activemq-artemisjboss-amq

Red Hat AMQ 7.0.1 certificate based authentication failed


I am trying to implement certificate based authentication for Red Hat AMQ 7.0.1. I have setup client and broker side according to AMQ example "ssl-enabled-dual-authentication," but I am getting following error:

[org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager] Couldn't validate user:
javax.security.auth.login.FailedLoginException: User is null

I am trying using Apache Qpid AMQP1.0 client. Though I have configured cert base login configuration, but it seems jaas PropertiesLoginModule is being invoked.

Following is server stack trace.

14:24:03,324 DEBUG [org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager] Couldn't validate user:
javax.security.auth.login.FailedLoginException: User is null
     at org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule.login(PropertiesLoginModule.java:89) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_131]
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_131]
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_131]
     at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_131]
     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) [rt.jar:1.8.0_131]
     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) [rt.jar:1.8.0_131]
     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) [rt.jar:1.8.0_131]
     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) [rt.jar:1.8.0_131]
     at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_131]
     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.8.0_131]
     at javax.security.auth.login.LoginContext.login(LoginContext.java:587) [rt.jar:1.8.0_131]
     at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:185) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
     at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.validateUser(ActiveMQJAASSecurityManager.java:94) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
     at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:128) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
     at org.apache.activemq.artemis.protocol.amqp.broker.AMQPConnectionCallback.isSupportsAnonymous(AMQPConnectionCallback.java:104) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
     at org.apache.activemq.artemis.protocol.amqp.broker.AMQPConnectionCallback.getSASLMechnisms(AMQPConnectionCallback.java:92) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
     at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onAuthInit(AMQPConnectionContext.java:315) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
     at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatchAuth(ProtonHandler.java:309) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
     at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:204) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
     at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:120) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
     at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:138) [artemis-amqp-protocol-2.0.0.amq-700008-redhat-2.jar:]
     at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:628) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
     at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:69) [artemis-core-client-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:350) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.handler.codec.ByteToMessageDecoder.handlerRemoved(ByteToMessageDecoder.java:219) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.DefaultChannelPipeline.callHandlerRemoved0(DefaultChannelPipeline.java:631) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.DefaultChannelPipeline.remove(DefaultChannelPipeline.java:468) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.DefaultChannelPipeline.remove(DefaultChannelPipeline.java:428) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at org.apache.activemq.artemis.core.protocol.ProtocolHandler$ProtocolDecoder.decode(ProtocolHandler.java:185) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
     at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at org.apache.activemq.artemis.core.protocol.ProtocolHandler$ProtocolDecoder.channelRead(ProtocolHandler.java:128) [artemis-server-2.0.0.amq-700008-redhat-2.jar:2.0.0.amq-700008-redhat-2]
     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:350) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1066) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:900) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:350) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:972) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:386) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:302) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873) [netty-all-4.1.5.Final-redhat-1.jar:4.1.5.Final-redhat-1]
     at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_131]

Solution

  • Certificate based authentication is not implemented for AMQP clients. Authentication for AMQP clients is implemented via SASL and the only implemented SASL mechanisms are PLAIN and ANONYMOUS. I'm not aware of a SASL mechanism that supports authentication via SSL certificate.

    To be clear, certificate based authentication is currently implemented for "core", OpenWire, STOMP, & MQTT clients (none of which use SASL).