Comments on Thoughts of Tim Bish: Using SSL in NMS.ActiveMQ
Updated 2022-04-01T00:45:06.103-07:00

Anonymous, 2020-07-21T06:04:01.825-07:00:

Hello Tim

I hope you are doing well.
Thanks for your post.

I have client.ts and client.ks files. I converted those into .cer files and tried both files for SSLTransportFactory, but the problem is that every time I get a "call to Sspi failed" exception in the StartSendAuthResetSignal method.

Can you please help?
Which file should I use to create the certificate for the .NET client? If you provide any link then that will be great.

Thanks in advance.

Anonymous, 2017-04-21T02:15:20.469-07:00:

A sample application would be awesome. Getting this working is problematic and I know I'm probably missing some little detail. Any help would be fantastic.

flo, 2016-07-16T13:34:52.895-07:00:

I have the same issue. I have the .ts and .ks client certificates but I just cannot get it to work on SSL with NMS. Can you please provide a sample app that connects to ActiveMQ on SSL with certificates?

Anonymous, 2016-06-14T02:23:23.896-07:00:

Hi Tim,

I am trying to connect to ActiveMQ from a .NET client using NMS.
I am able to call factory.CreateConnection()

While calling connection.Start() it throws
InnerException "{"An unknown error occurred while processing the certificate"}"

I have got client.ts and client.ks certificates from the server.
Kindly advise how I can add these certificates so that I am able to start the ActiveMQ connection.

Thanks

Anonymous, 2016-01-18T10:16:37.111-08:00:

Ah - thank you!

Tim, 2016-01-15T12:28:32.774-08:00:

I believe that you just need to add the "transport.X" prefix to your URI with the correct option, "stomp:ssl://10.10.10.176:61612?transport.clientCertFileName=". Been a while though since I used it so you might have to debug that more to ensure that is correct.

Anonymous, 2016-01-15T12:23:11.497-08:00:

I realize this thread is quite old. I'm making a code switch from PHP/Stomp to using the Apache.NMS.Stomp from a dotNET environment. All went well for the initial pass using User/Pwd credentials to an established broker which is configured and known-to-work with either User/Pwd credentials, or client certs. Now it's time to get the dotNet code to also use certs. I'm having a conceptual issue: how do I configure the transport properties when creating the connection?

    //our broker is on 61612
    factory = new Apache.NMS.Stomp.ConnectionFactory("stomp:ssl://10.10.10.176:61612");
    connection = factory.CreateConnection();
    session = connection.CreateSession();
    ClearHeaders();
    connection.Start();

I see that Connection uses a "Transport", and the SSLTransport has the fields for "CertFileName" etc. How do I set them? I have tried setting them as parameters on the URI ("?clientCertFileName=....") and when stepping through the code these values are not being set on the Transport instance that's used when the connection starts.

So I assumed they were to be set programmatically before the .CreateConnection() call. I am not understanding where/when/how do I get the Transport object to manipulate it?

Is there a dumb-simple example that I'm missing?

Haris, 2013-05-13T20:58:01.555-07:00:

More than this, I believe we have to add the following line in activemq.xml as well

but when I add the above line I get the following issue when I start up ActiveMQ

    org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 166 in XML document from class path resource [activemq.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 166; columnNumber: 14; cvc-complex-type.2.4.a: Invalid content was found starting with element 'sslContext'. One of '{"http://www.springframework.org/schema/beans":import, "http://www.springframework.org/schema/beans":alias, "http://www.springframework.org/schema/beans":bean, WC[##other:"http://www.springframework.org/schema/beans"], "http://www.springframework.org/schema/beans":beans}' is expected.
     at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:396)

Any idea?

Ladislav Lenčucha, 2013-04-19T12:47:53.357-07:00:

Mattias, have you enabled the ssl protocol in activemq.xml?

Anonymous, 2012-09-28T05:01:28.516-07:00:

I know that it is an old thread but is there still somebody here that can help me?

I am trying to connect to a HornetQ server with Stomp in .NET but am having problems with the certification validation. I think it is the hostname verification that is the problem and I have read the part about using the serverName option but cannot get it to work. If someone could provide a small sample code where you use the NMSConnectionFactory I would be very grateful.

    IConnectionFactory factory = new NMSConnectionFactory("stomp:ssl://jms.dev.local:61613?transport.serverName=\"test\"");
    IConnection connection = factory.CreateConnection();

Error! Could not connect to broker URL: ssl://jms.dev.local:61613/?transport.servername="test".
Why is there a slash after the port?

//Mattias

Mark, 2012-02-23T03:33:21.965-08:00:

Thanks Tim!

I'll keep on the lookout for the next stable release of the API and use my "hack" in the meantime.

Mark

Tim, 2012-02-22T11:46:26.447-08:00:

Don't think there is any way to fix it without the code change, which as far as I know is already done in trunk.

Mark, 2012-02-22T10:26:54.542-08:00:

I've been trying to get the SSL Client authentication to work with my ActiveMQ. The subject of my test client cert is "CN=client".
If I pass in that value in the URI as follows, the parser throws an error because of the "=" in the parameter:

    string sSslUrl = "ssl://localhost:61617";
    sSslUrl += "&transport.clientCertSubject=CN=client";

I then tried encoding the "=" as follows:

    string sSslUrl = "ssl://localhost:61617";
    sSslUrl += "&transport.clientCertSubject= " + HttpUtility.UrlEncode ("CN=client");

This made the parser happy because the "=" is changed to "%3d". However, the encoded string "CN%3dclient" is passed into the "SslTransport::SelectLocalCertificate" method.
Since the encoded equals is never decoded (i.e. "%3d" was never changed back to "="), the match can't be made.
I experimented with a workaround by modifying the ClientCertSubject property to decode the value as follows:

    public string ClientCertSubject
    {
        get { return this.clientCertSubject; }
        set
        {
            /*MW, 2/22/12, work around for equal sign in URL parameter
            this.clientCertSubject = value;
            */
            //MW, 2/22/12, work around for equal sign in URL parameter
            this.clientCertSubject = HttpUtility.UrlDecode (value).Trim();
        }
    }

This made all the code happy and client authentication succeeded.

Is there a way to pass in the certificate subject name in the Url so the equals ("=") is properly passed to the SelectLocalCertificate call so this change isn't needed?

Thanks,
Mark

chalicham, 2011-11-28T10:54:19.154-08:00:

Tim,

Thanks for your reply. What exactly is the "clientCertFilename" property?
I have tried with the certificate name but I am getting the error "file name specified could not be found".

In my case, the client provided client.ks and client.ts, then I converted them to .cer and am storing them in the trusted root.

What is the "clientCertFilename" name I should specify here?

Thanks
Suresh

Tim, 2011-11-21T13:04:46.405-08:00:

.NET SSL is a real PITA. Best thing to do is to enable tracing using the NmsTracer Trace setter to log the data from the client and see what's going on. Also running in the debugger and stepping through the SSL Transport code might show you where it's going wrong. There's no magic here, just brute force really to get the crappy .NET SSL stream to read in the correct certificates.

chalicham, 2011-11-21T12:59:24.040-08:00:

Tim,

Thanks for your reply. After adding the right properties to the URI I am able to connect to the server using SSL connectionFactory.CreateConnection().

However I am getting the following error when I start the connection (connection.start())
java.lang.SecurityException : Unable to authenticate transport without SSL certificate.

In the trace log I finally see the following:

    System.Net.Sockets Verbose: 0 : [3272] Exiting Socket#59191269::Receive() -> 121#121
    System.Net.Sockets Verbose: 0 : [3272] Socket#59191269::Receive()
    System.Net.Sockets Verbose: 0 : [5620] Socket#59191269::Shutdown(Both#2)
    System.Net.Sockets Verbose: 0 : [5620] Exiting Socket#59191269::Shutdown()
    System.Net.Sockets Verbose: 0 : [5620] Socket#59191269::Close()

Appreciate it if you could help here.

Tim, 2011-11-11T06:47:09.291-08:00:

In general the source code is your best source of truth on the functionality. If you look at the source for the SSL transport you will find three properties,

    private string clientCertSubject;
    private string clientCertFilename;
    private string clientCertPassword;

You need to set the values for these on the Uri to tell the client where its Certificate is, and you need to include that certificate or its root in the trust store for the Broker.

varguc, 2011-11-10T11:02:07.486-08:00:

Hello Tim,
thank you for this article that helped me a lot in connecting to a broker listening over an SSL transport connection. Now I have another problem. We have to connect from our NMS client to a broker which needs client authentication. I haven't found any information about this situation. In the Conclusion of your article you promised a new article about two way Client / Server authentication. Can you help me?
varguc

chalicham, 2011-11-01T13:47:40.047-07:00:

Can someone please send me the sample to connect to ActiveMQ via SSL?

I am trying to set up transport.ClientCertFilename in the URI but for some reason it's not working.

Thanks
Suresh

Karel Gardas, 2011-09-12T07:20:04.665-07:00:

Hello Tim,
sorry for the double post! Anyway, my testing C# application is using .NET Framework 4. It's a console application (I've needed to retarget from .NET Framework 4 Client Profile to full .NET Framework 4) and I added both dlls from net-4.0/debug directories so I see them in solution explorer in the reference node.
Perhaps the problem might be with my code? I think the most problematic (from which the exception is thrown) is this:

    IConnectionFactory factory = new NMSConnectionFactory("ssl://127.0.0.1:61617", "C# test client");

--- OK! And this is the issue. When I changed NMSConnectionFactory to Apache.NMS.ActiveMQ.ConnectionFactory -- it starts working suddenly. :-)
Thanks a lot for your help with this!
Karel

Karel Gardas, 2011-09-12T07:01:25.474-07:00:

Hello,
thanks for the excellent article. The problem I see here is that while using the ssl://hostname:61617 scheme, NMS complains about unavailable connection factory implementation for connection URI: ssl://:61617.
That's while using NMS 1.5.0 and ActiveMQ NMS 1.5.1 in VS 2010 C# Express.
Do you know how to make this work? Thanks! Karel

Tim, 2011-09-12T06:51:05.931-07:00:

Either you don't have both the NMS and NMS.ActiveMQ dlls in the application's path, or you are using this on .NET compact framework. Those are my two guesses anyway, would need more info to make any other guesses.

Karel Gardas, 2011-09-12T06:46:05.880-07:00:

Hello,
thanks for the excellent article. However, I do have some issues getting SSL working with NMS. It looks like I'm not able to use ssl://hostname:61617 as NMS complains about unavailable connection factory implementation. I'm using 1.5.1 ActiveMQ NMS against 5.5.0 ActiveMQ. Do you know where the issue is with this? Thanks! Karel

chasingNirvana, 2010-10-19T14:51:25.836-07:00:

I think I found a solution to the above problem. I need someone from the ActiveMQ-CPP people to confirm it and update their code as well.

In the "void OpenSSLSocket::verifyServerCert( const std::string& serverName )" method I made the following changes:

    method->i2v( method, method->d2i( NULL, &data, extension->value->length ), NULL );

to

    method->i2v( method, X509_get_ext_d2i(cert, OBJ_obj2nid( X509_EXTENSION_get_object( extension ) ), NULL, NULL) , NULL );

Reference:
http://markmail.org/message/sixjgp4rpwm2wg7c#query:+page:1+mid:57sgja3zrc6xhqgz+state:results