SSL for Apache ActiveMQ on AWS EC2 instance - amazon-web-services

I have a Java application configured with some self-signed certificates that communicates with ActiveMQ version 5.13.0 over SSL/TLS version 1.2. The relevant self-signed certificates reside in their respective keystores and truststores. This connection over TLS works just fine on my local Windows machine: clients without the proper certificates are unable to communicate with the broker, and clients with the proper certificates can.
However, this does not work when the same code and keystores are used on an AWS EC2 instance. I have the same version of ActiveMQ installed there and am using the very same keystores and truststores on the broker and client side. Clients without any certificates configured are able to connect to the broker and communicate.
I would like to understand whether SSL/TLS for ActiveMQ must be configured differently on a Linux machine or whether there is something else that I am missing.
Snippets from the activemq.xml file that enable ActiveMQ to use SSL/TLS:
<managementContext>
    <managementContext createConnector="false"/>
</managementContext>
<sslContext>
    <sslContext keyStore="file:${activemq.base}/conf/broker.ks"
                keyStorePassword="changeit"
                trustStore="file:${activemq.base}/conf/broker.ts"
                trustStorePassword="changeit"/>
</sslContext>
<transportConnectors>
    <!-- DOS protection, limit concurrent connections to 1000 and frame size to 100MB -->
    <!-- Inside XML the '&' joining URI parameters must be written as '&amp;' -->
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxInactivityDuration=300000&amp;wireFormat.maxFrameSize=104857600&amp;jms.messagePrioritySupported=false"/>
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61714?transport.enabledProtocols=TLSv1.2"/>
    <transportConnector name="amqp" uri="amqp://0.0.0.0:5672?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="stomp" uri="stomp://0.0.0.0:61613?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="mqtt" uri="mqtt://0.0.0.0:1883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="ws" uri="ws://0.0.0.0:61614?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
</transportConnectors>

Answering my own query.
I handle the Java client and that client connects to port 61714 that is designated for SSL.
The folks dealing with the IoT device side told me that these devices default to port 1883 for MQTT connections and port 8883 for secure MQTT connections.
This can be configured by adding the line below to the transport connectors:
<transportConnector name="mqtt+ssl" uri="mqtt+ssl://0.0.0.0:8883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
The device has some constraints due to which it cannot connect to an SSL port and publish MQTT messages. The Java client on the other hand has no issues connecting to the SSL port and publishing and consuming MQTT messages, so adding the above line resolved this.
If needed, one could comment out the transport connector for port 1883 so that no clients without the needed certificates are able to connect to the MQTT broker.
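As an added example (not code from the original post or from ActiveMQ), a small Python audit over a transportConnectors block that flags every listener whose URI scheme carries no TLS, which is what let certificate-less MQTT clients in on port 1883 above; the sample XML is constructed from the connectors quoted in the question.

```python
"""Audit a <transportConnectors> block from activemq.xml for listeners that
carry no TLS. Added example, not code from the original post or from ActiveMQ;
the sample below is constructed from the connectors quoted in the question."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample. Inside XML the '&' joining URI parameters must be '&amp;'.
SAMPLE_XML = """<transportConnectors>
  <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
  <transportConnector name="ssl" uri="ssl://0.0.0.0:61714?transport.enabledProtocols=TLSv1.2"/>
  <transportConnector name="mqtt" uri="mqtt://0.0.0.0:1883?maximumConnections=1000"/>
  <transportConnector name="mqtt+ssl" uri="mqtt+ssl://0.0.0.0:8883?maximumConnections=1000"/>
</transportConnectors>"""


def is_tls_scheme(scheme):
    """ActiveMQ TLS transports are 'ssl', the '<proto>+ssl' variants, 'wss' and 'https'."""
    return scheme == "ssl" or scheme.endswith("+ssl") or scheme in ("wss", "https")


def audit_connectors(xml_text):
    """Return one record per <transportConnector>: name, scheme, port, whether it
    uses TLS and whether it is bound to every interface (0.0.0.0)."""
    root = ET.fromstring(xml_text)
    findings = []
    for tc in root.iter("transportConnector"):
        parts = urlsplit(tc.get("uri", ""))
        findings.append({
            "name": tc.get("name"),
            "scheme": parts.scheme,
            "port": parts.port,
            "tls": is_tls_scheme(parts.scheme),
            "bind_all": parts.hostname == "0.0.0.0",
        })
    return findings


def plaintext_connectors(xml_text):
    """Names of connectors any client can reach without presenting a certificate."""
    return [f["name"] for f in audit_connectors(xml_text) if not f["tls"]]


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_XML):
        status = "TLS" if f["tls"] else "PLAINTEXT"
        print(f"{f['name']:10s} {f['scheme']:10s} port {f['port']:6d} {status}")
    print("plaintext listeners:", plaintext_connectors(SAMPLE_XML))
```

Run it against the real file after removing or commenting out a plaintext connector to confirm only TLS listeners remain.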

Related

MSK How to mandate both SASL & SSL protocols while validating the client to connect msk broker nodes?

In MSK, to communicate with brokers using TLS (SSL) we have used port 9094 and are able to communicate with the MSK cluster with the required keystore and truststore configurations.
And to communicate with brokers using SASL_SCRAM we have used port 9096 and are able to communicate with the MSK cluster with username and password configurations.
And now we want to configure SASL_SSL to authenticate the client while connecting to broker nodes, as a mandatory configuration at the client side.
NOTE: We are able to configure the SASL_SSL security protocol on port 9096, but the client configuration treats the TLS configuration as optional, because if we remove the TLS properties it is still able to connect to the broker nodes.
I'm testing this connection with the Kafka console producer like below:
./bin/kafka-console-producer.sh --broker-list b-1.xxx:9096,b-2xx:9096 --producer.config ./bin/client_sasl_ssl.properties --topic TestTopicSASLSSL
File: client_sasl_ssl.properties
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
#ssl.truststore.location=/path/to/kafka.client.truststore.jks
#ssl.keystore.location=/path/to/kafka.client.keystore.jks
#ssl.keystore.password=psswd
#ssl.key.password=psswd
Please note that I'm able to produce data with or without the above commented SSL properties, which seem optional.
Is there any option to mandate both SASL and TLS auth protocols to restrict client connections?

Does Amazon MQ provide a TCP endpoint?

I have created one broker on Amazon MQ and got an SSL endpoint on port 61617. I was looking for a non-SSL endpoint as well (like we can have tcp on 61616 on ActiveMQ). Does Amazon MQ provide only SSL? Is there any way we can get the TCP endpoint as well?
Amazon MQ only provides an SSL endpoint; it does not expose a TCP endpoint like ActiveMQ. But it works and connects equally well when you switch from the ActiveMQ tcp endpoint to the Amazon MQ SSL endpoint.
For example:
activemq.broker.url = failover:(tcp://abc1.gogole.com:61616,tcp://abc1.gogole.com:61616)?randomize=false&maxReconnectAttempts=10
amazonmq.broker.url = failover:(ssl://efg-1.mq.us-west-2.amazonaws.com:61617,ssl://efg-2.mq.us-west-2.amazonaws.com:61617)?randomize=false&maxReconnectAttempts=5
Any specific use case on why are you looking for TCP endpoint?

Enable TLS in Bareos client

I have a Bareos client trying to communicate with an AWS S3 server.
As per http://doc.bareos.org/master/html/bareos-manual-main-reference.html#x1-400006
I can use the TLS Enable & TLS Require options to enable TLS in the client and also in inter-daemon communication.
I want to disable inter-daemon TLS communication but enable TLS in the Bareos client communicating with the S3 server.
Also, this TLS config for the Droplet file
https://github.com/scality/Droplet/wiki/Configuration-File doesn't seem to be working.
Is there any way to configure this?

How to host a Mosquitto MQTT broker on EC2 so that I can use it with Eclipse Paho?

I have installed the Mosquitto MQTT broker on an Amazon EC2 Windows server.
How can I publish and subscribe to messages from Eclipse Paho, which is installed on another computer?
Mainly, what do I write in place of localhost in Eclipse Paho?
I have also configured security groups for HTTP, HTTPS, SSH, and MQTT (custom TCP ports 8000, 1883, 8883).
You will need to use the public IP address of your EC2 instance instead of localhost.
Details on finding the IP addresses of your EC2 instance can be found here:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html

How to secure a web service with SSL

I am building a Java EE application with NetBeans 7.3.2 using JavaFX as a client to be served by web services from the EJB. I want to add SSL to secure the web services communication with the client over the network. I tried to add security to the web services but get the following errors:
SEVERE: WSS1601: Security Requirements not met - Transport binding configured in policy but incoming message was not SSL enabled
SEVERE: WSITPVD0035: Error in Verifying Security in Inbound Message.
com.sun.xml.wss.impl.XWSSecurityRuntimeException: WSS1601: Security Requirements not met - Transport binding configured in policy but incoming message was not SSL enabled
I have tried all means to find tutorials online to help me do this, since I am new to web services security and more so to configuring SSL for this.
Can someone please help me with some tutorials or a solution to this? Thanks in advance.
Web services are usually normal web applications in the background. So usually it is enough to enable SSL and assign an SSL port at the server side. For example, in WebLogic open the WebLogic admin console and set the following:
Environment/Servers/AdminServer/Configuration/SSL Listen Port Enabled
Environment/Servers/AdminServer/Configuration/SSL Listen Port: 7004
Then at client side just change http to https and the non-SSL port to the SSL port in the URL of the web service.