JAAS Authentication/Authorization with STOMP+SSL
jamesc Jul 1, 2009 8:52 AM

We've been doing work with STOMP over SSL from python; we've implemented our own SSL client side connection on top of stomp.py 2.0.1. The broker is running RHEL5/FUSE5.3.0.2/ java-1.6.0-openjdk-devel-1.6.0.0-0.30.b09.el5
We have created the broker and CA keystores/truststores and now have a SSL connection negotiated and can verify the server certificate. We can then use this SSL connection to send messages to a broker with no authentication/ authorization configured and all works fine.
Now we turn on JAAS authentication/ authorization. We're following the FUSE security guide for this (even though it is more openwire specific) along with some instructions done by another user within our community (http://wiki.ndgf.org/display/ndgfwiki/StandaloneApacheActiveMQwithSSL+support). We've setup the JAAS properties and the user/group configurations. I've attached our activemq.xml for you to look at.
We're having a problem getting the JAAS layer to use the client certificate; we get the following stack trace on STOMP CONNECT:
2009-06-30 16:04:49,320 DEBUG TransportConnection - Setting up new connection: localhost.cern.ch/127.0.0.1:49784
2009-06-30 16:04:49,321 DEBUG Service - Error occured while processing sync command: ConnectionInfo {commandId = 0,
ion: Unable to authenticate transport without SSL certificate.
java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:75)
at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:82)
at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:686)
at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:86)
at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:308)
at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:182)
at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
at org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:210)
at org.apache.activemq.transport.stomp.StompTransportFilter.sendToActiveMQ(StompTransportFilter.java:78)
at org.apache.activemq.transport.stomp.ProtocolConverter.sendToActiveMQ(ProtocolConverter.java:135)
at org.apache.activemq.transport.stomp.ProtocolConverter.onStompConnect(ProtocolConverter.java:491)
at org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:187)
at org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:67)
at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:104)
at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:203)
at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:185)
at java.lang.Thread.run(Thread.java:636)
out SSL certificate.
java.io.IOException: Unable to authenticate transport without SSL certificate.
at org.apache.activemq.util.IOExceptionSupport.create(IOExceptionSupport.java:39)
at org.apache.activemq.transport.stomp.ProtocolConverter$2.onResponse(ProtocolConverter.java:498)
at org.apache.activemq.transport.stomp.ProtocolConverter.onActiveMQCommand(ProtocolConverter.java:567)
at org.apache.activemq.transport.stomp.StompTransportFilter.oneway(StompTransportFilter.java:56)
at org.apache.activemq.transport.InactivityMonitor.oneway(InactivityMonitor.java:237)
at org.apache.activemq.transport.MutexTransport.oneway(MutexTransport.java:40)
at org.apache.activemq.broker.TransportConnection.dispatch(TransportConnection.java:1215)
at org.apache.activemq.broker.TransportConnection.processDispatch(TransportConnection.java:800)
at org.apache.activemq.broker.TransportConnection.dispatchSync(TransportConnection.java:759)
at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:184)
at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
at org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:210)
at org.apache.activemq.transport.stomp.StompTransportFilter.sendToActiveMQ(StompTransportFilter.java:78)
at org.apache.activemq.transport.stomp.ProtocolConverter.sendToActiveMQ(ProtocolConverter.java:135)
at org.apache.activemq.transport.stomp.ProtocolConverter.onStompConnect(ProtocolConverter.java:491)
at org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:187)
at org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:67)
at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:104)
at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:203)
at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:185)
at java.lang.Thread.run(Thread.java:636)
Caused by: java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:75)
at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:82)
at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:686)
at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:86)
at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:308)
at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:182)
... 12 more
2009-06-30 16:04:49,323 DEBUG TransportConnection - Stopping connection: localhost.cern.ch/127.0.0.1:49784
2009-06-30 16:04:49,324 DEBUG TcpTransport - Stopping transport ssl://localhost.cern.ch/127.0.0.1:49784
2009-06-30 16:04:49,337 DEBUG TransportConnection - Stopped transport: localhost.cern.ch/127.0.0.1:49784
2009-06-30 16:04:49,338 DEBUG TransportConnection - Cleaning up connection resources: localhost.cern.ch/127.0.0.1:49784
Note this is not particular to the python STOMP client; if we directly use "openssl s_client" to do the negotiation, we get the same problem.
I note for openwire there are options WantClientAuth and needClientAuth to turn on client-side cert checking - is something similar needed or available for STOMP?
Attachment: activemq.xml.stomp-ssl (4.8 KB)
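As an added example (not the poster's attached activemq.xml), the broker-side settings that make the SSL transport request a client certificate, so that the JaasCertificateAuthenticationBroker seen in the trace has something to authenticate. It assumes the `transport.needClientAuth=true` URI option applies to the stomp+ssl connector as it does to the openwire ssl connector (the trace shows STOMP running on the same SslTransport); the port and the JAAS realm name `activemq-cert` are placeholders.

```xml
<!-- Added example, not the poster's configuration. Port and JAAS realm name are placeholders. -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">

  <plugins>
    <!-- Maps the client certificate's DN to a user through the JAAS login
         module named in login.config; the realm name here is a placeholder -->
    <jaasCertificateAuthenticationPlugin configuration="activemq-cert"/>
  </plugins>

  <transportConnectors>
    <!-- Weak: the broker completes the TLS handshake without asking for a
         client certificate, so every STOMP CONNECT is refused with
         "Unable to authenticate transport without SSL certificate" -->
    <!-- <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:61612"/> -->

    <!-- Corrected: needClientAuth makes the handshake require a client
         certificate that chains to the broker's truststore; a client that
         presents none is rejected at the handshake instead of at CONNECT -->
    <transportConnector name="stomp+ssl"
        uri="stomp+ssl://0.0.0.0:61612?transport.needClientAuth=true"/>
  </transportConnectors>
</broker>
```

With this in place, an `openssl s_client` session that presents no certificate should fail during the TLS handshake, while one started with `-cert` and `-key` for a certificate in the truststore should reach CONNECT and be authenticated by DN.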