16 Replies. Latest reply on Jul 2, 2014 10:07 PM by lifeonatrip

    Enable SSL in hornetq netty-connector with AS 7.2 as a client using pooled-connection-factory and outbound-socket-binding

    lifeonatrip

      Hello all,

       

      I have a question regarding the use of a pooled connection factory with an SSL-enabled netty connector.

       

      The setup is as follows:

      • 2 instances of jboss as 7.2
      • Instance A is used as an Application Server (client)
      • Instance B is used only as queue server (HornetQ)

       

      The application deployed in Instance A leverages the AS's pooled-connection-factory to connect to Instance B. Below is the relevant portion of the configuration in Instance A:

       

       

      <pooled-connection-factory name="PooledXAConnectionFactory">
        <ha>true</ha>
        <user>USER</user>
        <password>PASS</password>
        <!--consumer-window-size>0</consumer-window-size-->
        <reconnect-attempts>3</reconnect-attempts>
        <retry-interval-multiplier>1.0</retry-interval-multiplier>
        <retry-interval>1000</retry-interval>
        <transaction mode="xa"/>
        <connectors>
            <connector-ref connector-name="remote-netty-connector"/>
        </connectors>
        <entries>
            <entry name="java:/PooledXAConnectionFactory"/>
        </entries>
      </pooled-connection-factory>
      
      

      This is the connectors part inside <hornetq-server>:

       

      <connectors>
          <in-vm-connector name="in-vm" server-id="0"/>
          <netty-connector name="remote-netty-connector" socket-binding="messaging1"/>
      </connectors>
      
      

      And this is the outbound socket binding inside <socket-binding-group>:

       

      <outbound-socket-binding name="messaging1">
          <remote-destination host="10.20.103.87" port="5595"/>
      </outbound-socket-binding>
      
      

       

      In Instance B (the actual queue server), the configuration of the netty connector and acceptor referenced in Instance A as "messaging1" is as follows:

       

      <netty-connector name="messaging1" socket-binding="messaging">
          <param key="ssl-enabled" value="true"/>
          <param key="key-store-path" value="${jboss.domain.config.dir}/keystore.ks"/>
          <param key="trust-store-path" value="${jboss.domain.config.dir}/truststore.ks"/>
          <param key="trust-store-password" value="changeit"/>
          <param key="key-store-password" value="changeit"/>
      </netty-connector>
      
      
      

       

      <netty-acceptor name="messaging1" socket-binding="messaging">                     
         <param key="ssl-enabled" value="true"/>
         <param key="key-store-path" value="${jboss.domain.config.dir}/keystore.ks"/>
         <param key="trust-store-path" value="${jboss.domain.config.dir}/keystore.ks"/>
         <param key="trust-store-password" value="changeit"/>
         <param key="key-store-password" value="changeit"/>
         <param key="direct-deliver" value="false"/>
      </netty-acceptor>
      
      

       

      The setup works perfectly if SSL is not enabled. Once I enable SSL in the netty-connector and acceptor I get:

       

       

      12:19:36,098 WARN  [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (Camel (camelContext) thread #2 - JmsConsumer[notifyEmailProcessingQueue]) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: Error during setup
              at org.hornetq.ra.HornetQRAManagedConnection.<init>(HornetQRAManagedConnection.java:151)
              at org.hornetq.ra.HornetQRAManagedConnectionFactory.createManagedConnection(HornetQRAManagedConnectionFactory.java:164)
              at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.createConnectionEventListener(SemaphoreArrayListManagedConnectionPool.java:782)
              at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:345)
              at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getTransactionNewConnection(AbstractPool.java:495)
              at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:374)
              at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:329)
              at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:368)
              at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:464)
              at org.hornetq.ra.HornetQRASessionFactoryImpl.allocateConnection(HornetQRASessionFactoryImpl.java:832)
              at org.hornetq.ra.HornetQRASessionFactoryImpl.createSession(HornetQRASessionFactoryImpl.java:465)
              at org.springframework.jms.support.JmsAccessor.createSession(JmsAccessor.java:196) [spring-jms-3.2.2.RELEASE.jar:3.2.2.RELEASE]
              at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.access$200(AbstractPollingMessageListenerContainer.java:77) [spring-jms-3.2.2.RELEASE.jar:3.2.2.RELEASE]
              at org.springframework.jms.listener.AbstractPollingMessageListenerContainer$MessageListenerContainerResourceFactory.createSession(AbstractPollingMessageListenerContainer.java:531) [spring-jms-3.2.2.RELEASE.jar:3.2.2.RELEASE]
              at org.springframework.jms.connection.ConnectionFactoryUtils.doGetTransactionalSession(ConnectionFactoryUtils.java:300) [spring-jms-3.2.2.RELEASE.jar:3.2.2.RELEASE]
              at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.doReceiveAndExecute(AbstractPollingMessageListenerContainer.java:288) [spring-jms-3.2.2.RELEASE.jar:3.2.2.RELEASE]
              at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.receiveAndExecute(AbstractPollingMessageListenerContainer.java:243) [spring-jms-3.2.2.RELEASE.jar:3.2.2.RELEASE]
              at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.invokeListener(DefaultMessageListenerContainer.java:1096) [spring-jms-3.2.2.RELEASE.jar:3.2.2.RELEASE]
              at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.executeOngoingLoop(DefaultMessageListenerContainer.java:1088) [spring-jms-3.2.2.RELEASE.jar:3.2.2.RELEASE]
              at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.run(DefaultMessageListenerContainer.java:985) [spring-jms-3.2.2.RELEASE.jar:3.2.2.RELEASE]
              at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895) [rt.jar:1.6.0_41]
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918) [rt.jar:1.6.0_41]
              at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_41]
      Caused by: javax.resource.ResourceException: Failed to create session factory
              at org.hornetq.ra.HornetQRAManagedConnection.setup(HornetQRAManagedConnection.java:829)
              at org.hornetq.ra.HornetQRAManagedConnection.<init>(HornetQRAManagedConnection.java:140)
              ... 22 more
      Caused by: javax.jms.JMSException: Failed to create session factory
              at org.hornetq.jms.client.HornetQConnectionFactory.createConnectionInternal(HornetQConnectionFactory.java:587) [hornetq-jms-client-2.3.0.CR1.jar:]
              at org.hornetq.jms.client.HornetQConnectionFactory.createXAConnection(HornetQConnectionFactory.java:143) [hornetq-jms-client-2.3.0.CR1.jar:]
              at org.hornetq.ra.HornetQRAManagedConnection.setup(HornetQRAManagedConnection.java:813)
              ... 23 more
      Caused by: HornetQException[errorType=CONNECTION_TIMEDOUT message=HQ119032: Timed out waiting to receive cluster topology. Group:null]
              at org.hornetq.core.client.impl.ServerLocatorImpl.createSessionFactory(ServerLocatorImpl.java:884) [hornetq-core-client-2.3.0.CR1.jar:]
              at org.hornetq.jms.client.HornetQConnectionFactory.createConnectionInternal(HornetQConnectionFactory.java:583) [hornetq-jms-client-2.3.0.CR1.jar:]
              ... 25 more
      
      

       

      On the Instance B side (the hornetq server):

       

      12:18:17,432 WARN  [org.hornetq.core.client] (hornetq-failure-check-thread) HQ212107: Connection failure has been detected: HQ119034: Did not receive data from /10.20.103.62:42952. It is likely the client has exited or crashed without closing its connection, or the network between the server and client has failed. You also might have configured connection-ttl and client-failure-check-period incorrectly. Please check user manual for more information. The connection will now be closed. [code=CONNECTION_TIMEDOUT]
      12:18:17,433 WARN  [org.hornetq.core.client] (hornetq-failure-check-thread) HQ212107: Connection failure has been detected: HQ119034: Did not receive data from /10.20.103.62:42935. It is likely the client has exited or crashed without closing its connection, or the network between the server and client has failed. You also might have configured connection-ttl and client-failure-check-period incorrectly. Please check user manual for more information. The connection will now be closed. [code=CONNECTION_TIMEDOUT]
      12:18:17,433 WARN  [org.hornetq.core.client] (hornetq-failure-check-thread) HQ212107: Connection failure has been detected: HQ119034: Did not receive data from /10.20.103.62:42949. It is likely the client has exited or crashed without closing its connection, or the network between the server and client has failed. You also might have configured connection-ttl and client-failure-check-period incorrectly. Please check user manual for more information. The connection will now be closed. [code=CONNECTION_TIMEDOUT]
      12:19:23,488 WARN  [org.hornetq.core.client] (hornetq-failure-check-thread) HQ212107: Connection failure has been detected: HQ119034: Did not receive data from /10.20.103.62:42961. It is likely the client has exited or crashed without closing its connection, or the network between the server and client has failed. You also might have configured connection-ttl and client-failure-check-period incorrectly. Please check user manual for more information. The connection will now be closed. [code=CONNECTION_TIMEDOUT]
      12:20:07,518 WARN  [org.hornetq.core.client] (hornetq-failure-check-thread) HQ212107: Connection failure has been detected: HQ119034: Did not receive data from /10.20.103.62:42980. It is likely the client has exited or crashed without closing its connection, or the network between the server and client has failed. You also might have configured connection-ttl and client-failure-check-period incorrectly. Please check user manual for more information. The connection will now be closed. [code=CONNECTION_TIMEDOUT]
      12:20:41,551 WARN  [org.hornetq.core.client] (hornetq-failure-check-thread) HQ212107: Connection failure has been detected: HQ119034: Did not receive data from /10.20.103.62:42981. It is likely the client has exited or crashed without closing its connection, or the network between the server and client has failed. You also might have configured connection-ttl and client-failure-check-period incorrectly. Please check user manual for more information. The connection will now be closed. [code=CONNECTION_TIMEDOUT]
      12:21:17,578 WARN  [org.hornetq.core.client] (hornetq-failure-check-thread) HQ212107: Connection failure has been detected: HQ119034: Did not receive data from /10.20.103.62:42982. It is likely the client has exited or crashed without closing its connection, or the network between the server and client has failed. You also might have configured connection-ttl and client-failure-check-period incorrectly. Please check user manual for more information. The connection will now be closed. [code=CONNECTION_TIMEDOUT]
      12:21:31,588 WARN  [org.hornetq.core.client] (hornetq-failure-check-thread) HQ212107: Connection failure has been detected: HQ119034: Did not receive data from /10.20.103.62:42983. It is likely the client has exited or crashed without closing its connection, or the network between the server and client has failed. You also might have configured connection-ttl and client-failure-check-period incorrectly. Please check user manual for more information. The connection will now be closed. [code=CONNECTION_TIMEDOUT]
      12:21:51,609 WARN  [org.hornetq.core.client] (hornetq-failure-check-thread) HQ212107: Connection failure has been detected: HQ119034: Did not receive data from /10.20.103.62:42984. It is likely the client has exited or crashed without closing its connection, or the network between the server and client has failed. You also might have configured connection-ttl and client-failure-check-period incorrectly. Please check user manual for more information. The connection will now be closed. [code=CONNECTION_TIMEDOUT]
      
      
      

       

      The application is using Spring + Camel.

       

      Any help would be really appreciated.

        • 1. Re: Enable SSL in hornetq netty-connector with AS 7.2 as a client using pooled-connection-factory and outbound-socket-binding
          jbertram

          I believe the problem is that the connector used on instance A isn't configured to use SSL so when you enable SSL on the acceptor on instance B you can't connect.

           

          The connector on instance B isn't being used by anything as far as I can tell so configuring it to use SSL isn't terribly helpful.

          • 2. Re: Enable SSL in hornetq netty-connector with AS 7.2 as a client using pooled-connection-factory and outbound-socket-binding
            lifeonatrip

            Hi Justin,

             

            Thanks for your response.

             

            How can I configure the outbound-socket to use the SSL? I could not find it in the Docs.

             

             When you say that the connector on instance B is not used, what do you mean? I am specifying <remote-destination host="10.20.103.87" port="5595"/> on the client Instance A; I thought that this directive would connect whatever uses messaging1 to the Instance B connector. Am I wrong in assuming this?

            • 3. Re: Enable SSL in hornetq netty-connector with AS 7.2 as a client using pooled-connection-factory and outbound-socket-binding
              jbertram

              How can I configure the outbound-socket to use the SSL? I could not find it in the Docs.

              You don't need to configure anything on the outbound socket itself (and I'm not sure why you think you should).  You just need to configure SSL on the connector on instance A.  That is what the pooled connection factory (on instance A) is using to connect to instance B.  Look at the connector you've configured to use SSL on instance B for an example.

               

               When you say that the connector on instance B is not used, what do you mean? I am specifying <remote-destination host="10.20.103.87" port="5595"/> on the client Instance A; I thought that this directive would connect whatever uses messaging1 to the Instance B connector. Am I wrong in assuming this?

               I think you're confused on the semantics of acceptors and connectors.  Simply put, connectors connect and acceptors accept.  A client doesn't connect to a connector.  It connects with a connector to an acceptor.  You have a connector on instance A that is used to connect to an acceptor on instance B.  If you want to use SSL then both of those components need to be configured as required.  The documentation covers SSL configuration for both connectors and acceptors.

               

              Perhaps you're getting confused because you have a client running in an application server where the connector is configured locally rather than on the remote server.  However, it doesn't matter where the connector is configured (either locally or remotely) as long as it is configured correctly.

              • 4. Re: Enable SSL in hornetq netty-connector with AS 7.2 as a client using pooled-connection-factory and outbound-socket-binding
                lifeonatrip

                Thanks for your help, let's see if I understand now:

                 

                Instance A connector  ---SSL---> Instance B acceptor

                 

                So, basically I just need to add the ssl setting on the connector of Instance A:

                 

                <connectors>
                    <netty-connector name="remote-netty-connector" socket-binding="messaging1">
                        <param key="ssl-enabled" value="true"/>
                        <param key="key-store-path" value="${jboss.server.config.dir}/keystore.ks"/>
                        <param key="trust-store-path" value="${jboss.server.config.dir}/trustore.ks"/>
                        <param key="trust-store-password" value="changeit"/>
                        <param key="key-store-password" value="changeit"/>
                    </netty-connector>
                </connectors>
                
                

                and in the acceptor of Instance B:

                 

                <netty-acceptor name="remote-netty-acceptor" socket-binding="messaging">
                     <param key="ssl-enabled" value="true"/>
                     <param key="key-store-path" value="${jboss.domain.config.dir}/keystore.ks"/>
                     <param key="trust-store-path" value="${jboss.domain.config.dir}/trustore.ks"/>
                     <param key="trust-store-password" value="changeit"/>
                     <param key="key-store-password" value="changeit"/>
                </netty-acceptor>
                
                

                 

                But I get this:

                 

                Caused by: java.lang.IllegalStateException: The following keys are invalid for configuring a connector: trust-store-password, trust-store-path
                        at org.hornetq.core.client.impl.ClientSessionFactoryImpl.checkTransportKeys(ClientSessionFactoryImpl.java:1506) [hornetq-core-client-2.3.0.CR1.jar:]
                        at org.hornetq.core.client.impl.ClientSessionFactoryImpl.<init>(ClientSessionFactoryImpl.java:205) [hornetq-core-client-2.3.0.CR1.jar:]
                        at org.hornetq.core.client.impl.ServerLocatorImpl.createSessionFactory(ServerLocatorImpl.java:808) [hornetq-core-client-2.3.0.CR1.jar:]
                        at org.hornetq.jms.client.HornetQConnectionFactory.createConnectionInternal(HornetQConnectionFactory.java:583) [hornetq-jms-client-2.3.0.CR1.jar:]
                        ... 25 more
                
                
                

                 

                So, I am assuming that the trust-store* elements are acceptor only elements.

                 

                Therefore, I am using this as a connector, and it works:

                 

                <connectors>
                    <in-vm-connector name="in-vm" server-id="0"/>
                    <netty-connector name="remote-netty-connector" socket-binding="messaging1">
                        <param key="ssl-enabled" value="true"/>
                        <param key="key-store-path" value="${jboss.server.config.dir}/keystore.ks"/>
                        <param key="key-store-password" value="changeit"/>
                    </netty-connector>
                </connectors>
                
                

                 

                Now the last question is:

                 

                 Without the trust-store-path and the trust-store-password, how does the client know whether it can trust the server certificate (it's self-signed)? Is it just using the default JBoss AS one? Or is it the acceptor in Instance B that has to trust the client?

                • 5. Re: Enable SSL in hornetq netty-connector with AS 7.2 as a client using pooled-connection-factory and outbound-socket-binding
                  jbertram

                  Thanks for your help, let's see if I understand now:

                   

                  Instance A connector  ---SSL---> Instance B acceptor

                   

                  So, basically I just need to add the ssl setting on the connector of Instance A:

                   

                  <connectors>
                      <netty-connector name="remote-netty-connector" socket-binding="messaging1">
                          <param key="ssl-enabled" value="true"/>
                          <param key="key-store-path" value="${jboss.server.config.dir}/keystore.ks"/>
                          <param key="trust-store-path" value="${jboss.server.config.dir}/trustore.ks"/>
                          <param key="trust-store-password" value="changeit"/>
                          <param key="key-store-password" value="changeit"/>
                      </netty-connector>
                  </connectors>

                  That's correct.

                   

                  But I get this:

                   

                  Caused by: java.lang.IllegalStateException: The following keys are invalid for configuring a connector: trust-store-password, trust-store-path
                          at org.hornetq.core.client.impl.ClientSessionFactoryImpl.checkTransportKeys(ClientSessionFactoryImpl.java:1506) [hornetq-core-client-2.3.0.CR1.jar:]
                          at org.hornetq.core.client.impl.ClientSessionFactoryImpl.<init>(ClientSessionFactoryImpl.java:205) [hornetq-core-client-2.3.0.CR1.jar:]
                          at org.hornetq.core.client.impl.ServerLocatorImpl.createSessionFactory(ServerLocatorImpl.java:808) [hornetq-core-client-2.3.0.CR1.jar:]
                          at org.hornetq.jms.client.HornetQConnectionFactory.createConnectionInternal(HornetQConnectionFactory.java:583) [hornetq-jms-client-2.3.0.CR1.jar:]
                          ... 25 more

                   

                  You need to upgrade HornetQ to 2.3.0.Final (either by upgrading HornetQ itself or moving to a later version of AS7/EAP/Wildfly) to resolve this issue (i.e. [HORNETQ-408] SSL transport is hardcoded for unilateral mode, see also this discussion thread).  This is an important upgrade if you require SSL functionality.  I can't vouch for the security of the SSL implementation pre 2.3.0.Final.

                   

                  Now the last question is:

                   

                  Without the trust-store-path and the trust-store-password, how does the client know whether it can trust the server certificate (it's self-signed)? Is it just using the default JBoss AS one? Or is it the acceptor in Instance B that has to trust the client?

                  From what I recall (I worked on this over a year ago) the client will simply trust any certificate on the server (which is clearly insecure).  That's why I strongly recommend you upgrade.

                  • 6. Re: Enable SSL in hornetq netty-connector with AS 7.2 as a client using pooled-connection-factory and outbound-socket-binding
                    lifeonatrip

                    You need to upgrade HornetQ to 2.3.0.Final (either by upgrading HornetQ itself or moving to a later version of AS7/EAP/Wildfly) to resolve this issue (i.e. [HORNETQ-408] SSL transport is hardcoded for unilateral mode, see also this discussion thread).  This is an important upgrade if you require SSL functionality.  I can't vouch for the security of the SSL implementation pre 2.3.0.Final.

                    That's very interesting; this should be mentioned in bold red in the JBoss 7.x documentation (I'll do it).

                     

                    Now, I have another issue with the JBoss transaction recovery environment. Because I'm running the pooled connection factory in XA mode, I need an XA recovery environment to be available. This works fine without SSL, but when SSL comes into the game I get this in Instance A:

                     

                    10:23:39,886 WARN  [org.hornetq.core.client] (Periodic Recovery) HQ212023: connector.create or connectorFactory.createConnector should never throw an exception, implementation is badly behaved, but we will deal with it anyway.: java.lang.IllegalStateException: Unable to create NettyConnector for 10.20.103.87
                            at org.hornetq.core.remoting.impl.netty.NettyConnector.start(NettyConnector.java:358) [hornetq-core-client-2.3.0.CR1.jar:]
                            at org.hornetq.core.client.impl.ClientSessionFactoryImpl.getConnection(ClientSessionFactoryImpl.java:1218) [hornetq-core-client-2.3.0.CR1.jar:]
                            at org.hornetq.core.client.impl.ClientSessionFactoryImpl.getConnectionWithRetry(ClientSessionFactoryImpl.java:1071) [hornetq-core-client-2.3.0.CR1.jar:]
                            at org.hornetq.core.client.impl.ClientSessionFactoryImpl.connect(ClientSessionFactoryImpl.java:246) [hornetq-core-client-2.3.0.CR1.jar:]
                            at org.hornetq.core.client.impl.ServerLocatorImpl.createSessionFactory(ServerLocatorImpl.java:826) [hornetq-core-client-2.3.0.CR1.jar:]
                            at org.hornetq.jms.server.recovery.HornetQXAResourceWrapper.connect(HornetQXAResourceWrapper.java:378) [hornetq-jms-server-2.3.0.CR1.jar:]
                            at org.hornetq.jms.server.recovery.HornetQXAResourceWrapper.getDelegate(HornetQXAResourceWrapper.java:287) [hornetq-jms-server-2.3.0.CR1.jar:]
                            at org.hornetq.jms.server.recovery.HornetQXAResourceWrapper.recover(HornetQXAResourceWrapper.java:75) [hornetq-jms-server-2.3.0.CR1.jar:]
                            at com.arjuna.ats.internal.jta.recovery.arjunacore.XARecoveryModule.xaRecoveryStart(XARecoveryModule.java:520) [jbossjts-jacorb-4.17.3.Final.jar:4.17.3.Final (revision: 74343b48951c0fdab92316e56bfcaed605d620f6)]
                            at com.arjuna.ats.internal.jta.recovery.arjunacore.XARecoveryModule.resourceInitiatedRecoveryForRecoveryHelpers(XARecoveryModule.java:476) [jbossjts-jacorb-4.17.3.Final.jar:4.17.3.Final (revision: 74343b48951c0fdab92316e56bfcaed605d620f6)]
                            at com.arjuna.ats.internal.jta.recovery.arjunacore.XARecoveryModule.bottomUpRecovery(XARecoveryModule.java:378) [jbossjts-jacorb-4.17.3.Final.jar:4.17.3.Final (revision: 74343b48951c0fdab92316e56bfcaed605d620f6)]
                            at com.arjuna.ats.internal.jta.recovery.arjunacore.XARecoveryModule.periodicWorkSecondPass(XARecoveryModule.java:166) [jbossjts-jacorb-4.17.3.Final.jar:4.17.3.Final (revision: 74343b48951c0fdab92316e56bfcaed605d620f6)]
                            at com.arjuna.ats.internal.arjuna.recovery.PeriodicRecovery.doWorkInternal(PeriodicRecovery.java:789) [jbossjts-jacorb-4.17.3.Final.jar:4.17.3.Final (revision: 74343b48951c0fdab92316e56bfcaed605d620f6)]
                            at com.arjuna.ats.internal.arjuna.recovery.PeriodicRecovery.run(PeriodicRecovery.java:371) [jbossjts-jacorb-4.17.3.Final.jar:4.17.3.Final (revision: 74343b48951c0fdab92316e56bfcaed605d620f6)]
                    Caused by: java.lang.Exception: Failed to find a store at /usr/local/jboss-as-queue/domain/configuration/trustore.ks
                            at org.hornetq.core.remoting.impl.ssl.SSLSupport.validateStoreURL(SSLSupport.java:199) [hornetq-core-client-2.3.0.CR1.jar:]
                            at org.hornetq.core.remoting.impl.ssl.SSLSupport.loadKeystore(SSLSupport.java:144) [hornetq-core-client-2.3.0.CR1.jar:]
                            at org.hornetq.core.remoting.impl.ssl.SSLSupport.loadKeyManagers(SSLSupport.java:167) [hornetq-core-client-2.3.0.CR1.jar:]
                            at org.hornetq.core.remoting.impl.ssl.SSLSupport.createClientContext(SSLSupport.java:72) [hornetq-core-client-2.3.0.CR1.jar:]
                            at org.hornetq.core.remoting.impl.ssl.SSLSupport.getInstance(SSLSupport.java:86) [hornetq-core-client-2.3.0.CR1.jar:]
                            at org.hornetq.core.remoting.impl.netty.NettyConnector.start(NettyConnector.java:353) [hornetq-core-client-2.3.0.CR1.jar:]
                            ... 13 more

                    The client (Instance A) is looking for a truststore or keystore in the directory /usr/local/jboss-as-queue/domain/configuration; however, this directory doesn't exist on Instance A and is only configured on Instance B. Is it taking the truststore/keystore settings from the queue server?

                     

                    If I am correct, how can I define the keystore/truststore to use for the recovery environment? Or have I just missed the point?
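A configuration lint for the two failure modes the thread reaches in replies 5 and 6 (an ssl-enabled connector with no trust store, so the server certificate is never verified, and a store path that does not exist on the machine that has to open it), as an added example rather than code from the thread or from HornetQ. The sample fragment, the `exists` hook and the property values are constructed for the demonstration; `jboss.server.config.dir` and `jboss.domain.config.dir` are the properties the posts use.

```python
"""Lint the SSL params of HornetQ netty-connectors / netty-acceptors.
Added example, not HornetQ's own code: resolves the ${...} properties used
in the thread's snippets and reports what the thread ran into."""
import os
import re
import xml.etree.ElementTree as ET

PROP_RE = re.compile(r"\$\{([^}]+)\}")
STORE_KEYS = ("key-store-path", "trust-store-path")
PASSWORD_KEYS = ("key-store-password", "trust-store-password")
TRANSPORTS = ("netty-connector", "netty-acceptor")

# Constructed fragment: the thread's Instance A connector (trust-store-* keys
# dropped because 2.3.0.CR1 rejected them) next to the Instance B acceptor,
# including the "trustore.ks" path that the recovery thread failed to find.
SAMPLE_CONFIG = """
<hornetq-server>
  <connectors>
    <in-vm-connector name="in-vm" server-id="0"/>
    <netty-connector name="remote-netty-connector" socket-binding="messaging1">
      <param key="ssl-enabled" value="true"/>
      <param key="key-store-path" value="${jboss.server.config.dir}/keystore.ks"/>
      <param key="key-store-password" value="changeit"/>
    </netty-connector>
  </connectors>
  <acceptors>
    <netty-acceptor name="remote-netty-acceptor" socket-binding="messaging">
      <param key="ssl-enabled" value="true"/>
      <param key="key-store-path" value="${jboss.domain.config.dir}/keystore.ks"/>
      <param key="trust-store-path" value="${jboss.domain.config.dir}/trustore.ks"/>
      <param key="trust-store-password" value="changeit"/>
      <param key="key-store-password" value="changeit"/>
    </netty-acceptor>
  </acceptors>
</hornetq-server>
"""


def local_name(tag):
    """Drop a namespace prefix such as {urn:jboss:domain:messaging:1.3}."""
    return tag.rsplit("}", 1)[-1]


def transport_params(elem):
    """Collect <param key="..." value="..."/> children into a dict."""
    return {p.get("key"): p.get("value")
            for p in elem if local_name(p.tag) == "param"}


def expand(value, props):
    """Substitute ${prop} from props; return (text, unresolved prop names)."""
    missing = [n for n in PROP_RE.findall(value) if n not in props]
    text = PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    return text, missing


def lint_transport(elem, props, exists=os.path.exists):
    """Return (transport name, code, detail) findings for one transport."""
    kind = local_name(elem.tag)          # netty-connector or netty-acceptor
    name = elem.get("name", "?")
    params = transport_params(elem)
    findings = []
    if params.get("ssl-enabled", "false").lower() != "true":
        return findings                  # plaintext transport, nothing to check
    if kind == "netty-connector" and "trust-store-path" not in params:
        # No trust anchor on the client side: per reply 5 in the thread the
        # pre-2.3.0.Final client then accepts whatever certificate the server sends.
        findings.append((name, "NO_TRUST_STORE",
                         "ssl-enabled connector cannot verify the server certificate"))
    if kind == "netty-acceptor" and "key-store-path" not in params:
        findings.append((name, "NO_KEY_STORE",
                         "ssl-enabled acceptor has no certificate to present"))
    for key in STORE_KEYS:
        if key not in params:
            continue
        path, missing = expand(params[key], props)
        for prop in missing:
            findings.append((name, "UNRESOLVED_PROPERTY", f"{key}: ${{{prop}}}"))
        if not missing and not exists(path):
            # Same condition as "Failed to find a store at ..." in reply 6.
            findings.append((name, "STORE_MISSING", f"{key}: {path}"))
    for key in PASSWORD_KEYS:
        if params.get(key) == "changeit":   # JDK sample password, change it in production
            findings.append((name, "DEFAULT_PASSWORD", key))
    return findings


def lint_config(xml_text, props, exists=os.path.exists):
    """Lint every netty-connector / netty-acceptor below the given root."""
    root = ET.fromstring(xml_text)
    return [f for e in root.iter() if local_name(e.tag) in TRANSPORTS
            for f in lint_transport(e, props, exists)]
```

Running it on Instance A with only `jboss.server.config.dir` defined flags the acceptor's `${jboss.domain.config.dir}` paths as unresolved, which is the situation the recovery error above describes.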

                    • 7. Re: Enable SSL in hornetq netty-connector with AS 7.2 as a client using pooled-connection-factory and outbound-socket-binding
                      jbertram

                      Can you paste the relevant configuration details from instance A (e.g. pooled-connection-factory, connector, etc.)?

                      • 8. Re: Re: Enable SSL in hornetq netty-connector with AS 7.2 as a client using pooled-connection-factory and outbound-socket-binding
                        lifeonatrip

                        Of course, here you go:

                         

                        <connectors>
                          <in-vm-connector name="in-vm" server-id="0"/>
                          <netty-connector name="messaging1" socket-binding="messaging1">
                             <param key="ssl-enabled" value="true"/>
                             <param key="key-store-path" value="${jboss.server.config.dir}/keystore.ks"/>
                             <param key="key-store-password" value="changeit"/>
                          </netty-connector>
                          <netty-connector name="messaging2" socket-binding="messaging2">
                             <param key="ssl-enabled" value="true"/>
                             <param key="key-store-path" value="${jboss.server.config.dir}/keystore.ks"/>
                             <param key="key-store-password" value="changeit"/>
                          </netty-connector>
                        </connectors>
                        
                        

                         

                        <acceptors>
                             <in-vm-acceptor name="in-vm" server-id="0"/>
                        </acceptors>
                        
                        

                         

                        <pooled-connection-factory name="hornetq-ra">
                            <transaction mode="xa"/>
                            <connectors>
                                <connector-ref connector-name="in-vm"/>
                            </connectors>
                            <entries>
                                <entry name="java:/JmsXA"/>
                            </entries>
                        </pooled-connection-factory>
                        <connection-factory name="ConnectionFactory">
                            <reconnect-attempts>3</reconnect-attempts>
                            <retry-interval-multiplier>1.0</retry-interval-multiplier>
                            <retry-interval>1000</retry-interval>
                            <connectors>
                                <connector-ref connector-name="messaging1"/>
                                <connector-ref connector-name="messaging2"/>
                            </connectors>
                            <entries>
                                <entry name="java:/ConnectionFactory"/>
                                <entry name="java:jboss/exported/jms/ConnectionFactory"/>
                            </entries>
                        </connection-factory>
                        <pooled-connection-factory name="PooledXAConnectionFactory">
                            <ha>true</ha>
                            <user>USER</user>
                            <password>PASS</password>
                            <!--consumer-window-size>0</consumer-window-size-->
                            <reconnect-attempts>3</reconnect-attempts>
                            <retry-interval-multiplier>1.0</retry-interval-multiplier>
                            <retry-interval>1000</retry-interval>
                            <transaction mode="xa"/>
                            <connectors>
                                <connector-ref connector-name="messaging1"/>
                                <connector-ref connector-name="messaging2"/>
                            </connectors>
                            <entries>
                                <entry name="java:/PooledXAConnectionFactory"/>
                            </entries>
                        </pooled-connection-factory>
                        
                        <outbound-socket-binding name="messaging1">
                              <remote-destination host="10.20.103.87" port="5595"/>
                        </outbound-socket-binding>
                        <outbound-socket-binding name="messaging2">
                              <remote-destination host="10.20.103.88" port="5595"/>
                        </outbound-socket-binding>
                        
                        In summary:

                         

                        • ConnectionFactory is not used.
                        • PooledXAConnectionFactory is the one I'm using
                        • hornetq-ra is there as part of the default configuration
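Added example (not from the original post, and not HornetQ's or JBoss's own documentation): what the acceptor on the queue server and the matching connector on the application server look like once the client side is given a trust store to verify the server with, instead of a copy of the server's key store. The param keys are the HornetQ netty transport keys; the host, port, socket-binding name, file names and passwords are assumptions. This does not change jbertram's point below that the HornetQ build bundled in AS 7.2 should not be relied on for SSL; it only shows the intended shape of the configuration.

```xml
<!-- Instance B (queue server, 10.20.103.87), inside <hornetq-server>.
     The acceptor terminates TLS, so it is the only side that needs the
     key store holding the server's private key and certificate. -->
<acceptors>
    <in-vm-acceptor name="in-vm" server-id="0"/>
    <netty-acceptor name="netty-ssl" socket-binding="messaging-ssl">
        <param key="ssl-enabled" value="true"/>
        <!-- assumed file name; contains the server key pair only -->
        <param key="key-store-path" value="${jboss.server.config.dir}/server-keystore.jks"/>
        <!-- clear text in standalone.xml: restrict file permissions accordingly -->
        <param key="key-store-password" value="SERVER_KEYSTORE_PASSWORD"/>
    </netty-acceptor>
</acceptors>

<!-- Instance B, inside <socket-binding-group>: the listening port. -->
<socket-binding name="messaging-ssl" port="5595"/>

<!-- Instance A (application server), inside <hornetq-server>.
     The connector is the TLS client. It needs a trust store containing the
     server's certificate (or the CA that issued it) so that it can reject
     a server presenting any other certificate. It must NOT be given the
     server's key store: that file carries the server's private key. -->
<connectors>
    <in-vm-connector name="in-vm" server-id="0"/>
    <netty-connector name="messaging1" socket-binding="messaging1">
        <param key="ssl-enabled" value="true"/>
        <!-- assumed file name; contains only the server certificate -->
        <param key="trust-store-path" value="${jboss.server.config.dir}/client-truststore.jks"/>
        <param key="trust-store-password" value="CLIENT_TRUSTSTORE_PASSWORD"/>
    </netty-connector>
</connectors>

<!-- Instance A, inside <socket-binding-group>: unchanged from the post. -->
<outbound-socket-binding name="messaging1">
    <remote-destination host="10.20.103.87" port="5595"/>
</outbound-socket-binding>
```

The trust store is built by exporting the certificate from the server key store (keytool -exportcert on instance B) and importing that single certificate into a fresh JKS file on instance A (keytool -importcert), so the client trusts exactly one server certificate rather than everything a public CA signs. That narrowness matters here because, as far as I know, the HornetQ 2.3 netty transport validates the certificate chain but does not check the host name in the certificate. With this in place, a swapped or self-signed certificate on the 10.20.103.87 side makes the connector fail the handshake instead of silently talking to whoever answers on port 5595, which is the man-in-the-middle case discussed further down the thread.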

                        • 9. Re: Enable SSL in hornetq netty-connector with AS 7.2 as a client using pooled-connection-factory and outbound-socket-binding
                          jbertram

                          And what version of HornetQ are you using now?

                          • 10. Re: Enable SSL in hornetq netty-connector with AS 7.2 as a client using pooled-connection-factory and outbound-socket-binding
                            lifeonatrip

                            I am using the version embedded in Jboss 7.2 . HornetQ 2.3.0.CR1

                            • 11. Re: Enable SSL in hornetq netty-connector with AS 7.2 as a client using pooled-connection-factory and outbound-socket-binding
                              jbertram

                              I was under the impression you had upgraded.  IMO, there's basically no point in using SSL in any version before 2.3.0.Final.  Move to at least that version (preferably something even more recent) and then I can give you a hand.

                              • 12. Re: Enable SSL in hornetq netty-connector with AS 7.2 as a client using pooled-connection-factory and outbound-socket-binding
                                lifeonatrip

                                Ok, I was thinking that only the authentication part was broken not the encryption one.

                                I obviously cannot upgrade to version 2.3.0.Final by myself (it means changing the internals of the AS, and I don't have the time and/or expertise), and upgrading the whole AS to 8 is not an easy task either, since I must migrate the applications.

                                 

                                Am I basically forced to turn SSL off and find another way to encrypt the message?

                                 

                                I don't understand why a non-final release of HornetQ was included as part of the final GA release of AS 7; that sounds weird.

                                • 13. Re: Enable SSL in hornetq netty-connector with AS 7.2 as a client using pooled-connection-factory and outbound-socket-binding
                                  jbertram

                                  Ok, I was thinking that only the authentication part was broken not the encryption one.

                                  As I understand it, if authentication is vulnerable then you open yourself to man-in-the-middle attacks which could then compromise encryption.  The two stand and fall together.

                                   

                                  Am I basically forced to turn SSL off and find another way to encrypt the message?

                                  Unless you upgrade I don't see what other choice you have.

                                   

                                  I don't understand why a non-final release of HornetQ was included as part of the final GA release of AS 7; that sounds weird.

                                  It's not clear to me that a non-final release of HornetQ was actually included as part of a GA release of AS7.  The last public release of AS7 available for download is 7.1.1 which includes HornetQ 2.2.13.Final (which is a final release although it still suffers from this issue).  What version of AS7 are you using and from where did you download it?  A user on the forum thread which I linked earlier was unwittingly using JBoss EAP 6.1 Alpha which included HornetQ 2.3.0.CR1, and he solved his problem by using a newer version of JBoss EAP 6.x.  You can likely do the same.

                                  • 14. Re: Enable SSL in hornetq netty-connector with AS 7.2 as a client using pooled-connection-factory and outbound-socket-binding
                                    lifeonatrip

                                    As I understand it, if authentication is vulnerable then you open yourself to man-in-the-middle attacks which could then compromise encryption.  The two stand and fall together.

                                    Correct in the majority of cases, especially on public networks, but in my case I already trust the authenticity of the other end.

                                     

                                    Unless you upgrade I don't see what other choice you have.

                                    Is there really no way to configure this XARecovery environment with SSL?

                                     

                                    It's not clear to me that a non-final release of HornetQ was actually included as part of a GA release of AS7.  The last public release of AS7 available for download is 7.1.1 which includes HornetQ 2.2.13.Final (which is a final release although it still suffers from this issue).  What version of AS7 are you using and from where did you download it?  A user on the forum thread which I linked earlier was unwittingly using JBoss EAP 6.1 Alpha which included HornetQ 2.3.0.CR1, and he solved his problem by using a newer version of JBoss EAP 6.x.  You can likely do the same.

                                     

                                    The latest public release of JBoss AS 7.x is 7.2.Final. I am not using EAP (it's not the topic of the discussion, but I am not interested in switching to the EAP version).

                                    The source I'm using is this one: jbossas/jboss-as at 7.2.0.Final-testsuite-fix · GitHub. (This is the commit for the HornetQ version change: [AS7-6398] Upgrade to HornetQ 2.3.0.CR1 · 209a7cf · jbossas/jboss-as · GitHub.)

                                    As discussed in the community around the 7.2 release, 7.2 was called EAP 6.1 (and used as the base for EAP), but despite that version name, 7.2 was the actual latest AS7 stable release (as mentioned in the git commit that states "version 7.2.0.Final").

                                    Version 7.2 also fixes many bugs that I experienced with 7.1.1; that's why I don't understand the introduction of many CR and Beta packages in 7.2.0.Final (why call it Final?).

                                     

                                    Thanks for spending your time helping me out on this, it's really appreciated.
