TechQA.

Red Hat AMQ 7.0.1 certificate based authentication failed

259 views Asked by At

I am trying to implement certificate based authentication for Red Hat AMQ 7.0.1. I have setup client and broker side according to AMQ example "ssl-enabled-dual-authentication," but I am getting following error:

[org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager] Couldn't validate user:
javax.security.auth.login.FailedLoginException: User is null

I am trying using Apache Qpid AMQP1.0 client. Though I have configured cert base login configuration, but it seems jaas PropertiesLoginModule is being invoked.

Following is server stack trace.

14:24:03,324 DEBUG [org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager] Couldn't validate user:
javax.security.auth.login.FailedLoginException: User is null
     at org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule.login(PropertiesLoginModule.java:89) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_131]
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_131]
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_131]
     at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_131]
     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) [rt.jar:1.8.0_131]
     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) [rt.jar:1.8.0_131]
     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) [rt.jar:1.8.0_131]
     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) [rt.jar:1.8.0_131]
     at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_131]
     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.8.0_131]
     at javax.security.auth.login.LoginContext.login(LoginContext.java:587) [rt.jar:1.8.0_131]
     at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:185) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
     at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.validateUser(ActiveMQJAASSecurityManager.java:94) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
     at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:128) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
     at org.apache.activemq.artemis.protocol.amqp.broker.AMQPConnectionCallback.isSupportsAnonymous(AMQPConnectionCallback.java:104) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
     at org.apache.activemq.artemis.protocol.amqp.broker.AMQPConnectionCallback.getSASLMechnisms(AMQPConnectionCallback.java:92) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
     at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onAuthInit(AMQPConnectionContext.java:315) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
     at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatchAuth(ProtonHandler.java:309) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
     at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:204) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
     at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:120) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
     at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:138) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
     at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:628) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
     at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:69) [artemis-core-client-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:350) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.handler.codec.ByteToMessageDecoder.handlerRemoved(ByteToMessageDecoder.java:219) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.DefaultChannelPipeline.callHandlerRemoved0(DefaultChannelPipeline.java:631) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.DefaultChannelPipeline.remove(DefaultChannelPipeline.java:468) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.DefaultChannelPipeline.remove(DefaultChannelPipeline.java:428) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at org.apache.activemq.artemis.core.protocol.ProtocolHandler$ProtocolDecoder.decode(ProtocolHandler.java:185) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
     at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at org.apache.activemq.artemis.core.protocol.ProtocolHandler$ProtocolDecoder.channelRead(ProtocolHandler.java:128) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:350) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1066) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:900) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:350) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:972) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:386) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:302) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_131]
activemq-artemis jboss-amq
Original Q&A
1

There are 1 answers

3
Justin Bertram On BEST ANSWER

Certificate based authentication is not implemented for AMQP clients. Authentication for AMQP clients is implemented via SASL and the only implemented SASL mechanisms are PLAIN and ANONYMOUS. I'm not aware of a SASL mechanism that supports authentication via SSL certificate.

To be clear, certificate based authentication is currently implemented for "core", OpenWire, STOMP, & MQTT clients (none of which use SASL).

Related Questions in ACTIVEMQ-ARTEMIS

Related Questions in JBOSS-AMQ

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions