引入SSL时ActiveMQ错误证书

时间:2019-12-25 04:48:59

标签: ssl activemq

我正在尝试在ActiveMq中使用openwire + ssl。我正在使用rmohr / activemq提供的docker映像。

由于broker_localhost.cert过期,我运行以下命令来生成必要的文件。

keytool -genkey -alias broker -keyalg RSA -keystore broker.ks
keytool -export -alias broker -keystore broker.ks -file broker_cert
keytool -genkey -alias client -keyalg RSA -keystore client.ks
keytool -import -alias broker -keystore client.ts -file broker_cert
keytool -export -alias client -keystore client.ks -file client_cert
keytool -import -alias client -keystore broker.ts -file client_cert

然后在我添加的activemq.xml中:

<sslContext keyStore="file:${activemq.base}/certs/ActiveMq/broker.ks"
      keyStorePassword="password" trustStore="file:${activemq.base}/certs/ActiveMq/broker.ts"
      trustStorePassword="password"/>

以及:

<transportConnector name="openwire+ssl" uri="ssl://0.0.0.0:61617?transport.enabledProtocols=TLSv1"/>

运行docker compose创建ActiveMQ实例时,我将环境变量添加为:

environment:
      - ACTIVEMQ_SSL_OPTS="-Djavax.net.ssl.keyStore=/opt/activemq/certs/ActiveMq/broker.ks -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=/opt/activemq/certs/ActiveMq/broker.ts -Djavax.net.ssl.trustStorePassword=password -Djavax.net.debug=ssl,handshake"

此后,我将Windows Manage user certificates中在先前步骤中生成的broker_cert导入为Trusted Root Certification Authorities

然后我构建我的Asp.Net Core项目以访问ActiveMQ代理

var uri = new Uri(@"ssl://localhost:61617?trace=true&needClientAuth=true&transport.serverName='MoveQ Broker'");
ITransportFactory sslTransportFactory = new SslTransportFactory();
((SslTransportFactory)sslTransportFactory).SslProtocol = "Tls";
ITransport transport = sslTransportFactory.CreateTransport(uri);
_connection = new Connection(uri, transport, new IdGenerator());
((Connection)_connection).UserName = "username";
((Connection)_connection).Password = "password";
_session = _connection.CreateSession(AcknowledgementMode.AutoAcknowledge);

但是我不断得到

activemq | WARN | Transport Connection to: tcp://172.17.0.1:35356 failed: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

谁能帮我看看我可能错过了哪些步骤?

1 个答案:

答案 0 :(得分:0)

如果您只需要单向SSL,并且使用的是自签名证书,则不需要在代理上使用信任库或在客户端上使用密钥库。您只需要代理上的密钥库和客户端上的信任库。像这样生成这些资源:

keytool -genkey -keystore broker-keystore.ks
keytool -export -keystore broker-keystore.ks -file broker.cer
keytool -import -keystore client-truststore.ks -file broker.cer

然后在代理上使用broker-keystore.ks,在客户端上使用client-truststore.ks

相关问题
最新问题