如何通过 localhost 将 SSL 与 ActiveMQ 一起使用

Question

我正在尝试通过 SSL/TLS 在本地连接到 activeMQ 消息代理，但无法使身份验证正常工作。

我已经关注了 activeMQ 站点上关于 SSL 的 instructions，并且我已经关注了这个其他用户解决方案的 example。我已将 activemq.xml 设置如下：

   <transportConnectors>
       <transportConnector name="ssl" uri="ssl://0.0.0.0:61714?trace=true&amp;needClientAuth=true"/>
   </transportConnectors>

和：

   <sslContext>
      <sslContext keyStore="file:/home/tom/apache-activemq-5.15.8/conf/broker.ks" 
            keyStorePassword="password" 
            trustStore="file:/home/tom/apache-activemq-5.15.8/conf/client.ks" 
            trustStorePassword="password" />
   </sslContext>

然后，我将以下代码作为可运行 JAR 文件运行在 activeMQ 基目录中：

    public static void main(String[] args) throws Exception {

        String uri = "ssl://0.0.0.0:61714";
        ActiveMQSslConnectionFactory connectionFactory = new ActiveMQSslConnectionFactory(uri);

        System.out.println("about to create the connection");
        Connection connection = connectionFactory.createConnection();
        System.out.println("about to start the connection");
        connection.start();

    }

使用以下参数，在 activeMQ 基本目录中运行：

java -jar -Djavax.net.ssl.keyStore=conf/client.ks -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=conf/client.ts "App.jar"

同时运行 activemq 控制台。这是来自 JAR 的错误堆栈跟踪的顶部：

about to create the connection 
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.apache.activemq.util.IntrospectionSupport (file:/home/tom/apache-activemq-5.15.8/App_lib/activemq-all-5.15.8.jar) to method sun.security.ssl.SSLSocketImpl.setHost(java.lang.String)
WARNING: Please consider reporting this to the maintainers of org.apache.activemq.util.IntrospectionSupport
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Exception in thread "main" javax.jms.JMSException: Could not connect to broker URL: ssl://0.0.0.0:61714. Reason: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

这是来自 activeMQ 控制台的堆栈顶部：

 INFO | Connector ssl started
 INFO | Apache ActiveMQ 5.15.8 (localhost, ID:toms-HP-Notebook-PC-37849-1548377226145-0:1) started
 INFO | For help or more information please see: http://activemq.apache.org
 INFO | No Spring WebApplicationInitializer types detected on classpath
 INFO | ActiveMQ WebConsole available at http://0.0.0.0:8161/
 INFO | ActiveMQ Jolokia REST API available at http://0.0.0.0:8161/api/jolokia/
 INFO | Initializing Spring FrameworkServlet 'dispatcher'
 INFO | No Spring WebApplicationInitializer types detected on classpath
 INFO | jolokia-agent: Using policy access restrictor classpath:/jolokia-access.xml
ERROR | Could not accept connection from tcp://127.0.0.1:38482 : {}
javax.net.ssl.SSLException: Received fatal alert: internal_error
    at java.base/sun.security.ssl.Alerts.getSSLException(Alerts.java:214)[:]
    at java.base/sun.security.ssl.Alerts.getSSLException(Alerts.java:159)[:]
    at java.base/sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2046)[:]
    at java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1207)[:]
    at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074)[:]
    at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)[:]

我不确定我是否对 activeMQ 有根本的误解，或者我在某处遗漏了一个小细节。

Answer 1

在您的 activemq.xml 配置 sslContext 元素中，您在 trustStore 属性中指定了不正确的文件。

它应该在这个属性上指定 broker.ts 而不是 client.ks

此属性用于代理指定其信任的客户端公共证书的信任库。它用于 ssl 相互身份验证，其中代理根据客户端证书是否受信任对客户端连接进行身份验证。