josh

Reputation: 419

Securing ActiveMQ Messaging in JBoss EAP

I have a Java client application which sends JMS messages to another Java server application. The client application runs as a desktop application (not deployed on JBoss) and the server application is deployed on JBoss (both on different machines). It works fine over HTTP, and I want to secure it by sending the messages over HTTPS instead.

I have created a keystore holding the SSL certificate on the server side and I also have a truststore with that certificate on the client side. Following the JBoss documentation, I've configured my standalone.xml file as follows:

http-connector and http-acceptor:

<http-connector name="http-connector" socket-binding="https" endpoint="http-acceptor">
    <param name="ssl-enabled" value="true"/>
</http-connector>

<http-acceptor name="http-acceptor" http-listener="https">
    <param name="ssl-enabled" value="true"/>
    <param name="key-store-path" value="path-to-keystore/identity.jks"/>
    <param name="key-store-password" value="***"/>
</http-acceptor>

The undertow subsystem in which my "https" listener is defined:

<subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
    <buffer-cache name="default"/>
    <server name="default-server">
        <ajp-listener name="ajp" socket-binding="ajp"/>
        <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
        <https-listener name="https" socket-binding="https" security-realm="ApplicationRealmHTTPS" enable-http2="true"/>
        ...
    </server>
</subsystem>

and my "ApplicationRealmHTTPS" security realm definition:

<security-realm name="ApplicationRealmHTTPS">
    <server-identities>
        <ssl>
            <keystore path="identity.jks" relative-to="jboss.server.config.dir" keystore-password="***" alias="appserver"/>
        </ssl>
    </server-identities>
</security-realm>

When I start my server application on JBoss, I'm getting the following exception:

2022-08-04 08:05:47,208 ERROR [org.apache.activemq.artemis.core.client] (Thread-1 (ActiveMQ-server-org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl$6@6ed9b50a)) AMQ214016: Failed to create netty connection: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:348)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:286)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:955)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:902)
        at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1494)
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1508)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1392)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1219)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1266)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:355)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
        at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:792)
        at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:475)
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
        at sun.security.validator.Validator.validate(Validator.java:271)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:278)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)
        ... 29 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
        ... 35 more

I'm trying to figure out if I'm on the right track and missing something else.

NOTE: The documentation I'm following is Chapter 7.1.2 here: https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html/configuring_messaging/configuring_messaging_security

Upvotes: 0

Views: 554

Answers (1)

mrxaxen

Reputation: 79

The key part will be this:

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
    ... 35 more

It seems like there's a problem regarding the certificate itself. I kind of have mild PTSD from this, but as I recall, you have to have your certificate in your keystore as a PrivateKeyEntry. The DNS part of the CN has to be correct as well. If you're using an IP instead of a proper domain name, the certificate has to contain it as an extension (I would only suggest doing this in an internal network; it's not too pretty, however I'm not sure about the security aspects of it).

It's also advisable to check if your JBoss installation is using the right keystore. I had this problem with Tomcat, so I'm not sure about the JBoss side, but Tomcat was either using the default .keystore file of the user, or the cacerts keystore of the Java installation.

TL;DR:

  1. Could be a domain name problem in the certificate itself. Check it, and if you're using an IP and a domain name to access the site, look for "Subject alternative name" (as far as I know you can only add this if it's a cert made by you -> self signed).
  2. Check if your JBoss instance is really using the keystore you think you're using. It might be using a default .keystore file or the cacerts store that came with your Java installation.

Other than this, I'd suggest looking for posts with the keywords: unable to find valid certification path to requested target

Upvotes: 1
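The three checks the answer lists (PrivateKeyEntry, hostname in SAN/CN, and a usable trust anchor) can be run offline against the keystore and truststore before restarting JBoss. The following is an added diagnostic, not code from the question, the answer or the Red Hat documentation; it assumes Java 9+ (for KeyStore.getInstance(File, char[])), JKS/PKCS12 files readable by the default keystore type, and that the store paths, passwords, alias and hostname are passed on the command line. Step 3 is the same PKIX path build that SunCertPathBuilder performs during the handshake, so a failure there reproduces the "unable to find valid certification path" exception with the store you actually point it at.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added diagnostic, not part of the question or answer: runs the answer's three checks against the
// keystore/truststore pair from the question. Alias, paths and host are command-line arguments.
public class TlsTrustCheck {
    // Usage: java TlsTrustCheck identity.jks <ks-pass> truststore.jks <ts-pass> appserver <host>
    // Point the truststore argument at $JAVA_HOME/lib/security/cacerts (default password
    // "changeit") to test the JVM-default store the answer says may be in use.
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(new File(args[0]), args[1].toCharArray());
        KeyStore ts = KeyStore.getInstance(new File(args[2]), args[3].toCharArray());
        String alias = args[4], host = args[5];
        // 1. The server identity must be a PrivateKeyEntry; a trustedCertEntry has no key to present.
        if (!ks.isKeyEntry(alias)) {
            System.out.println("FAIL: alias '" + alias + "' is not a PrivateKeyEntry");
            return;
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) chain[0];

        // 2. Host must be a SAN (type 2 = dNSName, 7 = iPAddress); a bare CN match is a legacy fallback.
        boolean nameOk = false;
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans != null) for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            if ((type == 2 || type == 7) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) nameOk = true;
        }
        if (!nameOk) nameOk = leaf.getSubjectX500Principal().getName().contains("CN=" + host);
        System.out.println(nameOk ? "OK: hostname matches certificate" : "FAIL: '" + host + "' not in SAN/CN");

        // 3. Build a PKIX path from the leaf to a trusted entry in the truststore, as SunCertPathBuilder
        // does in the handshake; failure here reproduces "unable to find valid certification path".
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(ts, target);
        params.setRevocationEnabled(false); // offline check; revocation is a separate concern
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Arrays.asList(chain))));
        try {
            CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("OK: chain validates against the truststore");
        } catch (CertPathBuilderException e) {
            System.out.println("FAIL: " + e.getMessage() + " (no trust anchor for this chain in the truststore)");
        }
    }
}
```

Run it once against the truststore you intend the JBoss-side connector to use and once against the JVM's cacerts; if only the latter fails, the connector is validating against a store that does not contain your certificate.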
