Encrypted JMS Bridge between Wildfly 10 instances
shaped Dec 28, 2016 9:41 AM
Hi There
I'm trying to setup an encrypted JMS-Bridge between two Wildfly 10 instances. Currently I cannot get the two instances to successfully establish the connection.
My current setup:
- 1 Server running Wildfly 10.0.0.Final
- Server JMS Queue: ServerInQueue
- 1 Client running Wildfly 10.0.0.Final
- Client JMS Queue: ClientOutQueue
Goal: JMS-Bridge for ClientOutQueue -> ServerInQueue
Note: There are two other queues for the opposite direction (omitted for simplicity).
Current state and problem:
- Server is listening on the configured port 7212 (bridge-acceptor) and responds with the configured certificate (self-signed).
- Configuration specified in the client's remote-connector seems to be useless.
- Connection is made according to the specified java.naming.provider.url in the jms-bridge config.
I'm aware of the thread "Wildfly 10 JMS bridge over HTTPS configuration issues". But this solution uses a Core Bridge.
Could anyone point me in the right direction? How can I specify that the jms-bridge connection should be encrypted?
With the given configuration below I get the following exceptions (see attached file for full stacktrace):
- Server: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
- Client: [https-remoting://server.name:7212 (javax.net.ssl.SSLHandshakeException: General SSLEngine problem)
Server:
<subsystem xmlns="urn:jboss:domain:messaging-activemq:1.0">
    <server name="default">
        <security-setting name="#">
            <role name="ROLE" delete-non-durable-queue="true" create-non-durable-queue="true" consume="true" send="true" />
        </security-setting>
        <address-setting name="#" redelivery-delay="5000" redelivery-multiplier="2" max-delivery-attempts="10" dead-letter-address="jms.queue.DLQ" />
        <http-connector name="http-connector" endpoint="http-acceptor" socket-binding="http" />
        <http-connector name="http-connector-throughput" endpoint="http-acceptor-throughput" socket-binding="http">
            <param name="batch-delay" value="50" />
        </http-connector>
        <in-vm-connector name="in-vm" server-id="0" />
        <remote-acceptor name="bridge-acceptor" socket-binding="custom-bridge">
            <param name="ssl-enabled" value="true"/>
            <param name="key-store-path" value="${jboss.server.config.dir}/keystore.jks" />
            <param name="key-store-password" value="keystore-password" />
        </remote-acceptor>
        <http-acceptor name="http-acceptor" http-listener="default" />
        <http-acceptor name="http-acceptor-throughput" http-listener="default">
            <param name="batch-delay" value="50" />
            <param name="direct-deliver" value="false" />
        </http-acceptor>
        <in-vm-acceptor name="in-vm" server-id="0" />
        <connection-factory name="InVmConnectionFactory" entries="java:/ConnectionFactory" connectors="in-vm" />
        <connection-factory name="RemoteConnectionFactory" entries="java:jboss/exported/jms/RemoteConnectionFactory" connectors="http-connector" />
        <pooled-connection-factory name="activemq-ra" transaction="xa" entries="java:/JmsXA java:jboss/DefaultJMSConnectionFactory" connectors="in-vm" />
        <jms-queue name="DLQ" entries="java:/jms/queue/DLQ" />
        <jms-queue name="ServerInQueue" entries="java:/jms/queue/ServerInQueue java:jboss/exported/jms/queue/ServerInQueue" />
    </server>
</subsystem>
...
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    ....
    <socket-binding name="custom-bridge" port="7212" />
</socket-binding-group>
Client:
<subsystem xmlns="urn:jboss:domain:messaging-activemq:1.0">
    <server name="default">
        <address-setting name="#" redelivery-delay="5000" redelivery-multiplier="2" max-delivery-attempts="10" dead-letter-address="jms.queue.DLQ" />
        <remote-connector name="bridge-connector" socket-binding="messaging-remote">
            <param name="ssl-enabled" value="true" />
            <param name="trust-store-path" value="${jboss.server.config.dir}/truststore.jks" />
            <param name="trust-store-password" value="truststore-password" />
            <!-- tried with no effect: -->
            <!--<param name="javax.net.ssl.trustStore" value="${jboss.server.config.dir}/truststore.jks" />-->
            <!--<param name="org.apache.activemq.ssl.trustStore" value="${jboss.server.config.dir}/truststore.jks" />-->
        </remote-connector>
        <in-vm-connector name="in-vm" server-id="0" />
        <in-vm-acceptor name="in-vm" server-id="0" />
        <connection-factory name="InVmConnectionFactory" entries="java:/ConnectionFactory" connectors="in-vm" />
        <connection-factory name="BridgeConnectionFactory" entries="java:jboss/exported/jms/BridgeConnectionFactory java:/jms/BridgeConnectionFactory" connectors="bridge-connector"/>
        <pooled-connection-factory name="activemq-ra" transaction="xa" entries="java:/JmsXA java:jboss/DefaultJMSConnectionFactory" connectors="in-vm" />
        <jms-queue name="DLQ" entries="java:/jms/queue/DLQ" />
        <jms-queue name="ClientOutQueue" entries="java:jboss/exported/jms/queue/ClientOutQueue java:/jms/queue/ClientOutQueue" />
    </server>
    <jms-bridge name="client-export-bridge" max-batch-time="100" max-batch-size="10" max-retries="-1" failure-retry-interval="10000" quality-of-service="DUPLICATES_OK">
        <source destination="java:/jms/queue/ClientOutQueue" connection-factory="ConnectionFactory" />
        <target user="jmsUser" password="jmsPassword" destination="jms/queue/ServerInQueue" connection-factory="java:/jms/BridgeConnectionFactory">
            <target-context>
                <property name="java.naming.factory.initial" value="org.jboss.naming.remote.client.InitialContextFactory" />
                <property name="java.naming.provider.url" value="https-remoting://server.name:7212" />
                <property name="java.naming.security.principal" value="jmsUser" />
                <property name="java.naming.security.credentials" value="jmsPassword" />
            </target-context>
        </target>
    </jms-bridge>
</subsystem>
...
<socket-binding-group name="standard-sockets" default-interface="public" ...
    <outbound-socket-binding name="messaging-remote">
        <remote-destination host="server.name" port="7212" />
    </outbound-socket-binding>
</socket-binding-group>
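A stand-alone handshake check for the "certificate_unknown" / "General SSLEngine problem" pair above, added here as an example and not part of the original post or of WildFly: it loads the client's truststore.jks, opens a TLS connection to the bridge-acceptor port and reports whether the presented certificate is trusted, printing fingerprints on both sides so a mismatch between the server's self-signed certificate and the truststore entries can be spotted directly. Host, port and truststore path are taken from the question; the truststore password is a placeholder.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Checks whether the client truststore trusts the certificate served on the bridge acceptor. */
public class BridgeTlsCheck {
    // Assumed values: host/port and truststore path from the question; the password is a placeholder.
    static final String HOST = "server.name";
    static final int PORT = 7212;
    static final String TRUSTSTORE = "truststore.jks";
    static final char[] PASSWORD = "truststore-password".toCharArray();

    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(TRUSTSTORE)) {
            ts.load(in, PASSWORD);
        }
        // Build an SSLContext that trusts exactly the entries in truststore.jks, like the remote-connector should.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(HOST, PORT)) {
            s.startHandshake();
            X509Certificate leaf = (X509Certificate) s.getSession().getPeerCertificates()[0];
            System.out.println("Handshake OK; server presented " + leaf.getSubjectX500Principal());
            System.out.println("Server cert SHA-256: " + fingerprint(leaf));
        } catch (SSLHandshakeException e) {
            // Client-side counterpart of the server's "certificate_unknown" alert: the chain the
            // acceptor presented matches none of the truststore entries listed below.
            System.out.println("Handshake failed: " + e.getMessage());
            for (Enumeration<String> a = ts.aliases(); a.hasMoreElements(); ) {
                String alias = a.nextElement();
                System.out.println("Trusted entry '" + alias + "' SHA-256: " + fingerprint(ts.getCertificate(alias)));
            }
        }
    }

    static String fingerprint(Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }
}
```

A successful handshake here only confirms that the Netty SSL acceptor and the truststore agree; it says nothing about whether the https-remoting provider URL in the target-context reaches that acceptor with the same TLS settings.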