
Thread: ESB ActiveMQ-based Message Broker with SSL

 


Replies: 9 - Last Post: Jan 26, 2011 10:29 AM - Last Post By: wlsi
blablablabla

Posts: 3
Registered: 01/17/11
ESB ActiveMQ-based Message Broker with SSL
Posted: Jan 17, 2011 3:21 PM
Hi there,

I've been having trouble setting up an ssl transportConnector in the ActiveMQ-based message broker within Fuse ESB - for some reason I keep getting the following exception:

org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'sslContext'. One of '{"http://activemq.apache.org/schema/core":taskRunnerFactory, "http://activemq.apache.org/schema/core":tempDataStore, "http://activemq.apache.org/schema/core":transportConnectorURIs, "http://activemq.apache.org/schema/core":transportConnectors, WC}' is expected.

The only thing I changed in the {$karaf.home}/etc/activemq-broker.xml file was adding this:

<sslContext>
  <SslContext keyStore="/opt/sia/mybroker.ks"
    keyStorePassword="test123" trustStore="/opt/sia/myclient.ts"
    trustStorePassword="test123"/>
</sslContext>

and modifying this:

<!-- The transport connectors ActiveMQ will listen to -->
<transportConnectors>
  <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
  <transportConnector name="stomp" uri="stomp://0.0.0.0:61613"/>
  <transportConnector name="ssl" uri="ssl://0.0.0.0:61617"/>
</transportConnectors>

The weirdest thing is that adding the ssl transport connector and ssl context like in the above example works fine in ActiveMQ 5.4, Fuse Message Broker (Standalone) and Apache Servicemix. Still, Fuse ESB won't work. I'm out of ideas, will be grateful for any tips, thanks.

peter

p.s. by the way, the broker namespace seems to be fine:
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="default" dataDirectory="${karaf.base}/data/activemq/default" useShutdownHook="false">

Edited by: blablablabla on Jan 17, 2011 3:22 PM

Edited by: blablablabla on Jan 17, 2011 3:47 PM
davsclaus

Posts: 1,893
Registered: 10/14/08
Re: ESB ActiveMQ-based Message Broker with SSL
Posted: Jan 17, 2011 4:09 PM   in response to: blablablabla
Hi

You have put it into the right spot. I think the XSD is ordered A..Z. So you gotta insert the xml tags alphabetically.

And what version of Fuse ESB are you using?
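
An added example, not part of the original post and not Fuse ESB code: a small Python check for the ordering rule described in this reply, run against a constructed sample that places sslContext after systemUsage. The function names are this example's own, and the case-sensitive comparison is an assumption inferred from the element list in the validator error quoted in the first post.

```python
import xml.etree.ElementTree as ET

AMQ_NS = "http://activemq.apache.org/schema/core"

# Constructed sample modelled on the first post: <sslContext> was inserted
# after <systemUsage>, just before <transportConnectors>.
SAMPLE = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="default">
    <persistenceAdapter><kahaDB directory="data/kahadb"/></persistenceAdapter>
    <systemUsage/>
    <sslContext>
      <sslContext keyStore="file:conf/broker.ks" keyStorePassword="changeit"/>
    </sslContext>
    <transportConnectors>
      <transportConnector name="ssl" uri="ssl://0.0.0.0:61617"/>
    </transportConnectors>
  </broker>
</beans>
"""

def broker_children(xml_text):
    """Local names of the direct element children of <broker>, in file order."""
    root = ET.fromstring(xml_text)
    tag = "{%s}broker" % AMQ_NS
    broker = root if root.tag == tag else root.find(".//" + tag)
    if broker is None:
        raise ValueError("no <broker> element in the ActiveMQ core namespace")
    # ElementTree drops comments by default, so only elements are returned.
    return [child.tag.rsplit("}", 1)[-1] for child in broker]

def order_violations(xml_text):
    """Return (element, preceding_sibling) pairs that break the ordering.

    Comparison is case-sensitive on purpose: the validator message quoted in
    the thread lists transportConnectorURIs before transportConnectors, which
    is code-point order ('U' < 's'), not dictionary order.
    """
    names = broker_children(xml_text)
    return [(cur, prev) for prev, cur in zip(names, names[1:]) if cur < prev]

def suggested_order(xml_text):
    """The same children sorted by code point (assumed schema order)."""
    return sorted(broker_children(xml_text))

if __name__ == "__main__":
    for cur, prev in order_violations(SAMPLE):
        print("<%s> must come before <%s>" % (cur, prev))
    print("accepted order:", ", ".join(suggested_order(SAMPLE)))
```
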
blablablabla

Posts: 3
Registered: 01/17/11
Re: ESB ActiveMQ-based Message Broker with SSL
Posted: Jan 18, 2011 9:36 AM   in response to: davsclaus
You're right, man! It was all about the alphabetical ordering of tags within the <broker>. My current sslContext looks like this:

<sslContext>
  <sslContext keyStore="${karaf.base}/etc/mybroker.ks"
    keyStorePassword="test123" trustStore="${karaf.base}/etc/myclient.ts"
    trustStorePassword="test123"/>
</sslContext>

However, there is still one little problem:

java.io.FileNotFoundException: OSGi resource[/opt/sia/apache-servicemix-4.2.0-fuse/etc/mybroker.ks|bnd.id=68|bnd.sym=activemq-broker.xml] cannot be resolved to URL because it does not exist
at org.springframework.osgi.io.OsgiBundleResource.getURL(OsgiBundleResource.java:228)
at org.springframework.osgi.io.OsgiBundleResource.getInputStream(OsgiBundleResource.java:180)
at org.apache.activemq.spring.SpringSslContext.createKeyManagerKeyStore(SpringSslContext.java:118)
at org.apache.activemq.spring.SpringSslContext.createKeyManagers(SpringSslContext.java:87)
at org.apache.activemq.spring.SpringSslContext.afterPropertiesSet(SpringSslContext.java:64)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleElement.invoke(InitDestroyAnnotationBeanPostProcessor.java:297)
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:250

I mean, of course there is no file
/opt/sia/apache-servicemix-4.2.0-fuse/etc/mybroker.ks|bnd.id=68|bnd.sym=activemq-broker.xml
but there is definitely a file called /opt/sia/apache-servicemix-4.2.0-fuse/etc/mybroker.ks

any ideas? thanks in advance,

peter

p.s. I tried different locations of the files already - within and beyond {karaf.home}. unfortunately, it does not seem to make any difference to fuse

Edited by: blablablabla on Jan 18, 2011 9:48 AM
davsclaus

Posts: 1,893
Registered: 10/14/08
Re: ESB ActiveMQ-based Message Broker with SSL
Posted: Jan 18, 2011 11:47 AM   in response to: blablablabla
Can you try with the latest release of Fuse ESB? We keep improving the product in each version, especially in terms of OSGi-related issues.
muellerc

Posts: 51
Registered: 05/06/09
Re: ESB ActiveMQ-based Message Broker with SSL
Posted: Jan 25, 2011 9:54 PM   in response to: davsclaus
Hello!

This is still an issue in FUSE ESB 4.3 (see stacktrace) and really bad for my company. We use multiple Brokers located in different countries and we have to secure our connections.
Does anyone have a workaround for this issue? Preferably in FUSE ESB 4.2.

The only possible solution I can imagine is to use the Broker as a standalone Broker (not embedded in FUSE ESB)...

22:41:22,132 | ERROR | rint Extender: 3 | BlueprintContainerImpl           | container.BlueprintContainerImpl  342 | 7 - org.apache.aries.blueprint - 0.2.0.incubating | Unable to start blueprint container for bundle activemq-broker.xml
org.osgi.service.blueprint.container.ComponentDefinitionException: Error setting property: PropertyDescriptor <name: keyStore, getter: public org.springframework.core.io.Resource org.apache.activemq.spring.SpringSslContext.getKeyStore(), setter: [public void org.apache.activemq.spring.SpringSslContext.setKeyStore(org.springframework.core.io.Resource)]
	at org.apache.aries.blueprint.container.BeanRecipe.setProperty(BeanRecipe.java:827)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.container.BeanRecipe.setProperties(BeanRecipe.java:793)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.container.BeanRecipe.setProperties(BeanRecipe.java:774)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.container.BeanRecipe.internalCreate(BeanRecipe.java:740)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.di.AbstractRecipe.create(AbstractRecipe.java:64)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.container.BeanRecipe.setProperty(BeanRecipe.java:819)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.container.BeanRecipe.setProperties(BeanRecipe.java:793)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.container.BeanRecipe.setProperties(BeanRecipe.java:774)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.container.BeanRecipe.internalCreate(BeanRecipe.java:740)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.di.AbstractRecipe.create(AbstractRecipe.java:64)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.container.BlueprintRepository.createInstances(BlueprintRepository.java:219)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.container.BlueprintRepository.createAll(BlueprintRepository.java:147)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.container.BlueprintContainerImpl.instantiateEagerComponents(BlueprintContainerImpl.java:624)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.container.BlueprintContainerImpl.doRun(BlueprintContainerImpl.java:315)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.container.BlueprintContainerImpl.run(BlueprintContainerImpl.java:213)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)[:1.6.0_22]
	at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)[:1.6.0_22]
	at java.util.concurrent.FutureTask.run(FutureTask.java:138)[:1.6.0_22]
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:98)[:1.6.0_22]
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:206)[:1.6.0_22]
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)[:1.6.0_22]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)[:1.6.0_22]
	at java.lang.Thread.run(Thread.java:680)[:1.6.0_22]
Caused by: java.lang.Exception: Unable to convert value /Applications/apache-servicemix-4.3.0-fuse-03-00/etc/mybroker.ks to type interface org.springframework.core.io.Resource. Type interface org.springframework.core.io.Resource is an interface or an abstract class
	at org.apache.aries.blueprint.container.AggregateConverter.createObject(AggregateConverter.java:286)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.container.AggregateConverter.convertFromString(AggregateConverter.java:280)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.container.AggregateConverter.convert(AggregateConverter.java:151)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.container.BlueprintRepository.convert(BlueprintRepository.java:373)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.utils.ReflectionUtils$PropertyDescriptor.convert(ReflectionUtils.java:318)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.utils.ReflectionUtils$MethodPropertyDescriptor.internalSet(ReflectionUtils.java:416)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.utils.ReflectionUtils$PropertyDescriptor.set(ReflectionUtils.java:302)[7:org.apache.aries.blueprint:0.2.0.incubating]
	at org.apache.aries.blueprint.container.BeanRecipe.setProperty(BeanRecipe.java:825)[7:org.apache.aries.blueprint:0.2.0.incubating]
	... 22 more


Thanks in advance,
Christian
muellerc

Posts: 51
Registered: 05/06/09
Re: ESB ActiveMQ-based Message Broker with SSL
Posted: Jan 25, 2011 10:02 PM   in response to: muellerc
I also tried to prefix the resource with "file:", but got the same exception:

<sslContext>
  <sslContext keyStore="file:${karaf.base}/etc/mybroker.ks"
    keyStorePassword="test123"
    trustStore="file:${karaf.base}/etc/mybroker.ts"
    trustStorePassword="test123" />
</sslContext>


I use the sslContext configuration from the "ActiveMQ in Action" book and copied the broker.ks and broker.ts from my apache-activemq-5.4.2-fuse-00-00 installation.

Christian
muellerc

Posts: 51
Registered: 05/06/09
Re: ESB ActiveMQ-based Message Broker with SSL
Posted: Jan 25, 2011 10:34 PM   in response to: muellerc
I have had no luck configuring apache-activemq-5.4.2-fuse-00-00 with ssl. It starts and stops immediately without any log entry. Damn...

My configuration was:

<sslContext>
    <sslContext keyStore="${activemq.base}/etc/mybroker.ks"
                keyStorePassword="test123" />
</sslContext>

<transportConnectors>
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61617"/>
</transportConnectors>


Christian
davsclaus

Posts: 1,893
Registered: 10/14/08
Re: ESB ActiveMQ-based Message Broker with SSL
Posted: Jan 26, 2011 6:50 AM   in response to: muellerc
There is an AMQ security guide
http://fusesource.com/docs/broker/5.4/security/index.html

And an ESB security guide
http://fusesource.com/docs/esb/4.3/esb_security/index.html

There may be details in those that can help.

If you have a FuseSource subscription you can use those channels to get help faster and have people actively helping you out.
wlsi

Posts: 4
Registered: 08/14/09
Re: ESB ActiveMQ-based Message Broker with SSL
Posted: Jan 26, 2011 10:06 AM   in response to: davsclaus
Thanks for the links. I used the configuration described in [1] to configure my default activemq-broker.xml to use SSL without any luck. I got the same exception.
I raised a 'private' JIRA for it [2].

[1] http://fusesource.com/docs/esb/4.3/esb_security/SecureBroker-SSL.html
[2] http://fusesource.com/issues/browse/DEV-2921

Christian
wlsi

Posts: 4
Registered: 08/14/09
Re: ESB ActiveMQ-based Message Broker with SSL
Posted: Jan 26, 2011 10:29 AM   in response to: davsclaus
I had success configuring a standalone ActiveMQ Broker with help from this tutorial [1]:

ActiveMQ Broker configuration:
<beans
  xmlns="http://www.springframework.org/schema/beans"
  xmlns:amq="http://activemq.apache.org/schema/core"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
  http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
 
    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="locations">
            <value>file:${activemq.base}/conf/credentials.properties</value>
        </property>      
    </bean>
 
    <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost" dataDirectory="${activemq.base}/data" destroyApplicationContextOnStop="true">
              
        <destinationPolicy>
            <policyMap>
              <policyEntries>
                <policyEntry topic=">" producerFlowControl="true" memoryLimit="1mb">
                  <pendingSubscriberPolicy>
                    <vmCursor />
                  </pendingSubscriberPolicy>
                </policyEntry>
                <policyEntry queue=">" producerFlowControl="true" memoryLimit="1mb">
                </policyEntry>
              </policyEntries>
            </policyMap>
        </destinationPolicy>         
 
        <managementContext>
            <managementContext createConnector="false"/>
        </managementContext>
 
        <persistenceAdapter>
            <kahaDB directory="${activemq.base}/data/kahadb"/>
        </persistenceAdapter>
 
		
        <sslContext>
            <sslContext keyStore="file:${activemq.base}/conf/broker.ks"
                        keyStorePassword="password"
                        trustStore="file:${activemq.base}/conf/broker.ts"
                        trustStorePassword="password"/>
        </sslContext>
 
        <transportConnectors>
            <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
            <transportConnector name="ssl" uri="ssl://0.0.0.0:61617"/>
        </transportConnectors>
 
    </broker>
 
    <import resource="jetty.xml"/>
    
</beans>


activemq-broker.xml configuration in FUSE ESB 4.3:
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
           xmlns:amq="http://activemq.apache.org/schema/core">
 
    <!-- Allows us to use system properties as variables in this configuration file -->
    <ext:property-placeholder />
 
    <bean id="activemqConnectionFactory" class="org.apache.activemq.ActiveMQConnectionFactory">
 
        <property name="brokerURL" value="ssl://localhost:61617" />
    </bean>
 
    <bean id="pooledConnectionFactory" class="org.apache.activemq.pool.PooledConnectionFactory">
        <property name="maxConnections" value="8" />
        <property name="connectionFactory" ref="activemqConnectionFactory" />
    </bean>
 
    <bean id="resourceManager" class="org.apache.activemq.pool.ActiveMQResourceManager" init-method="recoverResource">
          <property name="transactionManager" ref="transactionManager" />
          <property name="connectionFactory" ref="activemqConnectionFactory" />
          <property name="resourceName" value="activemq.default" />
    </bean>
 
    <reference id="transactionManager" interface="javax.transaction.TransactionManager" />
 
    <service ref="pooledConnectionFactory" interface="javax.jms.ConnectionFactory">
        <service-properties>
            <entry key="name" value="localhost"/>
        </service-properties>
    </service>
</blueprint>


I could start the Broker and the ESB without any exceptions.

[1] http://fusesource.com/docs/broker/5.4/security/SSL-Tutorial.html

Christian