Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 2.5.0, 2.16.0
- None
In our case the application uses the default Java truststore location at $JAVA_HOME/lib/security/jssecacerts, and only supplies its password in javax.net.ssl.trustStorePassword, and then uses a dedicated truststore for Artemis. Defining both org.apache.activemq.ssl.trustStore and org.apache.activemq.ssl.trustStorePassword now makes Artemis use the dedicated truststore (javax.net.ssl.trustStore is not set as we use the default location, so the second choice org.apache.activemq.ssl.trustStore applies), but with the Java default truststore password (first choice javax.net.ssl.trustStorePassword applies instead of the second choice because it is set for the default truststore). Obviously, this does not work unless both passwords are identical!
Description
If an application wants to use a special key/truststore for Artemis but have the remainder of the application use the default Java store, the org.apache.activemq.ssl.keyStore needs to take precedence over Java's javax.net.ssl.keyStore. However, the current implementation takes the first non-null value from
- System.getProperty(JAVAX_KEYSTORE_PATH_PROP_NAME)
- System.getProperty(ACTIVEMQ_KEYSTORE_PATH_PROP_NAME)
- keyStorePath
So if the default Java property is set, no override is possible.
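The mismatch described in this report, modelled as an added Java example (not Artemis source code, and not the change that was committed): path and password are each resolved independently as "first non-null", so a store can end up paired with another store's password. The class and method names, the file path and the passwords are constructed for illustration; the four property names are the ones quoted in the report.

```java
import java.util.Properties;

// Added illustration; not Artemis source. Models the lookup order from the report.
public class TrustStorePrecedence {
    static final String JAVAX_PATH = "javax.net.ssl.trustStore";
    static final String JAVAX_PASS = "javax.net.ssl.trustStorePassword";
    static final String AMQ_PATH = "org.apache.activemq.ssl.trustStore";
    static final String AMQ_PASS = "org.apache.activemq.ssl.trustStorePassword";

    // Return the first non-null candidate, or null if none is set.
    static String firstNonNull(String... candidates) {
        for (String c : candidates) {
            if (c != null) {
                return c;
            }
        }
        return null;
    }

    // Order described in the report: javax.* first, then org.apache.activemq.*, then the configured value.
    static String[] reported(Properties p, String cfgPath, String cfgPass) {
        return new String[] {
            firstNonNull(p.getProperty(JAVAX_PATH), p.getProperty(AMQ_PATH), cfgPath),
            firstNonNull(p.getProperty(JAVAX_PASS), p.getProperty(AMQ_PASS), cfgPass)
        };
    }

    // Order the report asks for: org.apache.activemq.* overrides javax.*.
    static String[] requested(Properties p, String cfgPath, String cfgPass) {
        return new String[] {
            firstNonNull(p.getProperty(AMQ_PATH), p.getProperty(JAVAX_PATH), cfgPath),
            firstNonNull(p.getProperty(AMQ_PASS), p.getProperty(JAVAX_PASS), cfgPass)
        };
    }

    public static void main(String[] args) {
        // Constructed sample values mirroring the reporter's setup:
        // javax.net.ssl.trustStore is unset, only its password is supplied.
        Properties p = new Properties();
        p.setProperty(JAVAX_PASS, "jvm-default-password");
        p.setProperty(AMQ_PATH, "/opt/app/artemis-truststore.jks");
        p.setProperty(AMQ_PASS, "artemis-password");

        String[] a = reported(p, null, null);
        String[] b = requested(p, null, null);
        System.out.println("reported:  " + a[0] + " opened with " + a[1]);
        System.out.println("requested: " + b[0] + " opened with " + b[1]);
    }
}
```

With the reported order the dedicated Artemis store is paired with the JVM default store's password; with the requested order both values come from the org.apache.activemq.* pair.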
Issue Links
- relates to ARTEMIS-2932 Configuration of SSL/TLS (Reopened)