
I configured a single standalone Artemis broker with SSL on the server.

I generated the trust store and key store as follows:

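    # Broker key + self-signed certificate, then a PKCS#12 key store for the broker
    # and a PKCS#12 trust store (certificate only) for the client.
    # Passwords passed as pass:... are visible in shell history and the process list;
    # openssl also accepts file:/env: sources and keytool accepts :file/:env suffixes.
    openssl genrsa -des3 -out brokerRoot.key 4096
    # Sign with the key generated above (-key/-passin). The original "-newkey rsa:2048 -nodes
    # -keyout brokerRoot.key" silently replaced it with a fresh, unencrypted 2048-bit key and
    # left -passin unused. Note CN=company does not match the host used in the broker URLs
    # ("hostname"); that matters once host-name verification is enabled on the client.
    openssl req -key brokerRoot.key -passin pass:passphrase -x509 -days 3600 -out brokerRoot.pem -subj "/C=US/ST=Maryland/L=Aberdeen/O=Company/OU=IT/CN=company/emailAddress=test@test.de"
    # Bundle key + certificate into the broker's key store; -passin unlocks the encrypted key.
    openssl pkcs12 -inkey brokerRoot.key -passin pass:passphrase -in brokerRoot.pem -export -out broker_ks.p12 -password pass:keyStorePassword
    # Create a trust store for the client (a shell comment starts with '#', not '//')
    keytool -import -alias broker -keystore client_ts.p12 -file brokerRoot.pem -deststoretype pkcs12 -storepass trustStorePassword -noprompt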

broker.xml

<?xml version='1.0'?>

<configuration xmlns="urn:activemq"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xi="http://www.w3.org/2001/XInclude"
               xsi:schemaLocation="urn:activemq /schema/artemis-configuration.xsd">

   <!-- NOTE(review): the location after "urn:activemq:core" is left empty; presumably the broker
        resolves its bundled core XSD itself - confirm this matches the shipped broker.xml -->
   <core xmlns="urn:activemq:core" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:activemq:core ">

      <!-- broker name: an identifier, not a bind address - the listen address is in the acceptor URL below -->
      <name>0.0.0.0</name>


      <persistence-enabled>true</persistence-enabled>

      <journal-type>ASYNCIO</journal-type>

      <paging-directory>data/paging</paging-directory>

      <bindings-directory>data/bindings</bindings-directory>

      <journal-directory>data/journal</journal-directory>

      <large-messages-directory>data/large-messages</large-messages-directory>

      <journal-datasync>true</journal-datasync>

      <journal-min-files>2</journal-min-files>

      <journal-pool-files>10</journal-pool-files>

      <journal-device-block-size>4096</journal-device-block-size>

      <journal-file-size>10M</journal-file-size>

      <journal-buffer-timeout>28000</journal-buffer-timeout>


      <journal-max-io>4096</journal-max-io>

      <disk-scan-period>5000</disk-scan-period>

      <max-disk-usage>100</max-disk-usage>

      <critical-analyzer>true</critical-analyzer>

      <critical-analyzer-timeout>120000</critical-analyzer-timeout>

      <critical-analyzer-check-period>60000</critical-analyzer-check-period>

      <critical-analyzer-policy>HALT</critical-analyzer-policy>


      <page-sync-timeout>1628000</page-sync-timeout>

            <global-max-size>204Mb</global-max-size>
      <!-- Connectors -->
      <!-- Outbound connection back to this broker (referenced by the cluster connection below).
           Query parameters are separated with ';' because a bare '&' is not well-formed XML.
           It trusts only the certificate in client_ts.p12; note the directory differs from the
           one bootstrap.xml uses (/home/artemis_certs) - make sure both point at the same file. -->
      <connectors>
         <connector name="netty-connector">tcp://hostname:61616?sslEnabled=true;trustStorePath=/home/artemis/client_ts.p12;trustStorePassword=trustStorePassword</connector>
      </connectors>

      <!-- TLS listener for clients. No needClientAuth is set, so clients are not authenticated by
           certificate; they authenticate with the user/password from their JMS configuration.
           keyStorePassword is stored in clear text here; Artemis supports masked values (ENC(...))
           if this file is shared or committed. -->
      <acceptors>
        <acceptor name="netty-acceptor">tcp://hostname:61616?sslEnabled=true;keyStorePath=/home/artemis/broker_ks.p12;keyStorePassword=keyStorePassword</acceptor>
      </acceptors>

      <!-- The question describes a single standalone broker, so this cluster connection only ever
           dials netty-connector back to this same broker; it can be dropped if no second node is planned. -->
      <cluster-connections>
         <cluster-connection name="my-cluster">
            <connector-ref>netty-connector</connector-ref>
            <retry-interval>1000</retry-interval>
            <retry-interval-multiplier>3</retry-interval-multiplier>
            <use-duplicate-detection>true</use-duplicate-detection>
            <message-load-balancing>STRICT</message-load-balancing>
         </cluster-connection>
      </cluster-connections>

      <!-- match="#" is a catch-all: the single role "amq" holds every permission on every address -->
      <security-settings>
         <security-setting match="#">
            <permission type="createNonDurableQueue" roles="amq"/>
            <permission type="deleteNonDurableQueue" roles="amq"/>
            <permission type="createDurableQueue" roles="amq"/>
            <permission type="deleteDurableQueue" roles="amq"/>
            <permission type="createAddress" roles="amq"/>
            <permission type="deleteAddress" roles="amq"/>
            <permission type="consume" roles="amq"/>
            <permission type="browse" roles="amq"/>
            <permission type="send" roles="amq"/>
            <!-- we need this otherwise ./artemis data imp wouldn't work -->
            <permission type="manage" roles="amq"/>
         </security-setting>
      </security-settings>

      <!-- Pre-defined anycast addresses: the example queue plus the dead-letter and expiry targets
           referenced from address-settings below -->
      <addresses>
         <address name="exampleQueue">
            <anycast>
               <queue name="exampleQueue"/>
            </anycast>
         </address>
         <address name="DLQ">
            <anycast>
               <queue name="DLQ" />
            </anycast>
         </address>
         <address name="ExpiryQueue">
            <anycast>
               <queue name="ExpiryQueue" />
            </anycast>
         </address>
      </addresses>

      <address-settings>
         <!-- if you define auto-create on certain queues, management has to be auto-create -->
         <address-setting match="activemq.management#">
            <dead-letter-address>DLQ</dead-letter-address>
            <expiry-address>ExpiryQueue</expiry-address>
            <redelivery-delay>0</redelivery-delay>
            <!-- with -1 only the global-max-size is in use for limiting -->
            <max-size-bytes>-1</max-size-bytes>
            <message-counter-history-day-limit>10</message-counter-history-day-limit>
            <address-full-policy>PAGE</address-full-policy>
            <auto-create-queues>true</auto-create-queues>
            <auto-create-addresses>true</auto-create-addresses>
            <auto-create-jms-queues>true</auto-create-jms-queues>
            <auto-create-jms-topics>true</auto-create-jms-topics>
         </address-setting>
         <!--default for catch all-->
         <address-setting match="#">
            <dead-letter-address>DLQ</dead-letter-address>
            <expiry-address>ExpiryQueue</expiry-address>
            <redelivery-delay>0</redelivery-delay>
            <!-- with -1 only the global-max-size is in use for limiting -->
            <max-size-bytes>-1</max-size-bytes>
            <message-counter-history-day-limit>10</message-counter-history-day-limit>
            <address-full-policy>PAGE</address-full-policy>
            <auto-create-queues>true</auto-create-queues>
            <auto-create-addresses>true</auto-create-addresses>
            <auto-create-jms-queues>true</auto-create-jms-queues>
            <auto-create-jms-topics>true</auto-create-jms-topics>
         </address-setting>
         <!-- exact match for exampleQueue: overrides the catch-all with a 1s redelivery delay and
              three delivery attempts before messages go to DLQ -->
         <address-setting match="exampleQueue">            
            <dead-letter-address>DLQ</dead-letter-address>                      
            <redelivery-delay>1000</redelivery-delay>    
            <max-delivery-attempts>3</max-delivery-attempts>
            <max-size-bytes>-1</max-size-bytes>
            <page-size-bytes>1048576</page-size-bytes>
            <message-counter-history-day-limit>10</message-counter-history-day-limit>
            <address-full-policy>PAGE</address-full-policy>
        </address-setting>
      </address-settings>
   </core>
</configuration>

bootstrap.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<broker xmlns="http://activemq.org/schema">
   <!-- JAAS login domain "activemq" (a login.config entry); presumably backs the admin/admin
        credentials the client sends - verify that user exists there -->
   <jaas-security domain="activemq"/>
   <!-- "etc//broker.xml": the doubled slash is tolerated in a file: URI but worth tidying -->
   <server configuration="file:/home/artemis-broker/etc//broker.xml"/>

   <!-- Web console over HTTPS on all interfaces, using the same key store as the TLS acceptor in
        broker.xml. The trust store is only relevant if client-certificate authentication is enabled
        for the console (TODO confirm). The certificate directory here (/home/artemis_certs) differs
        from the one broker.xml uses (/home/artemis) - make sure both resolve to the same files. -->
   <web bind="https://0.0.0.0:8161" path="web" keyStorePath="/home/artemis_certs/broker_ks.p12" keyStorePassword="keyStorePassword" trustStorePath="/home/artemis_certs/client_ts.p12" trustStorePassword="trustStorePassword">
       <app url="activemq-branding" war="activemq-branding.war"/>
       <app url="artemis-plugin" war="artemis-plugin.war"/>
       <app url="console" war="console.war"/>
   </web>
</broker>

My Java client is trying to connect to Artemis, but I'm getting the error "Invalid keystore format". The JMS configuration looks like this:

# Client-side broker URL. Parameters are joined with '&' here (plain .properties file), whereas
# broker.xml joins them with ';' because a bare '&' is not well-formed XML.
# A relative trustStorePath is resolved against the client's working directory; an absolute path
# removes that ambiguity, and on Windows ':' and '\' in the path must be percent-encoded
# (%3A / %5C) as noted in the comments on this question.
jms.artemis.broker.url=tcp://hostname:61616?sslEnabled=true&trustStorePath=./certs/client_ts.p12&trustStorePassword=trustStorePassword
# NOTE(review): admin/admin looks like a default account - confirm it is defined for the
# "activemq" JAAS domain referenced in bootstrap.xml
jms.artemis.user=admin
jms.artemis.password=admin

Can someone please help me solve this issue? Maybe I configured something wrong?

    This configuration LGTM; maybe the relative trust store path is invalid. I would use an absolute path, i.e. `trustStorePath=/home/artemis/client_ts.p12` in `jms.artemis.broker.url`. – Domenico Francesco Bruscino Jun 20 '20 at 08:30
  • But it says ```Invalid keystore format```? I think if the path were wrong it would say ```"Can't find keystore"``` or something similar. I already tested it: I deliberately changed the path to a wrong one and got a different error message about the wrong path. – LDropl Jun 22 '20 at 08:05
  • I successfully checked your configuration on ActiveMQ Artemis 2.13 using the `OpenSSLExample` at https://github.com/apache/activemq-artemis/tree/2.13.0/examples/features/standard/netty-openssl. What version are you using? – Domenico Francesco Bruscino Jun 22 '20 at 10:48
  • I'm using Artemis 2.11. I will try to update it to 2.13. Btw, does my ```jms.artemis.broker.url=tcp://hostname:61616?ha=true&sslEnabled=true&trustStorePath=/home/artemis/client_ts.p12&trustStorePassword=trustStorePassword``` look fine? – LDropl Jun 22 '20 at 11:30
  • @DomenicoFrancescoBruscino I just updated my Artemis to 2.13.0 and it's still the same error: Invalid keystore format – LDropl Jun 22 '20 at 12:48
  • It could be an issue with your JVM. What JVM are you using `$ java -version`? Can you reproduce this issue using the `JMS OpenSSL Example` at https://github.com/apache/activemq-artemis/tree/2.13.0/examples/features/standard/netty-openssl ? – Domenico Francesco Bruscino Jun 22 '20 at 16:00
  • Actually, I made it work when running my Java client on the same machine where Artemis is installed, with an absolute path to the trust store. But if I try to run the Java client from my local machine, I get the error ```Illegal character in broker url "tcp://hostname:61616?ha=true&sslEnabled=true&trustStorePath=C:\Users\my_username\certs\client_ts.p12&trustStorePassword=trustStorePassword" ```. Looks like something is wrong with the path to the trust store on my local machine. – LDropl Jun 23 '20 at 11:11
    You should replace the characters : and \ with `%3A` and `%5C` because they are illegal characters in the URL query, i.e. `tcp://hostname:61616?ha=true&sslEnabled=true&trustStorePath=C%3A%5CUsers%5Cmy_username%5Ccerts%5Cclient_ts.p12&trustStorePassword=trustStorePassword` – Domenico Francesco Bruscino Jun 23 '20 at 22:34


We have a Docker container running Artemis. We generated the key store with Java version OpenJDK 11.0.12 (A). In our Docker container we had version 1.8.0._302 (B).

The key store generated with version A does not work with version B. After we found this out, we generated the key store inside the Docker container with version B and everything is running fine.

This answer helped us: https://stackoverflow.com/a/65784061/4578611
