Wildfly 10 JMS bridge over HTTPS configuration issues
just4f Oct 28, 2016 2:54 PMHey, I have working JMS bridge over HTTP, but I need it to be secure.
I faced some challenges:
- when connecting to remote ip, remote server returns its local hostname and next client connections to the server fails, because of now client connects to the hostname, which is unreachable. For now, I added hostname to hosts file - no longer this strange issue.
- on client http-connector trust-store-path does not work - javax.net.ssl.trustStore does
- failed to open server undertow index page with browser (ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY, NS_ERROR_NET_INADEQUATE_SECURITY)
- Issue i couldn't solve: Connector towards NettyConnector [host=myhost, port=8080, httpEnabled=false, httpUpgradeEnabled=true, useServlet=false, servletPath=/messaging/ActiveMQServlet, sslEnabled=false, useNio=true] failed. - after, looks like to be successful connection through https, client tries to connect through http again... as well to the hostname....
Current configuration is the following, bolded, updated from the default. Can you help me to find the issue?
Client:
<subsystem xmlns="urn:jboss:domain:messaging-activemq:1.0">
<server name="default">
<security-setting name="#">
<role name="guest" delete-non-durable-queue="true" create-non-durable-queue="true" consume="true" send="true"/>
</security-setting>
<address-setting name="#" message-counter-history-day-limit="10" page-size-bytes="2097152" max-size-bytes="10485760" expiry-address="jms.queue.ExpiryQueue" dead-letter-address="jms.queue.DLQ"/>
<http-connector name="http-connector" endpoint="http-acceptor" socket-binding="https">
<param name="http-upgrade-endpoint" value="http-acceptor" />
<param name="ssl-enabled" value="true"/>
<param name="trust-store-path" value="C:\server.truststore"/> <!-- does not work??? -->
<param name="trust-store-password" value="xxx"/> <!-- does not work??? -->
</http-connector>
<http-connector name="http-connector-throughput" endpoint="http-acceptor-throughput" socket-binding="https">
<param name="http-upgrade-endpoint" value="http-acceptor-throughput" />
<param name="batch-delay" value="50"/>
<param name="ssl-enabled" value="true"/>
<param name="trust-store-path" value="C:\server.truststore"/> <!-- does not work??? -->
<param name="trust-store-password" value="xxx"/> <!-- does not work??? -->
</http-connector>
<in-vm-connector name="in-vm" server-id="0"/>
<http-acceptor name="http-acceptor" http-listener="default"/>
<http-acceptor name="http-acceptor-throughput" http-listener="default">
<param name="batch-delay" value="50"/>
<param name="direct-deliver" value="false"/>
</http-acceptor>
<in-vm-acceptor name="in-vm" server-id="0"/>
<jms-queue name="ExpiryQueue" entries="java:/jms/queue/ExpiryQueue"/>
<jms-queue name="DLQ" entries="java:/jms/queue/DLQ"/>
<jms-queue name="myqueue.input" entries="queue/myqueue.input java:jboss/exported/jms/queues/myqueue.input java:/jms/queue/myqueue/input"/>
<connection-factory name="InVmConnectionFactory" factory-type="XA_GENERIC" entries="java:/ConnectionFactory" connectors="in-vm"/>
<connection-factory name="RemoteConnectionFactory" factory-type="XA_GENERIC" reconnect-attempts="-1" entries="java:jboss/exported/jms/RemoteConnectionFactory" connectors="http-connector"/>
<pooled-connection-factory name="activemq-ra" transaction="xa" entries="java:/JmsXA java:jboss/DefaultJMSConnectionFactory" connectors="in-vm"/>
</server>
<jms-bridge name="myqueue-bridge" add-messageID-in-header="true" max-batch-time="100" max-batch-size="10" max-retries="-1" failure-retry-interval="60000" quality-of-service="ONCE_AND_ONLY_ONCE">
<source destination="queue/myqueue.input" connection-factory="ConnectionFactory"/>
<target password="xxx" user="jmsuser" destination="jms/queues/myqueue.input" connection-factory="jms/RemoteConnectionFactory">
<target-context>
<property name="java.naming.factory.initial" value="org.jboss.naming.remote.client.InitialContextFactory"/>
<property name="java.naming.provider.url" value="https-remoting://111.111.111.111:8443"/>
<property name="java.naming.security.principal" value="jmsuser"/>
<property name="java.naming.security.credentials" value="xxx"/>
</target-context>
</target>
</jms-bridge>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:3.0">
<endpoint/>
<http-connector name="http-remoting-connector" connector-ref="https" security-realm="ApplicationRealm"/>
</subsystem>
Server:
<subsystem xmlns="urn:jboss:domain:messaging-activemq:1.0">
<server name="default">
<security-setting name="#">
<role name="guest" delete-non-durable-queue="true" create-non-durable-queue="true" consume="true" send="true"/>
</security-setting>
<address-setting name="#" message-counter-history-day-limit="10" page-size-bytes="2097152" max-size-bytes="10485760" expiry-address="jms.queue.ExpiryQueue" dead-letter-address="jms.queue.DLQ"/>
<http-connector name="http-connector" endpoint="http-acceptor" socket-binding="http"/>
<http-connector name="http-connector-throughput" endpoint="http-acceptor-throughput" socket-binding="http">
<param name="batch-delay" value="50"/>
</http-connector>
<in-vm-connector name="in-vm" server-id="0"/>
<http-acceptor name="http-acceptor" http-listener="https">
<param name="ssl-enabled" value="true"/>
<param name="key-store-path" value="/opt/wildfly/standalone/configuration/server.keystore"/>
<param name="key-store-password" value="xxx"/>
</http-acceptor>
<http-acceptor name="http-acceptor-throughput" http-listener="https">
<param name="batch-delay" value="50"/>
<param name="direct-deliver" value="false"/>
<param name="ssl-enabled" value="true"/>
<param name="key-store-path" value="/opt/wildfly/standalone/configuration/server.keystore"/>
<param name="key-store-password" value="xxx"/>
</http-acceptor>
<in-vm-acceptor name="in-vm" server-id="0"/>
<jms-queue name="ExpiryQueue" entries="java:/jms/queue/ExpiryQueue"/>
<jms-queue name="DLQ" entries="java:/jms/queue/DLQ"/>
<jms-queue name="myqueue.input" entries="queue/myqueue.input java:jboss/exported/jms/queues/myqueue.input java:/jms/queue/myqueue/input"/>
<connection-factory name="InVmConnectionFactory" factory-type="XA_GENERIC" entries="java:/ConnectionFactory" connectors="in-vm"/>
<connection-factory name="RemoteConnectionFactory" factory-type="XA_GENERIC" reconnect-attempts="-1" entries="java:jboss/exported/jms/RemoteConnectionFactory" connectors="http-connector"/>
<pooled-connection-factory name="activemq-ra" entries="java:/JmsXA java:jboss/DefaultJMSConnectionFactory" connectors="in-vm" transaction="xa"/>
</server>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:3.0">
<endpoint/>
<http-connector name="http-remoting-connector" connector-ref="https" security-realm="ApplicationRealm"/>
</subsystem>