
I have been working on a Java ActiveMQ client to connect to an SSL-powered broker, but setting the trust store programmatically through:

// Configure the secure connection factory.
ActiveMQSslConnectionFactory connectionFactory = new ActiveMQSslConnectionFactory(url);
connectionFactory.setTrustStore("/conf/client.ts"); // truststore which includes the certificate of the broker
connectionFactory.setTrustStorePassword("password");

as indicated here. However, that throws a

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error

Following the response to the Q&A Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error? I was able to successfully connect the client to the broker by adding the broker certificate to my Java installation's trusted certificates.

However, in this case, I do not want each user using the application to import the certificate on their java distribution, but rather that the client application already carries the broker certificate. How can I do that preferably using the ActiveMQSslConnectionFactory class?

Thomas

2 Answers


From what I understand, you need to trust all the incoming self-signed certificates.

You could try this way (create a trust manager which does not validate, and then register it):

import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Trust manager that performs no validation: every certificate is accepted.
TrustManager[] trustAllCerts = new TrustManager[] {
    new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0]; // no issuers advertised; empty array avoids NPEs that null can cause
        }
        public void checkClientTrusted(X509Certificate[] certificates, String authType) {
            // intentionally empty: accept any client certificate
        }
        public void checkServerTrusted(X509Certificate[] certificates, String authType) {
            // intentionally empty: accept any server certificate
        }
    }
};

try {
    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
    // Make this context the default for HTTPS connections in this JVM.
    HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
} catch (GeneralSecurityException e) {
    throw new IllegalStateException("could not initialise SSL context", e);
}

// then do the SSL conversation.
Chris
  • Though this would serve, I was wondering about a solution where I would set the specific self-signed certificates to be accepted. Any ideas? – Thomas May 25 '13 at 10:43
  • In that case you would have to implement a `TrustManager` suiting your requirement. – Chris May 25 '13 at 10:44
  • Isn't there a way to invoke the default TrustManager programmatically and import the certificates? I thought that this was what the `connectionFactory.setTrustStore` lines would do, though it did not work. – Thomas May 25 '13 at 10:47
  • Are you talking about http://stackoverflow.com/questions/8415267/how-do-i-import-a-trusted-certificate-into-an-existing-keystore-programmatically – Chris May 25 '13 at 10:49
  • It would be something along that line, but together with the `ActiveMQConnection` and preferably with the `ActiveMQSslConnectionFactory`. The solution you proposed of using a TrustManager that accepts all certificates works in the sense of not having the exception and not needing to run keytool on the client machine. I tried editing your solution to port it from the `HttpsURLConnection` to `ActiveMQSslConnectionFactory` but it was rejected =( I hope you don't mind that I added a new solution with the ActiveMQ connection specifics – Thomas May 30 '13 at 12:00

I still haven't managed to set the truststore programmatically using the setTrustStore method from ActiveMQSslConnectionFactory.

But based on @Chris's response, it was possible to attach a new trust manager which accepts all certificates to the ActiveMQSslConnectionFactory.

In order to do so, I created the same TrustManager as he did, but used a different method to link it to the ActiveMQSslConnectionFactory:

import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.jms.Connection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.activemq.ActiveMQSslConnectionFactory;

// Same trust-all manager as in Chris's answer: no certificate is ever rejected.
TrustManager[] trustAllCerts = new TrustManager[] {
    new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0]; // no issuers advertised; empty array avoids NPEs that null can cause
        }
        public void checkClientTrusted(X509Certificate[] certificates, String authType) {
            // intentionally empty: accept any client certificate
        }
        public void checkServerTrusted(X509Certificate[] certificates, String authType) {
            // intentionally empty: accept any broker certificate
        }
    }
};

try {
    String connectionString = "ssl://ipaddress:port"; // replace with the broker's address
    String user = "user";                             // broker credentials
    String password = "password";
    ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory(connectionString);
    // Install the trust manager on the factory itself instead of on HttpsURLConnection.
    factory.setKeyAndTrustManagers(null, trustAllCerts, new SecureRandom());
    Connection connection = factory.createConnection(user, password);
    connection.start();
} catch (Exception e) {
    throw new RuntimeException("could not connect to the broker", e);
}
Thomas
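As an added example (this is not code from either answer on this page, nor from the ActiveMQ project): a trust manager that accepts only the broker's own certificate, shipped with the application and installed on the ActiveMQSslConnectionFactory through the same setKeyAndTrustManagers hook used in the answer above. This is the "accept only specific self-signed certificates" variant asked for in the comments, and it does not depend on how setTrustStore resolves its path. The class name, the broker URL, the classpath resource name /conf/broker-cert.pem and the credentials are assumptions; it also assumes ActiveMQ 5.x, where the JMS API lives in javax.jms.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.jms.Connection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.activemq.ActiveMQSslConnectionFactory;

/** Connects to the broker trusting only the one certificate bundled with the application. */
public class PinnedBrokerConnection {

    // Assumed values: replace with the real broker address and the resource you ship.
    private static final String BROKER_URL = "ssl://broker.example.com:61617";
    private static final String BROKER_CERT_RESOURCE = "/conf/broker-cert.pem";

    /**
     * Builds trust managers backed by an in-memory trust store holding a single
     * certificate. Normal PKIX validation still runs: the broker's chain must end at
     * this certificate and the certificate must be inside its validity period, so a
     * self-signed broker certificate is accepted and any other certificate is rejected.
     */
    static TrustManager[] trustManagersFor(InputStream pemCertificate) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate brokerCert = (X509Certificate) cf.generateCertificate(pemCertificate);

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                       // empty, in-memory store
        trustStore.setCertificateEntry("broker", brokerCert);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    public static Connection connect(String user, String password) throws Exception {
        TrustManager[] trustOnlyBroker;
        try (InputStream pem = PinnedBrokerConnection.class.getResourceAsStream(BROKER_CERT_RESOURCE)) {
            if (pem == null) {
                throw new IllegalStateException("missing classpath resource " + BROKER_CERT_RESOURCE);
            }
            trustOnlyBroker = trustManagersFor(pem);
        }

        ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory(BROKER_URL);
        // Same hook as the trust-all answer, but with a validating trust manager.
        factory.setKeyAndTrustManagers(null, trustOnlyBroker, new SecureRandom());
        Connection connection = factory.createConnection(user, password);
        connection.start();
        return connection;
    }

    public static void main(String[] args) throws Exception {
        Connection connection = connect("user", "password"); // assumed credentials
        try {
            System.out.println("connected to " + BROKER_URL);
        } finally {
            connection.close();
        }
    }
}
```

If the application already ships a JKS trust store such as the client.ts from the question, replace the CertificateFactory step with KeyStore.getInstance("JKS") followed by load(stream, password.toCharArray()) and hand that store to the TrustManagerFactory; the rest is unchanged. Because the trust store contains nothing but the broker certificate (or, if you ship it instead, the private CA that signed it), a connection to any other endpoint fails the handshake with the same PKIX error the question describes, which is the behaviour you want from a client that carries its own trust anchor.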