Details
Bug
Resolution: Not a Bug
Minor
None
AMQ 7.3.0.GA, AMQ 7.5.0.GA
None
Description
Failover (replication) doesn't work when combined with 2-way TLS authentication. The port is actually opened, but the client is unable to re-connect because of the wrong state sent by the broker. Reproduced on AMQ 7.3.0 and 7.5.0 using artemis-jms-client 2.9.0.redhat-00009 and activemq-client 5.11.0.redhat-630424 (attaching my test broker XMLs).
This is after the failover happens:
fvaleri-mac:amq-broker-7.5.0 fvaleri$ nmap localhost -Pn -p 61616,61617,61618,61619
PORT      STATE  SERVICE
61616/tcp closed unknown
61617/tcp open   unknown
61618/tcp closed unknown
61619/tcp open   unknown
fvaleri-mac:~ fvaleri$ netstat -ntp tcp | grep 6161
tcp4 0 0 127.0.0.1.61617 127.0.0.1.53430 ESTABLISHED
tcp4 0 0 127.0.0.1.53430 127.0.0.1.61617 ESTABLISHED
tcp4 0 0 127.0.0.1.61616 127.0.0.1.53237 TIME_WAIT
tcp4 0 0 127.0.0.1.61616 127.0.0.1.53235 TIME_WAIT
tcp4 0 0 127.0.0.1.61616 127.0.0.1.53240 TIME_WAIT
Same behavior with:
tcp://localhost:61618?ha=true&retryInterval=1000&retryIntervalMultiplier=1.0&reconnectAttempts=-1&sslEnabled=true&keyStorePath=/tmp/jks/client-ks.jks&keyStorePassword=secret&trustStorePath=/tmp/jks/client-ts.jks&trustStorePassword=secret
and
(tcp://localhost:61618,tcp://localhost:61619)?ha=true&retryInterval=1000&retryIntervalMultiplier=1.0&reconnectAttempts=-1&sslEnabled=true&keyStorePath=/tmp/jks/client-ks.jks&keyStorePassword=secret&trustStorePath=/tmp/jks/client-ts.jks&trustStorePassword=secret&useTopologyForLoadBalancing=false
This is the client DEBUG log when doing the first connection to master. As you can see, with a plain connection it gets both ports, while with a TLS connection it gets the wrong state and, when failover happens, it always tries to reconnect to the master port.
# plain client log
2020-02-26 12:56:59,182 [Producer.main()] DEBUG .impl.ClientSessionFactoryImpl - Reconnection successful
2020-02-26 12:56:59,203 [Producer.main()] DEBUG .impl.ClientSessionFactoryImpl - Setting up backup config = TransportConfiguration(name=host1-connector, factory=org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory) ?port=61617&useKQueue=false&host=localhost for live = TransportConfiguration(name=null, factory=org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory) ?port=61616&host=localhost&retryIntervalMultiplier=1-0&reconnectAttempts=-1&ha=true&retryInterval=1000

# tls client log
2020-02-26 12:51:52,107 [Producer.main()] DEBUG .impl.ClientSessionFactoryImpl - Reconnection successful
2020-02-26 12:51:52,115 [Producer.main()] DEBUG .impl.ClientSessionFactoryImpl - ClientSessionFactoryImpl received backup update for live/backup pair = TransportConfiguration(name=null, factory=org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory) ?trustStorePassword=****&port=61618&keyStorePassword=****&sslEnabled=true&host=localhost&trustStorePath=/tmp/jks/client-ts-jks&keyStorePath=/tmp/jks/client-ks-jks&retryIntervalMultiplier=1-0&reconnectAttempts=-1&ha=true&retryInterval=1000 / null but it didn't belong to TransportConfiguration(name=null, factory=org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory) ?trustStorePassword=****&port=61618&keyStorePassword=****&sslEnabled=true&host=localhost&trustStorePath=/tmp/jks/client-ts-jks&keyStorePath=/tmp/jks/client-ks-jks&retryIntervalMultiplier=1-0&reconnectAttempts=-1&ha=true&retryInterval=1000
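
Added example (not part of the original report and not AMQ project code): a small checker that reads client DEBUG output and reports whether the client accepted a backup connector it could fail over to. The function names are hypothetical, and the two sample log lines are constructed in the shape of the lines quoted above, with shortened parameter lists.

```python
import re

# Rendering of a connector as it appears in the client DEBUG lines quoted in the report.
TC = re.compile(r"TransportConfiguration\(name=[^,]*, factory=[^)]*\) \?(\S+)")

def endpoint(text):
    """Return (host, port, sslEnabled) of the first connector in text, or None."""
    m = TC.search(text)
    if m is None:
        return None  # e.g. the literal "null" logged when the pair carries no backup
    params = dict(p.partition("=")[::2] for p in m.group(1).split("&"))
    return (params.get("host"), int(params["port"]), params.get("sslEnabled") == "true")

def backup_events(log_text):
    """Return one dict per backup-topology message found in the log."""
    events = []
    for line in log_text.splitlines():
        if "Setting up backup config = " in line:
            rest = line.split("Setting up backup config = ", 1)[1]
            backup, live = rest.split(" for live = ", 1)
            events.append({"accepted": True, "live": endpoint(live), "backup": endpoint(backup)})
        elif "received backup update for live/backup pair = " in line:
            rest = line.split("live/backup pair = ", 1)[1]
            pair, _, current = rest.partition(" but it didn't belong to ")
            live, _, backup = pair.partition(" / ")
            events.append({"accepted": False, "live": endpoint(live),
                           "backup": endpoint(backup), "current": endpoint(current)})
    return events

def has_failover_target(log_text):
    """True only if the client accepted a backup connector it can reconnect to."""
    return any(e["accepted"] and e["backup"] for e in backup_events(log_text))

# Constructed sample lines (same message shapes as the report, shortened parameters).
F = "org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory"
P = "2020-02-26 12:56:59,203 [Producer.main()] DEBUG .impl.ClientSessionFactoryImpl - "
TLS_Q = "trustStorePassword=****&port=61618&sslEnabled=true&host=localhost&ha=true"
PLAIN_LOG = (P + f"Setting up backup config = TransportConfiguration(name=host1-connector, factory={F}) "
             f"?port=61617&host=localhost for live = TransportConfiguration(name=null, factory={F}) "
             "?port=61616&host=localhost&ha=true")
TLS_LOG = (P + "ClientSessionFactoryImpl received backup update for live/backup pair = "
           f"TransportConfiguration(name=null, factory={F}) ?{TLS_Q} / null but it didn't belong to "
           f"TransportConfiguration(name=null, factory={F}) ?{TLS_Q}")

if __name__ == "__main__":
    for name, log in (("plain", PLAIN_LOG), ("tls", TLS_LOG)):
        print(name, has_failover_target(log), backup_events(log))
```

Run against a real client log, a result of `False` after the first connection means the client holds no backup endpoint and will keep retrying the live port after failover, which matches the behavior described in the report.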