2 Replies Latest reply on Jul 10, 2009 9:35 AM by jamesc

    JAAS Authentication/Authorization with STOMP+SSL

    jamesc

      We've been doing work with STOMP over SSL from python - we've implemented our own SSL client side connection on top of stomp.py 2.0.1.  The broker is running RHEL5/FUSE5.3.0.2/ java-1.6.0-openjdk-devel-1.6.0.0-0.30.b09.el5

      We have created the broker and CA keystores/truststores and now have an SSL connection negotiated and can verify the server certificate.  We can then use this SSL connection to send messages to a broker with no authentication/authorization configured and all works fine.

      Now we turn on JAAS authentication/authorization.  We're following the FUSE security guide for this (even though it is more openwire specific) along with some instructions done by another user within our community ( http://wiki.ndgf.org/display/ndgfwiki/StandaloneApacheActiveMQwithSSL+support ).  We've set up the JAAS properties and the user/group configurations.  I've attached our activemq.xml for you to look at.

      We're having a problem getting the JAAS layer to use the client certificate - we get the following stack trace on STOMP CONNECT:

      2009-06-30 16:04:49,320 DEBUG TransportConnection            - Setting up new connection: localhost.cern.ch/127.0.0.1:49784
      2009-06-30 16:04:49,321 DEBUG Service                        - Error occured while processing sync command: ConnectionInfo {commandId = 0,
      ion: Unable to authenticate transport without SSL certificate.
      java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
              at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:75)
              at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:82)
              at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
              at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:686)
              at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:86)
              at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
              at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:308)
              at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:182)
              at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
              at org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:210)
              at org.apache.activemq.transport.stomp.StompTransportFilter.sendToActiveMQ(StompTransportFilter.java:78)
              at org.apache.activemq.transport.stomp.ProtocolConverter.sendToActiveMQ(ProtocolConverter.java:135)
              at org.apache.activemq.transport.stomp.ProtocolConverter.onStompConnect(ProtocolConverter.java:491)
              at org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:187)
              at org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:67)
              at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
              at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:104)
              at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:203)
              at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:185)
              at java.lang.Thread.run(Thread.java:636)
      out SSL certificate.
      java.io.IOException: Unable to authenticate transport without SSL certificate.
              at org.apache.activemq.util.IOExceptionSupport.create(IOExceptionSupport.java:39)
              at org.apache.activemq.transport.stomp.ProtocolConverter$2.onResponse(ProtocolConverter.java:498)
              at org.apache.activemq.transport.stomp.ProtocolConverter.onActiveMQCommand(ProtocolConverter.java:567)
              at org.apache.activemq.transport.stomp.StompTransportFilter.oneway(StompTransportFilter.java:56)
              at org.apache.activemq.transport.InactivityMonitor.oneway(InactivityMonitor.java:237)
              at org.apache.activemq.transport.MutexTransport.oneway(MutexTransport.java:40)
              at org.apache.activemq.broker.TransportConnection.dispatch(TransportConnection.java:1215)
              at org.apache.activemq.broker.TransportConnection.processDispatch(TransportConnection.java:800)
              at org.apache.activemq.broker.TransportConnection.dispatchSync(TransportConnection.java:759)
              at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:184)
              at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
              at org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:210)
              at org.apache.activemq.transport.stomp.StompTransportFilter.sendToActiveMQ(StompTransportFilter.java:78)
              at org.apache.activemq.transport.stomp.ProtocolConverter.sendToActiveMQ(ProtocolConverter.java:135)
              at org.apache.activemq.transport.stomp.ProtocolConverter.onStompConnect(ProtocolConverter.java:491)
              at org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:187)
              at org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:67)
              at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
              at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:104)
              at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:203)
              at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:185)
              at java.lang.Thread.run(Thread.java:636)
      Caused by: java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
              at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:75)
              at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:82)
              at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
              at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:686)
              at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:86)
              at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
              at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:308)
              at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:182)
              ... 12 more
      2009-06-30 16:04:49,323 DEBUG TransportConnection            - Stopping connection: localhost.cern.ch/127.0.0.1:49784
      2009-06-30 16:04:49,324 DEBUG TcpTransport                   - Stopping transport ssl://localhost.cern.ch/127.0.0.1:49784
      2009-06-30 16:04:49,337 DEBUG TransportConnection            - Stopped transport: localhost.cern.ch/127.0.0.1:49784
      2009-06-30 16:04:49,338 DEBUG TransportConnection            - Cleaning up connection resources: localhost.cern.ch/127.0.0.1:49784

      Note this is not particular to the python STOMP client: if we directly use 'openssl s_client' to do the negotiation, we get the same problem.

      I note for openwire there are options WantClientAuth and needClientAuth to turn on client side cert checking - is something similar needed or available for STOMP?

        • 1. Re: JAAS Authentication/Authorization with STOMP+SSL
          gseben

          Hi James,

          From the looks of the exception it seems that your stomp SSL connection is not being set up correctly. This particular exception is thrown when JAAS tries to get the security context of a connection and finds it to be null.

          How did you verify your SSL connection to the broker? Have you tried a different client aside from the python one?

          Gio

          • 2. Re: JAAS Authentication/Authorization with STOMP+SSL
            jamesc

            Hi Gio,

            Apologies for the delay in answering - we've been working on some stuff to try and understand this better and simplify the test case by removing python stomp.py from the loop.

            Firstly, your question about clients.  I've now reproduced all the results using the 'openssl s_client' client, which just does the SSL handshake and hands off to stdin for the rest (and I do the STOMP connect there by hand).

            I do the following:

            >openssl s_client -connect vtb-generic-40:6162 -CApath /etc/grid-security/certificates -cert /Users/jamesc/.globus/usercert.pem  -key /Users/jamesc/.globus/userkey.pem -state

            where stomp+ssl is on port 6162.

            In this case with JAAS cert login enabled I get the same output as I do when I test against the openwire+ssl port (6167 in my case).

            I configure the stomp+ssl transport connector as:

                   <transportConnector name="stompssl"     uri="stompssl://0.0.0.0:6162?transport.closeAsync=false&amp;wantClientAuth=true&amp;needClientAuth=true"/>

            I see that now I get proper client authentication - on the client side the list of accepted client CAs is sent back, and in the broker SSL debug logs I see that my certificate is logged as being read and verified.

            But if I try to do a STOMP CONNECT, I get the error message.  This is again all within the openssl s_client. Attached is a dump of the client log.

            I hope this helps.

            James.
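As an added example (not code from the thread, from stomp.py or from ActiveMQ), here is a small Python client that does by hand what the openssl s_client session in the thread does: it presents a client certificate during the TLS handshake, sends a STOMP CONNECT, and returns the broker's CONNECTED or ERROR frame so the reply can be checked programmatically. The host, port, certificate and key paths and CA directory are placeholders you supply; the frame builder and parser are tested offline.

```python
import socket
import ssl

# Added example; hypothetical helpers, not part of stomp.py or ActiveMQ.


def build_connect_frame(login=None, passcode=None):
    """Build a NUL-terminated STOMP CONNECT frame. login/passcode are optional:
    with JAAS certificate login the broker identifies the client from the TLS
    peer certificate, not from these headers."""
    headers = []
    if login is not None:
        headers.append("login:" + login)
    if passcode is not None:
        headers.append("passcode:" + passcode)
    return ("CONNECT\n" + "".join(h + "\n" for h in headers) + "\n").encode() + b"\x00"


def parse_frame(data):
    """Parse one NUL-terminated STOMP frame into (command, headers dict, body).
    Only the first ':' in a header line separates key from value."""
    frame = data.split(b"\x00", 1)[0].decode()
    head, _, body = frame.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if line:
            key, _, value = line.partition(":")
            headers[key] = value
    return lines[0], headers, body


def stomp_connect_mtls(host, port, certfile, keyfile, capath, timeout=5.0):
    """Mutual-TLS STOMP CONNECT. Returns the broker's reply as (command, headers,
    body): 'CONNECTED' when the certificate was accepted, 'ERROR' with the
    reason in the 'message' header otherwise (e.g. the 'without SSL certificate'
    text seen in the thread). capath is a directory of CA certs, as for -CApath."""
    # Default context verifies the server certificate and hostname against capath.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, capath=capath)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)  # client cert for JAAS
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_connect_frame())
            buf = b""
            while b"\x00" not in buf:  # read until the reply frame's terminator
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("broker closed the connection before replying")
                buf += chunk
            return parse_frame(buf)
```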