Securing activemq on Wildfly 10

Question

I'm trying to configure the messaging-activemq subsystem to use https instead of http (to completely eliminate use of http).

I've read: https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/7.0/single/configuring-messaging/#securing-remote-connections-jms-server

In the Wildfly configuration file, the messaging-activemq subsystem, I've updated the http-connector, http-connector-throughput, http-acceptor, and http-acceptor-throughput to use https. The Wildfly server starts up without errors. However, when I try to connect from a client, I get client errors like "javax.jms.JMSException: Failed to create session factory". And at the server, I get messages like "UT005013: An IOException occurred: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?".

I've searched RedHat and JBoss documentation (and more) and have not found a solution to how to configure the client and connection to talk to the Wildfly 10 activemq using https .

Server configuration:

(http-listener removed from undertow, http-listener attributes of http-acceptor changed from "default" to "https", socket-bindings in http-acceptor(s) changed to "https")

    <subsystem xmlns="urn:jboss:domain:messaging-activemq:1.0">
        <server name="default">
            <security enabled="false"/>
            <security-setting name="#">
                <role name="guest" delete-non-durable-queue="true" create-non-durable-queue="true" consume="true" send="true"/>
            </security-setting>
            <address-setting name="#" message-counter-history-day-limit="10" page-size-bytes="2097152" max-size-bytes="10485760" expiry-address="jms.queue.ExpiryQueue" dead-letter-address="jms.queue.DLQ"/>
            <http-connector name="http-connector" endpoint="http-acceptor" socket-binding="https"/>
            <http-connector name="http-connector-throughput" endpoint="http-acceptor-throughput" socket-binding="https">
                <param name="batch-delay" value="50"/>
            </http-connector>
            <in-vm-connector name="in-vm" server-id="0"/>
            <http-acceptor name="http-acceptor" http-listener="https"/>
            <http-acceptor name="http-acceptor-throughput" http-listener="https">
                <param name="batch-delay" value="50"/>
                <param name="direct-deliver" value="false"/>
            </http-acceptor>
            <in-vm-acceptor name="in-vm" server-id="0"/>
            <jms-queue name="ExpiryQueue" entries="java:/jms/queue/ExpiryQueue"/>
            <jms-queue name="DLQ" entries="java:/jms/queue/DLQ"/>
            <connection-factory name="InVmConnectionFactory" entries="java:/ConnectionFactory" connectors="in-vm"/>
            <connection-factory name="RemoteConnectionFactory" consumer-window-size="0" entries="java:jboss/exported/jms/RemoteConnectionFactory" connectors="http-connector"/>
            <pooled-connection-factory name="activemq-ra" transaction="xa" entries="java:/JmsXA java:jboss/DefaultJMSConnectionFactory" connectors="in-vm"/>
        </server>
    </subsystem>

More server configuration:

    <subsystem xmlns="urn:jboss:domain:undertow:3.0">
        <buffer-cache name="default"/>
        <server name="default-server">
            (REMOVED THIS) <http-listener name="default" max-post-size="104857600" socket-binding="http" redirect-socket="https"/> (REMOVED THIS)

            <https-listener name="https" max-post-size="104857600" security-realm="BISRealm" socket-binding="https"/>
            <host name="default-host" alias="localhost"/>
        </server>
        <servlet-container name="default">
            <jsp-config display-source-fragment="false"/>
            <websockets/>
        </servlet-container>
    </subsystem>

Server error message when client attempts to connect:

2017-01-12 14:03:47,283 DEBUG [io.undertow.request] (default I/O-11) UT005013: An IOException occurred: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
        at sun.security.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:156) [jsse.jar:1.8.0_71]
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:868) [jsse.jar:1.8.0_71]
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) [jsse.jar:1.8.0_71]
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) [rt.jar:1.8.0_71]
        at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:705)
        at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:608)
        at io.undertow.protocols.ssl.SslConduit.access$600(SslConduit.java:63)
        at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1034)
        at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) [xnio-nio-3.3.4.Final.jar:3.3.4.Final]
        at org.xnio.nio.WorkerThread.run(WorkerThread.java:559) [xnio-nio-3.3.4.Final.jar:3.3.4.Final]

2017-01-12 14:03:47,284 DEBUG [io.undertow.request.io] (default I/O-11) UT005013: An IOException occurred: java.io.IOException: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
        at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:577)
        at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:668)
        at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:530)
        at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127) [xnio-api-3.3.4.Final.jar:3.3.4.Final]
        at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:152)
        at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:130)
        at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:56)
        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) [xnio-api-3.3.4.Final.jar:3.3.4.Final]
        at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66) [xnio-api-3.3.4.Final.jar:3.3.4.Final]
        at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1059)
        at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) [xnio-nio-3.3.4.Final.jar:3.3.4.Final]
        at org.xnio.nio.WorkerThread.run(WorkerThread.java:559) [xnio-nio-3.3.4.Final.jar:3.3.4.Final]
Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) [jsse.jar:1.8.0_71]
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) [jsse.jar:1.8.0_71]
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) [jsse.jar:1.8.0_71]
        at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) [jsse.jar:1.8.0_71]
        at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:575)
        ... 11 more

Client error message when client attempts to read JMS message:

2017-01-12 16:09:19.601   DEBUG  org.apache.activemq.artemis.core.client.getConnectionWithRetry(750)) #() #() Trying reconnection attempt 0/1
2017-01-12 16:09:19.601   DEBUG  org.apache.activemq.artemis.core.client.createTransportConnection(1025)) #() #() Trying to connect with connector = org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnectorFactory@2714d74c, parameters = {httpUpgradeEnabled=true, port=8443, httpPpgradeEndpoint=http-acceptor, host=bisdb} connector = null
2017-01-12 16:09:19.601   DEBUG  org.apache.activemq.artemis.core.client.start(528)) #() #() Started Netty Connector version 4.0.32.Final
2017-01-12 16:09:19.602   DEBUG  org.apache.activemq.artemis.core.client.createConnection(586)) #() #() Remote destination: bisdb/10.134.141.92:8443
2017-01-12 16:09:19.604   DEBUG  org.apache.activemq.artemis.core.client.createConnection(656)) #() #() Sending HTTP request DefaultHttpRequest(decodeResult: success, version: HTTP/1.1)
GET  HTTP/1.1
Host: bisdb
Upgrade: activemq-remoting
Connection: Upgrade
httpPpgradeEndpoint: http-acceptor
Sec-ActiveMQRemoting-Key: EVEoDiZ+Sv4Xe8QYk9X4PQ==
2017-01-12 16:09:25.311   DEBUG  org.jboss.ejb.client.EJBClientContext.getEJBReceiver(758)) #() #() org.jboss.ejb.client.RandomDeploymentNodeSelector@d536e70 deployment node selector selected bisdb node for appname=MorphoBIS,modulename=Wfm,distinctname=
2017-01-12 16:09:25.311   DEBUG  org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(136)) #() #() Sending invocation to node bisdb
2017-01-12 16:09:35.318   DEBUG  org.jboss.ejb.client.EJBClientContext.getEJBReceiver(758)) #() #() org.jboss.ejb.client.RandomDeploymentNodeSelector@d536e70 deployment node selector selected bisdb node for appname=MorphoBIS,modulename=Wfm,distinctname=
2017-01-12 16:09:35.318   DEBUG  org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(136)) #() #() Sending invocation to node bisdb
2017-01-12 16:09:45.321   DEBUG  org.jboss.ejb.client.EJBClientContext.getEJBReceiver(758)) #() #() org.jboss.ejb.client.RandomDeploymentNodeSelector@d536e70 deployment node selector selected bisdb node for appname=MorphoBIS,modulename=Wfm,distinctname=
2017-01-12 16:09:45.321   DEBUG  org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(136)) #() #() Sending invocation to node bisdb
2017-01-12 16:09:49.604   DEBUG  org.apache.activemq.artemis.core.client.openTransportConnection(994)) #() #() Connector towards NettyConnector [host=bisdb, port=8443, httpEnabled=false, httpUpgradeEnabled=true, useServlet=false, servletPath=/messaging/ActiveMQServlet, sslEnabled=false, useNio=true] failed
2017-01-12 16:09:49.605   WARN   Received exception jndiEnv  : {java.naming.provider.url=https-remoting://bisapp:8443, java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory, UrlPkgPrefixes=org.jboss.naming:org.jnp.interfaces}
javax.jms.JMSException: Failed to create session factory
        at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createConnectionInternal(ActiveMQConnectionFactory.java:727) ~[jboss-client.jar:10.0.0.Final]
        at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createQueueConnection(ActiveMQConnectionFactory.java:284) ~[jboss-client.jar:10.0.0.Final]
        at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createQueueConnection(ActiveMQConnectionFactory.java:280) ~[jboss-client.jar:10.0.0.Final]
...
        at java.lang.Thread.run(Thread.java:745) [na:1.8.0_71]
Caused by: org.apache.activemq.artemis.api.core.ActiveMQNotConnectedException: AMQ119007: Cannot connect to server(s). Tried with all available servers.
        at org.apache.activemq.artemis.core.client.impl.ServerLocatorImpl.createSessionFactory(ServerLocatorImpl.java:777) ~[jboss-client.jar:10.0.0.Final]
        at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createConnectionInternal(ActiveMQConnectionFactory.java:724) ~[jboss-client.jar:10.0.0.Final]
        ... 10 common frames omitted

It looks like the client is attempting to communicate via HTTP but I cannot figure out how to configure the connection to use HTTPS.

How do I configure the Wildfly 10 server (and clients) to use messaging-activemq over https?

Answer 1

回复较晚，但是您在两个http-connector元素内都缺少<param name="ssl-enabled" value="true" /> 。