The purpose of this README file is to show how to generate SSL-related key pairs and self-signed certificates for testing, and how to configure the RocketMQ TLS configuration file parameters.
openssl req -newkey rsa:2048 -passout pass:123456 -keyout ca_rsa_private.pem -x509 -days 365 -out ca.crt -subj "/C=CN/ST=BJ/L=BJ/O=COM/OU=NSP/CN=CA/emailAddress=youremail@apache.com"
openssl req -newkey rsa:2048 -passout pass:server -keyout server_rsa_private.pem -out server.csr -subj "/C=CN/ST=BJ/L=BJ/O=COM/OU=NSP/CN=SERVER/emailAddress=youremail@apache.com"
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca_rsa_private.pem -passin pass:123456 -CAcreateserial -out server.crt # Alternatively, convert the encrypted RSA key to an unencrypted RSA key, avoiding the requirement to enter the decryption password for each read. openssl rsa -in server_rsa_private.pem -out server_rsa_private.pem.unsecure -passin pass:server
openssl req -newkey rsa:2048 -passout pass:client -keyout client_rsa_private.pem -out client.csr -subj "/C=CN/ST=BJ/L=BJ/O=COM/OU=NSP/CN=CLIENT/emailAddress=youremail@apache.com"
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca_rsa_private.pem -passin pass:123456 -CAcreateserial -out client.crt # Alternatively, convert the encrypted RSA key to an unencrypted RSA key openssl rsa -in client_rsa_private.pem -out client_rsa_private.pem.unsecure -passin pass:client
openssl pkcs8 -topk8 -v1 PBE-SHA1-RC4-128 -in server_rsa_private.pem -out server_rsa_private_pkcs8.pem -passout pass:server -passin pass:server openssl pkcs8 -topk8 -v1 PBE-SHA1-RC4-128 -in client_rsa_private.pem -out client_rsa_private_pkcs8.pem -passout pass:client -passin pass:client
ssl.properties (Note: there should be no spaces after the attribute value)
## client setting tls.client.certPath=/home/rocketmq/ssl/client.crt tls.client.keyPath=/home/rocketmq/ssl/client_rsa_private_pkcs8.pem tls.client.keyPassword=client tls.client.trustCertPath=/home/rocketmq/ssl/ca.crt ## server setting tls.server.certPath=/home/rocketmq/ssl/server.crt tls.server.keyPath=/home/rocketmq/ssl/server_rsa_private_pkcs8.pem tls.server.keyPassword=server tls.server.trustCertPath=/home/rocketmq/ssl/ca.crt #server.auth.client tls.server.need.client.auth=required
-Dtls.enable=true -Dtls.client.authServer=true # force verifying server cert -Dtls.test.mode.enable=false # not a test mode -Dtls.config.file=/home/rocketmq/ssl/ssl.properties
-Dtls.test.mode.enable=false #not a test mode -Dtls.config.file=/home/rocketmq/ssl/ssl.properties -Dtls.server.need.client.auth=required
$ docker logs rmqbroker java.lang.IllegalArgumentException: Input stream does not contain valid private key. at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:278) at org.apache.rocketmq.remoting.netty.TlsHelper.buildSslContext(TlsHelper.java:124) at org.apache.rocketmq.remoting.netty.NettyRemotingClient.<init>(NettyRemotingClient.java:133) at org.apache.rocketmq.remoting.netty.NettyRemotingClient.<init>(NettyRemotingClient.java:99) at org.apache.rocketmq.broker.out.BrokerOuterAPI.<init>(BrokerOuterAPI.java:74) at org.apache.rocketmq.broker.out.BrokerOuterAPI.<init>(BrokerOuterAPI.java:70) at org.apache.rocketmq.broker.BrokerController.<init>(BrokerController.java:189) at org.apache.rocketmq.broker.BrokerStartup.createBrokerController(BrokerStartup.java:210) at org.apache.rocketmq.broker.BrokerStartup.main(BrokerStartup.java:58) Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48) at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:257) at sun.security.util.DerInputStream.getOID(DerInputStream.java:314) at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) at io.netty.handler.ssl.SslContext.generateKeySpec(SslContext.java:907) at io.netty.handler.ssl.SslContext.getPrivateKeyFromByteBuffer(SslContext.java:963) at io.netty.handler.ssl.SslContext.toPrivateKey(SslContext.java:953) at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:276) ... 8 more For illustration purposes: openssl genrsa -out private_openssl.pem openssl pkcs8 -topk8 -v1 PBE-SHA1-RC4-128 -in private_openssl.pem -out private_pkcs8_v1.pem -passout pass:123456 openssl pkcs8 -topk8 -v2 des3 -in private_openssl.pem -out private_pkcs8_v2.pem -passout pass:123456 KSE can open private_pkcs8_v1.pem just fine (that is when running under Java8, things are even worse with Java7), while trying to open private_pkcs8_v2.pem will cause java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48).