CODEWITHSUNDEEP
javaactivemq-artemis
LDropl
LDropl

Reputation: 934

Sending messages to ActiveMQ Artemis not working with SSL enabled property

I have 3 pair master/slave Artemis HA cluster setup with replication. They are running on 6 different machines and each of them using their own self signed certificate where CN matches the hostname where the brokers are running. It was new in artemis 2.18.0.

broker.xml and bootstrap.xml with sslEnabled settings looks like this:

<?xml version='1.0'?>
<configuration xmlns="urn:activemq"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xi="http://www.w3.org/2001/XInclude"
               xsi:schemaLocation="urn:activemq /schema/artemis-configuration.xsd">

   <core xmlns="urn:activemq:core" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:activemq:core ">

      <name>amq1</name>
      <persistence-enabled>true</persistence-enabled>
      <journal-type>ASYNCIO</journal-type>
      <paging-directory>data/paging</paging-directory>
      <bindings-directory>data/bindings</bindings-directory>
      <journal-directory>data/journal</journal-directory>
      <large-messages-directory>data/large-messages</large-messages-directory>
      <journal-datasync>true</journal-datasync>
      <journal-min-files>2</journal-min-files>
      <journal-pool-files>10</journal-pool-files>
      <journal-device-block-size>4096</journal-device-block-size>
      <journal-file-size>10M</journal-file-size>
      <journal-buffer-timeout>28000</journal-buffer-timeout>
      <journal-max-io>4096</journal-max-io>
      <disk-scan-period>5000</disk-scan-period>
      <max-disk-usage>100</max-disk-usage>
      <critical-analyzer>true</critical-analyzer>
      <critical-analyzer-timeout>150000</critical-analyzer-timeout>
      <critical-analyzer-check-period>60000</critical-analyzer-check-period>
      <critical-analyzer-policy>HALT</critical-analyzer-policy>
      <page-sync-timeout>1628000</page-sync-timeout>
      <global-max-size>204Mb</global-max-size>

      <connectors>
        <connector name="amq1">tcp://amq1:61616?sslEnabled=true;trustStorePath=/home/vagrant/artemis_certs/client_ts.p12;trustStorePassword=0etjq234NCTgBxP8dc4</connector>
        <connector name="amq2">tcp://amq2:61616?sslEnabled=true;trustStorePath=/home/vagrant/artemis_certs/client_ts.p12;trustStorePassword=0etjq234NCTgBxP8dc4</connector>
        <connector name="amq33">tcp://amq33:61616?sslEnabled=true;trustStorePath=/home/vagrant/artemis_certs/client_ts.p12;trustStorePassword=0etjq234NCTgBxP8dc4</connector>
        <connector name="amq44">tcp://amq44:61616?sslEnabled=true;trustStorePath=/home/vagrant/artemis_certs/client_ts.p12;trustStorePassword=0etjq234NCTgBxP8dc4</connector>
        <connector name="amq5">tcp://amq5:61616?sslEnabled=true;trustStorePath=/home/vagrant/artemis_certs/client_ts.p12;trustStorePassword=0etjq234NCTgBxP8dc4</connector>
        <connector name="amq6">tcp://amq6:61616?sslEnabled=true;trustStorePath=/home/vagrant/artemis_certs/client_ts.p12;trustStorePassword=0etjq234NCTgBxP8dc4</connector>
      </connectors>
       <acceptors>
           <acceptor name="artemis">tcp://0.0.0.0:61616?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;amqpMinLargeMessageSize=102400;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;amqpDuplicateDetection=true</acceptor>
           <acceptor name="amqp">tcp://0.0.0.0:5672?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=AMQP;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;amqpMinLargeMessageSize=102400;amqpDuplicateDetection=true</acceptor>
           <acceptor name="stomp">tcp://0.0.0.0:61613?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=STOMP;useEpoll=true</acceptor>
           <acceptor name="hornetq">tcp://0.0.0.0:5445?anycastPrefix=jms.queue.;multicastPrefix=jms.topic.;protocols=HORNETQ,STOMP;useEpoll=true</acceptor>
           <acceptor name="mqtt">tcp://0.0.0.0:1883?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=MQTT;useEpoll=true</acceptor>
       </acceptors>
       <broadcast-groups>
           <broadcast-group name="artemis-broadcast-group">
               <group-address>231.7.7.7</group-address>
               <group-port>9876</group-port>
               <broadcast-period>2000</broadcast-period>
               <connector-ref>amq1</connector-ref>
           </broadcast-group>
       </broadcast-groups>
       <discovery-groups>
           <discovery-group name="artemis-discovery-group">
               <group-address>231.7.7.7</group-address>
               <group-port>9876</group-port>
               <refresh-timeout>10000</refresh-timeout>
           </discovery-group>
       </discovery-groups>
      <cluster-user>admin</cluster-user>
      <cluster-password>admin</cluster-password>
      <cluster-connections>
         <cluster-connection name="artemis-cluster">
            <connector-ref>amq1</connector-ref>
            <retry-interval>1000</retry-interval>
            <retry-interval-multiplier>3</retry-interval-multiplier>
            <max-retry-interval>5000</max-retry-interval>
            <initial-connect-attempts>-1</initial-connect-attempts>
            <reconnect-attempts>-1</reconnect-attempts>
            <use-duplicate-detection>true</use-duplicate-detection>
            <message-load-balancing>STRICT</message-load-balancing>
            <max-hops>1</max-hops>
             <discovery-group-ref discovery-group-name="artemis-discovery-group"/>
         </cluster-connection>
      </cluster-connections>

      <ha-policy>
        <replication>
          <master>
            <group-name>artemis-group-1</group-name>
            <quorum-vote-wait>12</quorum-vote-wait>
            <vote-on-replication-failure>true</vote-on-replication-failure>
            <check-for-live-server>true</check-for-live-server>
          </master>
        </replication>
      </ha-policy>

      <security-settings>
         <security-setting match="#">
            <permission type="createNonDurableQueue" roles="amq"/>
            <permission type="deleteNonDurableQueue" roles="amq"/>
            <permission type="createDurableQueue" roles="amq"/>
            <permission type="deleteDurableQueue" roles="amq"/>
            <permission type="createAddress" roles="amq"/>
            <permission type="deleteAddress" roles="amq"/>
            <permission type="consume" roles="amq"/>
            <permission type="browse" roles="amq"/>
            <permission type="send" roles="amq"/>
            <permission type="manage" roles="amq"/>
         </security-setting>
      </security-settings>
      <addresses>
         <address name="exampleQueue">
            <anycast>
               <queue name="exampleQueue"/>
            </anycast>
         </address>
         <address name="DLQ">
         </address>
         <address name="ExpiryQueue">
            <anycast>
               <queue name="ExpiryQueue" />
            </anycast>
         </address>
      </addresses>
      <address-settings>
         <!-- if you define auto-create on certain queues, management has to be auto-create -->
         <address-setting match="activemq.management#">
            <dead-letter-address>DLQ</dead-letter-address>
            <expiry-address>ExpiryQueue</expiry-address>
            <redelivery-delay>0</redelivery-delay>
            <!-- with -1 only the global-max-size is in use for limiting -->
            <max-size-bytes>-1</max-size-bytes>
            <message-counter-history-day-limit>10</message-counter-history-day-limit>
            <address-full-policy>PAGE</address-full-policy>
            <auto-create-queues>true</auto-create-queues>
            <auto-create-addresses>true</auto-create-addresses>
            <auto-create-jms-queues>true</auto-create-jms-queues>
            <auto-create-jms-topics>true</auto-create-jms-topics>
         </address-setting>
         <!--default for catch all-->
         <address-setting match="#">
            <dead-letter-address>DLQ</dead-letter-address>
            <expiry-address>ExpiryQueue</expiry-address>
            <redelivery-delay>0</redelivery-delay>
            <auto-create-dead-letter-resources>true</auto-create-dead-letter-resources>
            <!-- with -1 only the global-max-size is in use for limiting -->
            <max-size-bytes>-1</max-size-bytes>
            <message-counter-history-day-limit>10</message-counter-history-day-limit>
            <address-full-policy>PAGE</address-full-policy>
            <auto-create-queues>true</auto-create-queues>
            <auto-create-addresses>true</auto-create-addresses>
            <auto-create-jms-queues>true</auto-create-jms-queues>
            <auto-create-jms-topics>true</auto-create-jms-topics>
         </address-setting>
         <address-setting match="exampleQueue">            
            <dead-letter-address>DLQ</dead-letter-address>                      
            <redelivery-delay>1000</redelivery-delay>    
            <max-delivery-attempts>3</max-delivery-attempts>
            <max-size-bytes>-1</max-size-bytes>
            <page-size-bytes>1048576</page-size-bytes>
            <message-counter-history-day-limit>10</message-counter-history-day-limit>
            <address-full-policy>PAGE</address-full-policy>
        </address-setting>
      </address-settings>
   </core>
</configuration>

bootstrap.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<broker xmlns="http://activemq.org/schema">

   <jaas-security domain="activemq"/>

   <server configuration="file:/home/vagrant/artemis-broker/etc//broker.xml"/>
   <web bind="https://0.0.0.0:8161" path="web" keyStorePath="/home/vagrant/artemis_certs/broker_ks.p12" keyStorePassword="Hf316S2m34234VPuhmv9x" trustStorePath="/home/vagrant/artemis_certs/client_ts.p12" trustStorePassword="0etjq234NCTgBxP8dc4">
      <app url="activemq-branding" war="activemq-branding.war"/>
      <app url="artemis-plugin" war="artemis-plugin.war"/>
      <app url="console" war="console.war"/>
   </web>
</broker>

Now I'm trying to send messages to the queue from one client machine which is using also the certificate from one of the artemis broker client.

I configured brokerURL with list of all 6 artemis brokers and sslEnabled property but it doesn't not work when I'm trying to execute it.

    @Bean
    public ActiveMQConnectionFactory jmsFactory() {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(
                "(tcp://amq1:61616,tcp://amq2:61616,tcp://amq33:61616,tcp://amq44:61616,tcp://amq5:61616,tcp://amq6:61616)?ha=true&sslEnabled=true&trustStorePath=/home/vagrant/artemis_certs/client_ts.p12&trustStorePassword=password");
        factory.setRetryInterval(1000);
        factory.setRetryIntervalMultiplier(1.0);
        factory.setReconnectAttempts(-1);
        factory.setConfirmationWindowSize(10);
        return factory;
    }

If I use only property verifyHost=false in broker url then it works fine. the URL looks like this:

(tcp://amq1:61616,tcp://amq2:61616,tcp://amq33:61616,tcp://amq44:61616,tcp://amq5:61616,tcp://amq6:61616)?ha=true&verifyHost=false

I would like to make it work also with sslEnabled property but getting this error:

Started SpringJmsProducerApplication in 1.476 seconds (JVM running for 1.867)
Sending message 0 @ 2021-10-13 09:32:02.379
2021-10-13 09:32:13.236 ERROR 13894 --- [           main] org.apache.activemq.artemis.core.client  : AMQ214016: Failed to create netty connection

javax.net.ssl.SSLException: handshake timed out
        at io.netty.handler.ssl.SslHandler$5.run(SslHandler.java:2003) ~[netty-handler-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.util.concurrent.PromiseTask$RunnableAdapter.call(PromiseTask.java:38) ~[netty-common-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.util.concurrent.ScheduledFutureTask.run(ScheduledFutureTask.java:127) ~[netty-common-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163) ~[netty-common-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:416) ~[netty-common-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:331) ~[netty-transport-native-epoll-4.1.39.Final-linux-x86_64.jar!/:4.1.39.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:918) ~[netty-common-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[netty-common-4.1.39.Final.jar!/:4.1.39.Final]
        at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118) ~[artemis-commons-2.6.4.jar!/:2.6.4]

I added acceptor with sslEnabled in broker.xml file

      <acceptors>
        <acceptor name="netty-acceptor">tcp://amq1:61616?sslEnabled=true;keyStorePath=/home/vagrant/artemis_certs/broker_ks.p12;keyStorePassword=password</acceptor>
      </acceptors>

but now I'm getting this error:

Sending message 0 @ 2021-10-13 11:23:50.816
Failed: Uncategorized exception occurred during JMS processing; nested exception is javax.jms.JMSException: Failed to create session factory; nested exception is ActiveMQNotConnectedException[errorType=NOT_CONNECTED message=AMQ219007: Cannot connect to server(s). Tried with all available servers.]

Upvotes: 0

Views: 1509

Answers (1)

ehsavoie
ehsavoie

Reputation: 3517

You need to configure (or add) your acceptor with sslEnabled and the keystore/truststore to use.

Upvotes: 1

Related Questions