How to disable SSL3 for activemq https transport? - ssl

I am trying to disable SSL3 for activemq https transport. (activemq-5.11)
I tried the transport.enabledProtocols option as suggested in How to disable SSLv3 protocol in Apache ActiveMQ?
transport.enabledProtocols is working for ssl:// transport but not for https:// transport.
I do not see a handshake failure when I try to connect with openssl using the -ssl3 option.
Thanks

Jetty fronts the HTTP aspect of ActiveMQ, and uses a Spring connector for the config. This lets you add the excludeProtocols property with SSLv3 as the value:
<bean id="SecureConnector" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
    <property name="port" value="8162" />
    <property name="keystore" value="file:${activemq.conf}/broker.ks" />
    <property name="password" value="password" />
    <property name="excludeProtocols" value="SSL,SSLv2,SSLv3" />
</bean>

You should be on .NET 4.5+, and in your code, before calling the service, add the line below:
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
There is an article here:
http://passionatecoder.ca/Posts/Details/47

Related

ActiveMQ & built-in Jetty: how to redirect HTTP to HTTPS? And how to signal which protocol to use?

I have modified the admin console of ActiveMQ, i.e. the built-in Jetty, to use HTTPS instead of plain HTTP. However, two (albeit minor) issues remain:
I only managed to disable the HTTP port and enable the HTTPS port as suggested in the jetty.xml file:
<list>
    <!--
        Default: Enable this connector if you wish to use http with web console
    ->
    <bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
        <constructor-arg ref="Server" />
        <!- see the jettyPort bean ->
        <property name="host" value="#{systemProperties['jetty.host']}" />
        <property name="port" value="#{systemProperties['jetty.port']}" />
    </bean>
    <!- -->
    <!--
        Enable this connector if you wish to use https with web console
    -->
    <bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
        <constructor-arg ref="Server" />
        <constructor-arg>
            <bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
                <property name="keyStorePath" value="${activemq.conf}/broker.ks" />
                <property name="keyStorePassword" value="password" />
            </bean>
        </constructor-arg>
        <property name="port" value="8162" />
    </bean>
I would have preferred to leave the HTTP port active but use it to redirect HTTP calls to HTTPS. Can one do that and if so, how? I found no documentation describing this.
If one looks at the log at startup one gets a line
...
2022-11-23 17:56:04,836 | INFO | ActiveMQ WebConsole available at http://0.0.0.0:8162/ | org.apache.activemq.web.WebConsoleStarter | WrapperSimpleAppMain
2022-11-23 17:56:04,836 | INFO | ActiveMQ Jolokia REST API available at http://0.0.0.0:8162/api/jolokia/ | org.apache.activemq.web.WebConsoleStarter | WrapperSimpleAppMain
...
I.e. the URL displayed obviously picks up the correct port (8162, which I had changed from the default 8161 when switching to HTTPS) but displays the wrong protocol ("http"), which is not correct. HTTP is not served any more, only HTTPS.
Can one tweak that as well so that the log also displays the correct protocol, i.e. https://0.0.0.0:8162/...?
Specify your (HTTP connector) HttpConfiguration properly with regard to securePort and secureScheme.
Then add the SecureRedirectHandler somewhere early in your Jetty Handler tree.
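As an added example (not from the answer above and not ActiveMQ's shipped jetty.xml), here is a Jetty 9 wiring of those two steps in ActiveMQ's Spring-style jetty.xml. The bean ids Server, Connector, SecureConnector and handlers, the ports 8161/8162 and the keystore path are taken from the question; httpConfig, sslHttpConfig, sslContextFactory and secureRedirect are names chosen here. In ActiveMQ's file the two connectors sit in the list that is handed to Server.setConnectors and the handler tree is the HandlerCollection that the Server bean's handler property points at; the fragment shows only the beans that change, not the whole file.

```xml
<!-- Added example, not ActiveMQ's shipped jetty.xml. Jetty 9 API. -->

<!-- 1. HttpConfiguration for the plain connector. secureScheme/securePort tell
        Jetty where the TLS counterpart lives; SecureRedirectHandler reads
        exactly these two values when it builds the redirect target. -->
<bean id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <property name="secureScheme" value="https" />
    <property name="securePort" value="8162" />
</bean>

<!-- 2. Copy of the same configuration for the TLS connector, plus a
        SecureRequestCustomizer. The customizer marks requests that arrived
        over TLS as secure, so the redirect handler passes them through
        instead of redirecting them again. -->
<bean id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <constructor-arg ref="httpConfig" />
    <property name="customizers">
        <list>
            <bean class="org.eclipse.jetty.server.SecureRequestCustomizer" />
        </list>
    </property>
</bean>

<!-- Keystore values as in the question. Newer 9.4.x releases prefer the
        nested class org.eclipse.jetty.util.ssl.SslContextFactory$Server. -->
<bean id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <property name="keyStorePath" value="${activemq.conf}/broker.ks" />
    <property name="keyStorePassword" value="password" />
</bean>

<!-- 3. Both connectors stay enabled. These two beans replace the ones in the
        connector list that jetty.xml passes to Server.setConnectors. -->
<bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
    <constructor-arg ref="Server" />
    <constructor-arg>
        <list>
            <bean class="org.eclipse.jetty.server.HttpConnectionFactory">
                <constructor-arg ref="httpConfig" />
            </bean>
        </list>
    </constructor-arg>
    <property name="host" value="#{systemProperties['jetty.host']}" />
    <property name="port" value="8161" />
</bean>

<bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
    <constructor-arg ref="Server" />
    <constructor-arg>
        <list>
            <bean class="org.eclipse.jetty.server.SslConnectionFactory">
                <constructor-arg index="0" ref="sslContextFactory" />
                <constructor-arg index="1" value="http/1.1" />
            </bean>
            <bean class="org.eclipse.jetty.server.HttpConnectionFactory">
                <constructor-arg ref="sslHttpConfig" />
            </bean>
        </list>
    </constructor-arg>
    <property name="port" value="8162" />
</bean>

<!-- 4. Redirect handler wrapped around the existing handler tree. Point the
        Server bean's "handler" property at this bean instead of at
        "handlers" so that it runs before the web console context. -->
<bean id="secureRedirect" class="org.eclipse.jetty.server.handler.SecureRedirectHandler">
    <property name="handler" ref="handlers" />
</bean>
```

With this in place a request to http://host:8161/admin/ receives a redirect to https://host:8162/admin/, while requests that already came in on port 8162 are flagged secure by the customizer and reach the console directly. Leaving the customizer out of the TLS connector's configuration is the usual mistake: Jetty then reports isSecure() as false for those requests too, and the handler redirects them in a loop.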

Using TLSv1.2 for connecting to IBM WebSphere JNDI

I have a legacy application which is using Spring 3.2.4 and is connecting to an IBM WebSphere JMS queue resolved via JNDI. Following are the Spring beans for connection factory and the JNDI template.
<bean id="queueConnectionFactory" class="org.springframework.jndi.JndiObjectFactoryBean">
    <property name="jndiTemplate" ref="jndi-template-1" />
    <property name="jndiName" value="FOO" />
    <property name="lookupOnStartup" value="false"/>
    <property name="proxyInterface" value="javax.jms.ConnectionFactory"/>
</bean>
<bean id="jndi-template-1" class="org.springframework.jndi.JndiTemplate">
    <property name="environment">
        <props>
            <prop key="java.naming.factory.initial">com.ibm.websphere.naming.WsnInitialContextFactory</prop>
            <prop key="java.naming.provider.url">${jndi-url}</prop>
        </props>
    </property>
</bean>
Recently the WebSphere server has been upgraded and restricted to allow only TLSv1.2 connections. Since the client is currently using TLSv1, connections are rejected.
Is there a way to configure the JNDI template to use TLSv1.2 for client connections?
Three things you need to check for in your legacy application:
Is it running Java 8 or higher?
Is it using IBM MQ JAR files v8.0.0.9 or higher?
Is the JNDI QCF/TCF entry using a CipherSuite that is TLS 1.2? You can check out the supported TLS v1.2 CipherSuites for IBM MQ here.

Failed to allocate a JMS connection Payara and Websphere MQ

I installed an IBM resource adapter to a Payara (Glassfish) server using the instructions on the page below from the IBM website:
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q121520_.htm
However when I try to test the Connector Connection Pool using the ping option I get the following error:
'Ping Connection Pool failed for jms/ivt/IVTCF-Connection-Pool. MQJCA1011: Failed to allocate a JMS connection., error code: MQJCA1011 Please check the server.log for more details.'
I am running Payara Server 4.1.2.181 and trying to connect to IBM WebSphere MQ Explorer Version: 8.0.0.5. Below are the relevant connection details from the domain.xml file I am using:
<connector-connection-pool resource-adapter-name="wmq.jmsra" max-pool-size="250" ping="true" steady-pool-size="1" name="jms/ivt/IVTCF-Connection-Pool" connection-definition-name="javax.jms.ConnectionFactory">
    <property name="transportType" value="CLIENT"></property>
    <property name="queueManager" value="QM"></property>
    <property name="channel" value="SYSTEM.DEF.SVRCONN"></property>
    <property name="port" value="1418"></property>
    <property name="hostName" value="localhost"></property>
</connector-connection-pool>
<connector-resource pool-name="jms/ivt/IVTCF-Connection-Pool" jndi-name="IVTCF"></connector-resource>
<admin-object-resource res-adapter="wmq.jmsra" res-type="javax.jms.Queue" jndi-name="IVTQueue" class-name="com.ibm.mq.connector.outbound.MQQueueProxy">
    <property name="baseQueueManagerName" value="QM"></property>
    <property name="name" value="IVTQueue"></property>
    <property name="CCSID" value="1208"></property>
    <property name="failIfQuiesce" value="true"></property>
    <property name="messageBodyStyle" value="UNSPECIFIED"></property>
    <property name="readAheadClosePolicy" value="ALL"></property>
    <property name="encoding" value="NATIVE"></property>
    <property name="priority" value="APP"></property>
    <property name="putAsyncAllowed" value="DESTINATION"></property>
    <property name="readAheadAllowed" value="DESTINATION"></property>
    <property name="persistence" value="APP"></property>
    <property name="targetClient" value="JMS"></property>
    <property name="expiry" value="APP"></property>
</admin-object-resource>
    <property name="queueManager" value="QM"></property>
    <property name="channel" value="SYSTEM.DEF.SVRCONN"></property>
    <property name="port" value="1418"></property>
    <property name="hostName" value="localhost"></property>
Do you have a local queue called 'QM'? You are using 'localhost', so is it running on your local PC? And did you configure the MQ listener to use port # 1418?
Finally, do not use the "SYSTEM.DEF.SVRCONN". Create a channel for your own use. i.e. 'TEST.CHL'. Also, you could be blocked from using the SYSTEM.* channel by a CHLAUTH rule.
As @Roger had highlighted, the issue in my case was that the channel was blocked by the CHLAUTH rule. I fixed the issue by disabling authorisation on the channel using the commands below on the IBM Integration Console:
ALTER QMGR CHLAUTH(DISABLED)
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(NONE)
REFRESH SECURITY TYPE(CONNAUTH)

Disabling ssl v3 in activemq admin console

How do I disable SSL v3 in the ActiveMQ admin console (port 8161)? I did not find any document online.
In my jetty.xml file I can see below lines:
<bean id="SecureConnector" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
    <property name="port" value="8161" />
    <property name="keystore" value="file:${activemq.conf}/broker.ks" />
    <property name="password" value="password" />
</bean>
ActiveMQ uses a basic Spring-wired Jetty server for the admin web GUI. Use the methods available in the Jetty documentation, or look at this SO question.
SslSelectChannelConnector takes an SslContextFactory as a constructor arg. That factory has an excludeProtocols property which you can feed with "sslv3".
Wiring that up in Spring should be straightforward.
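The wiring this answer describes, as an added example that serves both this question and the first one on the page (it is not from either answer and not ActiveMQ's shipped file). It targets the web console's jetty.xml in ActiveMQ 5.10/5.11, which embeds Jetty 8 and uses SslSelectChannelConnector as in the snippet above; the port and keystore values are the ones from the question, and the bean name sslContextFactory is chosen here. It also shows the allow-list form (includeProtocols), which neither answer mentions.

```xml
<!-- Added example: jetty.xml fragment for ActiveMQ 5.10/5.11 (Jetty 8).
     The protocol policy lives on the SslContextFactory; the connector only
     receives the factory. -->
<bean id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <property name="keyStorePath" value="${activemq.conf}/broker.ks" />
    <property name="keyStorePassword" value="password" />

    <!-- Deny-list form. Spring turns the comma-separated value into the
         String[] that setExcludeProtocols expects. Names are matched against
         what the JVM's SSLEngine reports, so the case matters: "SSLv3",
         not "sslv3". SSLv2Hello is the legacy hello framing, harmless to
         drop once no SSLv2/SSLv3 clients remain. -->
    <property name="excludeProtocols" value="SSL,SSLv2,SSLv2Hello,SSLv3" />

    <!-- Allow-list form, stricter: anything not named here is off, so a
         JVM upgrade that enables a protocol you have not reviewed cannot
         widen the surface. Exclusions still win over inclusions. Use this
         where every client is known to speak TLS 1.2. -->
    <property name="includeProtocols" value="TLSv1.2" />
</bean>

<bean id="SecureConnector" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
    <!-- factory passed as constructor arg, as the answer says -->
    <constructor-arg ref="sslContextFactory" />
    <property name="port" value="8161" />
</bean>
```

On ActiveMQ releases that embed Jetty 9 the connector class changes to org.eclipse.jetty.server.ServerConnector with the SslContextFactory as its second constructor arg, as in the redirect question on this page; the two protocol properties on the factory are the same. To verify, repeat the openssl s_client -ssl3 test from the first question, but check the client first: OpenSSL builds that were compiled without SSLv3 reject the -ssl3 option with an unknown-option error before any connection is made, so a failure on the client side says nothing about the server. Testing the surviving versions one at a time (-tls1, -tls1_1, -tls1_2) shows whether the allow-list took effect.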

Separate Keystore for Spring-WS SSL handshake and Message Encryption

I have a question regarding
SSLHandshakeException talking to a https Web service using Spring WebServiceTemplate
answered by borodark:
"No need to import keys into keystore."
If we don't provide a keystore, then what will HttpClient use for sending the client certificate for the SSL handshake?
I have a requirement to invoke web services on a business partner:
a) Authenticate using SSL using a public key certificate X
b) Encrypt and Sign SOAP messages using public key certificate Y
I guess I will need to specify certificate Y to the following :
<bean class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
    <property name="securementActions" value="Signature"/>
    <property name="securementSignatureKeyIdentifier" value="DirectReference"/>
    <property name="securementUsername" value="mycert"/>
    <property name="securementPassword" value="certpass"/>
    <property name="securementSignatureCrypto">
        <bean class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
            <property name="keyStorePassword" value="123456"/>
            <property name="keyStoreLocation" value="classpath:/keystore.jks"/>
        </bean>
    </property>
</bean>
I am not sure how/where to specify certificate X for the SSL handshake. I think it's the HttpClient, but I don't see it in the XML posted by borodark.
Please help!
In the XML file where you have configured the keystore you should have something like this:
<beans>
    <bean id="keyStoreHandler" class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
        <property name="keyStore" ref="keyStore"/>
        <property name="privateKeyPassword" value="changeit"/>
    </bean>
    <bean id="keyStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
        <property name="location" value="classpath:keystore.jks"/>
        <property name="password" value="changeit"/>
    </bean>
</beans>
The cue here is
<property name="location" value="classpath:keystore.jks"/>
That is the path to the keystore. Now, possibly you can use a certain alias inside the keystore for the SSL handshake (and that's what you configure here); additionally, the security policy relies on the same file, but then again in the security policy file you can specify a different alias, and that should do the trick.
Consider that while
<property name="location" value="classpath:keystore.jks"/>
indicates the classpath, you can use other forms to reference resources outside the war itself, and that lets you change the certificate without touching the war at all.
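Added example, not from the answer above and not Spring-WS's own documentation: the two certificates from the question kept in two keystores, with certificate X wired into the HTTPS transport and certificate Y into the WS-Security interceptor. In Spring-WS the TLS client key is a property of the message sender (HttpsUrlConnectionMessageSender), not of the security interceptor, so the interceptor bean from the question is reused as posted and only gains a bean id. File names, passwords, the partner endpoint and the bean ids are placeholders chosen here.

```xml
<!-- Added example. All paths, passwords and the endpoint are placeholders. -->

<!-- Keystore 1: certificate X and its private key, used only for the TLS
     handshake (client authentication at the transport layer). -->
<bean id="tlsKeyStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    <property name="location" value="file:/etc/myapp/tls-client.jks" />
    <property name="password" value="tls-store-pass" />
</bean>
<bean id="tlsKeyManagers" class="org.springframework.ws.soap.security.support.KeyManagersFactoryBean">
    <property name="keyStore" ref="tlsKeyStore" />
    <property name="password" value="tls-key-pass" />   <!-- private key password -->
</bean>

<!-- Truststore for the partner's server certificate, kept apart from the
     keystore so that rotating our client key cannot silently change who we
     trust. Without explicit trustManagers the JVM default cacerts is used. -->
<bean id="tlsTrustStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    <property name="location" value="file:/etc/myapp/partner-truststore.jks" />
    <property name="password" value="trust-store-pass" />
</bean>
<bean id="tlsTrustManagers" class="org.springframework.ws.soap.security.support.TrustManagersFactoryBean">
    <property name="keyStore" ref="tlsTrustStore" />
</bean>

<!-- The transport is where certificate X is presented. -->
<bean id="httpsSender" class="org.springframework.ws.transport.http.HttpsUrlConnectionMessageSender">
    <property name="keyManagers" ref="tlsKeyManagers" />
    <property name="trustManagers" ref="tlsTrustManagers" />
    <property name="sslProtocol" value="TLSv1.2" />
</bean>

<!-- Keystore 2: certificate Y, used only to sign the SOAP body. This is the
     interceptor from the question, unchanged apart from the bean id. -->
<bean id="wssInterceptor" class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
    <property name="securementActions" value="Signature"/>
    <property name="securementSignatureKeyIdentifier" value="DirectReference"/>
    <property name="securementUsername" value="mycert"/>
    <property name="securementPassword" value="certpass"/>
    <property name="securementSignatureCrypto">
        <bean class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
            <property name="keyStorePassword" value="123456"/>
            <property name="keyStoreLocation" value="file:/etc/myapp/signing.jks"/>
        </bean>
    </property>
</bean>

<!-- The template ties the two together: sender for the connection,
     interceptor for the message. -->
<bean id="webServiceTemplate" class="org.springframework.ws.client.core.WebServiceTemplate">
    <property name="defaultUri" value="https://partner.example/ws" />
    <property name="messageSender" ref="httpsSender" />
    <property name="interceptors">
        <list>
            <ref bean="wssInterceptor" />
        </list>
    </property>
</bean>
```

Keeping the two keys in separate files is not just tidiness: the TLS key authenticates a connection and can be rotated with the partner's transport team, while the signing key produces evidence that survives the connection (the signed envelope can be verified later or behind an intermediary), so its lifetime, backup and revocation rules differ. Both keystores are referenced with file: URLs rather than classpath: for the reason the answer gives, so that certificates can be replaced without rebuilding the war.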