skin27

Reputation: 426

How to configure SSL on ActiveMQ Artemis Cluster

I have a cluster where the connectors and acceptors are configured like this:

Server1:

      <connectors>
         <connector name="netty-connector">tcp://server1:61616</connector>
      </connectors>
        
      <acceptors>
         <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=CORE,AMQP,STOMP,HORNETQ,OPENWIRE</acceptor>
      </acceptors>

Server 2:

     <connectors>
        <connector name="netty-connector">tcp://server2:61616</connector>
     </connectors>
        
     <acceptors>
        <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=CORE,AMQP,STOMP,HORNETQ,OPENWIRE</acceptor>
     </acceptors>

Now I create a (self-signed) server certificate for each server. Do I need to set both keystorePath and truststorePath for both connector and acceptor? Or do I only need a keystorePath for the acceptor and truststorePath for the connector?

I saw several examples, but none that worked well (got handshake errors). What is a correct setup?

I tried this setup:

Server1:

      <connectors>
         <connector name="netty-connector">tcp://server1:61616?enabledProtocols=TLSv1.2;sslEnabled=true;trustStorePath=client-ca-truststore.jks;trustStorePassword=securepass</connector>
      </connectors>
        
      <acceptors>
         <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=CORE,AMQP,STOMP,HORNETQ,OPENWIRE;sslEnabled=true;needClientAuth=true;keyStorePath=server1-keystore.jks;keyStorePassword=securepass</acceptor>
      </acceptors>

Server 2:

     <connectors>
        <connector name="netty-connector">tcp://server2:61616?enabledProtocols=TLSv1.2;sslEnabled=true;trustStorePath=client-ca-truststore.jks;trustStorePassword=securepass</connector>
     </connectors>
        
     <acceptors>
        <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=CORE,AMQP,STOMP,HORNETQ,OPENWIRE;sslEnabled=true;needClientAuth=true;keyStorePath=server2-keystore.jks;keyStorePassword=securepass</acceptor>
     </acceptors>

On server1 I get this error:

WARN 57399 --- [Thread-7 (activemq-netty-threads)] org.apache.activemq.artemis.core.server : AMQ222208: SSL handshake failed for client from /10.96.1.102:35944: javax.net.ssl.SSLHandshakeException: Empty client certificate chain.

And on server 2:

ERROR 60482 --- [Thread-0 (ActiveMQ-server-org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl$6@7b3af62e)] org.apache.activemq.artemis.core.client : AMQ214016: Failed to create netty connection
java.lang.IllegalStateException: No ActiveMQChannelHandler has been found while connecting to server1/10.96.1.6:61616 from Channel with id = b4c31575
WARN 60482 --- [Thread-1 (ActiveMQ-server-org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl$6@7b3af62e)] org.apache.activemq.artemis.core.server : AMQ222186: unable to authorise cluster control: AMQ219016: Connection failure detected. Unblocking a blocking call that will never get a response

When I start one of the brokers, it starts normally. The errors occur when the other node is online. Server1 and server2 always have the same errors regardless of the start order.

Certificates were created with keytool (they look fine in KeyStore Explorer).

Is the setup incorrect, or is there something wrong with the certificates?

The previous setup of Artemis at the organization had mutual SSL, but there's no benefit in two-way authentication for my use case. As my setup wasn't working, I added it again, but I thought it only forced clients to authenticate through user/password.

Upvotes: 0

Views: 4070

Answers (1)

Justin Bertram

Reputation: 34973

Since you're using self-signed certificates, you need to specify keyStorePath and keyStorePassword on the acceptor and trustStorePath and trustStorePassword on the connector. Of course both will need sslEnabled=true.

The broker ships with an example that uses self-signed certificates in the examples/features/standard/ssl-enabled directory. This essentially demonstrates what is necessary for this use-case although in a slightly different way than what you're doing. Just think of the client in the example as the connector in the clustered use-case because that is exactly what it is. There are even commands in the documentation for how to generate all the SSL resources.

In the configuration you attempted you specified needClientAuth=true on your acceptor which is almost certainly causing problems. This setting is for enabling "mutual" (i.e. 2-way) SSL, but your question says nothing about this. I don't believe you need this. I recommend you remove it.

Upvotes: 1
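The layout the answer prescribes, written out as an added example (this is neither the asker's nor the answerer's configuration): keystore and password on the acceptor only, truststore and password on the connector only, and needClientAuth dropped. Host names, file names and passwords are reused from the question; the assumption, marked in the comments, is that client-ca-truststore.jks holds both nodes' self-signed certificates and is present on both servers.

```xml
<!-- Server 1: broker.xml fragment -->
<connectors>
   <!-- Connector = TLS client side: it only needs to trust the peer, so truststore only.
        Assumption: client-ca-truststore.jks contains BOTH server1 and server2 self-signed
        certs (keytool -exportcert on each keystore, keytool -importcert into this one) and
        the same file exists at this path on both brokers, because a node uses the peer's
        connector definition to connect back to it. -->
   <connector name="netty-connector">tcp://server1:61616?sslEnabled=true;enabledProtocols=TLSv1.2;trustStorePath=client-ca-truststore.jks;trustStorePassword=securepass</connector>
</connectors>

<acceptors>
   <!-- Acceptor = TLS server side: presents its own key, so keystore only.
        needClientAuth is intentionally absent: without it the broker never asks the peer
        for a certificate, which is what produced "Empty client certificate chain". -->
   <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=CORE,AMQP,STOMP,HORNETQ,OPENWIRE;sslEnabled=true;enabledProtocols=TLSv1.2;keyStorePath=server1-keystore.jks;keyStorePassword=securepass</acceptor>
</acceptors>

<!-- Server 2: identical shape, only the advertised host and the keystore differ -->
<connectors>
   <connector name="netty-connector">tcp://server2:61616?sslEnabled=true;enabledProtocols=TLSv1.2;trustStorePath=client-ca-truststore.jks;trustStorePassword=securepass</connector>
</connectors>

<acceptors>
   <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=CORE,AMQP,STOMP,HORNETQ,OPENWIRE;sslEnabled=true;enabledProtocols=TLSv1.2;keyStorePath=server2-keystore.jks;keyStorePassword=securepass</acceptor>
</acceptors>
```

Each acceptor still authenticates the cluster peer through the cluster-user/cluster-password credentials in broker.xml; the certificates here only authenticate the broker to whoever connects and encrypt the link.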
