How can I select different version of TLS for secure client connection to Apache Cassandra cluster. The cluster is running Cassandra version 4.0. The client application is using Datastax driver for C#. My cluster builder code looks similar to this (I've cleaned-up real user, password, IPs etc.):
Cluster.Builder().WithCredentials("keyspaceUser", "keyspacePassword")
.AddContactPoints("127.0.0.1, 128.0.0.1, 129.0.0.1")
.WithSSL(new SSLOptions()
.SetCertificateCollection(new X509Certificate2Collection
{
new X509Certificate2(certPath, "certificatePassword")
}
)
.SetRemoteCertValidationCallback(
(sender, certificate, chain, errors) => { return true; }
)
)
.WithLoadBalancingPolicy(new RoundRobinPolicy())
.Build();
The problem I am facing which I can see in Cassandra's system.log is:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:100000f0:SSL routines:OPENSSL_internal:UNSUPPORTED_PROTOCOL
After further analysis I could find that the client is trying to use TLSv1 which is obsolete and by default disabled in Java 1.8.
So my question is how I can set in the builder to use different TLS version?
Thanks
The SSLOptions type has a constructor that allows you to specify which ssl protocol to use.
This follows on from "How to access JMX interface in docker from outside?" which talks about setting up unencrypted JMX connections.
I could use either RMI or JMXMP which Glassfish uses.
There is a set of JVM options that are required and I'm looking for the changes I need to set up JMX with SSL:
com.sun.management.jmxremote=true
com.sun.management.jmxremote.local.only=false
com.sun.management.jmxremote.ssl=true
com.sun.management.jmxremote.authenticate=true
com.sun.management.jmxremote.port=12345
com.sun.management.jmxremote.rmi.port=12346
java.rmi.server.hostname=10.11.12.176
com.sun.management.jmxremote.access.file=/.secure/jmxremote.access
com.sun.management.jmxremote.password.file=/.secure/jmxremote.pass
com.sun.management.jmxremote.login.config=ldap-ad-config
java.net.preferIPv4Stack=true
com.sun.management.jmxremote.ssl.config.file=/.secure/jmxremotessl.properties
javax.net.ssl.keyStore=/config/app.jks
javax.net.ssl.keyStorePassword=teabag
javax.net.ssl.trustStore=/config/cacerts
javax.net.ssl.trustStorePassword=milk
The problem is the same:
java.rmi.ConnectException: Connection refused to host: 172.0.0.85; nested exception is
java.net.ConnectException: Operation timed out
That IP address is the internal IP address of the docker container. I assume that this is happening despite the java.rmi.server.hostname solution because it's on SSL.
I tried to reverse proxy the SSL to non-SSL with nginx but that failed with the error
java.rmi.ConnectIOException: non-JRMP server at remote endpoint
so I guess I should be forwarding extra headers in nginx.
I'm now attempting to set up JMXMP but the documentation on how to do it is pretty thin on the ground. There's a Spring implementation and a Glassfish implementation but not with findable docs (as yet) - so I'm adding the glassfish tag.
The answer is that I can set up my app to use JMXMP and configure it to implement TLS connections using these JVM options:
-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.local.only=false
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.access.file=C:/dev/.secure/jmxremote.access
-Dcom.sun.management.jmxremote.password.file=C:/dev/.secure/jmxremote.pass
-Dcom.sun.management.jmxremote.login.config=spnego-server
-Djava.net.preferIPv4Stack=true
-Dcom.sun.management.jmxremote.ssl.config.file=/.secure/jmxremotessl.properties
however I have to code up a configuration class to launch the JMXConnectorServer like so:
#Configuration
public class JmxServer {
public JmxServer(
#Value("${jmx.remote.hostname}") final String hostname,
#Value("${jmx.remote.port}") final String port) {
try {
Map<String, Object> env = new HashMap<>();
env.put("jmx.remote.profiles", "TLS SASL/PLAIN");
env.put(JMXConnector.CREDENTIALS,
new String[] {"myusername", "password"});
JMXConnectorServerFactory.newJMXConnectorServer(
new JMXServiceURL(
String.format("service:jmx:jmxmp://%s:%s",
hostname, port)),
env,
ManagementFactory.getPlatformMBeanServer()
).start();
} catch (IOException e) {
e.printStackTrace();
}
}
}
But this is only half of it. I am now wrangling with JConsole to get it to do JMXMP with TLS.
For that I'm following this fossil question from 2007 on the Oracle forums:
Can JConsole connect to a remote JMX agent using JMXMP and TLS?
but still struggling...
ActiveMQ, as per line 151 in AmqpWireFormat, refuses connections with a AMQP protocol version other than 1.0.0.
AMQP .NET Lite, as per line 411 in Connection, sends 0.1.0.0. At the same time it claims to do Full control of AMQP 1.0 protocol behavior.
Obviously ActiveMQ refuses connections from AMQP .NET Lite with "Connection attempt from non AMQP v1.0 client. AMQP,0,1,0,0".
The client does:
Address address = new Address("amqp://localhost:5672");
Connection connection = new Connection(address);
Session session = new Session(connection);
And ActiveMQ logs:
2017-03-28 09:11:28,403 | DEBUG | Transport Connection to: tcp://0:0:0:0:0:0:0:1:54352 failed: org.apache.activemq.transport.amqp.AmqpProtocolException: Connection from client using unsupported AMQP attempted | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///0:0:0:0:0:0:0:1:54352#5672
org.apache.activemq.transport.amqp.AmqpProtocolException: Connection from client using unsupported AMQP attempted
at org.apache.activemq.transport.amqp.protocol.AmqpConnection.onAMQPData(AmqpConnection.java:339)[activemq-amqp-5.14.4.jar:5.14.4]
at org.apache.activemq.transport.amqp.AmqpProtocolDiscriminator.onAMQPData(AmqpProtocolDiscriminator.java:96)[activemq-amqp-5.14.4.jar:5.14.4]
at org.apache.activemq.transport.amqp.AmqpTransportFilter.onCommand(AmqpTransportFilter.java:107)[activemq-amqp-5.14.4.jar:5.14.4]
at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)[activemq-client-5.14.4.jar:5.14.4]
at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)[activemq-client-5.14.4.jar:5.14.4]
at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)[activemq-client-5.14.4.jar:5.14.4]
at java.lang.Thread.run(Thread.java:745)[:1.8.0_112]
On the command line it says:
WARN | Connection attempt from non AMQP v1.0 client. AMQP,0,1,0,0
ActiveMQ then aborts the connection.
The ActiveMQ configuration includes:
<transportConnectors>
<transportConnector name="amqp" uri="amqp://0.0.0.0:5672" />
</transportConnectors>
This all looks to me like ActiveMQ expects version 1.0.0.0 and amqpnetlite sends 0.1.0.0.
Where to, from here?
By default ActiveMQ requires authentication. try
string queueName = "q1";
Connection connection = new Connection(new Address("amqp://user:pwd#localhost:5672"));
Session session = new Session(connection);
SenderLink sender = new SenderLink(session, "sender", queueName);
Message message = new Message("Hello World");
sender.Send(message);
connection.Close();
The user name and password should be in users.properties config file. Also it is recommended to use async API to avoid blocking I/O calls.
Both ActiveMQ and AMQP .NET Lite support the ISO/IEC Standard 1.0 version of AMQP. The protocol header "AMQP0100" indicates version 1.0 of the protocol. AMQP .NET Lite is known to work with ActiveMQ so I suspect you have some other configuration issue.
My assumption is that you haven't turned off the broker's enforcement of requiring the client to connect via a SASL handshake either via SASL anonymous or SASL plain depending on whether you've configured a real authentication plugin or not. I would bet that if you configured the broker by adding the options wireFormat.allowNonSaslConnections=true that it would probably work.
From the information you've provided the .NET client is not using SASL so the broker is rejecting it. The SASL header would be "AMQP3100"
We use an embedded ActiveMQ broker and create it like this(a bit simplified) :
BrokerService brokerService = new BrokerService();
brokerService.addConnector("tcp://1.2.3.4:61610");
brokerService.start();
The problem we have is that the broker is listening to the hostname instead of the IP-address and this does not work in our case. How can I force the brokerService to listen on the IP address instead of the hostname.
Here is what the log says when starting the broker:
2015-01-20 15:16:03,414 qtp833534789-27 INFO BrokerService - Apache ActiveMQ 5.10.0 (b1653842572, ID:ABC123-59162-1421763362756-0:1) is starting
2015-01-20 15:16:04,948 qtp833534789-27 INFO TransportServerThreadSupport - Listening for connections at: tcp://myhostname.mydomain.local:61610
2015-01-20 15:16:04,948 qtp833534789-27 INFO TransportConnector - Connector tcp://myhostname.mydomain.local:61610 started
A TCP listener can never listen to a DNS name. It's always bound to one or many interface(s)/IP address(es).
In this case, ActiveMQ helps you out by reverse resolving the DNS name from the IP because it's easier to understand what's going on in the logs when you read a logical DNS name rather than some number.
ActiveMQ has some code like this
protected String resolveHostName(ServerSocket socket, InetAddress bindAddress) throws UnknownHostException {
String result = null;
if (socket.isBound()) {
if (socket.getInetAddress().isAnyLocalAddress()) {
// make it more human readable and useful, an alternative to 0.0.0.0
result = InetAddressUtil.getLocalHostName();
} else {
result = socket.getInetAddress().getCanonicalHostName();
}
} else {
result = bindAddress.getCanonicalHostName();
}
return result;
}
To replace the IP with a DNS once the socket is indeed bound. I guess you have not even tried using the IP address, since it should work.
Try this:
brokerService.addConnector("tcp://0.0.0.0:61610");
I am getting below exception
org.springframework.amqp.AmqpAuthenticationException: com.rabbitmq.client.AuthenticationFailureException: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.
Configuration: RabbitMQ 3.3.5 on windows
On Config file in %APPDATA%\RabbitMQ\rabbit.config
I have done below change as per https://www.rabbitmq.com/access-control.html
[{rabbit, [{loopback_users, []}]}].
I also tried creating a user/pwd - test/test doesn't seem to make it work.
Tried the Steps from this post.
Other Configuration Details are as below:
Tomcat hosted Spring Application Context:
<!-- Rabbit MQ configuration Start -->
<!-- Connection Factory -->
<rabbit:connection-factory id="rabbitConnFactory" virtual-host="/" username="guest" password="guest" port="5672"/>
<!-- Spring AMQP Template -->
<rabbit:template id="rabbitTemplate" connection-factory="rabbitConnFactory" routing-key="ecl.down.queue" queue="ecl.down.queue" />
<!-- Spring AMQP Admin -->
<rabbit:admin id="admin" connection-factory="rabbitConnFactory"/>
<rabbit:queue id="ecl.down.queue" name="ecl.down.queue" />
<rabbit:direct-exchange name="ecl.down.exchange">
<rabbit:bindings>
<rabbit:binding key="ecl.down.key" queue="ecl.down.queue"/>
</rabbit:bindings>
</rabbit:direct-exchange>
In my Controller Class
#Autowired
RmqMessageSender rmqMessageSender;
//Inside a method
rmqMessageSender.submitToECLDown(orderInSession.getOrderNo());
In My Message sender:
import org.springframework.amqp.core.AmqpTemplate;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
#Component("messageSender")
public class RmqMessageSender {
#Autowired
AmqpTemplate rabbitTemplate;
public void submitToRMQ(String orderId){
try{
rabbitTemplate.convertAndSend("Hello World");
} catch (Exception e){
LOGGER.error(e.getMessage());
}
}
}
Above exception Block gives below Exception
org.springframework.amqp.AmqpAuthenticationException: com.rabbitmq.client.AuthenticationFailureException: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.
Error Log
=ERROR REPORT==== 7-Nov-2014::18:04:37 ===
closing AMQP connection <0.489.0> (10.1.XX.2XX:52298 -> 10.1.XX.2XX:5672):
{handshake_error,starting,0,
{amqp_error,access_refused,
"PLAIN login refused: user 'guest' can only connect via localhost",
'connection.start_ok'}}
Pls find below the pom.xml entry
<dependency>
<groupId>org.springframework.amqp</groupId>
<artifactId>spring-rabbit</artifactId>
<version>1.3.6.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.integration</groupId>
<artifactId>spring-integration-amqp</artifactId>
<version>4.0.4.RELEASE</version>
</dependency>
Please let me know if you have any thoughts/suggestions
I am sure what Artem Bilan has explained here might be one of the reasons for this error:
Caused by: com.rabbitmq.client.AuthenticationFailureException:
ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN.
For details see the
but the solution for me was that I logged in to rabbitMQ admin page (http://localhost:15672/#/users) with the default user name and password which is guest/guest then added a new user and for that new user I enabled the permission to access it from virtual host and then used the new user name and password instead of default guest and that cleared the error.
To complete #cpu-100 answer,
in case you don't want to enable/use web interface, you can create a new credentials using command line like below and use it in your code to connect to RabbitMQ.
$ rabbitmqctl add_user YOUR_USERNAME YOUR_PASSWORD
$ rabbitmqctl set_user_tags YOUR_USERNAME administrator
$ rabbitmqctl set_permissions -p / YOUR_USERNAME ".*" ".*" ".*"
user 'guest' can only connect via localhost
That's true since RabbitMQ 3.3.x. Hence you should upgrade to the same version the client library, or just upgrade Spring AMQP to the latest version (if you use dependency managent system).
Previous version of client used 127.0.0.1 as default value for the host option of ConnectionFactory.
The error
ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.
can occur if the credentials that your application is trying to use to connect to RabbitMQ are incorrect or missing.
I had this happen when the RabbitMQ credentials stored in my ASP.NET application's web.config file had a value of "" for the password instead of the actual password string value.
To allow guest access remotely, write this
[{rabbit, [{loopback_users, []}]}].
to here
c:\Users\[your user name]\AppData\Roaming\RabbitMQ\rabbitmq.config
then restart the rabbitmq windows service (Source https://www.rabbitmq.com/access-control.html)
On localhost , By default use 'amqp://guest:guest#localhost:5672'
So on a remote or hosted RabbitMQ. Let's say you have the following credentials
username: niceboy
password: notnice
host: goxha.com
port : 1597
then the uri you should pass will be
amqp://niceboy:notnice#goxha.com:1597
following the template amqp://user:pass#host:10000
if you have a vhost you can do amqp://user:pass#host:10000/vhost where the trailing vhost will be the name of your vhost
New solution:
The node module can't handle : in a password properly. Even url encoded, like it would work normally, it does not work.
Don't use typicalspecial characters from an URL in the password!
Like one of the following: : . ? + %
Original, wrong answer:
The error message clearly complains about using PLAIN, it does not mean the crendentials are wrong, it means you must use encrypted data delivery (TLS) instead of plaintext.
Changing amqp:// in the connection string to amqps:// (note the s) solves this.
just add login password to connect to RabbitMq
CachingConnectionFactory connectionFactory =
new CachingConnectionFactory("rabbit_host");
connectionFactory.setUsername("login");
connectionFactory.setPassword("password");
For me the solution was simple: the user name is case sensitive. Failing to use the correct caps will also lead to the error.
if you use the number as your password, maybe you should try to change your password using string.
I can login using deltaqin:000000 on the website, but had this while running the program. then change the password to deltaiqn. and it works.
I made exactly what #grepit made.
But I had to made some changes in my Java code:
In Producer and Receiver project I altered:
ConnectionFactory factory = new ConnectionFactory();
factory.setHost("your-host-ip");
factory.setUsername("username-you-created");
factory.setPassword("username-password");
Doing that, you are connecting an specific host as the user you have created.
It works for me!
In my case I had this error, cuz of wrongly set password (I tried to use 5672, when the actual one in my system was 5676).
Maybe this will help someone to double check ports...
I was facing this issue due to empty space at the end of the password(spring.rabbitmq.password=rabbit ) in spring boot application.properties got resolved on removing the empty space. Hope this checklist helps some one facing this issue.
For C# coder, I tried below code and It worked, may be this can help someone so posting here.
scenario- RabbitMQ queue is running on another system in local area network but I was having same error.
by default there is a "guest" user exists. but you can not access remote server's queue (rabbitMq) using "guest" user so you need to create new user, Here I created "tester001" user to access data of remote server's queue.
ConnectionFactory factory = new ConnectionFactory();
factory.UserName = "tester001";
factory.Password = "testing";
factory.VirtualHost = "/";
factory.HostName = "192.168.1.101";
factory.Port = AmqpTcpEndpoint.UseDefaultPort;
If you tried all of these answers for your issue but you still got "ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN", maybe you should remove rabbitmq and install it with a newer version.
Newer version worked for me.
Add one user and pass and connect to them. You can add 1 user via env variables (e.g., useful when Rabbit initializes in a Docker): RABBITMQ_DEFAULT_USER and RABBITMQ_DEFAULT_PASS. See more details here:
https://stackoverflow.com/a/70676040/1200914
set ConnectionFactory or Connection hostname to localhost