Question:

ActiveMQ mutual SSL authentication

龙星渊
2023-03-14

I am trying to set up ActiveMQ for mutual authentication, so that clients need a certificate to deliver messages to the broker. On the broker I created a keystore and a truststore and exported a certificate that I copied to the client. On the client I did the same, although since I am using NMS I only use the exported certificate, which I added to the broker's truststore. I also added the certificate to the Local Machine Trusted Root Certificates on the other machine.
The broker is configured like this:

<transportConnectors>  
  <transportConnector name="ssl" uri="ssl://0.0.0.0:61616"/>  
</transportConnectors>  
<sslContext>  
  <sslContext keyStore="file:${activemq.base}/conf/keystore.jks"  
    keyStorePassword="ksPass"  
    trustStore="file:${activemq.base}/conf/shared.ks"  
    trustStorePassword="ksPass"/>  
</sslContext>  
<plugins>  
 <jaasCertificateAuthenticationPlugin configuration="CertLogin" />  
</plugins>  

${activemq.base}/conf/login.config

CertLogin {
 org.apache.activemq.jaas.TextFileCertificateLoginModule required
 debug=true
 org.apache.activemq.jaas.textfiledn.user="users.properties"
 org.apache.activemq.jaas.textfiledn.group="groups.properties";
};  

${activemq.base}/conf/users.properties contains:

user=CN=nms.client.170,\ OU=IT,\ O=MyOrg,\ L=Oslo,\ S=Oslo,\ C=NO  

${activemq.base}/conf/groups.properties contains:

admins=system  
users=system,user    

In the NMS client's appSettings I connect with this:

<add key="jms.uri" value="ssl://brokeraddress.in.hosts:61616?needClientAuth=true&amp;wantClientAuth=true&amp;transport.clientCertSubject=nms.client.170&amp;transport.clientCertPassword=ksClientPw&amp;transport.clientCertFilename=C:\TestClient\client170.crt" />

If I do not have the JAAS certificate authentication plugin in the broker, I can connect over SSL, but with it (which is the idea) I get an error; it fails in Apache.NMS.ActiveMQ.Connection at

// Send the connection and see if an ack/nak is returned.
Response response = transport.Request(this.info, this.RequestTimeout);

with the exception response: "java.lang.SecurityException: Unable to authenticate transport without SSL certificate."

The trace shows:

10:19:16,479 INFO  Client.MyTrace - BrokerUri set = ssl://brokeraddress.in.hosts:61616?transport.clientcertpassword=ksClient&transport.clientcertsubject=nms.client.170&needclientauth=true&wantclientauth=true&transport.clientcertfilename=C:\TestClient\client170.crt  
10:19:16,492 DEBUG Client.MyTrace - SetProperties called with target: ConnectionFactory, and prefix: connection.  
10:19:16,492 DEBUG Client.MyTrace - SetProperties called with target: ConnectionFactory, and prefix: nms.  
10:19:16,495 INFO  Client.MyTrace - Connecting to: ssl://brokeraddress.in.hosts:61616/?transport.clientcertpassword=ksClient&transport.clientcertsubject=nms.client.170&needclientauth=true&wantclientauth=true&transport.clientcertfilename=C:\TestClient\client170.crt  
10:19:16,497 DEBUG Client.MyTrace - Searching Assembly: Apache.NMS.ActiveMQ for factory of the id: ssl  
10:19:16,549 DEBUG Client.MyTrace - Found the Factory of type Apache.NMS.ActiveMQ.Transport.Tcp.SslTransportFactory for id: ssl  
10:19:16,552 DEBUG Client.MyTrace - Opening socket to: brokeraddress.in.hosts on port: 61616  
10:19:16,554 DEBUG Client.MyTrace - Connected to brokeraddress.in.hosts:61616 using InterNetwork protocol.  
10:19:16,562 DEBUG Client.MyTrace - Creating new instance of the SSL Transport.  
10:19:16,564 DEBUG Client.MyTrace - Creating Inactivity Monitor: 1  
10:19:16,677 DEBUG Client.MyTrace - Authorizing as Client for Server: brokeraddress.in.hosts  
10:19:16,679 DEBUG Client.MyTrace - Attempting to load Client Certificate from file := C:\TestClient\client170.crt  
10:19:16,682 DEBUG Client.MyTrace - Loaded Client Certificate := [Subject]  CN=nms.client.170, OU=IT, O=MyOrg, L=Oslo, S=Oslo, C=NO [Issuer]  CN=nms.client.170, OU=IT, O=MyOrg, L=Oslo, S=Oslo, C=NO  
10:19:16,684 DEBUG Client.MyTrace - Client is selecting a local certificate from 1 possibilities.  
10:19:16,684 DEBUG Client.MyTrace - Client has selected certificate with Subject = CN=nms.client.170, OU=IT, O=MyOrg, L=Oslo, S=Oslo, C=NO  
10:19:16,969 DEBUG Client.MyTrace - ValidateServerCertificate: Issued By CN=brokeraddress.in.hosts, OU=DataCom, O=MyOrg, L=Oslo, S=Oslo, C=NO  
10:19:16,969 DEBUG Client.MyTrace - Server is Authenticated = True  
10:19:16,970 DEBUG Client.MyTrace - Server is Encrypted = True  
10:19:16,978 DEBUG Client.MyTrace - InactivityMonitor[1]: Read Check time interval: 30000  
10:19:16,978 DEBUG Client.MyTrace - InactivityMonitor[1]: Initial Delay time interval: 10000  
10:19:16,985 DEBUG Client.MyTrace - InactivityMonitor[1]: Write Check time interval: 10000  
10:19:19,017 DEBUG Client.MyTrace - Exception received in the Inactivity Monitor: Unable to read beyond the end of the stream.  
10:19:19,019 DEBUG Client.MyTrace - InactivityMonitor[1].Runner: Task Runner Shut Down  
10:19:19,019 DEBUG Client.MyTrace - InactivityMonitor[1]: Stopped Monitor Threads.  
10:19:19,032 DEBUG Client.MyTrace - Connection[ID:EJPB-56409-635193299565662525-1:0]: Async exception with no exception listener: System.IO.EndOfStreamException: Unable to read beyond the end of the stream.  
 System.IO.BinaryReader.FillBuffer(Int32 numBytes)
 System.IO.BinaryReader.ReadInt32()
 Apache.NMS.Util.EndianBinaryReader.ReadInt32() in c:\dev\NMS\src\main\csharp\Util\EndianBinaryReader.cs:line 135
 Apache.NMS.ActiveMQ.OpenWire.OpenWireFormat.Unmarshal(BinaryReader dis) in c:\dev\NMS.ActiveMQ\src\main\csharp\OpenWire\OpenWireFormat.cs:line 228
 Apache.NMS.ActiveMQ.Transport.Tcp.TcpTransport.ReadLoop() in c:\dev\NMS.ActiveMQ\src\main\csharp\Transport\Tcp\TcpTransport.cs:line 295
10:19:19,035 DEBUG Client.MyTrace - TransportFilter disposing of next Transport: MutexTransport  
10:19:19,035 DEBUG Client.MyTrace - TransportFilter disposing of next Transport: WireFormatNegotiator  
10:19:19,036 DEBUG Client.MyTrace - TransportFilter disposing of next Transport: InactivityMonitor  
10:19:19,036 DEBUG Client.MyTrace - InactivityMonitor[1]: Stopped Monitor Threads.  
10:19:19,037 DEBUG Client.MyTrace - TransportFilter disposing of next Transport: SslTransport  
10:19:19,071 INFO  Client.MyTrace - Connection[ID:SUSSDEV2-56409-635193299565662525-1:0]: Closing Connection Now.  
10:19:19,073 DEBUG Client.MyTrace - Connection[ID:SUSSDEV2-56409-635193299565662525-1:0]: Disposing of the Transport.  
10:19:19,073 DEBUG Client.MyTrace - InactivityMonitor[1]: Stopped Monitor Threads.  

In the broker it says:

INFO | jvm 1 | 10:18:20 | WARN | Failed to add Connection ID:EJPB-56409-635193299565662525-1:0, reason: java.lang.SecurityException: Unable to authenticate transport without SSL certificate.  
INFO | jvm 1 | 10:18:22 | INFO | Stopping tcp://192.168.5.170:56408 because Failed with SecurityException: Unable to authenticate transport without SSL certificate.  

OK, so what am I missing? It says "transport without SSL certificate", but the client selects it during the connection, and it is in the broker's truststore and in the root certificates.

Using NMS 1.6.0 and ActiveMQ 5.8.0.
I also tried a simple client in Java, with the same result:

Exception in thread "main" javax.jms.JMSException: Unable to authenticate transport without SSL certificate.  
    at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:49)  
    at org.apache.activemq.ActiveMQConnection.syncSendPacket(ActiveMQConnection.java:1295)
    at org.apache.activemq.ActiveMQConnection.ensureConnectionInfoSent(ActiveMQConnection.java:1392)
    at org.apache.activemq.ActiveMQConnection.start(ActiveMQConnection.java:504)  
    at com.atest.jms.Client.main(Client.java:69)  
Caused by: java.lang.SecurityException: Unable to authenticate transport without SSL certificate.  
    at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:74)  
    at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:91)  
    at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:766)  
    at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:79)  
    at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:139)  
    at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:329)  
    at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:184)  
    at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)  
    at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:113)  
    at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:288)  
    at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)  
    at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:91)  
    at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:214)  
    at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:196)  
    at java.lang.Thread.run(Unknown Source)    

Does anyone have any ideas? Thanks.

OK, I tried again. I noticed I had not added this to the broker's ssl transportConnector:

<transportConnector name="ssl" uri="ssl://0.0.0.0:61616?needClientAuth=true"/>  

I tried the Java client and it can send, but I still get an error from the NMS client (same configuration):

15:28:14,044 ERROR Test_DataCom.MyTrace - Exception: A call to SSPI failed, see inner exception.
15:28:14,045 ERROR Test_DataCom.MyTrace - Inner exception: An unknown error occurred while processing the certificate
15:28:14,045 ERROR Test_DataCom.MyTrace - Authentication failed - closing the connection.  

In the broker I get a null cert chain:

INFO | jvm 1 | 15:28:13 | ERROR | Could not accept connection from tcp://192.168.50.170:61978: javax.net.ssl.SSLHandshakeException: null cert chain

I have the certificates in each other's truststores and in the Local Machine Trusted Root Certificates... What else is needed? Where is it supposed to find a certificate chain if there is none with a self-signed certificate?

1 answer

宦翔
2023-03-14

OK, I seem to have it now. After re-reading this comment, I exported the client certificate and key to a PKCS file and imported it into the Current User certificate store in Windows
C:\

Then I used this URL-encoded connection:

I also had in ${activemq.base}/conf/users.properties: "user=CN=nms.client.170,\ OU=IT,\ O=MyOrg,\ L=Oslo,\ S=Oslo,\ C=NO", trying to escape the spaces; I removed those spaces and corrected S to ST, as keytool reports it in the Owner line. I checked, and otherwise it errors.

Corrected ${activemq.base}/conf/users.properties:
user=CN=nms.client.170,OU=IT,O=MyOrg,L=Oslo,ST=Oslo,C=NO
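As an added diagnostic (not the poster's code and not part of ActiveMQ), this Python script decodes a users.properties entry the way java.util.Properties does and compares it with the subject DN the Java side prints, so the S/ST spelling difference between the NMS trace and the keytool Owner line, which the answer corrected by hand, is reported by name. It assumes the broker matches the two strings as text, so a DN that names the same subject but is spelled differently still counts as a mismatch; the sample entries below are constructed from the question.

```python
import re

# stateOrProvinceName is printed as "S=" by Windows/.NET (see the NMS trace) and
# as "ST=" by keytool and OpenSSL; both spellings name the same attribute.
TYPE_ALIASES = {"S": "ST"}

def unescape_properties_value(raw):
    """Decode java.util.Properties escapes: 'CN=x,\\ OU=IT' in the file is read as 'CN=x, OU=IT'."""
    return re.sub(r"\\(.)", r"\1", raw)

def parse_dn(dn):
    """Split 'CN=a, OU=b' on unescaped commas into [('CN', 'a'), ('OU', 'b')], trimming whitespace."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns

def canonical(rdns):
    return [(TYPE_ALIASES.get(t, t), v) for t, v in rdns]

def same_subject(properties_value, certificate_dn):
    """True when both strings name the same subject, whatever the type spelling and spacing."""
    left = parse_dn(unescape_properties_value(properties_value))
    return canonical(left) == canonical(parse_dn(certificate_dn))

def spelling_differences(properties_value, certificate_dn):
    """Places where the users.properties entry is spelled differently from the Java-side DN string."""
    left = parse_dn(unescape_properties_value(properties_value))
    right = parse_dn(certificate_dn)
    issues = []
    if len(left) != len(right):
        issues.append(f"RDN count differs: {len(left)} vs {len(right)}")
    for (lt, lv), (rt, rv) in zip(left, right):
        if lt != rt:
            alias = TYPE_ALIASES.get(lt, lt) == TYPE_ALIASES.get(rt, rt)
            issues.append(f"attribute type {lt} vs {rt} ({'same' if alias else 'different'} attribute)")
        if lv != rv:
            issues.append(f"value for {rt}: {lv!r} vs {rv!r}")
    return issues

# Constructed from the question: the original entry, the corrected entry, and
# the Owner line keytool prints for the client certificate (ST spelling).
ORIGINAL_ENTRY = r"CN=nms.client.170,\ OU=IT,\ O=MyOrg,\ L=Oslo,\ S=Oslo,\ C=NO"
CORRECTED_ENTRY = "CN=nms.client.170,OU=IT,O=MyOrg,L=Oslo,ST=Oslo,C=NO"
KEYTOOL_OWNER = "CN=nms.client.170, OU=IT, O=MyOrg, L=Oslo, ST=Oslo, C=NO"
if __name__ == "__main__":
    for entry in (ORIGINAL_ENTRY, CORRECTED_ENTRY):
        print(entry, "->", spelling_differences(entry, KEYTOOL_OWNER) or "matches")
```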
