
I am using stomp.py to establish a STOMP 1.2 SSL connection to an ActiveMQ-Artemis/2.7.0.redhat-00056 ActiveMQ Artemis Messaging Engine. I have no control over the server and I was given the following instructions. (I am the Subscriber referred to below.)

Other party will provide a Trust Store file, a Certificate file and a pair of User ID and Password to each Subscriber. Depending on the subscriber system’s requirement, the subscriber might need to import the Certificate file into its server Certificate Store or Subscriber might need to embed the Trust Store file into its connection coding.

  1. Do I need any AMQ/Artemis configurations to embed the certificates? Or can I just pass in the required files through the set_ssl method found in http://jasonrbriggs.github.io/stomp.py/stomp.html#module-stomp.connect?
  2. The files I received were broker_cert.cer.txt and client.ts. I am not sure how to use them. I have seen the answer in https://stackoverflow.com/a/50774783/16235794 and it makes it sound like I would need to generate the .key and .pem files. But if I am generating the files, how exactly is the other party supposed to verify them? What files should I be receiving from the other party for authentication purposes?

1 Answer

The stomp.py library doesn't validate the server certificate by default, so invoking the set_ssl method just with the server address should work, i.e.:

conn.set_ssl([('127.0.0.1', 62614)])

Invoke the set_ssl method with the PEM server certificate to validate the server certificate, i.e.:

conn.set_ssl([('localhost', 62614)], ca_certs='broker_cert.pem')

Use the keytool tool to export the PEM server certificate from the client.ts trust store, or request it from the other party.

keytool -keystore client.ts -storepass <STORE_PASSWORD> -alias <ALIAS> -exportcert -rfc > broker_cert.pem

See test_ssl.py for further details.

  • So setting `ca_certs` didn't work. I am seeing this error - ` Could not connect to host HOST, port PORT`. Also, `broker_cert.cer.txt` is columns of alphanumeric text. That's different from a `.pem` file. Should the other party give me a `.pem` file? – humaira.anjumi Aug 05 '21 at 02:49
  • I guess `broker_cert.cer.txt` file is not a PEM certificate. Use the keytool tool to export the PEM server certificate from the client.ts trust store or request it from the other party. See my updated answer for further details. – Domenico Francesco Bruscino Aug 05 '21 at 09:54
  • Thanks for the command. Is the `-storepass` supposed to be given by the other party? And I am not sure what the `alias` should be in this case. Can I choose any `alias` I want? – humaira.anjumi Aug 05 '21 at 21:38
  • The stores can include multiple certificates so you need an alias to identify them. The other party should provide the alias and the password used to create the `client.ts` trust store. Maybe your store has no password so remove the `-storepass` parameter and use the `-list` command to see the aliases and certificates included in the store, i.e. `keytool -v -list -keystore client.ts`. An alternative tool with the GUI is [KeyStore Explorer](https://keystore-explorer.org/). – Domenico Francesco Bruscino Aug 06 '21 at 04:17
  • Thanks! I will explore these options. – humaira.anjumi Aug 06 '21 at 15:18
  • Hi. Sorry no updates yet. Will probably not get to it for a couple more weeks. – humaira.anjumi Aug 23 '21 at 19:42
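The thread above turns on two points: `ca_certs` only helps if it points at a PEM-encoded certificate, and a file that is "columns of alphanumeric text" may be a bare base64 DER blob, raw DER, or a Java trust store rather than PEM. The following added example (not part of the question, the answer, or stomp.py itself) classifies a certificate file with the standard library only, converts DER or bare-base64 DER into the PEM form that `ca_certs` expects, refuses a JKS store (which still has to go through `keytool -exportcert -rfc` as the answer shows), and then wires the result into `set_ssl`. The stomp.py call in `connect_with_validation` assumes the `set_ssl(for_hosts=..., ca_certs=...)` signature from the linked docs; the host, port, credentials and the sample byte strings are constructed placeholders, not real certificate material.

```python
import base64
import binascii
import re
import ssl

# Java keystores (JKS) start with this magic number; PEM has text armour.
JKS_MAGIC = b"\xfe\xed\xfe\xed"
PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def _looks_binary(data: bytes) -> bool:
    """True if the first bytes contain anything outside printable ASCII."""
    return any(b > 0x7E or (b < 0x20 and b not in (9, 10, 13)) for b in data[:64])


def classify_cert_file(data: bytes) -> str:
    """Return 'pem', 'jks', 'der', 'base64-der' or 'unknown' for a file's bytes."""
    if PEM_BLOCK.search(data):
        return "pem"
    if data.startswith(JKS_MAGIC):
        return "jks"
    # A DER certificate is an ASN.1 SEQUENCE, tag 0x30, in a binary file.
    if data[:1] == b"\x30" and _looks_binary(data):
        return "der"
    # "Columns of alphanumeric text" is often base64 DER with no PEM header/footer.
    try:
        raw = base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return "base64-der" if raw[:1] == b"\x30" else "unknown"


def to_pem(data: bytes) -> str:
    """Produce the PEM text that stomp.py's ca_certs parameter expects."""
    kind = classify_cert_file(data)
    if kind == "pem":
        # Keep only the certificate blocks; stray text around them is dropped.
        return b"\n".join(PEM_BLOCK.findall(data)).decode("ascii") + "\n"
    if kind == "der":
        return ssl.DER_cert_to_PEM_cert(data)
    if kind == "base64-der":
        return ssl.DER_cert_to_PEM_cert(base64.b64decode(b"".join(data.split())))
    if kind == "jks":
        raise ValueError(
            "Java trust store: export the CA with "
            "keytool -keystore client.ts -alias <ALIAS> -exportcert -rfc > broker_cert.pem"
        )
    raise ValueError("unrecognised certificate encoding")


def pem_to_der(pem: str) -> bytes:
    """Inverse conversion, useful to check that nothing was lost."""
    return ssl.PEM_cert_to_DER_cert(pem)


def pem_loads_as_ca(pem: str) -> bool:
    """True only if OpenSSL accepts the PEM as a real X.509 certificate."""
    ctx = ssl.create_default_context()
    try:
        ctx.load_verify_locations(cadata=pem)
        return True
    except (ssl.SSLError, ValueError):
        return False


def connect_with_validation(host: str, port: int, ca_pem_path: str, user: str, password: str):
    """Open a STOMP-over-TLS session that verifies the broker against ca_pem_path.

    Without ca_certs, stomp.py encrypts the link but does not check who is on
    the other end, which is what the accepted answer describes.
    """
    import stomp  # assumed installed; imported lazily so the helpers above run without it

    conn = stomp.Connection([(host, port)])
    conn.set_ssl(for_hosts=[(host, port)], ca_certs=ca_pem_path)
    conn.connect(user, password, wait=True)
    return conn


# Constructed sample inputs: a tiny ASN.1 SEQUENCE standing in for DER, and the
# same bytes as bare base64 text. They are placeholders, not certificates.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_B64_TEXT = base64.b64encode(SAMPLE_DER) + b"\n"
SAMPLE_JKS = JKS_MAGIC + b"\x00\x00\x00\x02"


if __name__ == "__main__":
    for name, blob in (("der", SAMPLE_DER), ("b64", SAMPLE_B64_TEXT), ("jks", SAMPLE_JKS)):
        print(name, "->", classify_cert_file(blob))
    print(to_pem(SAMPLE_DER))
```

Run `to_pem` on the bytes of `broker_cert.cer.txt`; if it reports `base64-der`, writing the returned text to `broker_cert.pem` gives a file that `ca_certs` can consume. `pem_loads_as_ca` then tells you whether OpenSSL actually parses it before you spend time on connection errors, and `classify_cert_file` returning `jks` for `client.ts` means the `keytool` step from the answer is still required.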