activemq.packages.trust-all does not trust all SSL certificates - spring-boot

In my Spring Boot app part of my application.yml is as follows:
spring:
  activemq:
    broker-url: ssl://10.68.84.40:61617
    user: admin
    password: admin
    packages:
      trust-all: true
Where 10.68.84.40:61617 is an endpoint added to activemq.xml:
<transportConnector name="ssl" uri="ssl://0.0.0.0:61617?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
The Spring Boot official documentation is way too brief about the usage of ActiveMQ. I dug into the org.springframework.boot.autoconfigure.jms.activemq.ActiveMQProperties source code and saw that setting spring.activemq.packages.trust-all to true should trust all server certs, but it still gets sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
Then I saw another property, spring.activemq.packages.trusted, but I wonder what should be put there.
Added: using openssl, I see the CN of the server cert is just localhost. The application is calling using an IP.

The setting spring.activemq.packages.trust-all has nothing to do with SSL certificates and Spring's source code gives no indication that it does. It's related to the deserialization of JMS ObjectMessage instances. See more in the ActiveMQ "Classic" documentation.
If you really want the client to trust all SSL certificates then simply add trustAll=true to your broker-url, e.g.:
spring:
  activemq:
    broker-url: ssl://10.68.84.40:61617?trustAll=true
    ...
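Added example (not from the question or the answer above): a Spring Boot configuration class that replaces trustAll=true with an explicit truststore holding the broker's certificate, and that narrows ObjectMessage deserialization to a package allow-list instead of spring.activemq.packages.trust-all=true, which is what that property really controls. The app.activemq.* property keys, the package name and the file: URL are this example's assumptions. A certificate whose subject is localhost will not match a connection made by IP address wherever hostname verification is in effect; the fix on the broker side is a certificate whose subject alternative name lists the IP or DNS name the clients actually use.

```java
package com.example.jms; // assumed package name for this example

import java.util.Arrays;

import org.apache.activemq.ActiveMQSslConnectionFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Connection factory for ActiveMQ "Classic" over SSL that
 *  - trusts only the certificate(s) in a dedicated truststore (no trustAll=true), and
 *  - allows ObjectMessage deserialization only for named packages (no trust-all=true).
 */
@Configuration
public class ActiveMqSslConfig {

    @Bean
    public ActiveMQSslConnectionFactory activeMqSslConnectionFactory(
            // real Spring Boot keys; the broker URL carries no trustAll parameter
            @Value("${spring.activemq.broker-url}") String brokerUrl,      // e.g. ssl://10.68.84.40:61617
            @Value("${spring.activemq.user}") String user,
            @Value("${spring.activemq.password}") String password,
            // assumed keys for this example; the setter accepts a URL or a classpath resource name
            @Value("${app.activemq.trust-store}") String trustStoreUrl,   // e.g. file:///etc/activemq/broker-truststore.p12
            @Value("${app.activemq.trust-store-password}") String trustStorePassword) throws Exception {

        ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory(brokerUrl);
        factory.setUserName(user);
        factory.setPassword(password);

        // Trust anchors for the TLS handshake: only the CA (or self-signed cert) that
        // issued the broker's certificate. This is the SSL side of the question.
        factory.setTrustStore(trustStoreUrl);
        factory.setTrustStorePassword(trustStorePassword);

        // Deserialization allow-list for ObjectMessage payloads. This is what
        // spring.activemq.packages.trust-all / packages.trusted actually configure;
        // trusting all packages lets any class on the classpath be deserialized.
        factory.setTrustAllPackages(false);
        factory.setTrustedPackages(Arrays.asList("com.example.jms.model", "java.lang", "java.util"));
        return factory;
    }
}
```

Declaring your own ConnectionFactory bean makes Spring Boot's ActiveMQ auto-configuration back off, so the spring.activemq.packages.* properties are no longer applied for you; the explicit setTrustedPackages call above takes their place.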

Related

How To setup multiple mail server with failover in Spring Boot?

Sending emails from Spring Boot is as easy as possible.
spring:
  mail:
    host: <servername>
Plus some additional configuration and off you go.
We rely on an internal email provider that offers two mail servers. Instead of setting these up behind a load balancer, the consumer has to manage the failover itself.
So far, we have therefore only used one of the two servers via the Spring configuration mentioned above.
If this server has a problem, such as the current one where the TLS certificate has expired 🤦‍♂️, the Readiness Check in Spring Actuator floods the log file with error messages.
Does anyone have a solution for using multiple mail servers to provide a fallback scenario?

Tomcat [9.0.26] - Invoking secure service - TrustStore vs KeyStore Configuration Difference & Issues

Tomcat SSL configuration is a heavily queried area in our stackoverflow forums - but still, I feel the least understood despite the supposed ease of setup that Tomcat claims!
I am using Tomcat 9.0.26 and am having to consume a third party (https) webservice. There started my trouble :).
First was my blissful ignorance & Tomcat documentation piling it up. I was trying to set up keystoreFile. Only after a few attempts did I realize the difference between keystore & truststore. In simple terms, a keystore is required if you wish your application deployed on your Tomcat server to be served over the secure HTTPS protocol. A truststore is required when you wish to consume another secure HTTPS webservice by storing the certificates in your trust store. The default Tomcat SSL documentation leads you into keystore and not truststore.
So I moved on to set up the truststore:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           truststoreFile="C:\cert\myCert.p12" truststorePass="mypass" truststoreType="PKCS12"
           clientAuth="false" sslProtocol="TLS+SSLV3" />
Learnt that SSLConfig element has come into being, but Tomcat 9 still supports the old configuration defined above. My attempts at using SSLConfig were not fruitful as well and this portion seems sparingly documented.
I could not use the runtime parameters as some other services fail with the parameters below.
-Djavax.net.ssl.trustStore=C:\cert\myCert.p12 -Djavax.net.ssl.trustStorePassword=mypass -Djavax.net.ssl.trustStoreType=PKCS12
Need help with pointers on what I could try to fix this issue as the above attempts have still not been successful.
Finally resolved the issue. The above understanding of trust store was correct. However during SSL Handshake, my server needs to exchange a client authentication "key". This is where the same certificate store had to be setup as keyStore as well and post that all is working!!
-Djavax.net.ssl.trustStore=C:\cert\myCert.p12
-Djavax.net.ssl.trustStorePassword=mypass
-Djavax.net.ssl.trustStoreType=PKCS12
-Djavax.net.ssl.keyStore=C:\cert\myCert.p12
-Djavax.net.ssl.keyStorePassword=mypass
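Added example, not code from the post above: the programmatic equivalent of the two groups of -Djavax.net.ssl.* properties, which makes the keystore/truststore split visible in code. The trust store decides which remote servers the client accepts; the key store supplies the certificate and private key the client presents when the remote service requests client authentication, which is the handshake step the poster was missing. The store paths and password are the ones from the post; the service URL in main() is a placeholder.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class ClientSslContextBuilder {

    /** Loads a PKCS12 store from disk. */
    static KeyStore loadPkcs12(String path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Builds an SSLContext for an outbound HTTPS call.
     *  - trust store: the CA / server certificates we accept from the remote side (no private keys needed)
     *  - key store:   our own certificate + private key, presented only if the server asks for client auth
     * A null store path falls back to the JDK default for that role (cacerts for trust, no client cert for keys).
     */
    public static SSLContext build(String trustStorePath, char[] trustStorePassword,
                                   String keyStorePath, char[] keyStorePassword)
            throws IOException, GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStorePath == null ? null : loadPkcs12(trustStorePath, trustStorePassword));

        KeyManager[] keyManagers = null; // null = default key managers, i.e. javax.net.ssl.keyStore or none
        if (keyStorePath != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadPkcs12(keyStorePath, keyStorePassword), keyStorePassword);
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Same PKCS12 file for both roles, as the poster ended up doing. Separate files are
        // preferable in practice so the trust store never carries a private key.
        SSLContext ctx = build("C:\\cert\\myCert.p12", "mypass".toCharArray(),
                               "C:\\cert\\myCert.p12", "mypass".toCharArray());

        // Placeholder URL for the third-party service.
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://thirdparty.example/service").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Unlike the -D properties, which apply to every SSLContext in the JVM (the reason "some other service" broke for the poster), the context built here is handed only to the connections that need it.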

How Amazon MQ service works without asking client to use TrustStore and KeyStore?

When we configure SSL on standalone ActiveMQ, we may need to provide the TrustStore, TrustStore password, KeyStore and KeyStore password in client code to connect to ActiveMQ over the SSL protocol, but in the case of Amazon MQ, though they have provided an SSL endpoint, we can connect to it simply without providing the trust and key related values.
Client code snippet for Simple ActiveMQ over SSL:
ActiveMQSslConnectionFactory connFactory = new ActiveMQSslConnectionFactory("ssl://<someHost>:61617");
String trustStore = "pathTo/client_new.ts";
String keyStore = "PathTo/client_new.ks";
try {
    connFactory.setTrustStore(trustStore);
    connFactory.setTrustStorePassword("password");
    connFactory.setKeyStore(keyStore);
    connFactory.setKeyStorePassword("password");
} catch (Exception e) {
    e.printStackTrace();
}
Client code snippet for Amazon MQ over SSL:
ActiveMQConnectionFactory connFactory = new ActiveMQConnectionFactory("ssl://xyz.amazonaws.com:61617");
Basically, what makes this difference?
Firstly, Amazon MQ works on top of ActiveMQ; Amazon has written a wrapper layer over ActiveMQ, so functionality-wise it works pretty much the same. Amazon MQ is a managed message broker service for ActiveMQ.
It manages everything related to space, configuring active/passive endpoints in different regions, and some benefits mentioned in the links below.
https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/welcome.html
Other benefits of Amazon MQ are that you can set up alerts and many more as part of using other Amazon services, like upgrading the ActiveMQ version to the latest.
Now coming to your application part: one good thing was that the way you have configured ActiveMQ was via an SSL connection. ActiveMQ exposes a TCP endpoint as well, which can be connected to by simply providing the broker URL, but Amazon MQ does not expose any TCP endpoint; the only way to connect is by providing the SSL endpoint and related parameters.
Refer to this link on how an application is connected to Amazon MQ:
https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-connecting-application.html

How do I configure SSL, username and password for Spring Boot Artemis on application.properties?

I'm using Spring Boot 1.3.1 and I can auto-configure my JMS components through application.properties.
As I'm using Artemis as my message broker, I'm using spring-boot-starter-artemis, and as the documentation in this link states, all I have to do is replace the spring.hornetq.* properties with spring.artemis.* instead.
The problem is that it doesn't show how to configure the username, password and SSL configuration for HornetQ/Artemis. I configured Artemis to use SSL and user/pass authentication like it's shown here.
Does anyone know what properties I can state to add SSL and user/pass?
Thanks!
Okay, currently the Artemis Spring Boot starter is very basic, it really doesn't support clusters, SSL or client authentication.
Taking a quick look at the starter's source code in GitHub, in the ArtemisConnectionFactoryFactory.java file, at lines 127 and onwards, I will have to add the TransportConstants necessary to configure SSL, authentication, etc.
An example of a more complete connection configuration is in Artemis' test source code, in CoreClientOverTwoWaySSLTest.java, on lines 178 and onwards; there is a really complete connection setup there. So, to contribute, I have to change the Artemis auto-configuration properties to take the new property options, and add them all to ArtemisConnectionFactoryFactory.java following the example in CoreClientOverTwoWaySSLTest.java.
I'll do a fork on the starter, make the modifications, and figure out what bureaucracy is needed to submit a pull request and get it accepted on spring-boot.
Spring Boot does not support such an arrangement. Not everything should happen via properties if you ask me, but in any case a good way to find out is asking your IDE to auto-complete the keys for that namespace (you'll quickly find out there is nothing related to SSL and security in there). If you don't use an IDE, this appendix should help.
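Added example, not from the question or either answer: what a Spring bean doing the job the starter did not do looks like, an Artemis ActiveMQConnectionFactory built from a TransportConfiguration carrying the TransportConstants for SSL and a truststore, plus the user and password. The app.artemis.* property keys and the package name are assumptions made for this example; the Artemis classes and constants are the real client API the self-answer above points at.

```java
package com.example.jms; // assumed package name for this example

import java.util.HashMap;
import java.util.Map;

import org.apache.activemq.artemis.api.core.TransportConfiguration;
import org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnectorFactory;
import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
import org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Artemis JMS connection factory with TLS to the broker and credentials,
 * configured directly because the starter exposes no properties for either.
 */
@Configuration
public class ArtemisSslConfig {

    @Bean
    public ActiveMQConnectionFactory artemisConnectionFactory(
            // all keys below are this example's own (app.artemis.*), not starter properties
            @Value("${app.artemis.host}") String host,
            @Value("${app.artemis.port}") int port,
            @Value("${app.artemis.user}") String user,
            @Value("${app.artemis.password}") String password,
            @Value("${app.artemis.trust-store}") String trustStorePath,
            @Value("${app.artemis.trust-store-password}") String trustStorePassword) {

        Map<String, Object> params = new HashMap<>();
        params.put(TransportConstants.HOST_PROP_NAME, host);
        params.put(TransportConstants.PORT_PROP_NAME, port);
        // TLS settings: enable SSL and say which store holds the broker's CA / certificate.
        params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
        params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, trustStorePath);
        params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, trustStorePassword);
        // For two-way TLS (client certificate) add KEYSTORE_PATH_PROP_NAME and
        // KEYSTORE_PASSWORD_PROP_NAME here as well.

        TransportConfiguration transport =
                new TransportConfiguration(NettyConnectorFactory.class.getName(), params);

        // ha=false: a single static connector rather than a discovered cluster topology.
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(false, transport);
        // Credentials for the broker's authentication (user/pass part of the question).
        factory.setUser(user);
        factory.setPassword(password);
        return factory;
    }
}
```

Because a ConnectionFactory bean is now present, the starter's own factory is not created, so spring.artemis.host and spring.artemis.port no longer have any effect; the bean above reads its own keys instead.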

Getting the following warning message when communicating with a HTTPS Web Service: "Can not find truststore url"

I am a beginner with SSL/HTTPS. Hopefully, this isn't a dumb question.
I am writing a web service client that runs on JBOSS 4.3 which communicates with an external web service over https. I have generated the client using the wsimport tool (JAX-WS) that now comes with JDK 1.6. I am successfully able to communicate with the web service but I keep getting this warning message in the logs:
WARN [HTTPClientInvoker] Unable to create SSL Socket Factory for client invoker: Error initializing socket factory SSL context: Can not find truststore url.
From what I understand, as long as the JDK recognizes the certificate (CA) that the service provider is using, there should be no problem with the communication over https. I see that the service provider is using Equifax Secure. I checked my jdk and see that it's already there by default. I am also able to communicate with the service provider but I can't figure out why I am getting the warning message. I read elsewhere that I can potentially solve this problem by setting:
javax.net.ssl.keyStore and javax.net.ssl.trustStore in my jboss run.conf
I'm not sure why I need to do this when my jdk already trusts this certificate. Can someone explain to me why I'm getting this warning message even though my communication is going through? Also, can someone explain to me when someone should set the two configurations (javax.net.ssl.keyStore and javax.net.ssl.trustStore) above?
Thanks.
See JBoss JIRA:
Error creating SSL Socket Factory for client invoker: Error initializing socket factory SSL context: Can not find truststore url.
https://issues.jboss.org/browse/TEIID-1133?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel#issue-tabs
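Added example, not from the question or the answer: a check that makes the "my JDK already trusts this CA" reasoning concrete by validating an exported server chain against the JDK's default trust manager, which is what a client uses when javax.net.ssl.trustStore is not set. If this passes, the communication works for the reason the poster guessed, and setting javax.net.ssl.trustStore would only be needed for a CA that is not in the default store; javax.net.ssl.keyStore is needed only when the server requests a client certificate. The PEM path is an assumption.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class DefaultTrustCheck {

    /** The JDK's default X509TrustManager: backed by cacerts unless javax.net.ssl.trustStore overrides it. */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null keystore = use the platform default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Reads a PEM file holding the server certificate first, followed by its intermediates. */
    static X509Certificate[] readChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    /**
     * True if the default trust manager accepts the chain as a server chain
     * (path building to a trusted root, validity dates, key usage). This does
     * not check that the certificate's name matches the host; the socket layer does that.
     */
    static boolean isTrustedByDefault(X509Certificate[] chain) throws Exception {
        try {
            defaultTrustManager().checkServerTrusted(chain, "RSA");
            return true;
        } catch (CertificateException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Chain exported beforehand from the service (assumed path).
        X509Certificate[] chain = readChain(args.length > 0 ? args[0] : "service-chain.pem");
        System.out.println("leaf subject: " + chain[0].getSubjectX500Principal());
        System.out.println("leaf issuer:  " + chain[0].getIssuerX500Principal());
        System.out.println("trusted by JDK defaults: " + isTrustedByDefault(chain));
    }
}
```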
