Disclamier: Sorry the lengthy post! I'm trying to be as clear and precise as possible.
I'm trying to set up an HTTPS REST endpoint for ActiveMQ (Mac OS X 10.9.4 and ActiveMQ 5.9.1). By using,
- https://activemq.apache.org/rest.html
- https://activemq.apache.org/http-and-https-transports-reference.html
- http://troyjsd.blogspot.co.uk/2013/06/activemq-https.html
- Setting up ActiveMQ with HTTPS REST
I was able to add a message to a queue and see it in the ActiveMQ Web Console (https://localhost:8162/) through this command:
curl -k -u admin:admin -d "body=message" https://localhost:8162/api/message/TEST?type=queue
However, I'd like to use my own certificate, rather than using the default ones provided by ActiveMQ. Also, I'd like to be able to use cURL without the -k (i.e. --insecure) argument. I did the following to generate the keys:
# create server (broker) keystore and certificate, create client truststore and import the server certificate to it.
keytool -genkey -alias amq-server -keyalg RSA -keysize 2048 -validity 90 -keystore amq-server.ks -keypass 123456 -storepass 123456 -dname CN=JohnSmith
keytool -export -alias amq-server -keystore amq-server.ks -storepass 123456 -file amq-server_cert
keytool -genkey -alias amq-client -keyalg RSA -keysize 2048 -validity 90 -keystore amq-client.ks -keypass 123456 -storepass 123456 -dname CN=ClientBlack
keytool -import -noprompt -alias amq-client -keystore amq-client.ts -storepass 123456 -keypass 123456 -file amq-server_cert
Also, I modified conf/jetty.xml as follows:
<bean id="SecureConnector" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<property name="port" value="8162" />
<property name="keystore" value="file:${activemq.conf}/amq-server.ks" />
<property name="password" value="123456" />
</bean>
Finally, I converted my server (broker) key store into PEM format using:
keytool -importkeystore -srckeystore amq-server.ks -destkeystore amq-server.p12 -srcstoretype jks -deststoretype pkcs12 -srcstorepass 123456 -deststorepass 123456
openssl pkcs12 -in amq-server.p12 -out amq-server.pem
When I try with either of:
curl --cacert ~/dev/apache-activemq-5.9.1/conf/amq-server.pem -u admin:admin -v -d "body=message7" https://localhost:8162/api/message/TEST?type=queue
OR (just changing pem with p12)
curl --cacert ~/dev/apache-activemq-5.9.1/conf/amq-server.p12:123456 -u admin:admin -v -d "body=message7" https://localhost:8162/api/message/TEST?type=queue
I get the following error:
* Adding handle: conn: 0x7f897c80aa00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f897c80aa00) send_pipe: 1, recv_pipe: 0
* About to connect() to localhost port 8162 (#0)
* Trying ::1...
* Connected to localhost (::1) port 8162 (#0)
* SSL certificate problem: Invalid certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
Now, after this point I tried the following:
cd /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security
sudo keytool -import -trustcacerts -file ~/dev/apache-activemq-5.9.1/conf/amq-server_cert -alias amq-server -keystore ./cacerts -storepass changeit -noprompt
Unfortunately, I still get the same cURL error. I also found that cURL has a problem with certificates in Mac OS X Mavericks, and tried the remedies in SSL Certificates - OS X Mavericks (essentially, added the server keystore amq-server.p12 to Mac OS Keychain login and System certificates, and also tried using --cacert amq-server.p12:123456 format for cURL) These didn't solve the problem either. Then I tried adding the following to activemq.xml:
<transportConnector name="https" uri="https://0.0.0.0:61684"/>
Then, I observed that I can no longer open https://localhost:8162/ in the browser (This webpage is not available) and cURL gives me curl: (7) Failed connect to localhost:8162; Connection refused error.
By the way, after each step explained above, I stop ActiveMQ with:
bin/activemq stop
and start again with:
bin/activemq start -Djavax.net.ssl.keyStore=~/dev/apache-activemq-5.9.1/conf/amq-server.ks -Djavax.net.ssl.keyStorePassword=123456 -Djavax.net.ssl.trustStore=~/dev/apache-activemq-5.9.1/conf/amq-server.ts -Djavax.net.ssl.trustStorePassword=123456 -Djavax.net.debug=all
So, my questions are:
- How can I make this work
- Why do I get "Connection refused" error when I add the
transportConnectortoactivemq.xml? - What are the exact roles of ports
8162and61684? - If this is a problem with cURL, what is the easiest way to try/test otherwise?
Thanks!
Edit 1:
I discovered bin/activemq console command, which gives me a lot more information. I also realized that I was passing -Djavax.net.ssl.trustStore=~/dev/apache-activemq-5.9.1/conf/amq-server.ts paramater, even though I don't have a amq-server.ts. I created one, and put amq-client_cert and amq-server_cert in it. Also, I changed all relative path names with absolute ones. I still have problems, but I believe these were needed to be fixed. Also, here's a relevant debug dump from the ActiveMQ console (redacting some unnecessary raw bytes, etc):
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
[Raw read]: length = 5
0000: 16 03 01 00 BF .....
[Raw read]: length = 191
0000: 01 00 00 BB 03 03 53 D2 A5 8D 34 17 06 07 58 85 ......S...4...X.
0010: 4D A5 66 8E E6 42 B4 0A BA 36 B3 71 E5 AD 71 58 M.f..B...6.q..qX
0020: 40 61 69 B5 D0 1D 00 00 5E 00 FF C0 24 C0 23 C0 @ai.....^...$.#.
0030: 0A C0 09 C0 07 C0 08 C0 28 C0 27 C0 14 C0 13 C0 ........(.'.....
0040: 11 C0 12 C0 26 C0 25 C0 2A C0 29 C0 05 C0 04 C0 ....&.%.*.).....
0050: 02 C0 03 C0 0F C0 0E C0 0C C0 0D 00 3D 00 3C 00 ............=.<.
0060: 2F 00 05 00 04 00 35 00 0A 00 67 00 6B 00 33 00 /.....5...g.k.3.
0070: 39 00 16 00 AF 00 AE 00 8D 00 8C 00 8A 00 8B 00 9...............
0080: B1 00 B0 00 2C 00 3B 01 00 00 34 00 00 00 0E 00 ....,.;...4.....
0090: 0C 00 00 09 6C 6F 63 61 6C 68 6F 73 74 00 0A 00 ....localhost...
00A0: 08 00 06 00 17 00 18 00 19 00 0B 00 02 01 00 00 ................
00B0: 0D 00 0C 00 0A 05 01 04 01 02 01 04 03 02 03 ...............
qtp912856016-98, READ: TLSv1 Handshake, length = 191
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1389470861 bytes = { 52, 23, 6, 7, 88, 133, 77, 165, 102, 142, 230, 66, 180, 10, 186, 54, 179, 113, 229, 173, 113, 88, 64, 97, 105, 181, 208, 29 }
Session ID: {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_PSK_WITH_AES_256_CBC_SHA384, TLS_PSK_WITH_AES_128_CBC_SHA256, TLS_PSK_WITH_AES_256_CBC_SHA, TLS_PSK_WITH_AES_128_CBC_SHA, TLS_PSK_WITH_RC4_128_SHA, TLS_PSK_WITH_3DES_EDE_CBC_SHA, TLS_PSK_WITH_NULL_SHA384, TLS_PSK_WITH_NULL_SHA256, TLS_PSK_WITH_NULL_SHA, TLS_RSA_WITH_NULL_SHA256]
Compression Methods: { 0 }
Extension server_name, server_name: [host_name: localhost]
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA384withRSA, SHA256withRSA, SHA1withRSA, SHA256withECDSA, SHA1withECDSA
***
[read] MD5 and SHA1 hashes: len = 191
0000: 01 00 00 BB 03 03 53 D2 A5 8D 34 17 06 07 58 85 ......S...4...X.
0010: 4D A5 66 8E E6 42 B4 0A BA 36 B3 71 E5 AD 71 58 M.f..B...6.q..qX
0020: 40 61 69 B5 D0 1D 00 00 5E 00 FF C0 24 C0 23 C0 @ai.....^...$.#.
0030: 0A C0 09 C0 07 C0 08 C0 28 C0 27 C0 14 C0 13 C0 ........(.'.....
0040: 11 C0 12 C0 26 C0 25 C0 2A C0 29 C0 05 C0 04 C0 ....&.%.*.).....
0050: 02 C0 03 C0 0F C0 0E C0 0C C0 0D 00 3D 00 3C 00 ............=.<.
0060: 2F 00 05 00 04 00 35 00 0A 00 67 00 6B 00 33 00 /.....5...g.k.3.
0070: 39 00 16 00 AF 00 AE 00 8D 00 8C 00 8A 00 8B 00 9...............
0080: B1 00 B0 00 2C 00 3B 01 00 00 34 00 00 00 0E 00 ....,.;...4.....
0090: 0C 00 00 09 6C 6F 63 61 6C 68 6F 73 74 00 0A 00 ....localhost...
00A0: 08 00 06 00 17 00 18 00 19 00 0B 00 02 01 00 00 ................
00B0: 0D 00 0C 00 0A 05 01 04 01 02 01 04 03 02 03 ...............
%% Initialized: [Session-6, SSL_NULL_WITH_NULL_NULL]
%% Negotiating: [Session-6, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1389470861 bytes = { 253, 146, 229, 68, 48, 212, 3, 8, 113, 71, 109, 110, 184, 188, 198, 5, 154, 125, 169, 214, 91, 62, 7, 160, 209, 234, 192, 113 }
Session ID: {83, 210, 165, 141, 67, 144, 76, 190, 108, 169, 166, 110, 244, 43, 203, 94, 33, 250, 61, 25, 173, 144, 78, 5, 18, 237, 44, 62, 216, 239, 136, 216}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=JohnSmith
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 23443053568440042246531872968622973697701206618166078931212659460396425391980877938302410947640918723945398633811909745246922517027436466308653487666338280101966482309719126372779122526329803061293848183628816382389433439362099975823230525386905011886252381517523892058843409147388887295981911246906888339817495259393348887347266311244472033630192873726881579789730820158345394536738010457875814538778722469498249439501737234201246276532676924740000249757406932101045895162819707223648268675317346645714862960034871361001771712210647437473089523986958365303768943687792233055665803773956096876559907271222453818932683
public exponent: 65537
Validity: [From: Fri Jul 25 15:14:25 BST 2014,
To: Thu Oct 23 15:14:25 BST 2014]
Issuer: CN=JohnSmith
SerialNumber: [ 4bbf23ad]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 11 8B 53 73 97 BE 8B AA 23 06 CD 34 86 F8 14 58 ..Ss....#..4...X
0010: B0 F9 E9 8D ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: A4 96 FE 04 D2 21 17 6E ED 00 DA AE 05 A0 45 E1 .....!.n......E.
0010: 9B C7 8D DD BA 97 11 CE 5A 02 D1 05 0E 0E 90 6F ........Z......o
0020: 75 26 59 E4 2B A8 8E A4 C1 3B 2C AC 20 1E 5F E9 u&Y.+....;,. ._.
0030: 78 97 58 1B F1 8D B0 41 95 0A C7 69 67 22 76 2C x.X....A...ig"v,
0040: BF 3A B6 5A A1 CC FE 16 1A 18 5A 53 D2 E8 51 7C .:.Z......ZS..Q.
0050: 1A BF 23 0F C1 75 FB F5 01 72 A8 3F 3F D0 86 C6 ..#..u...r.??...
0060: EB C3 AF 70 BB 1D E6 B6 96 44 BD 21 2B E0 9A 83 ...p.....D.!+...
0070: 04 C2 E9 4B D6 84 BC 03 7A BA 12 38 A7 36 82 03 ...K....z..8.6..
0080: C5 C3 77 3B 83 64 19 38 E8 03 26 64 5A AF F3 FB ..w;.d.8..&dZ...
0090: A1 0E 07 24 AC 77 39 31 67 4C 13 CD 19 A5 55 53 ...$.w91gL....US
00A0: BB B9 F8 CA 57 19 E6 B2 3A B1 6A F7 2E 0A 6D 1A ....W...:.j...m.
00B0: 03 96 A0 F1 19 51 45 A1 66 67 DD 5E CC 03 9A C1 .....QE.fg.^....
00C0: 93 A2 6F D0 D1 26 23 DB B8 1B 10 6C 46 D8 20 6C ..o..&#....lF. l
00D0: 34 CE 7C FD 8B 57 37 4C C0 E5 DB 7B 45 27 8A C7 4....W7L....E'..
00E0: 0A 19 60 E0 7F 2F 9F 7A CE E2 C0 99 ED 8E 65 74 ..`../.z......et
00F0: E5 16 63 3C DC EB 6F C2 E0 F9 68 E7 4D 4D 42 9A ..c<..o...h.MMB.
]
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA384withRSA
Server key: Sun EC public key, 256 bits
public x coord: 24723137471290150466369886238486766785229281750738143116146132931059687741723
public y coord: 45716326424554000158606804317014537804446576101681363567734642117747889965832
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** ServerHelloDone
[write] MD5 and SHA1 hashes: len = 1143
!!!! REDACTED
qtp912856016-98, WRITE: TLSv1.2 Handshake, length = 1143
[Raw write]: length = 1148
!!!! REDACTED
[Raw read]: length = 5
0000: 15 03 03 00 02 .....
[Raw read]: length = 2
0000: 02 2E ..
qtp912856016-98, READ: TLSv1.2 Alert, length = 2
qtp912856016-98, RECV TLSv1.2 ALERT: fatal, certificate_unknown
qtp912856016-98, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
qtp912856016-98, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
WARN | javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
