Hello everybody,
I’m running IntegrationServer 9.9 and ActiveMQ 5.14.4.
I’m trying to connect the Integration Server to ActiveMQ using SSL.
I configured SSL on ActiveMQ following the documentation on the official website.
First I generated the keystore and the truststore
keytool -genkey -alias broker -keyalg RSA -keystore broker.ks
keytool -export -alias broker -keystore broker.ks -file broker_cert
keytool -genkey -alias client -keyalg RSA -keystore client.ks
keytool -import -alias broker -keystore client.ts -file broker_cert
Then I copied the keystore and the truststore within the ActiveMQ installation directory
cp broker.ks /home/sag/apache-activemq-5.14.4/conf/
cp client.ks /home/sag/apache-activemq-5.14.4/conf/
Finally I edited the <active_mq_install_dir>/conf/activemq.xml with the following configuration: I added the ssl context
<sslContext>
<sslContext
keyStore="broker.ks" keyStorePassword="password"
trustStore="client.ks" trustStorePassword="password"/>
</sslContext>
and I added the transport configuration
<transportConnector name="ssl" uri="ssl://0.0.0.0:61617?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600" />
At this point, starting ActiveMQ is ok and I verified that the SSL connector is actually working
INFO | Connector ssl started
Regarding the IntegrationServer, I created a keystore alias under the security>keystore menu on localhost:5555. I also created a truststore alias under the security>keystore menu on localhost:5555. Obviously the keystore alias references the keystore broker.ks while the truststore alias references the truststore client.ks.
Finally, I added watt.server.ssl.keyStoreAlias and watt.server.ssl.trustStoreAlias within the extended settings referencing the keystore alias and the truststore alias mentioned above.
After having created the jndi alias name (test lookup is working) I also created the corresponding jms connection alias.
At this point, when enabling the jms connection alias I’m getting an SSL exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
Am I missing something? Is there something wrong with the procedure described above?
I hope you can help me
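
One way to check which store actually holds the exported broker certificate (an added example, not part of the original post): it parses `keytool -list -v` output and tests whether the broker's certificate fingerprint appears as a `trustedCertEntry` in the store used as truststore. The sample outputs are constructed and abbreviated, the fingerprints are made up, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: does the store used as truststore contain the broker's certificate?

# Reads `keytool -list -v` output on stdin and prints one line per entry:
#   alias|entry type|SHA-256 fingerprint of the entry's first (leaf) certificate
list_entries() {
    awk '
        /^Alias name:/ { alias = $0; sub(/^Alias name: */, "", alias) }
        /^Entry type:/ { type = $0; sub(/^Entry type: */, "", type) }
        /SHA256:/ && !(alias in seen) { seen[alias] = 1; print alias "|" type "|" $NF }
    '
}

# $1 = `keytool -list -v` output of the broker keystore, $2 = same for the truststore.
# Returns 0 only if the broker's own certificate is a trustedCertEntry in the truststore,
# 1 if it is absent, 2 if the broker keystore has no PrivateKeyEntry.
truststore_has_broker_cert() {
    broker_fp=$(printf '%s\n' "$1" | list_entries |
        awk -F'|' '$2 == "PrivateKeyEntry" { print $3; exit }')
    [ -n "$broker_fp" ] || return 2
    printf '%s\n' "$2" | list_entries | awk -F'|' -v fp="$broker_fp" \
        '$2 == "trustedCertEntry" && $3 == fp { found = 1 } END { exit !found }'
}

# Constructed, abbreviated keytool output for the three stores created in the post.
BROKER_KS='Alias name: broker
Entry type: PrivateKeyEntry
Certificate fingerprints:
     SHA256: AA:11:22:33'
CLIENT_KS='Alias name: client
Entry type: PrivateKeyEntry
Certificate fingerprints:
     SHA256: BB:44:55:66'
CLIENT_TS='Alias name: broker
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA256: AA:11:22:33'

for store in client.ks client.ts; do
    case $store in client.ks) out=$CLIENT_KS ;; *) out=$CLIENT_TS ;; esac
    if truststore_has_broker_cert "$BROKER_KS" "$out"; then
        echo "$store: contains the broker certificate"
    else
        echo "$store: does NOT contain the broker certificate"
    fi
done
```

On a real system, pass the output of `keytool -list -v -keystore <store>` for each store instead of the constructed samples.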