Caused by: javax.naming.NamingException: JNDI lookup failed - 403: Client Username Is Shutdown

manish
manish Member Posts: 45 ✭✭✭

Hi Team,
While connecting securely Solace from MuleSoft Integration product using
AUTHENTICATION_SCHEME_CLIENT_CERTIFICATE with below studio version,

Anypoint Studio - Tooling for Mule Runtime
Version: 7.8.0
Build Id: 202101272310 

Caused by: org.mule.extensions.jms.api.exception.JmsExtensionException: JNDI lookup failed - 403: Client Username Is Shutdown. JNDI lookup failed - 403: Client Username Is Shutdown
Caused by: javax.naming.NamingException: JNDI lookup failed - 403: Client Username Is Shutdown
I struggled a lot to find the solution but I did not get anywhere but with help of my friend we found the below solution., so I thought of posting.
Solution:

The CN  name in the certificate  was not matching  with client username in ACL. It is case sensitive and in my case client username was in small letter and CN name in the certificate is in capital letter.
So I asked Solace Ops team to set username explicitly in Capital letter  in ACL. That's the solution.
Tagged:

Comments

  • marc
    marc Member, Administrator, Moderator, Employee Posts: 959 admin

    Thanks for sharing @manish. Certificates can definitely be tricky :)
    For others that come across this I copied & pasted this from the docs as well:

    By default, when using client certificates, the common name (CN) in a client certificate’s subject is used as the client username.

    So your certificate's CN must match your client-username to authenticate and then that client-username has a client-profile and acl-profile which define what permissions are authorized

  • uherbst
    uherbst Member, Employee Posts: 129 Solace Employee
    edited March 2021 #3

    Just to explain, why the error is "Client Username is shutdown" - even if the (right) client username doesnt exist:

    Solace brokers have a "default" client-username configured everywhere. If that client-username is enabled and you know the password for it, EVERY client with any client-username and the password from the default-client-username can connect.
    There are use cases, where this is a feature: Imagine, you have 100.000 IoT devices connecting to your broker... you don't want to configure 100.000 client-usernames...
    In environments, where you just have a small bunch of client-usernames, these are configured manually. And in these environments, the default client-username is disabled - so no login for any unknown client-username is possible. And that's the reason, why the error "Client Username is shutdown" is absolutely correct... because the default-client-username is shutdown'ed.