
Untitled

a guest
Jan 27th, 2017
  1. I, [2017-01-27T15:43:59.869501 #18729] INFO -- : activemq.rb:139:in `on_ssl_connecting' Establishing SSL session with stomp+ssl://mcollective@broker.example.com:61614
  2. E, [2017-01-27T15:44:00.070995 #18729] ERROR -- : activemq.rb:149:in `on_ssl_connectfail' SSL session creation with stomp+ssl://mcollective@broker.example.com:61614 failed: Connection reset by peer - SSL_connect
  3. I, [2017-01-27T15:44:00.071371 #18729] INFO -- : activemq.rb:129:in `on_connectfail' TCP Connection to stomp+ssl://mcollective@broker.example.com:61614 failed on attempt 24
  4.  
  5. ERROR | Could not accept connection from null : {}
  6. java.io.IOException: java.io.IOException: Connection reset by peer
  7. at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:188)[activemq-client.jar:]
  8. at org.apache.activemq.transport.stomp.StompNIOSSLTransport.initializeStreams(StompNIOSSLTransport.java:57)[activemq-stomp.jar:]
  9. at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)[activemq-client.jar:]
  10. at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)[activemq-client.jar:]
  11. at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:462)[activemq-client.jar:]
  12. at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)[activemq-client.jar:]
  13. at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client.jar:]
  14. at org.apache.activemq.transport.stomp.StompTransportFilter.start(StompTransportFilter.java:65)[activemq-stomp.jar:]
  15. at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)[activemq-client.jar:]
  16. at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client.jar:]
  17. at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)[activemq-broker.jar:]
  18. at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)[activemq-broker.jar:]
  19. at java.lang.Thread.run(Thread.java:745)[:1.8.0_111]
  20.  
  21. java 20833 activemq 84u IPv6 53552 0t0 TCP *:61614 (LISTEN)
  22.  
  23. <!DOCTYPE activemq [
  24. <!ENTITY keyStores SYSTEM "keyStores.xml">
  25. ]>
      <!-- Broker definition with one STOMP-over-TLS listener, a static user
           list and per-destination authorization. The contents of sslContext
           come from the external entity keyStores.xml declared in the DOCTYPE
           above. -->
  26. <beans
  27. xmlns="http://www.springframework.org/schema/beans"
  28. xmlns:amq="http://activemq.apache.org/schema/core"
  29. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  30. xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
  31. http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
  32.  
  33. <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
  34.  
  35. <broker xmlns="http://activemq.apache.org/schema/core"
  36. useJmx="false"
  37. brokerName="broker"
  38. dataDirectory="${activemq.base}/data">
  39.  
  40. <persistenceAdapter>
  41. <kahaDB directory="${activemq.base}/data/kahadb"/>
  42. </persistenceAdapter>
  43.  
  44. <sslContext>
  45. &keyStores;
  46. </sslContext>
  47.  
  48. <transportConnectors>
      <!-- NOTE(review): needClientAuth=true makes the broker demand a client
           certificate; presumably it is checked against the trustStore named
           in the sslContext. enabledProtocols still lists TLSv1 and TLSv1.1,
           both deprecated by RFC 8996: keep only TLSv1.2 unless a client that
           cannot speak it has to connect. The listener binds 0.0.0.0, i.e.
           every interface. In well-formed XML the "&" between the two URI
           options has to be written as "&amp;"; the bare "&" shown here may
           be a paste artefact, so confirm against the file on disk. -->
  49. <transportConnector
  50. name="stomp+nio"
  51. uri="stomp+nio+ssl://0.0.0.0:61614?needClientAuth=true&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"/>
  52. </transportConnectors>
  53.  
  54. <plugins>
      <!-- NOTE(review): simpleAuthenticationPlugin keeps user names and
           passwords in clear text in this file, and both accounts carry the
           same literal value "password". Treat that as a placeholder: give
           each account its own long random secret and keep this file readable
           only by the broker's service account. -->
  55. <simpleAuthenticationPlugin>
  56. <users>
  57. <authenticationUser username="mcollective" password="password" groups="mcollective,everyone"/>
  58. <authenticationUser username="admin" password="password" groups="mcollective,admins,everyone"/>
  59. </users>
  60. </simpleAuthenticationPlugin>
  61. <authorizationPlugin>
  62. <map>
  63. <authorizationMap>
      <!-- ">" is the ActiveMQ destination wildcard. As written, the admins
           group gets every queue and topic, the mcollective group gets only
           destinations under the mcollective prefix, and the everyone group
           may read, write and administer the ActiveMQ.Advisory topics. -->
  64. <authorizationEntries>
  65. <authorizationEntry queue=">" write="admins" read="admins" admin="admins" />
  66. <authorizationEntry topic=">" write="admins" read="admins" admin="admins" />
  67. <authorizationEntry topic="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" />
  68. <authorizationEntry queue="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" />
  69. <authorizationEntry topic="ActiveMQ.Advisory.>" read="everyone" write="everyone" admin="everyone"/>
  70. </authorizationEntries>
  71. </authorizationMap>
  72. </map>
  73. </authorizationPlugin>
  74. </plugins>
  75. </broker>
  76.  
  77. </beans>
  78.  
  79. <sslContext
  80. keyStore="/etc/activemq/keystore.jks"
  81. keyStorePassword="password"
  82. trustStore="/etc/activemq/truststore.jks"
  83. trustStorePassword="password" />
      <!-- NOTE(review): presumably this fragment is keyStores.xml, the file the
           broker configuration pulls in through its keyStores entity. Both the
           key store and trust store passwords are in clear text and set to the
           literal "password"; use distinct strong values and keep this file
           and the two .jks files readable only by the broker's service
           account. -->
  84.  
  85. # /etc/mcollective/server.cfg
  86.  
  87. # ActiveMQ connector settings:
      # NOTE(review): pool.1.password is stored in clear text and is the literal
      # "password"; replace it with a unique secret and keep this file and the
      # ssl.key file readable only by the account that runs the MCollective
      # daemon. ssl.ca / ssl.cert / ssl.key name the CA bundle, client
      # certificate and private key used for the TLS connection to the broker.
      # ssl.fallback = 0 presumably stops the connector from falling back to
      # unverified TLS when those files are missing; confirm against the
      # connector documentation.
  88. connector = activemq
  89. direct_addressing = 1
  90. plugin.activemq.pool.size = 1
  91. plugin.activemq.pool.1.host = broker.example.com
  92. plugin.activemq.pool.1.port = 61614
  93. plugin.activemq.pool.1.user = mcollective
  94. plugin.activemq.pool.1.password = password
  95. plugin.activemq.pool.1.ssl = 1
  96. plugin.activemq.pool.1.ssl.ca = /etc/puppetlabs/puppet/ssl/certs/ca.pem
  97. plugin.activemq.pool.1.ssl.cert = /etc/puppetlabs/puppet/ssl/certs/mail.example.com.pem
  98. plugin.activemq.pool.1.ssl.key = /etc/puppetlabs/puppet/ssl/private_keys/mail.example.com.pem
  99. plugin.activemq.pool.1.ssl.fallback = 0
  100.  
  101. # SSL security plugin settings:
      # NOTE(review): server_private.pem is a private key, so restrict it to the
      # daemon's account. Presumably ssl_client_cert_dir holds the public keys of
      # the clients allowed to send requests; verify who can write to it.
  102. securityprovider = ssl
  103. plugin.ssl_client_cert_dir = /etc/puppetlabs/mcollective/clients
  104. plugin.ssl_server_private = /etc/puppetlabs/mcollective/server_private.pem
  105. plugin.ssl_server_public = /etc/puppetlabs/mcollective/server_public.pem
  106.  
  107. # Facts, identity, and classes:
  108. identity = mail.example.com
  109. factsource = yaml
  110. plugin.yaml = /etc/puppetlabs/mcollective/facts.yaml
  111. classesfile = /var/lib/puppet/state/classes.txt
  112.  
  113. # No additional subcollectives:
  114. collectives = mcollective
  115. main_collective = mcollective
  116.  
  117. # Registration:
  118. # We don't configure a listener, and only send these messages to keep the
  119. # Stomp connection alive. This will use the default "agentlist" registration
  120. # plugin.
  121. registerinterval = 600
  122.  
  123. # Auditing (optional):
  124. # If you turn this on, you must arrange to rotate the log file it creates.
  125. rpcaudit = 1
  126. rpcauditprovider = logfile
  127. plugin.rpcaudit.logfile = /var/log/mcollective-audit.log
  128.  
  129. # Authorization:
  130. # If you turn this on now, you won't be able to issue most MCollective
  131. # commands, although `mco ping` will work. You should deploy the
  132. # ActionPolicy plugin before uncommenting this; see "Deploy Plugins" below.
  133.  
      # NOTE(review): as pasted, all three lines below are commented out, so no
      # per-action authorization provider is configured on this node. If they
      # are enabled later, allow_unconfigured = 1 presumably lets agents that
      # have no policy file accept every request; prefer explicit policies.
  134. # rpcauthorization = 1
  135. # rpcauthprovider = action_policy
  136. # plugin.actionpolicy.allow_unconfigured = 1
  137.  
  138. # Logging:
      # NOTE(review): loglevel = debug helps while chasing the TLS failure shown
      # on this page, but it is verbose; return to a quieter level once the
      # connection works.
  139. logger_type = file
  140. loglevel = debug
  141. logfile = /var/log/mcollective.log
  142. keeplogs = 5
  143. max_log_size = 2097152
  144. logfacility = user
  145.  
  146. # Platform defaults:
  147. # These settings differ based on platform; the default config file created by
  148. # the package should include correct values. If you are managing settings as
  149. # resources, you can ignore them, but with a template you'll have to account
  150. # for the differences.
  151. libdir = /usr/share/mcollective/plugins
  152. daemonize = 1
  153.  
  154. root@mail:/etc/puppetlabs/puppet/ssl# openssl s_client -connect broker.example.com:61614 -CAfile certs/ca.pem -cert certs/mail.example.com.pem -key private_keys/mail.example.com.pem
  155. CONNECTED(00000003)
  156. write:errno=104
  157. ---
  158. no peer certificate available
  159. ---
  160. No client certificate CA names sent
  161. ---
  162. SSL handshake has read 0 bytes and written 305 bytes
  163. ---
  164. New, (NONE), Cipher is (NONE)
  165. Secure Renegotiation IS NOT supported
  166. Compression: NONE
  167. Expansion: NONE
  168. No ALPN negotiated
  169. SSL-Session:
  170. Protocol : TLSv1.2
  171. Cipher : 0000
  172. Session-ID:
  173. Session-ID-ctx:
  174. Master-Key:
  175. Key-Arg : None
  176. PSK identity: None
  177. PSK identity hint: None
  178. SRP username: None
  179. Start Time: 1485554633
  180. Timeout : 300 (sec)
  181. Verify return code: 0 (ok)
  182. ---