8 Replies Latest reply on Jun 25, 2013 9:34 AM by Justin Bertram

    Anonymous SSL in HornetQ

    notafrog Newbie

      I would like to use HornetQ with anonymous SSL.  In other words, I do not want to have a trust store or key store on either the client or server.  I basically just want the data to be encrypted.  This is apparently possible with Netty, but is it possible with HornetQ?  If so, only with 2.3.0?

       

      I assumed the following behaviour would give the desired outcome, but apparently with my limited SSL knowledge, I am missing something:

       

         <connectors>

            <connector name="netty-ssl">

               <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>

               <param key="host"  value="${hornetq.remoting.netty.host:localhost}"/>

               <param key="port"  value="${hornetq.remoting.netty.port:5445}"/>

               <param key="ssl-enabled" value="true"/>

            </connector>

         </connectors>

       

         <acceptors>

            <acceptor name="netty-ssl">

               <factory-class>org.hornetq.core.remoting.impl.netty.NettyAcceptorFactory</factory-class>

               <param key="host"  value="${hornetq.remoting.netty.host:localhost}"/>

               <param key="port"  value="${hornetq.remoting.netty.port:5445}"/>

               <param key="ssl-enabled" value="true"/>

            </acceptor>

         </acceptors>

       

      Thanks in advance for any help with this

        • 1. Re: Anonymous SSL in HornetQ
          Justin Bertram Master

          This was recently fixed via HORNETQ-408 and will be available in 2.3.0.

          • 2. Re: Anonymous SSL in HornetQ
            notafrog Newbie

            Great, thanks for the quick reply.

             

            I therefore assume that abovementioned config file should work for my scenario, without any code changes or key/trust-stores required, from the next release?

            • 3. Re: Anonymous SSL in HornetQ
              Justin Bertram Master

              I misunderstood your initial question.  SSL was essentially broken in all previous versions of HornetQ.  HORNETQ-408 fixed that, but did not enable "anonymous" SSL so your configuration would not work.  At the very least you are required to have a keystore on the server.  If you don't want to have a truststore on the client then that keystore would have to be signed by an authority which the client trusted already. 

               

              Can you point me to how "anonymous" SSL is possible in Netty?

              • 4. Re: Anonymous SSL in HornetQ
                notafrog Newbie

                Hi.  After putting this issue on hold for a while, I am now back to implementing SSL with HornetQ.  Upgraded to latest 2.3.0 final, but still unable to get SSL working.  I guess it should be simple, but clearly I am missing something here.  Are there any simple (not JMS / Servlet) standalone SSL examples available somewhere?  What is the simplest way of implementing SSL?

                 

                hornetq-beans.xml:

                 

                   <!-- MBean server -->

                   <bean name="MBeanServer" class="javax.management.MBeanServer">

                      <constructor factoryClass="java.lang.management.ManagementFactory"

                                   factoryMethod="getPlatformMBeanServer"/>

                   </bean>

                 

                   <!-- The core configuration -->

                   <bean name="Configuration" class="org.hornetq.core.config.impl.FileConfiguration">

                   </bean>

                 

                    <!-- The security manager -->

                   <bean name="HornetQSecurityManager" class="com.myapp.security.AppSecManager">

                   </bean>

                  

                    <!-- The core server -->

                   <bean name="HornetQServer" class="org.hornetq.core.server.impl.HornetQServerImpl">

                      <constructor>

                         <parameter>

                            <inject bean="Configuration"/>

                         </parameter>

                         <parameter>

                            <inject bean="MBeanServer"/>

                         </parameter>

                         <parameter>

                            <inject bean="HornetQSecurityManager"/>

                         </parameter>       

                      </constructor>

                      <start ignored="true"/>

                      <stop ignored="true"/>

                   </bean>

                  

                   <!-- The JMS server  -->

                   <bean name="JMSServerManager" class="org.hornetq.jms.server.impl.JMSServerManagerImpl">

                      <constructor>        

                         <parameter>

                            <inject bean="HornetQServer"/>

                         </parameter>        

                      </constructor>

                   </bean>           

                  

                   <bean name="MainServer" class="com.myapp.MainServer">

                   </bean>

                 

                   <bean name="SecurityService" class="com.myapp.SecurityService">

                   </bean>

                 

                hornetq-configuration.xml:

                <!-- Acceptors -->

                   <acceptors>

                      <acceptor name="netty-ssl">

                         <factory-class>org.hornetq.core.remoting.impl.netty.NettyAcceptorFactory</factory-class>

                         <param key="host" value="localhost"/>

                         <param key="port" value="5666"/>

                         <param key="ssl-enabled" value="true"/>

                         <param key="key-store-path" value="some.keystore"/>

                         <param key="key-store-password" value="something"/>  

                         <param key="trust-store-path" value="some.truststore"/>

                         <param key="trust-store-password" value="something"/>        

                      </acceptor>

                   </acceptors>

                 

                   <!-- Connectors -->

                   <connectors>

                      <connector name="netty-ssl">

                         <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>

                         <param key="host" value="localhost"/>

                         <param key="port" value="5666"/>

                         <param key="key-store-path" value="some.keystore"/>

                         <param key="key-store-password" value="something"/>

                      </connector>

                   </connectors>

                 

                 

                   <security-settings>

                      <security-setting match="#">

                         <permission type="createNonDurableQueue" roles="PreRegister"/>

                      </security-setting>

                   </security-settings>

                • 5. Re: Anonymous SSL in HornetQ
                  notafrog Newbie

                  I am really stuck with this.  My understanding was that, if everything runs fine withouth SSL, all that is needed to enable SSL, is to add the relevant settings to the hornetq-configuration.xml file.  Is this correct, or must there be some code changes as well?

                   

                  I changed first the above hornetq-configuration.xml to the following:

                  <!-- Acceptors -->

                     <acceptors>

                        <acceptor name="netty-ssl">

                           <factory-class>org.hornetq.core.remoting.impl.netty.NettyAcceptorFactory</factory-class>

                           <param key="host" value="localhost"/>

                           <param key="port" value="6665"/>

                           <param key="hornetq.remoting.netty.ssl-enabled" value="true"/>

                           <param key="hornetq.remoting.netty.key-store-path" value="blah.keystore"/>

                           <param key="hornetq.remoting.netty.key-store-password" value="blah"/>

                        </acceptor>

                     </acceptors>

                   

                   

                    <connectors>     

                        <connector name="netty-ssl-connector">

                           <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>

                           <param key="hornetq.remoting.netty.host" value="localhost"/>

                           <param key="hornetq.remoting.netty.port" value="6665"/>                        

                           <param key="hornetq.remoting.netty.ssl-enabled" value="true"/>

                           <param key="hornetq.remoting.netty.trust-store-path" value="blah.truststore"/>

                           <param key="hornetq.remoting.netty.trust-store-password" value="blah"/>

                        </connector>       

                     </connectors>

                   

                  which did not work.  Then I tried:

                     <!-- Acceptors -->

                     <acceptors>

                        <acceptor name="netty-ssl">

                           <factory-class>org.hornetq.core.remoting.impl.netty.NettyAcceptorFactory</factory-class>

                           <param key="host" value="localhost"/>

                           <param key="port" value="6665"/>

                           <param key="hornetq.remoting.netty.ssl-enabled" value="true"/>

                           <param key="hornetq.remoting.netty.key-store-path" value="blah.keystore"/>

                           <param key="hornetq.remoting.netty.key-store-password" value="blah"/>

                           <param key="hornetq.remoting.netty.trust-store-path" value="blah.truststore"/>

                           <param key="hornetq.remoting.netty.trust-store-password" value="blah"/>

                        </acceptor>

                     </acceptors>

                   

                   

                    <connectors>     

                        <connector name="netty-ssl-connector">

                           <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>

                           <param key="hornetq.remoting.netty.host" value="localhost"/>

                           <param key="hornetq.remoting.netty.port" value="6665"/>                        

                           <param key="hornetq.remoting.netty.ssl-enabled" value="true"/>

                           <param key="hornetq.remoting.netty.trust-store-path" value="blah.truststore"/>

                           <param key="hornetq.remoting.netty.trust-store-password" value="blah"/>

                           <param key="hornetq.remoting.netty.key-store-path" value="blah.keystore"/>

                           <param key="hornetq.remoting.netty.key-store-password" value="blah"/>

                        </connector>       

                     </connectors>

                   

                  which also does not work.  However, if I remove the SSL-related lines, everything works as expected..

                   

                  In both the above SSL cases, I get:

                  ERROR Error installing to Start: name=MainServer state=Create (AbstractController::incrementState)

                  HornetQException[errorType=NOT_CONNECTED message=HQ119007: Cannot connect to server(s). Tried with all available servers

                  .]

                  at org.hornetq.core.client.impl.ServerLocatorImpl.createSessionFactory(ServerLocatorImpl.java:852)

                   

                  Any help / advice appreciated

                  • 6. Re: Anonymous SSL in HornetQ
                    Justin Bertram Master

                    Did you take a look at the "ssl-enabled" example shipped in HornetQ?

                     

                    Your first configuration snippet looked like it would work, but you just say it "did not work" and do not elaborate on what behavior you observed or provide other relevant configuration and code details.

                    • 7. Re: Anonymous SSL in HornetQ
                      notafrog Newbie

                      Thanks, finally got it working.  Just in case someone else struggles with the same:

                      1. The JMSServerManagerImpl bean in my hornetq-beans.xml (previous post) was removed, as I do not need it.  It somehow slipped back in.

                      2. My keystore had an unkown issue.  Using the provided HornetQ sample one solved this, so I will now just recreate my own keystore and truststore.  I do not expect this to be a further issue, since I have now have a working setup to troubleshoot against.

                      3. I also needed to add some connection parameters when constructing the ServerLocator,  in both my server- and client code.  Not sure if this is the best way of doing it, but for now, it will do.

                              final HashMap<String, Object> map = new HashMap<String, Object>();

                              map.put("host", theHost);

                              map.put("port", thePort);

                              map.put(org.hornetq.core.remoting.impl.netty.TransportConstants.SSL_ENABLED_PROP_NAME, true);

                              map.put(org.hornetq.core.remoting.impl.netty.TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "../hornetq.example.truststore");

                              map.put(org.hornetq.core.remoting.impl.netty.TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "hornetqexample");

                              ServerLocator serverLocator = HornetQClient.createServerLocatorWithoutHA(new TransportConfiguration(NettyConnectorFactory.class.getName(),map));


                      This is not anonymous SSL, as I initially intended to use.  The only drawback is that the clients now need to add the server certificate to their trust store.  My next step is therefore to implement adding to the truststore in a seamless way, as to minimise the input required by the client when connecting to the server for the first time.

                      • 8. Re: Anonymous SSL in HornetQ
                        Justin Bertram Master

                        As you noted, this is not anonymous SSL.  I was never able to find any additional information about how to implement anonymous SSL with Netty.

                         

                        If the certificate on the server is signed by a trusted authority (e.g. Verisign) then the client won't need to add it to its truststore.