1 2 Previous Next 19 Replies Latest reply on Nov 6, 2003 5:05 PM by Adrian Brock

    JMS over SSL

    colinmadere Newbie

      Have successfully set up SSL on JBoss+Tomcat (as per 3.2.1 dox) and accessed the jmx-console over https.

      Have configured JMS protocol UIL2 with this (no other changes):

      java:/jaas/mySSL
      org.jboss.security.ssl.ClientSocketFactory</attri
      bute>
      org.jboss.security.ssl.DomainServerSocketFactory<
      /attribute>

      Security domain is set up in the primary conf/jboss-service.xml and above is in deploy/jms/jboss-service.xml in the UIL2 section.

      Server starts fine but when I try to connect using the very basic MQ test program (that works with above lines commented out) I get an SSLException in the server output:

      22:58:33,845 ERROR [SocketManager] Failed to create ObjectInputStream
      javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
      at com.sun.net.ssl.internal.ssl.InputRecord.b(DashoA6275)
      ...

      What am I missing? Isn't one purpose of those factories is to not have to have changes in the client code? If so, what needs to be changed? Here's the connection snippet:

      iniCtx = new InitialContext();
      Object factory = iniCtx.lookup("UIL2ConnectionFactory");
      TopicConnectionFactory tcf = (TopicConnectionFactory) factory;
      conn = tcf.createTopicConnection();

      (client is hanging on this last statement when the server spits out the above error. I don't see anything obivous in the TCF class that would suggest I need to use a different one...)

        • 1. Re: JMS over SSL
          Stephane Nicoll Master

          update log4j to run JMS in trace mode, This might help you figuring out what's happening

          • 2. Re: JMS over SSL
            colinmadere Newbie

            Well, as you can see in my original message the exception is not in a jboss class, but rather a class that the jboss mq classes use.

            I added this to my /conf/log4j.xml but it did not change the output at all (as expected due to where the error occurs).




            • 3. Re: JMS over SSL
              colinmadere Newbie

              (would edit the previous message, but don't see the option)

              Any idea why the entry log4j.xml would not take? I don't see any trace output at all even though I've defined it for "org.jboss.mq".

              • 4. Re: JMS over SSL
                colinmadere Newbie

                Yes I "fixed" the above and added the correct class attribute for "TRACE" like in the dox and still don't get the extra output to the console...

                • 5. Re: JMS over SSL
                  Adrian Brock Master

                  It appears in log/server.log

                  I suspect your problem is in the ssl config,
                  there are some system properties in the jsse docs
                  for debugging.

                  Regards,
                  Adrian

                  • 6. Re: JMS over SSL
                    colinmadere Newbie

                    But I've followed the JBoss dox on configuring SSL. Are you saying they are incomplete with respect to configuring SSL for use with JBoss?

                    • 7. Re: JMS over SSL
                      Adrian Brock Master

                      No, I'm saying you've probably gone wrong somewhere.
                      The error you are receiving is from the ssl layer
                      so you will need to enable debug at that level
                      to see the problem.

                      The most obvious problems will be with your truststore.

                      Regards,
                      Adrian

                      • 8. Re: JMS over SSL
                        colinmadere Newbie

                        Hmm. If the embedded Tomcat SSL works, and access to the JMX-console works via SSL and EJB SSL access works, would that rule out that possibility?

                        Trying to avoid wild goose chases :)

                        This is a clean install and the _only_ settings I've changed from 'default' are what is suggested in the documentation for SSL enabling and what I have mentioned above.

                        • 9. Re: JMS over SSL
                          colinmadere Newbie

                          So I have no resolution on this. Going to wait for the trainer to show up and hope he can fix this (or help us find the issue).

                          Adrian, if you could explain how it is that I followed the docs, set the right factories for the JMS service for use via SSL (and that the super-simple JMS test client works in non-SSL mode) and made no other config changes from the default settings and it is still I that "went wrong somewhere", I'm all ears.

                          • 10. Re: JMS over SSL
                            Adrian Brock Master

                            I have no idea why it doesn't work.
                            I've never tried this configuration myself.

                            All you've posted is some configuration on the server.
                            I suggested you add some debugging so you can
                            see what the ssl connection initiated by the client
                            is trying (and failing) to do.

                            I can't help you if you only provide sarcastic comments
                            rather than information.

                            Regards,
                            Adrian

                            • 11. Re: JMS over SSL
                              Adrian Brock Master

                              OK, I just tried it, here is what I did.

                              1) Created a keystore in server/default/conf/test.keystore
                              2) Created a security domain that references it
                              (resource: is jboss specific protocol that loads from the
                              classloader, conf/ is the first classloader installed by jboss)

                               <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
                               name="jboss.security:service=JaasSecurityDomain,domain=SSL">
                               <constructor>
                               <arg type="java.lang.String" value="SSL"/>
                               </constructor>
                               <attribute name="KeyStoreURL">resource:test.keystore</attribute>
                               <attribute name="KeyStorePass">ssltest</attribute>
                               </mbean>
                              


                              3) Deployed a HTTPSUIL2ConnectionFactory

                               <mbean code="org.jboss.mq.il.uil2.UILServerILService"
                               name="jboss.mq:service=InvocationLayer,type=HTTPSUIL2">
                               <depends optional-attribute-name="Invoker">jboss.mq:service=Invoker</depends>
                               <attribute name="ConnectionFactoryJNDIRef">HTTPSUIL2ConnectionFactory</attribute>
                               <attribute name="XAConnectionFactoryJNDIRef">HTTPSUIL2XAConnectionFactory</attribute>
                               <attribute name="ServerBindPort">8193</attribute>
                               <attribute name="PingPeriod">60000</attribute>
                               <attribute name="EnableTcpNoDelay">true</attribute>
                               <!-- Used to disconnect the client if there is no activity -->
                               <!-- Ensure this is greater than the ping period -->
                               <attribute name="ReadTimeout">70000</attribute>
                               <!-- The size of the buffer (in bytes) wrapping the socket -->
                               <!-- The buffer is flushed after each request -->
                               <attribute name="BufferSize">2048</attribute>
                               <!-- Large messages may block the ping/pong -->
                               <!-- A pong is simulated after each chunk (in bytes) for both reading and writing -->
                               <!-- It must be larger than the buffer size -->
                               <attribute name="ChunkSize">1000000</attribute>
                               <attribute name="ClientSocketFactory">org.jboss.security.ssl.ClientSocketFactory</attribute>
                               <attribute name="ServerSocketFactory">org.jboss.security.ssl.DomainServerSocketFactory</attribute>
                               <attribute name="SecurityDomain">java:/jaas/SSL</attribute>
                               </mbean>
                              


                              On the client set the system property to use the keystore
                              as the truststore.

                               <java classname="test.client.Client" fork="true">
                              
                               <sysproperty key="javax.net.ssl.trustStore" path="${jboss.home}/server/${jboss.config}/conf/test.keystore"/>
                               <classpath refid="client.classpath"/>
                              
                               </java>
                              


                              Job Done.

                              Regards,
                              Adrian

                              • 12. Re: JMS over SSL
                                Stephane Nicoll Master

                                Adrian, your last comment should be added in the FAQ, shouldn't be?

                                Might be usefull

                                Regards,

                                Stephane

                                • 13. Re: JMS over SSL
                                  Kevin Urciolo Newbie

                                  I am attempting to have JMS over SSL. What am I doing incorrectly. I attempted to follow the directions. But I get the the error message below when the OIL2 service starts. My security domain configuration looks like this:





                                  ssl1
                                  test01


                                  I added these attributes to the oil2 config:

                                  ssl1
                                  org.jboss.security.ssl.ClientSocketFactory
                                  org.jboss.security.ssl.DomainServerSocketFactory



                                  16:18:23,366 ERROR [OIL2ServerILService] Failed to setSecurityDomain=ssl1 on socket factory
                                  16:18:23,366 ERROR [OIL2ServerILService] Starting failed
                                  java.lang.NullPointerException
                                  at org.jboss.security.ssl.DomainServerSocketFactory.initSSLContext(DomainServerSocketFactory.java:171)
                                  at org.jboss.security.ssl.DomainServerSocketFactory.createServerSocket(DomainServerSocketFactory.java:103)
                                  at org.jboss.mq.il.oil2.OIL2ServerILService.startService(OIL2ServerILService.java:485)
                                  at org.jboss.system.ServiceMBeanSupport.start(ServiceMBeanSupport.java:192)
                                  at sun.reflect.GeneratedMethodAccessor24.invoke(Unknown Source)
                                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                  at java.lang.reflect.Method.invoke(Method.java:324)
                                  at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
                                  at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:546)
                                  at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:976)
                                  at $Proxy13.start(Unknown Source)
                                  at org.jboss.system.ServiceController.start(ServiceController.java:394)
                                  at org.jboss.system.ServiceController.start(ServiceController.java:411)
                                  at org.jboss.system.ServiceController.start(ServiceController.java:411)
                                  at org.jboss.system.ServiceController.start(ServiceController.java:411)
                                  at org.jboss.system.ServiceController.start(ServiceController.java:411)
                                  at org.jboss.system.ServiceController.start(ServiceController.java:411)
                                  at org.jboss.system.ServiceController.start(ServiceController.java:411)
                                  at org.jboss.system.ServiceController.start(ServiceController.java:411)
                                  at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
                                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                  at java.lang.reflect.Method.invoke(Method.java:324)
                                  at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
                                  at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:546)
                                  at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:177)
                                  at $Proxy4.start(Unknown Source)
                                  at org.jboss.deployment.SARDeployer.start(SARDeployer.java:226)
                                  at org.jboss.deployment.MainDeployer.start(MainDeployer.java:824)
                                  at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:632)
                                  at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:605)
                                  at sun.reflect.GeneratedMethodAccessor19.invoke(Unknown Source)
                                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                  at java.lang.reflect.Method.invoke(Method.java:324)
                                  at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
                                  at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:546)
                                  at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:177)
                                  at $Proxy6.deploy(Unknown Source)
                                  at org.jboss.deployment.scanner.URLDeploymentScanner.deploy(URLDeploymentScanner.java:302)
                                  at org.jboss.deployment.scanner.URLDeploymentScanner.scan(URLDeploymentScanner.java:476)
                                  at org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.doScan(AbstractDeploymentScanner.java:201)
                                  at org.jboss.deployment.scanner.AbstractDeploymentScanner.startService(AbstractDeploymentScanner.java:274)
                                  at org.jboss.system.ServiceMBeanSupport.start(ServiceMBeanSupport.java:192)
                                  at sun.reflect.GeneratedMethodAccessor6.invoke(Unknown Source)
                                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                  at java.lang.reflect.Method.invoke(Method.java:324)
                                  at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
                                  at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:546)
                                  at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:976)
                                  at $Proxy0.start(Unknown Source)
                                  at org.jboss.system.ServiceController.start(ServiceController.java:394)
                                  at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
                                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                  at java.lang.reflect.Method.invoke(Method.java:324)
                                  at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
                                  at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:546)
                                  at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:177)
                                  at $Proxy4.start(Unknown Source)
                                  at org.jboss.deployment.SARDeployer.start(SARDeployer.java:226)
                                  at org.jboss.deployment.MainDeployer.start(MainDeployer.java:824)
                                  at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:632)
                                  at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:605)
                                  at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:589)
                                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                  at java.lang.reflect.Method.invoke(Method.java:324)
                                  at org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
                                  at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:546)
                                  at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:177)
                                  at $Proxy5.deploy(Unknown Source)
                                  at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:384)
                                  at org.jboss.system.server.ServerImpl.start(ServerImpl.java:291)
                                  at org.jboss.Main.boot(Main.java:150)
                                  at org.jboss.Main$1.run(Main.java:388)
                                  at java.lang.Thread.run(Thread.java:534)

                                  • 14. Re: JMS over SSL
                                    Adrian Brock Master

                                    The security domain name is the constructor argument "SSL"

                                    You should have:

                                    <attribute name="SecurityDomain">SSL</attribute>
                                    <attribute name="ClientSocketFactory">org.jboss.security.ssl.ClientSocketFactory</attribute>
                                    <attribute name="ServerSocketFactory">org.jboss.security.ssl.DomainServerSocketFactory</attribute>
                                    


                                    Regards,
                                    Adrian

                                    1 2 Previous Next