Sicherung activemq auf Wildfly 10

Question

Ich versuche, die Messaging-activemq Subsystem zu konfigurieren https zu verwenden statt http (vollständig Gebrauch von http zu beseitigen).

ich gelesen habe: https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/7.0/single/configuring-messaging/#securing-remote-connections-jms-server

In der Wildfly Konfigurationsdatei, der Messaging-activemq Subsystem, ich habe den http-Anschluss aktualisiert, http-connector-Durchsatz, http-Akzeptor und http-akzeptor- Durchsatz, um https zu verwenden. Der Wildfly-Server startet fehlerfrei. Wenn ich versuche, eine Verbindung von einem Client herzustellen, erhalte ich jedoch Clientfehler wie "javax.jms.JMSException: Sitzungsfactory konnte nicht erstellt werden". Und auf dem Server bekomme ich Nachrichten wie "UT005013: Eine IOException aufgetreten: javax.net.ssl.SSLException: Unerkannte SSL-Nachricht, Klartextverbindung?".

Ich habe RedHat und JBoss Dokumentation (und mehr) gesucht und habe keine Lösung gefunden, um den Client und die Verbindung zu konfigurieren, um mit dem Wildfly 10 activemq über https zu sprechen.

Server-Konfiguration:

(HTTP-Listener aus undertow entfernt, HTTP-Listener-Attributen von http-Akzeptor von "default" auf "https" socket-Bindungen in http-Akzeptor (en) auf " https ")

<subsystem xmlns="urn:jboss:domain:messaging-activemq:1.0"> 
     <server name="default"> 
      <security enabled="false"/> 
      <security-setting name="#"> 
       <role name="guest" delete-non-durable-queue="true" create-non-durable-queue="true" consume="true" send="true"/> 
      </security-setting> 
      <address-setting name="#" message-counter-history-day-limit="10" page-size-bytes="2097152" max-size-bytes="10485760" expiry-address="jms.queue.ExpiryQueue" dead-letter-address="jms.queue.DLQ"/> 
      <http-connector name="http-connector" endpoint="http-acceptor" socket-binding="https"/> 
      <http-connector name="http-connector-throughput" endpoint="http-acceptor-throughput" socket-binding="https"> 
       <param name="batch-delay" value="50"/> 
      </http-connector> 
      <in-vm-connector name="in-vm" server-id="0"/> 
      <http-acceptor name="http-acceptor" http-listener="https"/> 
      <http-acceptor name="http-acceptor-throughput" http-listener="https"> 
       <param name="batch-delay" value="50"/> 
       <param name="direct-deliver" value="false"/> 
      </http-acceptor> 
      <in-vm-acceptor name="in-vm" server-id="0"/> 
      <jms-queue name="ExpiryQueue" entries="java:/jms/queue/ExpiryQueue"/> 
      <jms-queue name="DLQ" entries="java:/jms/queue/DLQ"/> 
      <connection-factory name="InVmConnectionFactory" entries="java:/ConnectionFactory" connectors="in-vm"/> 
      <connection-factory name="RemoteConnectionFactory" consumer-window-size="0" entries="java:jboss/exported/jms/RemoteConnectionFactory" connectors="http-connector"/> 
      <pooled-connection-factory name="activemq-ra" transaction="xa" entries="java:/JmsXA java:jboss/DefaultJMSConnectionFactory" connectors="in-vm"/> 
     </server> 
    </subsystem> 

Mehr-Server-Konfiguration:

<subsystem xmlns="urn:jboss:domain:undertow:3.0"> 
     <buffer-cache name="default"/> 
     <server name="default-server"> 
      (REMOVED THIS) <http-listener name="default" max-post-size="104857600" socket-binding="http" redirect-socket="https"/> (REMOVED THIS) 

      <https-listener name="https" max-post-size="104857600" security-realm="BISRealm" socket-binding="https"/> 
      <host name="default-host" alias="localhost"/> 
     </server> 
     <servlet-container name="default"> 
      <jsp-config display-source-fragment="false"/> 
      <websockets/> 
     </servlet-container> 
    </subsystem> 

Server-Fehlermeldung, wenn Client eine Verbindung herzustellen versucht:

2017-01-12 14:03:47,283 DEBUG [io.undertow.request] (default I/O-11) UT005013: An IOException occurred: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection? 
     at sun.security.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:156) [jsse.jar:1.8.0_71] 
     at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:868) [jsse.jar:1.8.0_71] 
     at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) [jsse.jar:1.8.0_71] 
     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) [rt.jar:1.8.0_71] 
     at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:705) 
     at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:608) 
     at io.undertow.protocols.ssl.SslConduit.access$600(SslConduit.java:63) 
     at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1034) 
     at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) [xnio-nio-3.3.4.Final.jar:3.3.4.Final] 
     at org.xnio.nio.WorkerThread.run(WorkerThread.java:559) [xnio-nio-3.3.4.Final.jar:3.3.4.Final] 

2017-01-12 14:03:47,284 DEBUG [io.undertow.request.io] (default I/O-11) UT005013: An IOException occurred: java.io.IOException: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack? 
     at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:577) 
     at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:668) 
     at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:530) 
     at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127) [xnio-api-3.3.4.Final.jar:3.3.4.Final] 
     at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:152) 
     at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:130) 
     at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:56) 
     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) [xnio-api-3.3.4.Final.jar:3.3.4.Final] 
     at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66) [xnio-api-3.3.4.Final.jar:3.3.4.Final] 
     at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1059) 
     at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) [xnio-nio-3.3.4.Final.jar:3.3.4.Final] 
     at org.xnio.nio.WorkerThread.run(WorkerThread.java:559) [xnio-nio-3.3.4.Final.jar:3.3.4.Final] 
Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack? 
     at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) [jsse.jar:1.8.0_71] 
     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) [jsse.jar:1.8.0_71] 
     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) [jsse.jar:1.8.0_71] 
     at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) [jsse.jar:1.8.0_71] 
     at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:575) 
     ... 11 more 

Client-Fehlermeldung, wenn Client versucht JMS-Nachricht zu lesen:

2017-01-12 16:09:19.601 DEBUG org.apache.activemq.artemis.core.client.getConnectionWithRetry(750)) #() #() Trying reconnection attempt 0/1 
2017-01-12 16:09:19.601 DEBUG org.apache.activemq.artemis.core.client.createTransportConnection(1025)) #() #() Trying to connect with connector = org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnectorFactory@2714d74c, parameters = {httpUpgradeEnabled=true, port=8443, httpPpgradeEndpoint=http-acceptor, host=bisdb} connector = null 
2017-01-12 16:09:19.601 DEBUG org.apache.activemq.artemis.core.client.start(528)) #() #() Started Netty Connector version 4.0.32.Final 
2017-01-12 16:09:19.602 DEBUG org.apache.activemq.artemis.core.client.createConnection(586)) #() #() Remote destination: bisdb/10.134.141.92:8443 
2017-01-12 16:09:19.604 DEBUG org.apache.activemq.artemis.core.client.createConnection(656)) #() #() Sending HTTP request DefaultHttpRequest(decodeResult: success, version: HTTP/1.1) 
GET HTTP/1.1 
Host: bisdb 
Upgrade: activemq-remoting 
Connection: Upgrade 
httpPpgradeEndpoint: http-acceptor 
Sec-ActiveMQRemoting-Key: EVEoDiZ+Sv4Xe8QYk9X4PQ== 
2017-01-12 16:09:25.311 DEBUG org.jboss.ejb.client.EJBClientContext.getEJBReceiver(758)) #() #() org.jboss.ejb.client.RandomDeploymentNodeSelector@d536e70 deployment node selector selected bisdb node for appname=MorphoBIS,modulename=Wfm,distinctname= 
2017-01-12 16:09:25.311 DEBUG org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(136)) #() #() Sending invocation to node bisdb 
2017-01-12 16:09:35.318 DEBUG org.jboss.ejb.client.EJBClientContext.getEJBReceiver(758)) #() #() org.jboss.ejb.client.RandomDeploymentNodeSelector@d536e70 deployment node selector selected bisdb node for appname=MorphoBIS,modulename=Wfm,distinctname= 
2017-01-12 16:09:35.318 DEBUG org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(136)) #() #() Sending invocation to node bisdb 
2017-01-12 16:09:45.321 DEBUG org.jboss.ejb.client.EJBClientContext.getEJBReceiver(758)) #() #() org.jboss.ejb.client.RandomDeploymentNodeSelector@d536e70 deployment node selector selected bisdb node for appname=MorphoBIS,modulename=Wfm,distinctname= 
2017-01-12 16:09:45.321 DEBUG org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(136)) #() #() Sending invocation to node bisdb 
2017-01-12 16:09:49.604 DEBUG org.apache.activemq.artemis.core.client.openTransportConnection(994)) #() #() Connector towards NettyConnector [host=bisdb, port=8443, httpEnabled=false, httpUpgradeEnabled=true, useServlet=false, servletPath=/messaging/ActiveMQServlet, sslEnabled=false, useNio=true] failed 
2017-01-12 16:09:49.605 WARN Received exception jndiEnv : {java.naming.provider.url=https-remoting://bisapp:8443, java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory, UrlPkgPrefixes=org.jboss.naming:org.jnp.interfaces} 
javax.jms.JMSException: Failed to create session factory 
     at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createConnectionInternal(ActiveMQConnectionFactory.java:727) ~[jboss-client.jar:10.0.0.Final] 
     at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createQueueConnection(ActiveMQConnectionFactory.java:284) ~[jboss-client.jar:10.0.0.Final] 
     at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createQueueConnection(ActiveMQConnectionFactory.java:280) ~[jboss-client.jar:10.0.0.Final] 
... 
     at java.lang.Thread.run(Thread.java:745) [na:1.8.0_71] 
Caused by: org.apache.activemq.artemis.api.core.ActiveMQNotConnectedException: AMQ119007: Cannot connect to server(s). Tried with all available servers. 
     at org.apache.activemq.artemis.core.client.impl.ServerLocatorImpl.createSessionFactory(ServerLocatorImpl.java:777) ~[jboss-client.jar:10.0.0.Final] 
     at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createConnectionInternal(ActiveMQConnectionFactory.java:724) ~[jboss-client.jar:10.0.0.Final] 
     ... 10 common frames omitted 

Es sieht aus wie der Client über HTTP zu kommunizieren versucht, aber ich kann nicht herausfinden, wie die Verbindung konfigurieren HTTPS zu verwenden.

Wie konfiguriere ich den Wildfly 10 Server (und die Clients), um messaging-activemq über https zu verwenden?

Answer 1

Späte Antwort, aber Sie fehlen <param name="ssl-enabled" value="true" /> in beiden http-connector Elemente.