Caused by: javax.naming.NamingException: JNDI lookup failed - 403: Client Username Is Shutdown
Hi Team,
While connecting securely to Solace from the MuleSoft Integration product using
AUTHENTICATION_SCHEME_CLIENT_CERTIFICATE with the Studio version below,
Anypoint Studio - Tooling for Mule Runtime Version: 7.8.0 Build Id: 202101272310
Caused by: org.mule.extensions.jms.api.exception.JmsExtensionException: JNDI lookup failed - 403: Client Username Is Shutdown. JNDI lookup failed - 403: Client Username Is Shutdown
Caused by: javax.naming.NamingException: JNDI lookup failed - 403: Client Username Is Shutdown
I struggled a lot to find the solution but did not get anywhere; with the help of my friend we found the solution below, so I thought of posting.
Solution:
The CN name in the certificate was not matching the client username in the ACL. It is case sensitive, and in my case the client username was in small letters and the CN name in the certificate was in capital letters. So I asked the Solace Ops team to set the username explicitly in capital letters in the ACL. That's the solution.
Comments
Thanks for sharing @manish. Certificates can definitely be tricky.
For others that come across this I copied & pasted this from the docs as well: By default, when using client certificates, the common name (CN) in a client certificate’s subject is used as the client username.
So your certificate's CN must match your client-username to authenticate and then that client-username has a client-profile and acl-profile which define what permissions are authorized.
Just to explain why the error is "Client Username is shutdown" - even if the (right) client username doesn't exist:
Solace brokers have a "default" client-username configured everywhere. If that client-username is enabled and you know the password for it, EVERY client with any client-username and the password from the default-client-username can connect.
There are use cases, where this is a feature: Imagine, you have 100.000 IoT devices connecting to your broker... you don't want to configure 100.000 client-usernames...
In environments where you just have a small bunch of client-usernames, these are configured manually. And in these environments, the default client-username is disabled - so no login for any unknown client-username is possible. And that's the reason why the error "Client Username is shutdown" is absolutely correct... because the default-client-username is shut down.
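
The case-sensitive match between the certificate CN and the broker's client-username described in this thread can be checked before a certificate is deployed. The Python below is an added example, not code from the thread or from Solace; it assumes the subject is supplied as an RFC 2253 style string (for example the output of `openssl x509 -noout -subject -nameopt RFC2253`), and the function names and sample values are constructed for illustration.

```python
import re
from typing import Optional

def subject_cn(subject: str) -> Optional[str]:
    """Return the CN from an RFC 2253 style subject string, or None.

    Handles backslash-escaped separators (e.g. 'O=Example Corp\\, Inc.').
    Hex escapes and quoted values are not handled in this sketch.
    """
    subject = subject.strip()
    if subject.lower().startswith("subject="):
        subject = subject[len("subject="):]
    # Split into RDNs on commas that are not backslash-escaped.
    for rdn in re.split(r"(?<!\\),", subject):
        # A multi-valued RDN joins attributes with '+'.
        for ava in re.split(r"(?<!\\)\+", rdn):
            key, sep, value = ava.partition("=")
            if sep and key.strip().upper() == "CN":
                # Drop the backslash from escaped characters.
                return re.sub(r"\\(.)", r"\1", value.strip())
    return None

def check_client_username(subject: str, client_username: str) -> str:
    """Compare the certificate CN with the configured client-username.

    Returns 'match', 'case-mismatch', 'mismatch' or 'no-cn'. A
    'case-mismatch' is the situation in the original post: the names
    differ only in letter case, so the exact client-username is not found.
    """
    cn = subject_cn(subject)
    if cn is None:
        return "no-cn"
    if cn == client_username:
        return "match"
    if cn.casefold() == client_username.casefold():
        return "case-mismatch"
    return "mismatch"

# Constructed sample values, not taken from the thread.
SAMPLE_SUBJECT = "subject=CN=MULE-ORDERS-APP,OU=Integration,O=Example Corp\\, Inc.,C=US"

if __name__ == "__main__":
    for username in ("mule-orders-app", "MULE-ORDERS-APP", "billing-app"):
        print(username, "->", check_client_username(SAMPLE_SUBJECT, username))
```
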