Error with Client Certificate Authentication
Hi,
I have enabled authentication for the message-vpn to be client-certificate by following the instructions on the docs page.
```
# commands used
enable
configure
message-vpn <vpn_name>
authentication
client-certificate
validate-certificate-date
allow-api-provided-username
no shutdown
```
While using SDK Perf to test the SSL connectivity, I see the error below:
```
JAVA: /bin/java
SOLACE_VM_ARGS: -Xms512m -Xmx1024m
Run Info: CPU usage currently disabled.
Client naming used: logging ID = router generated.
  username = perf_client000001
  vpn = default
  client names = sdk generated.
VM Name: OpenJDK 64-Bit Server VM
Run Info: Using Java Nanosecond Timer for Timing
Timing Package Clock Speed (Hz): 1000000000
```
Am I missing something? Could someone please help?
Thanks,
Raghu
Comments
-
The line with "Client Certificate Authenticate is supported only for SSL secured schemes" indicates that you are not connecting to an SSL port (e.g. SMF over TLS or MQTT over TLS).
What is your sdkperf command line?
What is the output of "show service"?
And always a good idea: have a look at the broker event.log for any errors.
-
Hi @rdesoju, looks like you're making progress, which is good. @uherbst has it right: you're connecting to the unencrypted broker port. By default, if you specify just the broker address with the -cip option to sdkperf, it connects to port 55555, the unencrypted broker port. Try -cip <address>:55443, which is the default encrypted port.
-
Here is the command I'm using. Still seeing the same issue.
```bash
#!/bin/bash
broker_hosts=<ip1>:55443,<ip2>:55443
vpn=<vpn_name>
cert_keystore=./client.keystore
keystore_pass=<passwd>
# client certificate auth over TLS: key store holds the client cert and key
./sdkperf_java.sh -cip=tcps://$broker_hosts -cu=@$vpn \
  -pt1=ssl/topic -mn=10000 -stl=ssl/topic -q -md \
  -sslks=$cert_keystore -sslksp=$keystore_pass
```
Also, I tried with and without a port number in the -cip switch. Default and non-default port numbers both throw the same error.
Here is the show service command output:
```
Msg-Backbone:   Enabled
VRF:            management
SMF:            Enabled
Web-Transport:  Enabled
REST Incoming:  Enabled
REST Outgoing:  Enabled
MQTT:           Enabled
AMQP:           Enabled
Health-check:   Enabled
Mate-link:      Enabled
Redundancy:     Enabled

Max Incoming Connections:      100
  Service SMF:                 100
  Service Web-Transport:       100
  Service REST:                100
  Service MQTT:                100
  Service AMQP:                100
Max Outgoing Connections:
  Service REST:                100
Max SSL Connections:           100

Event Threshold                    Set Value        Clear Value
---------------------------------- ---------------- ----------------
Incoming Connections               80%(80)          60%(60)
  Service SMF                      80%(80)          60%(60)
Outgoing Connections
  Service REST                     80%(80)          60%(60)
SSL Connections                    80%(80)          60%(60)

Flags Legend:
TP  - Transport
T+U - TCP and UDP
---Press any key to continue, or `q' to quit---
S   - SSL (Y=Yes, N=No, -=not-applicable)
C   - Compressed (Y=Yes, N=No, -=not-applicable)
R   - Routing Ctrl (Y=Yes, N=No, -=not-applicable)
VRF - VRF (Mgmt=management, MsgBB=msg-backbone)
A   - Admin State (U=Up, D=Down, -=not-applicable)
O   - Oper State (U=Up, D=Down, -=not-applicable)

Status
Service    TP  S C R VRF   MsgVpn          Port  A O Failed Reason
---------- --- ----- ----- --------------- ----- --- --------------------------
SEMP       TCP N - - Mgmt                  8080  U U
SEMP       TCP Y - - Mgmt                  943   U U
SMF        TCP N N N Mgmt                  55555 U U
SMF        TCP N Y N Mgmt                  55003 U U
SMF        TCP N N Y Mgmt                  55556 U D
SMF        TCP Y N N Mgmt                  55443 U U
SMF        WEB N - - Mgmt                  80    U U
SMF        WEB Y - - Mgmt                  443   U U
MQTT       TCP N - - Mgmt  default         1883  U U
MQTT       TCP Y - - Mgmt  default         8883  U U
MQTT       WEB N - - Mgmt  default         8000  U U
MQTT       WEB Y - - Mgmt  default         8443  U U
AMQP       TCP N - - MsgBB default         5672  U U
AMQP       TCP Y - - MsgBB default         5671  U U
REST       WEB N - - Mgmt  default         9000  U U
REST       WEB Y - - Mgmt  default         9443  U U
MATELINK   TCP N N N Mgmt                  8741  U U
HEALTHCHK  TCP N N N Mgmt                  5550  U U
REDUNDANCY TCP Y N N Mgmt                  8300  U U
REDUNDANCY T+U Y N N Mgmt                  8301  U U
REDUNDANCY T+U Y N N Mgmt                  8302  U U
```
Thanks,
Raghu
-
The above-mentioned SDK Perf command is working when the -cip switch is provided with only one IP address and port number: broker_hosts=<ip1>:55443
However, if I give two IPs and ports as mentioned initially, it is still failing with the same error.
Also, when I add the properties below in my Java SMF code, it is still failing with the same error as mentioned above:
```java
properties.setProperty(JCSMPProperties.HOST, "ip:55443");
properties.setProperty(JCSMPProperties.AUTHENTICATION_SCHEME,
        JCSMPProperties.AUTHENTICATION_SCHEME_CLIENT_CERTIFICATE);
properties.setProperty(JCSMPProperties.SSL_VALIDATE_CERTIFICATE, true);
properties.setProperty(JCSMPProperties.SSL_VALIDATE_CERTIFICATE_DATE, false);
properties.setProperty(JCSMPProperties.SSL_TRUST_STORE, "./cacerts");
properties.setProperty(JCSMPProperties.SSL_TRUST_STORE_PASSWORD, <passwd>);
properties.setProperty(JCSMPProperties.SSL_KEY_STORE, "./client.keystore");
properties.setProperty(JCSMPProperties.SSL_KEY_STORE_PASSWORD, <passwd>);
```
So, only SDK Perf is working with a single IP and port combination right now.
Please help.
Thanks,
Raghu
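Added example, not code from this thread or from Solace: a JCSMP session setup that refuses any host-list entry lacking the tcps:// scheme before enabling client-certificate authentication. It assumes that a JCSMP host given without a scheme (such as the thread's "ip:55443", or the second entry of "tcps://ip1:55443,ip2:55443") is treated as plain TCP, which is the condition the "supported only for SSL secured schemes" error reports; host names, store paths and passwords are placeholders.

```java
import com.solacesystems.jcsmp.JCSMPException;
import com.solacesystems.jcsmp.JCSMPFactory;
import com.solacesystems.jcsmp.JCSMPProperties;
import com.solacesystems.jcsmp.JCSMPSession;

public class ClientCertSession {
    // Preflight (assumption, see lead-in): each entry of a comma-separated JCSMP
    // host list needs its own tcps:// scheme. An entry without one is treated as
    // plain TCP, and client-certificate authentication is only accepted over TLS.
    static String requireTlsOnEveryHost(String hostList) {
        StringBuilder checked = new StringBuilder();
        for (String entry : hostList.split(",")) {
            String host = entry.trim();
            if (host.isEmpty()) continue;
            if (!host.startsWith("tcps://")) {
                throw new IllegalArgumentException("host '" + host
                    + "' has no tcps:// scheme; client-certificate auth needs TLS");
            }
            if (checked.length() > 0) checked.append(',');
            checked.append(host);
        }
        return checked.toString();
    }

    // Session properties for client-certificate authentication over TLS. The trust
    // store must hold the CA that signed the broker's certificate so validation stays on.
    static JCSMPProperties clientCertProperties(String hostList, String vpn,
            String keyStore, String keyStorePass, String trustStore, String trustStorePass) {
        JCSMPProperties p = new JCSMPProperties();
        p.setProperty(JCSMPProperties.HOST, requireTlsOnEveryHost(hostList));
        p.setProperty(JCSMPProperties.VPN_NAME, vpn);
        p.setProperty(JCSMPProperties.AUTHENTICATION_SCHEME,
                JCSMPProperties.AUTHENTICATION_SCHEME_CLIENT_CERTIFICATE);
        p.setProperty(JCSMPProperties.SSL_KEY_STORE, keyStore);
        p.setProperty(JCSMPProperties.SSL_KEY_STORE_PASSWORD, keyStorePass);
        p.setProperty(JCSMPProperties.SSL_TRUST_STORE, trustStore);
        p.setProperty(JCSMPProperties.SSL_TRUST_STORE_PASSWORD, trustStorePass);
        // Keep both validations on: turning either off lets an impostor broker
        // present an invalid or expired certificate and still receive the client cert.
        p.setProperty(JCSMPProperties.SSL_VALIDATE_CERTIFICATE, true);
        p.setProperty(JCSMPProperties.SSL_VALIDATE_CERTIFICATE_DATE, true);
        return p;
    }

    public static void main(String[] args) throws JCSMPException {
        JCSMPProperties props = clientCertProperties( // scheme on BOTH hosts (placeholders)
                "tcps://<ip1>:55443,tcps://<ip2>:55443", "<vpn_name>",
                "./client.keystore", "<passwd>", "./cacerts", "<passwd>");
        JCSMPSession session = JCSMPFactory.onlyInstance().createSession(props);
        session.connect();
        session.closeSession();
    }
}
```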