  1. AMQ Broker
  2. ENTMQBR-3287

Failover doesn't work when combined with 2-way TLS authentication

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Explained
    • AMQ 7.3.0.GA, AMQ 7.5.0.GA
    • None
    • high-availability
    • None
    • No workaround available.

    Description

      Failover (replication) doesn't work when combined with 2-way TLS authentication. The port is actually opened, but the client is unable to re-connect because of the wrong state sent by the broker. Reproduced on AMQ 7.3.0 and 7.5.0 using artemis-jms-client 2.9.0.redhat-00009 and activemq-client 5.11.0.redhat-630424 (attaching my test broker XMLs).

      This is after the failover happens:

      fvaleri-mac:amq-broker-7.5.0 fvaleri$ nmap localhost -Pn -p 61616,61617,61618,61619
      PORT      STATE  SERVICE
      61616/tcp closed unknown
      61617/tcp open   unknown
      61618/tcp closed unknown
      61619/tcp open   unknown
      
      fvaleri-mac:~ fvaleri$ netstat -ntp tcp | grep 6161
      tcp4       0      0  127.0.0.1.61617        127.0.0.1.53430        ESTABLISHED
      tcp4       0      0  127.0.0.1.53430        127.0.0.1.61617        ESTABLISHED
      tcp4       0      0  127.0.0.1.61616        127.0.0.1.53237        TIME_WAIT
      tcp4       0      0  127.0.0.1.61616        127.0.0.1.53235        TIME_WAIT
      tcp4       0      0  127.0.0.1.61616        127.0.0.1.53240        TIME_WAIT
      

      Same behavior with:

      tcp://localhost:61618?ha=true&retryInterval=1000&retryIntervalMultiplier=1.0&reconnectAttempts=-1&sslEnabled=true&keyStorePath=/tmp/jks/client-ks.jks&keyStorePassword=secret&trustStorePath=/tmp/jks/client-ts.jks&trustStorePassword=secret
      

      and

      (tcp://localhost:61618,tcp://localhost:61619)?ha=true&retryInterval=1000&retryIntervalMultiplier=1.0&reconnectAttempts=-1&sslEnabled=true&keyStorePath=/tmp/jks/client-ks.jks&keyStorePassword=secret&trustStorePath=/tmp/jks/client-ts.jks&trustStorePassword=secret&useTopologyForLoadBalancing=false
      

      This is the client DEBUG log when doing the first connection to master. As you can see, with a plain connection it gets both ports, while with a TLS connection it gets the wrong state and, when failover happens, it always tries to reconnect to the master port.

      # plain client log
      2020-02-26 12:56:59,182 [Producer.main()] DEBUG .impl.ClientSessionFactoryImpl - Reconnection successful
      2020-02-26 12:56:59,203 [Producer.main()] DEBUG .impl.ClientSessionFactoryImpl - Setting up backup config = TransportConfiguration(name=host1-connector, factory=org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory) ?port=61617&useKQueue=false&host=localhost for live = TransportConfiguration(name=null, factory=org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory) ?port=61616&host=localhost&retryIntervalMultiplier=1-0&reconnectAttempts=-1&ha=true&retryInterval=1000
      
      # tls client log
      2020-02-26 12:51:52,107 [Producer.main()] DEBUG .impl.ClientSessionFactoryImpl - Reconnection successful
      2020-02-26 12:51:52,115 [Producer.main()] DEBUG .impl.ClientSessionFactoryImpl - ClientSessionFactoryImpl received backup update for live/backup pair = TransportConfiguration(name=null, factory=org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory) ?trustStorePassword=****&port=61618&keyStorePassword=****&sslEnabled=true&host=localhost&trustStorePath=/tmp/jks/client-ts-jks&keyStorePath=/tmp/jks/client-ks-jks&retryIntervalMultiplier=1-0&reconnectAttempts=-1&ha=true&retryInterval=1000 / null but it didn't belong to TransportConfiguration(name=null, factory=org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory) ?trustStorePassword=****&port=61618&keyStorePassword=****&sslEnabled=true&host=localhost&trustStorePath=/tmp/jks/client-ts-jks&keyStorePath=/tmp/jks/client-ks-jks&retryIntervalMultiplier=1-0&reconnectAttempts=-1&ha=true&retryInterval=1000
      

          People

            ataylor@redhat.com Andy Taylor
            rhn-support-fvaleri Federico Valeri
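
A way to triage client DEBUG logs for the two `ClientSessionFactoryImpl` messages quoted in the description, telling a registered backup apart from a backup update that was ignored. This is an added example, not code from the report or from the Artemis project. The sample lines are constructed by shortening the quoted ones, and the function names and state labels are this example's own.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: the two messages quoted in the report, shortened
# (factory names elided, keystore/truststore parameters dropped).
SAMPLE_LOG = """\
2020-02-26 12:56:59,203 [Producer.main()] DEBUG .impl.ClientSessionFactoryImpl - Setting up backup config = TransportConfiguration(name=host1-connector, factory=...) ?port=61617&useKQueue=false&host=localhost for live = TransportConfiguration(name=null, factory=...) ?port=61616&host=localhost&ha=true
2020-02-26 12:51:52,115 [Producer.main()] DEBUG .impl.ClientSessionFactoryImpl - ClientSessionFactoryImpl received backup update for live/backup pair = TransportConfiguration(name=null, factory=...) ?port=61618&sslEnabled=true&host=localhost&ha=true / null but it didn't belong to TransportConfiguration(name=null, factory=...) ?port=61618&sslEnabled=true&host=localhost&ha=true
"""

# One "TransportConfiguration(...) ?k=v&k=v" segment as it appears in the log.
TC = re.compile(r"TransportConfiguration\(name=[^,]*,[^)]*\)\s*\?(\S+)")
SET = re.compile(r"Setting up backup config = (.+) for live = (.+)$")
IGNORED = re.compile(r"received backup update for live/backup pair = (.+?) / (.+?)"
                     r" but it didn't belong to (.+)$")

def endpoint(text):
    """Return (host, port, ssl_enabled) for a logged connector, or None for 'null'."""
    m = TC.search(text)
    if m is None:
        return None
    q = {k: v[0] for k, v in parse_qs(m.group(1)).items()}
    port = int(q["port"]) if "port" in q else None
    return (q.get("host"), port, q.get("sslEnabled") == "true")

def triage(log):
    """Classify each relevant line and extract the live and backup endpoints."""
    findings = []
    for line in log.splitlines():
        m = SET.search(line)
        if m:
            findings.append({"state": "backup-registered",
                             "live": endpoint(m.group(2)),
                             "backup": endpoint(m.group(1))})
            continue
        m = IGNORED.search(line)
        if m:
            findings.append({"state": "backup-update-ignored",
                             "live": endpoint(m.group(1)),
                             "backup": endpoint(m.group(2)),
                             "current": endpoint(m.group(3))})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `backup-update-ignored` finding with `backup` set to `None` matches the TLS case in the report, where the client keeps retrying the master port after failover.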