activemq ssl java.security.cert.CertificateException: No name matching localhost found
Resolving the activemq ssl java.security.cert.CertificateException: No name matching localhost found problem
Contents
Broker SSL Connector and SSL certificate configuration
Problem description:
An ssl+nio connector was configured on the AMQ broker and an SSL certificate installed; when a client sends and consumes topic messages over SSL, it fails with java.security.cert.CertificateException: No name matching localhost found. The detailed steps are below.
Creating the SSL certificates (self-signed, no CA signature)
# Create the broker keystore
keytool -genkey -alias broker -keyalg RSA -keystore broker.ks
# Export the broker certificate from the broker keystore
keytool -export -alias broker -keystore broker.ks -file broker_cert
# Create the client keystore
keytool -genkey -alias client -keyalg RSA -keystore client.ks
# Import the broker certificate into the client truststore (client.ts)
keytool -import -alias broker -keystore client.ts -file broker_cert
Note: this is one-way authentication only, i.e. the client verifies that the broker is legitimate; two-way (mutual) authentication is not configured here. For mutual authentication see https://activemq.apache.org/how-do-i-use-ssl.html
Broker SSL Connector and SSL certificate configuration
Configure the generated certificate in the AMQ broker and configure the connectors that use it.
Configure transportConnectors (in activemq.xml the URI is an XML attribute, so the query-string separator must be written as &amp;)
<transportConnectors>
    ...
    <transportConnector name="auto+nio+ssl" uri="auto+nio+ssl://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="nio+ssl" uri="nio+ssl://0.0.0.0:61617?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    ...
</transportConnectors>
Configure the SSL certificate (the outer sslContext element is the broker property, the inner one is the bean)
<sslContext>
    <sslContext keyStore="conf/broker.ks"
                keyStorePassword="******"
                trustStore="conf/broker.ks"
                trustStorePassword="******" />
</sslContext>
Key client code
The client code is simple (for both publish and subscribe), so only the relevant part is shown.
// Use ActiveMQSslConnectionFactory, a subclass of ActiveMQConnectionFactory that adds the SSLContext-related settings
ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory("ssl://192.168.88.3:61617");
factory.setKeyAndTrustManagers(getKeyManagers("keystore路径", "keystore密码"),
        getTrustManagers(), new java.security.SecureRandom());
// ... omitted
// Hand-written X509TrustManager supplied in place of the JDK default trust managers
private static TrustManager[] getTrustManagers()
        throws NoSuchAlgorithmException, IOException,
        KeyStoreException, CertificateException {
    return new TrustManager[]{new X509TrustManager() {
        private X509Certificate[] certificates;
        @Override
        public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
            if (x509Certificates == null) {
                this.certificat
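As an added example, not code from the original post: a client that loads client.ts through the JDK's standard TrustManagerFactory and, before connecting, checks whether the broker certificate's SAN/CN actually names the host in the broker URL, which is the comparison that fails with "No name matching localhost found". The class and method names, the truststore password "changeit" and the alias "broker" are assumptions; the file names and URL follow the steps above.

```java
import java.io.FileInputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.activemq.ActiveMQSslConnectionFactory;

public class SslClientCheck {
    // Assumed values (not from the post); they follow the keytool steps and the client URL above.
    static final String TRUST_STORE = "client.ts", BROKER_ALIAS = "broker", BROKER_URL = "ssl://192.168.88.3:61617";
    static final char[] TRUST_STORE_PW = "changeit".toCharArray();

    // Mirrors JSSE's hostname check, the source of "No name matching <host> found": a SAN dNSName (2)
    // or iPAddress (7) equal to the URL host; a DNS-name host may also match the CN when no SAN exists.
    static boolean certNamesHost(X509Certificate cert, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> e : sans) {
                int type = (Integer) e.get(0);
                if ((type == 2 || type == 7) && host.equalsIgnoreCase(String.valueOf(e.get(1)))) return true;
            }
            return false;
        }
        if (host.matches("[0-9.]+")) return false; // an IP literal never matches via CN (IPv4 form checked here)
        Matcher m = Pattern.compile("(?:^|,)CN=([^,]+)").matcher(cert.getSubjectX500Principal().getName());
        return m.find() && m.group(1).trim().equalsIgnoreCase(host);
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(TRUST_STORE)) { ts.load(in, TRUST_STORE_PW); }
        String host = new URI(BROKER_URL).getHost();
        X509Certificate brokerCert = (X509Certificate) ts.getCertificate(BROKER_ALIAS);
        if (!certNamesHost(brokerCert, host)) {
            // The same mismatch the exception reports: fix the certificate's SAN/CN, do not disable the check.
            throw new IllegalStateException("broker certificate does not name " + host);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts); // JDK trust managers backed by client.ts, instead of a hand-written X509TrustManager
        ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory(BROKER_URL);
        factory.setKeyAndTrustManagers(null, tmf.getTrustManagers(), new SecureRandom()); // one-way TLS
        factory.createConnection().close();
    }
}
```

If the pre-flight check fails, regenerate the broker certificate so that its SAN (or CN) covers the host name or IP the clients put in the URL, then re-export and re-import it into client.ts as in the steps above.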