ActiveMQ bad certificate when introduce SSL - ssl

I am trying to use openwire+ssl in my ActiveMq. I am using the docker images provided by rmohr/activemq.
What I ran the following commands to generated necessary files since the broker_localhost.cert has expired.
keytool -genkey -alias broker -keyalg RSA -keystore broker.ks
keytool -export -alias broker -keystore broker.ks -file broker_cert
keytool -genkey -alias client -keyalg RSA -keystore client.ks
keytool -import -alias broker -keystore client.ts -file broker_cert
keytool -export -alias client -keystore client.ks -file client_cert
keytool -import -alias client -keystore broker.ts -file client_cert
Then in the activemq.xml I added:
<sslContext keyStore="file:${activemq.base}/certs/ActiveMq/broker.ks"
keyStorePassword="password" trustStore="file:${activemq.base}/certs/ActiveMq/broker.ts"
trustStorePassword="password"/>
as well as:
<transportConnector name="openwire+ssl" uri="ssl://0.0.0.0:61617?transport.enabledProtocols=TLSv1"/>
When I run docker compose to create the ActiveMQ instance I added an environment variable as:
environment:
- ACTIVEMQ_SSL_OPTS="-Djavax.net.ssl.keyStore=/opt/activemq/certs/ActiveMq/broker.ks -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=/opt/activemq/certs/ActiveMq/broker.ts -Djavax.net.ssl.trustStorePassword=password -Djavax.net.debug=ssl,handshake"
After that I import the broker_cert generated in the previous steps in Windows Manage user certificates as Trusted Root Certification Authorities.
Then I build my Asp.Net Core project to access the ActiveMQ broker
var uri = new Uri(#"ssl://localhost:61617?trace=true&needClientAuth=true&transport.serverName='MoveQ Broker'");
ITransportFactory sslTransportFactory = new SslTransportFactory();
((SslTransportFactory)sslTransportFactory).SslProtocol = "Tls";
ITransport transport = sslTransportFactory.CreateTransport(uri);
_connection = new Connection(uri, transport, new IdGenerator());
((Connection)_connection).UserName = "username";
((Connection)_connection).Password = "password";
_session = _connection.CreateSession(AcknowledgementMode.AutoAcknowledge);
However I keep getting
activemq | WARN | Transport Connection to: tcp://172.17.0.1:35356 failed: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
Can anyone help to see what step(s) I may miss?

If you just need 1-way SSL and you're using self-signed certificates then you don't need a truststore on the broker or a keystore on the client. You just need a keystore on the broker and a truststore on the client. Generate these resources like so:
keytool -genkey -keystore broker-keystore.ks
keytool -export -keystore broker-keystore.ks -file broker.cer
keytool -import -keystore client-truststore.ks -file broker.cer
Then use broker-keystore.ks on the broker and client-truststore.ks on the client.

Related

How to enable SSL in ActiveMQ Artemis for MQTT protocol based on keystore and truststore

I have installed ActiveMQ Artemis in Linux and configured broker.xml. I am using a certificate, but ActiveMQ Artemis uses keystore and truststore. How to create those and how to enable SSL for MQTT protocol?
Below shows configuration broker.xml
<acceptor name="mqtt">tcp://0.0.0.0:1883?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=MQTT;useEpoll=true
sslEnabled=true;
keyStorePath=home/certs/server-ks/server1.p12;keyStorePassword=abc#1234;
trustStorePath=home/certs/server-ks/server1.p12;
trustStorePassword=abc#1234;needClientAuth=true
</acceptor>
I have converted a certificate (.pem) to keystore and truststore
keytool -import -alias rootCA -trustcacerts -file certs/ca.pem -keystore certs/activeMQ-truststore.jks
openssl pkcs12 -inkey certs/server-cert/server1.pem -in certs/server-cert/server1.pem -name server1 -export -out certs/server-ks/server1.p12
keytool -importkeystore -deststorepass abc#1234 -destkeystore certs/server-ks/server-keystore1.jks -srckeystore certs/server-ks/server1.p12 -srcstoretype PKCS12
As above same I have created/converted for client keystore.
I need to connect broker using MQTT.FX client with self signed client keystore.
How to achieve this I am getting confused. Please help me if any one have idea.
In a self-signed configuration typically you'll create a certificate for both the broker and the client, export each, and then import the broker's cert into the client's truststore and import the client's cert into the broker's truststore. You can do all this using Java's keytool command.
Take a look at the example that ships with ActiveMQ Artemis in the examples/features/standard/ssl-enabled-dual-authentication directory. It demonstrates how to do this, e.g.:
keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample
keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample
keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
Your acceptor will need both sslEnabled=true and needClientAuth=true.

Connecting Kafka producer/consumer to broker via TLS

I am trying to setup TLS for kafka broker. I have followed the steps here and able to setup the Kafka with TLS. (In log, I see SSL entry for the configured port).
Now I am facing the issue with connecting the producer/consumer.
I created a client keystore using the below command,
keytool -keystore client.keystore.jks -alias localhost -validity 365 -keyalg RSA -genkey
Added the CA cert to the keystore,
keytool -keystore client.keystore.jks -alias CARoot -import -file ca-cert
Ran the below command in the client, where the ca-cert is the certificate used on the server.
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
keytool -keystore client.keystore.jks -alias localhost -validity 365 -keyalg RSA -genkey
keytool -keystore client.keystore.jks -alias CARoot -import -file ca-cert
Added the below config in the producer.properties,
security.protocol=SSL
ssl.truststore.location=path to client.truststore.jks
ssl.truststore.password=<password>
ssl.keystore.location=path to client.keystore.jks
ssl.keystore.password=<password>
ssl.key.password=<password>
Ran kafka-console-producer
kafka-console-producer.sh --broker-list 0.0.0.0:9092 --topic test --producer.config ../config/producer.properties
But I am getting the below error when running the util,
WARN Connection to node -1 terminated during authentication. This may
indicate that authentication failed due to invalid credentials.
(org.apache.kafka.clients.NetworkClient)
Suspecting that I am missing something in the client config. Any help would be greatly appreciated.
Are you trying with client side certificate ? Rather I would recommend, try without client certificate. In that case you only need below entries,
producer.properties file:-
security.protocol=SSL
ssl.truststore.location=/<path-to>/truststore.jks
ssl.truststore.type=JKS
Read more about it here - http://kafka.apache.org/documentation/#security_configclients
For client authentication kafka uses SASL, This part of the document covers it clearly - http://kafka.apache.org/documentation/#security_sasl

Issues with Enabling SSL in IBM Liberty 8.5.5.0 - Invalid keystore format

We have IBM liberty server (8.5.5.0) running in CICS (v5.1) region. I am getting error message listed below when we tried to activate ssl. I deleted default ssl keystore key.jks and key store recreated automatically but keep getting the same message.
I was able to view certificate in same keystore on my pc with keytool.
We also tried converting the file into IBM-1047 and IBM-037 code pages but no luck.
Error Message:
[11/9/15 15:47:15:572 EST] 0000001d com.ibm.ws.ssl.config.WSKeyStore E CWPKI0033E: The keystore located at /xxx/resources/security/key.jks id not load because of the following error: Invalid keystore format.
We are using default ssl provided by IBM
<!-- SSL Feature -->
<featureManager>
<feature>ssl-1.0</feature>
</featureManager>
<!-- Disable SSLv3 -->
<ssl id="defaultSSLConfig"
keyStoreRef="defaultKeyStore"
sslProtocol="TLS" />
<!-- Generate a default keystore -->
<keyStore id="defaultKeyStore" password="defaultPassword" />
Anybody had similar issue ? Could you please help ?
I had a similar problem where the keystore was empty, so I had to create it myself with Verisign CA certs. Here are my notes:
On a mac, see java home via: /usr/libexec/java_home
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
Verisign Class 3 and Class 3 G3 & G5
Aliases:
verisignclass3ca
verisignclass3g5ca
verisignclass3g3ca
keytool -export -alias verisignclass3ca -file verisign_c3.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
keytool -export -alias verisignclass3g3ca -file verisign_c3g3.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
keytool -export -alias verisignclass3g5ca -file verisign_c3g5.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
keytool -import -trustcacerts -file verisign_c3.crt -alias verisign_c3ca -keystore key.jks -storepass worklight
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias
Do you still want to add it to your own keystore? [no]:Y
keytool -import -trustcacerts -file verisign_c3g3.crt -alias verisign_c3g3ca -keystore key.jks -storepass worklight
keytool -import -trustcacerts -file verisign_c3g5.crt -alias verisign_c3g5ca -keystore key.jks -storepass worklight

QuickFIX initiator certificates are not required to establish SSL communication with the acceptor

I've been working on a client API using QuickFIX and I'm planning to use SSL and certificate based authentication. I generated self signed certificates for acceptor and initiator the following way:
1) Generate and export server/acceptor certificate:
keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -keystore server.jks
keytool -export -alias server -file server.cer -keystore server.jks
2) Generate and export client/initiator certificate:
keytool -genkeypair -keyalg RSA -keysize 2048 -alias client -keystore client.jks
keytool -export -alias client -file client.cer -keystore client.jks
3) Import server/acceptor certificate to client keystore:
keytool -import -v -trustcacerts -alias server -file server.cer -keystore client.jks
4) Import client/initiator certificate to server/acceptor keystore:
keytool -import -v -trustcacerts -alias client -file client.cer -keystore server.jks
Acceptor config:
SocketUseSSL=Y
SocketKeyStore=server.jks
SocketKeyStorePassword=password
Initiator config:
SocketUseSSL=Y
SocketKeyStore=client.jks
SocketKeyStorePassword=password
Everything seems to work fine and data is getting encrypted. However, if I remove the initiator's client.jks keystore file, I will get a QuickFIX log entry saying "client.jks: keystore not found, using empty keystore". Strange thing, the initiator is still able to connect and establish a valid FIX session. I would expected the connection to be dropped immediately since no valid certificate is provided. Am I missing something?
The client certificate is not required by default, you must set this:
NeedClientAuth=Y

ssl weblogic with identity keystore

I can't make my weblogic 11g to work on https. The problem is with identity keystore. How should I create identity keystore? I have private key, web server certificate and intermediate certificate in pem format. I import private key and certificates like this:
keytool -import -keystore myIdentity.jks -storepass mypass -storetype JKS -alias myPrivateKey -file mykey.pem -keypass mypass
keytool -import -keystore myIdentity.jks -storepass mypass -storetype JKS -alias mycert -trustcacerts -file certificate.pem -keypass mypass
I am dummy at this and don't know what is wrong
Generate the IdentityStore :
keytool -genkey -keystore myIdentityStore.jks -storepass welcome1 -alias dummy -dname CN="dummy,C=FR" -keypass welcome1
Import certificates in the TrustStore
keytool -import -v -noprompt -trustcacerts -alias myCertificateAliasName -file myCertificateLocation -keystore myTrustStore.jks -storepass welcome1
Configure your weblogic Server :
Environment -> Servers – AdminServer -> Keystores, then
Change Demo Identity and Demo Trust to Custom Identity and Custom Trust.
Also, change those values for Identity
Custom Identity Keystore : $OSB_HOME/vesiKeyStore/vesiIdentityStore.jks,
Custom Identity Keystore Type : JKS,
Confirm Custom Identity Keystore Passphrase :welcome1.
Do the same for Trust.
restart the server.
Found very useful:
This link
I generated keystore with IBM Keyman and solved my problems.