Connect to EMS JMS queue using Spring + SSL

spring ssl certificate ems
user2393009 picture user2393009 · May 17, 2013 · Viewed 14.5k times · Source

I'm having some issues to create a connection to (and reading from) a Tibco EMS JMS queue, using SSL and mutual authentication with certicates. Here is my Spring config:

<!-- TIBCO Connection Factory Bean -->
<bean id="tibcoConnectionFactory" class="com.tibco.tibjms.TibjmsConnectionFactory">
  <constructor-arg value="ssl://mytibco.server.address:30113" />
  <property name="userName" value="userName" />
  <property name="userPassword" value="${tibcoPwd}" />
  <property name="connAttemptCount" value="10" />
  <property name="connAttemptDelay" value="100" />
  <property name="connAttemptTimeout" value="1000" />
  <property name="reconnAttemptCount" value="10" />
  <property name="reconnAttemptDelay" value="100" />
  <property name="reconnAttemptTimeout" value="1000" />
  <property name="SSLVendor" value="j2se" />
  <property name="SSLEnableVerifyHost" value="false" />
  <property name="SSLEnableVerifyHostName" value="false" />
  <property name="SSLTrace" value="true" />
  <property name="SSLDebugTrace" value="true" />
  <property name="SSLIdentity" value="c:\\cert\\testCert.p12" />
  <property name="SSLPassword" value="*******" />
</bean>

<!-- Spring CachingConnectionFactory Bean -->
<bean id="tibcoJmsConnectionFactory" class="org.springframework.jms.connection.CachingConnectionFactory">
  <constructor-arg ref="tibcoConnectionFactory" />
  <property name="reconnectOnException" value="true" />
  <property name="sessionCacheSize" value="10" />
</bean>

When I try to put something on the queue, I receive the following stack trace:

[TIBCO EMS]: [J] [SSL] initializing security with vendor 'j2se'
[TIBCO EMS]: [J] [SSL] client version 5.1.0, security version 3.0.0, SSL initialized with vendor 'j2se'
[TIBCO EMS]: [J] [SSL] WARNING: server verification is disabled, will trust any server.
[TIBCO EMS]: [J] [SSL] reading client identity from byte array, format=AUTO
WARN  [jmsContainer-1] org.springframework.jms.listener.DefaultMessageListenerContainer - Execution of JMS message listener failed
org.springframework.jms.JmsSecurityException: Error occured while reading identity data: Invalid or not supported identity data; nested exception is javax.jms.JMSSecurityException: Error occured while reading identity data: Invalid or not supported identity data
   at org.springframework.jms.support.JmsUtils.convertJmsAccessException(JmsUtils.java:283)
   at org.springframework.jms.support.JmsAccessor.convertJmsAccessException(JmsAccessor.java:168)
   at org.springframework.jms.core.JmsTemplate.execute(JmsTemplate.java:474)
   at org.springframework.jms.core.JmsTemplate.execute(JmsTemplate.java:436)
   ...
   at org.springframework.jms.listener.AbstractMessageListenerContainer.doInvokeListener(AbstractMessageListenerContainer.java:543)
   at org.springframework.jms.listener.AbstractMessageListenerContainer.invokeListener(AbstractMessageListenerContainer.java:482)
   at org.springframework.jms.listener.AbstractMessageListenerContainer.doExecuteListener(AbstractMessageListenerContainer.java:451)
   at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.doReceiveAndExecute(AbstractPollingMessageListenerContainer.java:323)
   at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.receiveAndExecute(AbstractPollingMessageListenerContainer.java:241)
   at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.invokeListener(DefaultMessageListenerContainer.java:982)
   at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.executeOngoingLoop(DefaultMessageListenerContainer.java:974)
   at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.run(DefaultMessageListenerContainer.java:876)
   at java.lang.Thread.run(Thread.java:662)
Caused by: javax.jms.JMSSecurityException: Error occured while reading identity data: Invalid or not supported identity data
   at com.tibco.tibjms.TibjmsSSL._identityFromStore(TibjmsSSL.java:2670)
   at com.tibco.tibjms.TibjmsSSL.createIdentity(TibjmsSSL.java:2575)
   at com.tibco.tibjms.TibjmsxLinkSSL._initSSL(TibjmsxLinkSSL.java:309)
   at com.tibco.tibjms.TibjmsxLinkSSL.connect(TibjmsxLinkSSL.java:390)
   at com.tibco.tibjms.TibjmsConnection._create(TibjmsConnection.java:1288)
   at com.tibco.tibjms.TibjmsConnection.<init>(TibjmsConnection.java:4115)
   at com.tibco.tibjms.TibjmsxCFImpl._createImpl(TibjmsxCFImpl.java:209)
   at com.tibco.tibjms.TibjmsxCFImpl._createConnection(TibjmsxCFImpl.java:253)
   at com.tibco.tibjms.TibjmsConnectionFactory.createConnection(TibjmsConnectionFactory.java:36)
   at org.springframework.jms.connection.SingleConnectionFactory.doCreateConnection(SingleConnectionFactory.java:343)
   at org.springframework.jms.connection.SingleConnectionFactory.initConnection(SingleConnectionFactory.java:290)
   at org.springframework.jms.connection.SingleConnectionFactory.createConnection(SingleConnectionFactory.java:227)
   at org.springframework.jms.support.JmsAccessor.createConnection(JmsAccessor.java:184)
   at org.springframework.jms.core.JmsTemplate.access$500(JmsTemplate.java:90)
   at org.springframework.jms.core.JmsTemplate$JmsTemplateResourceFactory.createConnection(JmsTemplate.java:1028)
   at org.springframework.jms.connection.ConnectionFactoryUtils.doGetTransactionalSession(ConnectionFactoryUtils.java:298)
   at org.springframework.jms.core.JmsTemplate.execute(JmsTemplate.java:458)
   ... 12 more

Until now, I can't succeed to resolve the ssl handshake. How to resolve this issue?

Answer

Nick Holt picture Nick Holt · Sep 29, 2017

The problem you having is due to a combination of Spring and the fact that com.tibco.tibjms.TibjmsConnectionFactory overloads the setSSLIdentity method, allowing either a byte[] or String to be passed.

This is confusing Spring which is invoking setSSLIdentity(byte[]) meaning that com.tibco.tibjms.TibjmsConnectionFactory is treating the bytes of the string c:\\cert\\testCert.p12 as a certificate (which it clearly isn't).

Unfortunately Spring doesn't let you force the type on the property element (like it does on constructor-arg, at least at the time of writing), so you'll use the constructor that takes a java.utils.Map and pass the configuration as properties:

<bean id="tibcoConnectionFactory" class="com.tibco.tibjms.TibjmsConnectionFactory">
  <constructor-arg value="ssl://mytibco.server.address:30113" />
  <constructor-arg><null/></constructor-arg>
  <constructor-arg>
    <util:map>
      <entry key="com.tibco.tibjms.factory.username" value="userName"/>
      <entry key="com.tibco.tibjms.factory.password" value="${tibcoPwd}"/>
      <entry key="com.tibco.tibjms.connect.attemptcount" value="10"/>
      <entry key="com.tibco.tibjms.connect.attemptdelay" value="100"/>
      <entry key="com.tibco.tibjms.connect.attempttimeout" value="1000"/>  
      <entry key="com.tibco.tibjms.reconnect.attemptcount" value="10"/>
      <entry key="com.tibco.tibjms.reconnect.attemptdelay" value="10-"/>
      <entry key="com.tibco.tibjms.reconnect.attempttimeout" value="1000" />  
      <entry key="com.tibco.tibjms.ssl.vendor" value="j2se"/>
      <entry key="com.tibco.tibjms.ssl.enable_verify_host" value="false"/>
      <entry key="com.tibco.tibjms.ssl.enable_verify_hostname" value="false"/>
      <entry key="com.tibco.tibjms.ssl.trace" value="true"/>
      <entry key="com.tibco.tibjms.ssl.debug_trace" value="true"/>
      <entry key="com.tibco.tibjms.ssl.identity" value="c:/cert/testCert.p12"/>
      <entry key="com.tibco.tibjms.ssl.password" value="value="*******"/>  
    <util:map>
  </constructor-arg>
</bean>

For anyone looking for the names for other properties, you can drill into the associated setter and see property name there.

Related questions

HTTPS login with Spring Security redirects to HTTP

I have a Spring web app, secured with Spring Security, running on EC2. In front of the EC2 instance is an Elastic Load Balancer with an SSL cert (https terminates at the load balancer ie. port 443 -> port 80), so …

Read More
Spring 5 WebClient using ssl

I'm trying to find examples of WebClient use. My goal is to use Spring 5 WebClient to query a REST service using https and self signed certificate Any example?

Read More
trusted certificate entries are not password-protected Spring SAML

I have generated testIdp.cer file by copying 509 entry of the IDP I am planning to connect. Then I created JKS file by executing the following command keytool -importcert -alias adfssigning -keystore C:\Users\user\Desktop\samlKeystore.jks -file C:\…

Read More