ActiveMQ javax.net.ssl.SSLHandshakeException null cert chain


Question

I created the self-signed root CA certificate and the server key pair using this link.

I used this link to generate the client key pair, signed with the previously generated root certificate.


Although the links are for setting up SSL for MosquittoMQ and my use case is for ActiveMQ, I believe the certificate generation procedure remains the same for either case.


The clients I'm using are Java clients. The broker keystore contains the root certificate and the server public and private key bundled into a PKCS12 file, as required by the keystore, and the broker truststore contains the public key of the client. The client keystore contains the client public and private key bundled into a PKCS12 file, and the client truststore contains the root certificate. The Java clients use port 61714 to connect to the broker. With the above configuration of keystores and truststores I get the null cert chain exception. Could someone please tell me if this is the right way to configure the key and trust stores? Should the root certificate and server certificate be chained instead of being present separately within the broker keystore? I'm fairly new to this and am a bit lost.


The transport connector configuration of the ActiveMQ broker is shown below.

<managementContext>
    <managementContext createConnector="false"/>
</managementContext>
<sslContext>
    <sslContext keyStore="file:${activemq.base}/conf/broker.ks"
                keyStorePassword="changeit"
                trustStore="file:${activemq.base}/conf/broker.ts"
                trustStorePassword="changeit"/>
</sslContext>
<transportConnectors>
    <!-- DOS protection, limit concurrent connections to 1000 and frame size to 100MB -->
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxInactivityDuration=300000&amp;wireFormat.maxFrameSize=104857600&amp;jms.messagePrioritySupported=false"/>
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61714?trace=true&amp;needClientAuth=true&amp;transport.enabledProtocols=TLSv1.2"/>
    <transportConnector name="amqp" uri="amqp://0.0.0.0:5672?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="stomp" uri="stomp://0.0.0.0:61613?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="mqtt" uri="mqtt://0.0.0.0:1883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="mqtt+ssl" uri="mqtt+ssl://0.0.0.0:8883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="ws" uri="ws://0.0.0.0:61614?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
</transportConnectors>


application.properties file on the Java client

# Embedded ActiveMQ Configuration
spring.activemq.in-memory=false
spring.activemq.pool.enabled=false
activemq.broker-url=tcp://localhost:61616
activemq.ssl-url=ssl://localhost:61714


# Spring JMS Settings
#spring.jms.pub-sub-domain=true

# Truststore used by client.
JMS_BROKER_TRUSTSTORE=E:\\apacheActiveMQ\\apache-activemq-5.13.0\\conf\\client.ts
JMS_BROKER_TRUSTSTORE_TYPE=JKS
JMS_BROKER_TRUSTSTORE_PASSWORD=changeit
# Keystore used by client.
JMS_BROKER_KEYSTORE=E:\\apacheActiveMQ\\apache-activemq-5.13.0\\conf\\client.ks
JMS_BROKER_KEYSTORE_TYPE=JKS
JMS_BROKER_KEYSTORE_PASSWORD=changeit


File that deals with configuring the ActiveMQ connection factory on the Java client

import javax.jms.DeliveryMode;

import org.apache.activemq.ActiveMQSslConnectionFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jms.config.DefaultJmsListenerContainerFactory;
import org.springframework.jms.core.JmsTemplate;

@Configuration
public class JmsConfig {

    // Wiring of the fields to application.properties is assumed; the original
    // snippet used these field names without showing where they were set.
    @Value("${activemq.ssl-url}")
    private String sslUrl;
    @Value("${JMS_BROKER_TRUSTSTORE}")
    private String pathToTrustStore;
    @Value("${JMS_BROKER_TRUSTSTORE_PASSWORD}")
    private String truststorePassword;
    @Value("${JMS_BROKER_KEYSTORE}")
    private String pathToKeystore;
    @Value("${JMS_BROKER_KEYSTORE_PASSWORD}")
    private String keystorePassword;

    @Bean
    public ActiveMQSslConnectionFactory activeMQSslConnectionFactory() {
        ActiveMQSslConnectionFactory connectionFactory = new ActiveMQSslConnectionFactory(sslUrl);
        try {
            // setTrustStore/setKeyStore load the stores and declare "throws Exception"
            connectionFactory.setTrustStore(pathToTrustStore);
            connectionFactory.setTrustStorePassword(truststorePassword);
            connectionFactory.setKeyStore(pathToKeystore);
            connectionFactory.setKeyStorePassword(keystorePassword);
        } catch (Exception e) {
            // Fail fast: a factory without key/trust material would only fail later, at the TLS handshake
            throw new IllegalStateException("Could not configure SSL key/trust stores", e);
        }
        return connectionFactory;
    }

    /**
     * Initialise {@link JmsTemplate} as required
     */
    @Bean
    public JmsTemplate jmsTemplate() {
        JmsTemplate jmsTemplate = new JmsTemplate();
        jmsTemplate.setConnectionFactory(activeMQSslConnectionFactory());
        jmsTemplate.setExplicitQosEnabled(true);

        // Setting PubSubDomain to true configures JmsTemplate to work with topics instead of queues
        jmsTemplate.setPubSubDomain(true);
        jmsTemplate.setDeliveryMode(DeliveryMode.NON_PERSISTENT);
        return jmsTemplate;
    }

    /**
     * Initialise {@link DefaultJmsListenerContainerFactory} as required
     */
    @Bean
    public DefaultJmsListenerContainerFactory jmsListenerContainerFactory() {
        DefaultJmsListenerContainerFactory factory = new DefaultJmsListenerContainerFactory();
        factory.setConnectionFactory(activeMQSslConnectionFactory());
        // Setting PubSubDomain to true configures the DefaultJmsListenerContainerFactory to work with topics instead of queues
        factory.setPubSubDomain(true);
        return factory;
    }
}

Recommended answer


Answering my own question. Below is the mapping of the keystore/truststore and its contents

  • Broker keystore: the server key pair bundled into a PKCS12 file
  • Broker truststore: the root certificate
  • Client keystore: the client key pair bundled into a PKCS12 file
  • Client truststore: the root certificate


This is the correct configuration and things are working fine now. Not entirely sure why there's so little out there about configuring certificates for MQTT. I looked at a bunch of HTTPS examples and learnt that the certificates must be added into the keystores and truststores as shown above.
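The mapping above can be checked offline before any connection attempt. The program below is an added example, not code from the original post or from the ActiveMQ project: using only the JDK, it loads each store and, for every private-key entry, validates its certificate chain against the peer's truststore with the PKIX validator. A key entry whose chain does not lead to a CA in the peer's truststore is exactly what leaves the JSSE key manager with nothing to present, so the broker (with needClientAuth=true) receives an empty client chain and reports "null cert chain". The file names, the JKS store type and the password changeit are taken from the post's configuration; the class name and the relative conf/ paths are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Example diagnostic (not part of the original post): verifies that every
 * private-key entry in a keystore carries a chain that the peer's truststore
 * accepts, i.e. the broker/client keystore-truststore mapping from the answer.
 */
public class StoreMappingCheck {

    static KeyStore load(String path, String type, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Returns the aliases of key entries whose chain validates against the trusted certs in trustStore. */
    static List<String> usableKeyEntries(KeyStore keyStore, KeyStore trustStore)
            throws GeneralSecurityException {
        // Trust anchors are the trusted-certificate entries of the truststore (e.g. the root CA)
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // private CA without CRL/OCSP
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<String> usable = new ArrayList<>();

        for (String alias : Collections.list(keyStore.aliases())) {
            if (!keyStore.isKeyEntry(alias)) {
                continue; // trusted-cert entries carry no private key and are never presented
            }
            Certificate[] chain = keyStore.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                System.out.println(alias + ": key entry has no certificate chain at all");
                continue;
            }
            List<Certificate> path = new ArrayList<>(Arrays.asList(chain));
            // PKIX wants the trust anchor itself left out of the path: drop a trailing self-signed root
            X509Certificate last = (X509Certificate) path.get(path.size() - 1);
            if (path.size() > 1
                    && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
                path.remove(path.size() - 1);
            }
            try {
                validator.validate(cf.generateCertPath(path), params);
                usable.add(alias);
            } catch (CertPathValidatorException e) {
                System.out.println(alias + ": chain is not trusted by the peer: " + e.getMessage());
            }
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // password from the post; paths below are assumed
        KeyStore brokerKs = load("conf/broker.ks", "JKS", pw);
        KeyStore brokerTs = load("conf/broker.ts", "JKS", pw);
        KeyStore clientKs = load("conf/client.ks", "JKS", pw);
        KeyStore clientTs = load("conf/client.ts", "JKS", pw);

        // Server side of the handshake: the broker's key entry must chain to the client truststore
        System.out.println("broker key entries trusted by the client: "
                + usableKeyEntries(brokerKs, clientTs));
        // needClientAuth=true: the client's key entry must chain to the broker truststore,
        // otherwise the client sends an empty chain and the broker logs "null cert chain"
        System.out.println("client key entries trusted by the broker: "
                + usableKeyEntries(clientKs, brokerTs));
    }
}
```

Both lists should be non-empty for the configuration in the answer. An empty second list reproduces the original symptom: during the handshake the broker sends the subject names of its trusted CAs, the client's key manager only selects a key entry issued by one of them, and with no match it sends no certificate. Note that the check relies on the truststores holding the root as a trusted-certificate entry; a truststore that instead holds the peer's end-entity public key, as in the question's first attempt, yields no usable trust anchor for the chain.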
