Wildfly 28.0.1.Final - SSL on messaging-activemq subsystem


Martin Czakó

Jun 7, 2023, 3:52:46 PM
to WildFly
Hi,

I have a question about setting up keystore and truststore for my remote-connector inside messaging-activemq subsystem. 

I am connecting to a remote Artemis broker which has an acceptor defined like this:
It has other values but they are not relevant for this topic.

On my side I have a remote-connector set up like this:

<remote-connector name="artemis-master" socket-binding="remote-artemis-master" ssl-context="artemis-remote-ssl">

I have implemented the newly added option for ssl-context by referencing a client-ssl-context inside the elytron subsystem. The `artemis-remote-ssl` ssl-context consists of both my keystore and truststore definitions.

My problem is that even though I have this set up, when I try to run it, it gives an error:

ERROR [org.apache.activemq.artemis.core.client] (MSC service thread 1-4) AMQ214016: Failed to create netty connection: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
        at io.netty.ne...@4.1.87.Final//io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1549)
        at io.netty.ne...@4.1.87.Final//io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1395)
        at io.netty.ne...@4.1.87.Final//io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1236)
        at io.netty.ne...@4.1.87.Final//io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1285)
        at io.netty.n...@4.1.87.Final//io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
        at io.netty.n...@4.1.87.Final//io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
        at io.netty.n...@4.1.87.Final//io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
        at io.netty.net...@4.1.87.Final//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
        at io.netty.net...@4.1.87.Final//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.net...@4.1.87.Final//io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
        at io.netty.net...@4.1.87.Final//io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
        at io.netty.net...@4.1.87.Final//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
        at io.netty.net...@4.1.87.Final//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.net...@4.1.87.Final//io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
        at io.netty.net...@4.1.87.Final//io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
        at io.netty.net...@4.1.87.Final//io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
        at io.netty.net...@4.1.87.Final//io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
        at io.netty.net...@4.1.87.Final//io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
        at io.netty.net...@4.1.87.Final//io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
        at io.netty.n...@4.1.87.Final//io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
        at io.netty.n...@4.1.87.Final//io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at org.apache.activemq.artemis.journal//org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
        ... 30 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
        ... 35 more

WARN  [org.jboss.activemq.artemis.wildfly.integration.recovery] (MSC service thread 1-4) AMQ122018: Could not start recovery discovery on XARecoveryConfig [transportConfiguration=[TransportConfiguration(name=, factory=org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory) ?port=61616&localAddress=127-0-0-1&sslEnabled=true&host=nn74x045-sos-kb-cz&sslContext=artemis-remote-ssl], discoveryConfiguration=null, username=null, password=****, JNDI_NAME=java:jboss/RemoteConnectionFactory], we will retry every recovery scan until the server is available


It seems the remote-connector is inheriting the paths and passwords set up for the keystore and truststore for the acceptor on the remote broker side. This setting however is not working for me since my keystore path, truststore path and their passwords are completely different.
The only solution I have found is to add this to system-properties:

<system-properties>
        <property name="javax.net.ssl.keyStore" value="${jboss.server.config.dir}/${JMS_KEYSTORE}"/>
        <property name="javax.net.ssl.keyStorePassword" value="${JMS_KEYSTORE_PASSWORD}"/>
        <property name="javax.net.ssl.trustStore" value="${jboss.server.config.dir}/${JMS_TRUSTSTORE}"/>
        <property name="javax.net.ssl.trustStorePassword" value="${JMS_TRUSTSTORE_PASSWORD}"/>
</system-properties>


I would have thought that by adding the ssl-context this would not be necessary. Am I doing something wrong? Or is this normal and I simply have to specify keystore and truststore parameters in two places - the ssl-context definition and system-properties?


Thanks

Emmanuel Hugonnet

Jun 8, 2023, 7:05:41 AM
to Martin Czakó, WildFly
You could pass the parameter sslContext=artemis-remote-ssl in your connector

Emmanuel
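As an added illustration of Emmanuel's suggestion (not configuration from the thread or from the WildFly project), this is what the Elytron client-ssl-context and the remote-connector look like when the connector is handed the context by name through the sslContext parameter instead of the JVM-wide javax.net.ssl.* properties. The key-store names, file names, the PKCS12 type and the ${JMS_*} expressions are assumed placeholders; only `artemis-remote-ssl`, `artemis-master`, `remote-artemis-master`, `sslEnabled` and `sslContext` come from the thread.

```xml
<!-- Elytron subsystem: client-side key material for the Artemis connector.
     Store names, file names and passwords below are assumed placeholders. -->
<subsystem xmlns="urn:wildfly:elytron:18.0">
    <tls>
        <key-stores>
            <!-- client certificate + private key presented to the broker -->
            <key-store name="artemis-client-keystore">
                <credential-reference clear-text="${JMS_KEYSTORE_PASSWORD}"/>
                <implementation type="PKCS12"/>
                <file path="artemis-client.p12" relative-to="jboss.server.config.dir"/>
            </key-store>
            <!-- CA chain that issued the broker's acceptor certificate; this is
                 what resolves "unable to find valid certification path" -->
            <key-store name="artemis-client-truststore">
                <credential-reference clear-text="${JMS_TRUSTSTORE_PASSWORD}"/>
                <implementation type="PKCS12"/>
                <file path="artemis-ca.p12" relative-to="jboss.server.config.dir"/>
            </key-store>
        </key-stores>
        <key-managers>
            <key-manager name="artemis-client-km" key-store="artemis-client-keystore">
                <credential-reference clear-text="${JMS_KEYSTORE_PASSWORD}"/>
            </key-manager>
        </key-managers>
        <trust-managers>
            <trust-manager name="artemis-client-tm" key-store="artemis-client-truststore"/>
        </trust-managers>
        <client-ssl-contexts>
            <!-- the context named in the thread; pins the TLS version range too -->
            <client-ssl-context name="artemis-remote-ssl"
                                key-manager="artemis-client-km"
                                trust-manager="artemis-client-tm"
                                protocols="TLSv1.3 TLSv1.2"/>
        </client-ssl-contexts>
    </tls>
</subsystem>

<!-- messaging-activemq subsystem: the connector from the thread, with the
     sslContext parameter Emmanuel suggested so Artemis' Netty connector looks
     up the Elytron context by name rather than the JVM default SSLContext. -->
<remote-connector name="artemis-master" socket-binding="remote-artemis-master"
                  ssl-context="artemis-remote-ssl">
    <param name="sslEnabled" value="true"/>
    <param name="sslContext" value="artemis-remote-ssl"/>
</remote-connector>
```

Once the connector resolves the named context, the javax.net.ssl.* system-properties from the original post can be dropped: they redefine the default key and trust material for every JSSE client in the JVM, not just this connector, and put the store passwords where any code or management client that can read system properties can see them.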
