Error with Client Certificate Authentication
Hi,
I have enabled authentication for the message-vpn to be client-certificate by following the instructions on the docs page.

# commands used
enable
configure
message-vpn <vpn_name>
authentication
client-certificate
validate-certificate-date
allow-api-provided-username
no shutdown

While using SDKPerf to test the SSL connectivity, I am seeing the error below:

JAVA: /bin/java
SOLACE_VM_ARGS: -Xms512m -Xmx1024m
Run Info: CPU usage currently disabled.
Client naming used: logging ID = router generated. username = perf_client000001 vpn = default client names = sdk generated.
VM Name: OpenJDK 64-Bit Server VM
Run Info: Using Java Nanosecond Timer for Timing
Timing Package Clock Speed (Hz): 1000000000

Am I missing something? Could someone please help?
Thanks,
Raghu
Comments
The line "Client Certificate Authenticate is supported only for SSL secured schemes" indicates that you are not connecting to an SSL port (e.g. SMF over TLS or MQTT over TLS).

What is your sdkperf command line?

What is the output of "show service"?

And, always a good idea: have a look at the broker event.log for any errors.
Hi @rdesoju, looks like you're making progress, which is good. @uherbst has it right: you're connecting to the unencrypted broker port. By default, if you specify just the broker address with the -cip option to sdkperf, it connects to port 55555, the unencrypted broker port. Try -cip <address>:55443, which is the default encrypted port.
Here is the command I'm using. Still seeing the same issue.

#!/bin/bash
broker_hosts=<ip1>:55443,<ip2>:55443
vpn=<vpn_name>
cert_keystore=./client.keystore
keystore_pass=<passwd>

./sdkperf_java.sh -cip=tcps://$broker_hosts -cu=@$vpn \
  -pt1=ssl/topic -mn=10000 -stl=ssl/topic -q -md \
  -sslks=$cert_keystore -sslksp=$keystore_pass

Also, I tried with and without a port number in the -cip switch. Default and non-default port numbers both throw the same error.
Here is the "show service" command output:

Msg-Backbone: Enabled
VRF: management
SMF: Enabled
Web-Transport: Enabled
REST Incoming: Enabled
REST Outgoing: Enabled
MQTT: Enabled
AMQP: Enabled
Health-check: Enabled
Mate-link: Enabled
Redundancy: Enabled

Max Incoming Connections: 100
  Service SMF: 100
  Service Web-Transport: 100
  Service REST: 100
  Service MQTT: 100
  Service AMQP: 100
Max Outgoing Connections:
  Service REST: 100
Max SSL Connections: 100

Event Threshold                    Set Value        Clear Value
---------------------------------- ---------------- ----------------
Incoming Connections               80%(80)          60%(60)
  Service SMF                      80%(80)          60%(60)
Outgoing Connections
  Service REST                     80%(80)          60%(60)
SSL Connections                    80%(80)          60%(60)

Flags Legend:
TP  - Transport
      T+U - TCP and UDP
S   - SSL (Y=Yes, N=No, -=not-applicable)
C   - Compressed (Y=Yes, N=No, -=not-applicable)
R   - Routing Ctrl (Y=Yes, N=No, -=not-applicable)
VRF - VRF (Mgmt=management, MsgBB=msg-backbone)
A   - Admin State (U=Up, D=Down, -=not-applicable)
O   - Oper State (U=Up, D=Down, -=not-applicable)

Status
Service    TP  S C R VRF   MsgVpn  Port  A O Failed Reason
---------- --- - - - ----- ------- ----- - - --------------------------
SEMP       TCP N - - Mgmt          8080  U U
SEMP       TCP Y - - Mgmt          943   U U
SMF        TCP N N N Mgmt          55555 U U
SMF        TCP N Y N Mgmt          55003 U U
SMF        TCP N N Y Mgmt          55556 U D
SMF        TCP Y N N Mgmt          55443 U U
SMF        WEB N - - Mgmt          80    U U
SMF        WEB Y - - Mgmt          443   U U
MQTT       TCP N - - Mgmt  default 1883  U U
MQTT       TCP Y - - Mgmt  default 8883  U U
MQTT       WEB N - - Mgmt  default 8000  U U
MQTT       WEB Y - - Mgmt  default 8443  U U
AMQP       TCP N - - MsgBB default 5672  U U
AMQP       TCP Y - - MsgBB default 5671  U U
REST       WEB N - - Mgmt  default 9000  U U
REST       WEB Y - - Mgmt  default 9443  U U
MATELINK   TCP N N N Mgmt          8741  U U
HEALTHCHK  TCP N N N Mgmt          5550  U U
REDUNDANCY TCP Y N N Mgmt          8300  U U
REDUNDANCY T+U Y N N Mgmt          8301  U U
REDUNDANCY T+U Y N N Mgmt          8302  U U

Thanks,
Raghu
The above-mentioned SDKPerf command is working when the -cip switch is provided with only one IP address and port number: broker_hosts=<ip1>:55443.

However, if I give two IPs and ports as mentioned initially, it still fails with the same error.

Also, when I add the properties below in my Java SMF code, it still fails with the same error as mentioned above:

// tcps:// selects TLS; a bare host:port is dialled as plaintext tcp://
properties.setProperty(JCSMPProperties.HOST, "tcps://ip:55443");
properties.setProperty(JCSMPProperties.AUTHENTICATION_SCHEME, JCSMPProperties.AUTHENTICATION_SCHEME_CLIENT_CERTIFICATE);
properties.setProperty(JCSMPProperties.SSL_VALIDATE_CERTIFICATE, true);
// disables the expiry check on the broker certificate; keep true outside testing
properties.setProperty(JCSMPProperties.SSL_VALIDATE_CERTIFICATE_DATE, false);
properties.setProperty(JCSMPProperties.SSL_TRUST_STORE, "./cacerts");
properties.setProperty(JCSMPProperties.SSL_TRUST_STORE_PASSWORD, <passwd>);
// client certificate and key presented to the broker
properties.setProperty(JCSMPProperties.SSL_KEY_STORE, "./client.keystore");
properties.setProperty(JCSMPProperties.SSL_KEY_STORE_PASSWORD, <passwd>);

So, only SDKPerf is working with a single IP and port combination right now.

Please help.

Thanks,
Raghu