I am trying to implement certificate-based authentication for JBoss AMQ 7.0.1. I have set up the client and broker side according to the AMQ example "ssl-enabled-dual-authentication", but I am getting the following error:

[org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager] Couldn't validate user: javax.security.auth.login.FailedLoginException: User is null

I am trying this using the Apache Qpid AMQP 1.0 client. Though I have configured the cert-based login configuration, it seems the JAAS PropertiesLoginModule is being invoked.

Following is the server stack trace:

14:24:03,324 DEBUG [org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager] Couldn't validate user: javax.security.auth.login.FailedLoginException: User is null
    at org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule.login(PropertiesLoginModule.java:89) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_131]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_131]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_131]
    at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_131]
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) [rt.jar:1.8.0_131]
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) [rt.jar:1.8.0_131]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) [rt.jar:1.8.0_131]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) [rt.jar:1.8.0_131]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_131]
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.8.0_131]
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587) [rt.jar:1.8.0_131]
    at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:185) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
    at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.validateUser(ActiveMQJAASSecurityManager.java:94) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
    at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:128) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
    at org.apache.activemq.artemis.protocol.amqp.broker.AMQPConnectionCallback.isSupportsAnonymous(AMQPConnectionCallback.java:104) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
    at org.apache.activemq.artemis.protocol.amqp.broker.AMQPConnectionCallback.getSASLMechnisms(AMQPConnectionCallback.java:92) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
    at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onAuthInit(AMQPConnectionContext.java:315) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
    at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatchAuth(ProtonHandler.java:309) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
    at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:204) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
    at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:120) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
    at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:138) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
    at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:628) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
    at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:69) [artemis-core-client-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:350) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.handler.codec.ByteToMessageDecoder.handlerRemoved(ByteToMessageDecoder.java:219) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.channel.DefaultChannelPipeline.callHandlerRemoved0(DefaultChannelPipeline.java:631) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.channel.DefaultChannelPipeline.remove(DefaultChannelPipeline.java:468) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.channel.DefaultChannelPipeline.remove(DefaultChannelPipeline.java:428) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at org.apache.activemq.artemis.core.protocol.ProtocolHandler$ProtocolDecoder.decode(ProtocolHandler.java:185) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at org.apache.activemq.artemis.core.protocol.ProtocolHandler$ProtocolDecoder.channelRead(ProtocolHandler.java:128) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:350) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1066) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:900) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:350) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:972) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:386) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:302) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
    at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_131]

greja

1 Answer

Certificate based authentication is not implemented for AMQP clients. Authentication for AMQP clients is implemented via SASL and the only implemented SASL mechanisms are PLAIN and ANONYMOUS. I'm not aware of a SASL mechanism that supports authentication via SSL certificate.

To be clear, certificate based authentication is currently implemented for "core", OpenWire, STOMP, & MQTT clients (none of which use SASL).

Justin Bertram
  • Can you please add tag 'jbossamq', as it is not available here. – greja Sep 13 '17 at 14:56
  • Your question is already tagged with "jboss-amq". The tag "jbossamq" is completely inactive. I'm not clear on what you're requesting. – Justin Bertram Sep 13 '17 at 19:09
  • This link: https://developer.jboss.org/thread/275959 mentions posting the question with the proper tag. And this link: https://developers.redhat.com/articles/how-to-post-tag-question-stack-overflow/ says the proper tag for JBoss AMQ is 'jbossamq'. – greja Sep 14 '17 at 03:12
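
A client-side setup consistent with the answer above, as an added example that is not part of the original post or the AMQ project's code: a Qpid JMS (AMQP 1.0) client presents its certificate in the TLS handshake only and identifies itself to the broker with SASL PLAIN credentials. The host, port, store paths, environment variable names and the existence of a matching user in the broker's login module are assumptions.

```java
import java.net.URLEncoder;
import javax.jms.Connection;
import org.apache.qpid.jms.JmsConnectionFactory;

// Added example: the certificate secures the transport, SASL PLAIN carries the identity.
public class AmqpTlsPlainClient {

    // Read a required secret from the environment (variable names are assumptions).
    static String env(String name) {
        String value = System.getenv(name);
        if (value == null) throw new IllegalStateException("missing env var " + name);
        return value;
    }

    // URL-encode an option value so passwords containing '&' or '=' survive in the URI.
    static String enc(String value) throws Exception {
        return URLEncoder.encode(value, "UTF-8");
    }

    // Build an amqps:// URI with the Qpid JMS transport.* and amqp.* options.
    static String brokerUri(String host, int port, String keyStore, String keyPass,
                            String trustStore, String trustPass) throws Exception {
        return "amqps://" + host + ":" + port
            + "?transport.keyStoreLocation=" + enc(keyStore)      // client certificate
            + "&transport.keyStorePassword=" + enc(keyPass)
            + "&transport.trustStoreLocation=" + enc(trustStore)  // broker certificate
            + "&transport.trustStorePassword=" + enc(trustPass)
            + "&transport.verifyHost=true"
            + "&amqp.saslMechanisms=PLAIN";                       // never fall back to ANONYMOUS
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host, port and store paths.
        String uri = brokerUri("broker.example.com", 5671,
            "/etc/amq-client/client.jks", env("KEYSTORE_PASSWORD"),
            "/etc/amq-client/truststore.jks", env("TRUSTSTORE_PASSWORD"));

        // Username and password travel in the SASL PLAIN exchange inside the TLS tunnel.
        JmsConnectionFactory factory =
            new JmsConnectionFactory(env("AMQ_USER"), env("AMQ_PASSWORD"), uri);

        Connection connection = factory.createConnection();
        try {
            connection.start(); // triggers the TLS handshake and SASL authentication
            System.out.println("Connected: TLS transport, SASL PLAIN identity");
        } finally {
            connection.close();
        }
    }
}
```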