Bug 1807980
| Summary: | [RFE] Support security-enabled connections to Artemis | | |
|---|---|---|---|
| Product: | [Community] Candlepin (Migrated to Jira) | Reporter: | Jonathon Turel <jturel> |
| Component: | candlepin | Assignee: | candlepin-bugs |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | | |
| Version: | 3.1 | CC: | bcourt, ehelms, nmoumoul, redakkan |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-11-22 13:39:40 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
This is what shows up in candlepin.log when security-enabled is set to true:
2020-03-02 18:47:07,259 [thread=Thread-1 (ActiveMQ-remoting-threads-ActiveMQServerImpl::serverUUID=cd004ce9-3bc0-11ea-8e7d-525400390078-1826811976)] [=, org=, csid=] WARN org.apache.activemq.artemis.core.server - AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from invm:0. Username: null; SSL certificate subject DN: unavailable
2020-03-02 18:47:07,262 [thread=localhost-startStop-1] [=, org=, csid=] ERROR org.candlepin.async.JobManager - Unexpected exception occurred during initialization
org.candlepin.async.JobException: org.candlepin.messaging.CPMException: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229031: Unable to validate user from invm:0. Username: null; SSL certificate subject DN: unavailable]
at org.candlepin.async.JobMessageReceiver.initialize(JobMessageReceiver.java:269)
at org.candlepin.async.JobManager.initialize(JobManager.java:422)
at org.candlepin.guice.CandlepinContextListener.initializeSubsystems(CandlepinContextListener.java:213)
at org.candlepin.guice.CandlepinContextListener.withInjector(CandlepinContextListener.java:151)
at org.jboss.resteasy.plugins.guice.GuiceResteasyBootstrapServletContextListener.contextInitialized(GuiceResteasyBootstrapServletContextListener.java:59)
at org.candlepin.guice.CandlepinContextListener.contextInitialized(CandlepinContextListener.java:144)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:5118)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5634)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1260)
at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:2002)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.candlepin.messaging.CPMException: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229031: Unable to validate user from invm:0. Username: null; SSL certificate subject DN: unavailable]
at org.candlepin.messaging.impl.artemis.ArtemisSessionFactory.createSession(ArtemisSessionFactory.java:230)
at org.candlepin.messaging.impl.artemis.ArtemisSessionFactory.createSession(ArtemisSessionFactory.java:41)
at org.candlepin.async.JobMessageReceiver.createSession(JobMessageReceiver.java:171)
at org.candlepin.async.JobMessageReceiver.initialize(JobMessageReceiver.java:258)
... 18 common frames omitted
Caused by: org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229031: Unable to validate user from invm:0. Username: null; SSL certificate subject DN: unavailable
at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:464)
at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:358)
at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQClientProtocolManager.createSessionContext(ActiveMQClientProtocolManager.java:300)
at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQClientProtocolManager.createSessionContext(ActiveMQClientProtocolManager.java:249)
at org.apache.activemq.artemis.core.client.impl.ClientSessionFactoryImpl.createSessionChannel(ClientSessionFactoryImpl.java:1348)
at org.apache.activemq.artemis.core.client.impl.ClientSessionFactoryImpl.createSessionInternal(ClientSessionFactoryImpl.java:673)
at org.apache.activemq.artemis.core.client.impl.ClientSessionFactoryImpl.createTransactedSession(ClientSessionFactoryImpl.java:315)
at org.candlepin.messaging.impl.artemis.ArtemisSessionFactory$SessionManager.createClientSession(ArtemisSessionFactory.java:110)
at org.candlepin.messaging.impl.artemis.ArtemisSessionFactory.createSession(ArtemisSessionFactory.java:225)
... 21 common frames omitted
Description of problem:

From Katello we'd like to connect to embedded Artemis with security enabled. Turning security-enabled mode on in broker.xml right now prevents Candlepin's internal listeners from connecting to Artemis. There is also no way for us to configure the security manager configuration due to the way the embedded broker is initialized.

Basically what needs to change is in ArtemisContextListener.java to pass a configured SecurityManager to the broker:

    ActiveMQJAASSecurityManager ourSecurityManager = new ActiveMQJAASSecurityManager("PropertiesLogin", "CertLogin");
    this.activeMQServer.setSecurityManager(ourSecurityManager);

With this, we can specify the login.config, i.e. -Djava.security.auth.login.config=login.config, with the configurations for PropertiesLogin and CertLogin.
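A `login.config` of the kind the description refers to, defining the two JAAS domains named in the constructor call. This is an added example, not part of the original report or of Candlepin's code. The login module classes and option keys are Artemis's own; the properties file names and the `debug`/`reload` values are assumptions.

```conf
// login.config, loaded with -Djava.security.auth.login.config=login.config
// The domain names must match the two arguments passed to
// ActiveMQJAASSecurityManager("PropertiesLogin", "CertLogin").

// Username/password logins.
PropertiesLogin {
    org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
        debug=false
        reload=true
        org.apache.activemq.jaas.properties.user="artemis-users.properties"
        org.apache.activemq.jaas.properties.role="artemis-roles.properties";
};

// TLS client-certificate logins: the certificate's subject DN is mapped to a user.
CertLogin {
    org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
        debug=false
        reload=true
        org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
        org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
};

// Expected layout of the referenced files (file names are assumed):
//   artemis-users.properties   <user>=<password>
//   artemis-roles.properties   <role>=<user>[,<user>...]
//   cert-users.properties      <user>=<certificate subject DN>
//   cert-roles.properties      <role>=<user>[,<user>...]
```

The roles assigned in these files only take effect through matching `security-setting` permissions in broker.xml. In-VM connections such as the one in the log above present no client certificate, so they are authenticated against the `PropertiesLogin` domain and need a username and password.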