Allowing SSL access to the ActiveMQ broker is done by adding a suitable transport connector to the activemq.xml configuration file:

    <transportConnectors>
        <transportConnector uri="ssl://0.0.0.0:31337?trace=true&amp;wantClientAuth=true&amp;needClientAuth=true"/>
    </transportConnectors>

...

The location of the key store and trust store used by the server is specified in the sslContext section of the same configuration file (but it must apparently be placed above transportConnectors?):

    <sslContext>
        <sslContext keyStore="file://${activemq.base}/data/broker.ks" 
                    keyStorePassword="123456" 
                    trustStore="file://${activemq.base}/data/broker.ts"
                    trustStorePassword="123456"/>
    </sslContext>

Since multiple brokers on the same machine will probably want to share the same key and trust stores, it may be advantageous to place the stores in ${activemq.home}/data rather than in each instance's ${activemq.base}/data.
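As an added example (not code from the ActiveMQ project or this page), the following Python check reads a broker configuration like the one above and reports the three points just discussed: an sslContext placed after transportConnectors, an ssl connector without needClientAuth=true, and placeholder key/trust store passwords. The embedded activemq.xml fragment, the xmlns value and the password list are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

# Constructed activemq.xml fragment (not a real broker's file). The sslContext is
# deliberately placed after transportConnectors and needClientAuth is left out.
SAMPLE_XML = """<broker xmlns="http://activemq.apache.org/schema/core">
  <transportConnectors>
    <transportConnector name="ssl" uri="ssl://0.0.0.0:31337?trace=true&amp;wantClientAuth=true"/>
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
  </transportConnectors>
  <sslContext>
    <sslContext keyStore="file:///opt/amq/data/broker.ks" keyStorePassword="123456"
                trustStore="file:///opt/amq/data/broker.ts" trustStorePassword="123456"/>
  </sslContext>
</broker>"""

# Assumed list of placeholder passwords worth flagging.
PLACEHOLDER_PASSWORDS = {"123456", "password", "changeit"}

def local_name(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.split("}", 1)[1] if "}" in tag else tag

def check_broker_config(xml_text):
    """Return a list of findings for a <broker> element from activemq.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    order = [local_name(child.tag) for child in root]
    if "sslContext" in order and "transportConnectors" in order \
            and order.index("sslContext") > order.index("transportConnectors"):
        findings.append("sslContext appears after transportConnectors")
    for el in root.iter():
        name = local_name(el.tag)
        if name == "transportConnector":
            uri = urlparse(el.get("uri", ""))
            if uri.scheme not in ("ssl", "nio+ssl"):
                continue  # plain tcp/nio connectors carry no TLS options
            opts = parse_qs(uri.query)
            if opts.get("needClientAuth", ["false"])[0].lower() != "true":
                findings.append(f"{uri.geturl()}: client certificates are not required")
            if opts.get("trace", ["false"])[0].lower() == "true":
                findings.append(f"{uri.geturl()}: trace=true logs every frame")
        elif name == "sslContext":
            # only the inner sslContext element carries the store attributes
            for attr in ("keyStorePassword", "trustStorePassword"):
                if el.get(attr) in PLACEHOLDER_PASSWORDS:
                    findings.append(f"{attr} is a placeholder value")
    return findings
```

Pass the text of a real activemq.xml broker element to check_broker_config; an empty list means none of these issues was found.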

Using OpenSSL keys with the broker:

$ cd /path/to/instance/data

    # Convert the broker key and certificate to PKCS12 format
$ openssl pkcs12 -export -in broker.crt -inkey broker.key -out broker.p12

    # Import the server key and certificate from the p12 file into the broker key store
$ keytool -importkeystore        \
          -srckeystore broker.p12 \
          -srcstoretype pkcs12    \
          -destkeystore broker.ks \
          -storepass 123456

    # Import the CA certificate into the trust store.
$ keytool -keystore broker.ts \
          -storepass 123456   \
          -import -alias CA   \
          -file /path/to/ca.crt

Below are some further examples of keytool usage:

$ keytool -genkey -alias broker \
          -keyalg RSA           \
          -keystore broker.ks     # Generate broker certificate and key

$ keytool -export -alias broker \
          -keystore broker.ks   \
          -file broker_cert       # Export certificate for import into client trust store

$ keytool -genkey -alias client \
          -keyalg RSA           \
          -keystore client.ks     # Generate client key and certificate

$ keytool -import -alias broker \
          -keystore client.ts   \
          -file broker_cert       # Import server certificate in client trust store

$ keytool -export -alias client \
          -keystore client.ks   \
          -file client_cert       # Export client certificate for server trust store

$ keytool -import -alias client \
          -keystore broker.ts   \
          -file client_cert       # Import client certificate in server trust store

    # Convert the client's PEM certificate to DER and import it into the broker key store (certificate only, not the private key)
$ openssl x509 -in client.pem -out client.der -outform der
$ keytool  -importcert -alias client -keystore broker.ks -storepass <pass> -file client.der

...