[英]How to configure HermesJMS to use a specific client certificate when connecting via SSL?
I have a Spring Boot Application that I've created instantiates an instance of ActiveMqSslBroker.我创建了一个 Spring 引导应用程序,它实例化了 ActiveMqSslBroker 的一个实例。 I am attempting to connect to this broker using HermesJMS as a client.我正在尝试使用 HermesJMS 作为客户端连接到该代理。
I've configured the connection factory in Hermes as follows:我在 Hermes 中配置了连接工厂如下:
The broker is configured in my spring-boot application as follows:代理在我的 spring-boot 应用程序中配置如下:
The broker is rejecting the connection requests from Hermes with the following error:代理拒绝来自 Hermes 的连接请求,并出现以下错误:
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
So apparently HermesJMS is not sending the client certificate that is contained in its configured keyStore.所以显然 HermesJMS 没有发送包含在其配置的 keyStore 中的客户端证书。 Does the key have to have a specific alias to be picked up and used by Hermes?钥匙是否必须有一个特定的别名才能被 Hermes 拾取和使用? Is there a property I can set to specify the alias from the keyStore to use?我可以设置一个属性来指定要使用的 keyStore 的别名吗?
Turns out it was user error.原来是用户错误。 I had a couple of different session configured, and while flipping back and forth between my IDE and Hermes, I somehow ended up testing on a session that was using the wrong connection factory.我配置了几个不同的 session,在我的 IDE 和 Hermes 之间来回切换时,我不知何故最终在 Z21D6F40CFB511982E4424E0E250A9557 的连接上进行了测试。
After switching to the right session, things started to work.切换到右侧 session 后,事情开始起作用了。
For completeness here is how I got things working:为了完整起见,这是我如何使事情正常进行的:
In my Spring-Boot application I defined my BrokerService bean as follows:在我的 Spring-Boot 应用程序中,我定义了我的 BrokerService bean,如下所示:
@Bean
public BrokerService broker(
@Value("${spring.activemq.broker-url}") String brokerUrl,
@Qualifier("brokerTrustManagerFactory") TrustManagerFactory trustManagerFactory,
@Qualifier("brokerKeyManagerFactory") KeyManagerFactory keyManagerFactory,
@Qualifier("secureRandom") SecureRandom secureRandom
){
SslBrokerService brokerService = new SslBrokerService();
brokerService.addSslConnector(
brokerUrl,
keyManagerFactory.getKeyManagers(),
trustManagerFactory.getTrustManagers(),
secureRandom
);
return brokerService;
}
Here is how a connection factory could be configured in a client application:以下是如何在客户端应用程序中配置连接工厂:
@Bean
ConnectionFactory connectionFactory(
@Value("${spring.activemq.broker-url}") String brokerUrl,
@Value("${spring.activemq.trustStorePath}") String trustStorePath,
@Value("${spring.activemq.trustStorePass}") String trustStorePass,
@Value("${spring.activemq.keyStorePath}") String keyStorePath,
@Value("${spring.activemq.keyStorePass}") String keyStorePass,
@Value("${client.key.pass}") String clientKeyPass
) {
ActiveMQSslConnectionFactory connectionFactory =
new ActiveMQSslConnectionFactory(brokerUrl);
connectionFactory.setTrustStore(trustStorePath);
connectionFactory.setTrustStorePassword(trustStorePass);
connectionFactory.setTrustStoreType("PKCS12");
connectionFactory.setKeyStore(keyStorePath);
connectionFactory.setKeyStorePassword(keyStorePass);
connectionFactory.setKeyStoreKeyPassword(clientKeyPass);
connectionFactory.setKeyStoreType("PKCS12");
return connectionFactory;
}
Hopefully someone will find this answer useful.希望有人会发现这个答案很有用。 Please note, the "spring.activemq.*" property names are not official property names recognized by Spring-Boot.请注意,“spring.activemq.*”属性名称不是 Spring-Boot 认可的官方属性名称。 They're just names that seemed to be used by a lot of the spring-boot activemq tutorials on the web.它们只是 web 上的许多 spring-boot activemq 教程似乎使用的名称。
Thanks, Dave谢谢,戴夫
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.