions
                  • 6. Re: SSL
                    ybxiang.china
                    ybxiang.china Oct 18, 2013 10:29 AM (in response to jbertram)

                    Unfortunately, it is NOT included in jboss 7.2.0 final or EAP 6.1.

                    Just now, I changed 2.3.0.CR1 to 2.3.0.final in the pom.xml of jboss-7.2.0-final-src and rebuild it, but failed wiht "no suitable method for xxx".

                     

                    I think I had better wait for wildfly-final.

                      • Actions
                    • 7. Re: SSL
                      ybxiang.china
                      ybxiang.china Oct 18, 2013 10:51 AM (in response to jbertram)

                      Sorry, I used the EAP 6.1 Alpha version.

                      I should download final version from JBoss Application Server Downloads - JBoss Community.

                      I checked it just now, EAP 6.1 final does use hornetq 2.3.1.final.

                        • Actions
                      • 8. Re: SSL
                        linda777
                        linda777 Jun 17, 2014 4:30 AM (in response to jbertram)

                        Hi Justin,

                        did you implement your SSL-solution? Would be great if you can send/show it to me. Thanks a lot.

                        Best wishes,

                        Linda

                          • Actions
                        • 9. Re: SSL
                          jbertram
                          jbertram Jun 17, 2014 9:58 AM (in response to linda777)

                          Yes, the issue was resolved almost a year and a half ago.  See https://issues.jboss.org/browse/HORNETQ-408.

                            • Actions
                          • 10. Re: SSL
                            linda777
                            linda777 Jun 18, 2014 9:18 AM (in response to jbertram)

                            Hi Justin,

                             

                            thank you for your response. I have exactly the same error like you had before:

                             

                            WARN  org.hornetq.core.client - HQ212007: connector.create or connectorFactory.createConnector should never throw an exception, implementation is badly behaved, but we will deal with it anyway.


                            java.lang.IllegalStateException: Unable to create NettyConnector for ...

                             

                            In the Git Pull Request there are many changes. I configure my connector/acceptor in the standalone-full.xml to work with ssl. How can I configure my connector/acceptor and what are the essential changes to make it work with ssl? And how did you create your trust- and keystore which you give to the connector/acceptor?


                            Thanks a lot

                            Linda

                              • Actions
                            • 11. Re: SSL
                              linda777
                              linda777 Jun 27, 2014 4:07 AM (in response to jbertram)

                              Hi Justin,

                               

                              I am new to JBoss and in the Git Pull Request from the link which you send to me are so many files and changes and I don't know how to deal with it. Are they all necessary to implement 1-way or 2-way SSL? I thought only the configuration of the connector/acceptor in the standalone-full.xml and the creation of the trust- and keystore are necessary? Could you please help me?

                               

                              Thank you so much,

                               

                              Linda

                                • Actions
                              • 12. Re: SSL
                                jbertram
                                jbertram Jun 27, 2014 11:02 AM (in response to linda777)

                                All the changes in the PR were specifically related to implementing SSL properly.  However, all the changes are not strictly necessary for the runtime code.  In total 14 files were changed, but 9 of those files were related to either tests or documentation.  In any case, you can just use Git's "cherry-pick" command to apply all the changes to your branch.  If you don't know how to do that or just don't want to do that then I suggest you simply upgrade to a version of JBoss AS7 or Wildfly that uses HornetQ 2.3.0.Final or newer.

                                  • Actions