Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-8713

ConsumeJMS and PublishJMS SSL/TLS PKIX path building failed

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.13.2
    • Fix Version/s: None
    • Component/s: Extensions
    • Environment:
      redhat
      java sap machine 1.11
      activemq-all-5.15.9.jar

      Description

      ConsumeJMS and PublichJMS  SSL/TLS - error message  PKIX path building failed

       

      In the current design the keystore password is stored in plain text. It should be stored in sensitive property. se comment below!

       

       

       

      getJMSQueue putJMSQueue works fine with the same jks file and SSL context service.
      invokeHTTP works fine with the same context service.

      I have a  root ca that issues the server certificates without intermediate ca.
      In the trust store jks there is only one certificate so it's a very simple setup.

      Is there any extra requirements on the jks trsutstore when using ConsumeJMS or PublishJMS compared to getJMSQueue putJMSQueue ?

       

      The trust store type in the SSL context service seems to not matter if it is set to JKS or PKCS12 .

      ConsumeJMS or PublishJMS fails both with JKS and PKCS12

       getJMSQueue putJMSQueue works with  JKS and PKCS12.

       

      java keytool lists my trust store as keystore type PKCS12 provider SUN.

      I have tested with a keystore of type JKS but it fails with the same error message. 

       

      activemq-all-5.15.9.jar is used with ConsumeJMS or PublishJMS

      getJMSQueue putJMSQueue uses ActiveMQ driver shipped with NiFi

       

      The activemq-all-5.15.9.jar has been tested in sap po whrere it works fine. 

       

      Tested using the JMS* properties on the processor instead of the connection factory service JMS context servive but still the same error message.

      I guess the ConsumeJMS or PublishJMS doesn't use the specified ssl context service but maybe fall back to using jdk cacerts file?
      Tested putting the root ca cert in cacerts file and in the file pointed to by nifi.security.truststore but it is still the same error message.

       

        Attachments

        1. image-2021-06-17-12-07-32-920.png
          35 kB
          Jul Tomten
        2. image-2021-06-16-21-40-53-349.png
          37 kB
          Jul Tomten

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              tomten1970 Jul Tomten
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: