...

Code Block
    <sslContext>
        <sslContext keyStore="file://${activemq.base}/data/broker.ks" keyStorePassword="123456" trustStore="file://${activemq.base}/data/broker.ts" trustStorePassword="123456"/>
    </sslContext>

By default, keytool writes to ~/.keystore, but JSSE itself uses no key store at all unless javax.net.ssl.keyStore is set, and it trusts only the JRE's cacerts file unless javax.net.ssl.trustStore is set. These defaults apply to client code and to a broker that has no sslContext element; they can be overridden by setting the relevant system properties either on the command line (using -Dproperty=value) or in code, e.g.:

Code Block

    // Paths to the stores built below; in real code the passwords should come from a
    // secret source rather than a string literal in the source.
    String keyStore   = "/path/to/instance/data/broker.ks";
    String trustStore = "/path/to/instance/data/broker.ts";
    System.setProperty("javax.net.ssl.keyStore", keyStore);
    System.setProperty("javax.net.ssl.keyStorePassword", "123456");
    System.setProperty("javax.net.ssl.trustStore", trustStore);   // the trust store, not the key store
    System.setProperty("javax.net.ssl.trustStorePassword", "123456");
    // System.setProperty("javax.net.debug", "ssl");               // uncomment to trace the handshake

The "javax.net.debug" property (value "ssl", or "all" for even more) enables verbose debug output from the SSL handshake and authentication stages; leave it off in production, as it logs every handshake in detail.

Note that updating the key or trust stores requires a broker restart, as they are read once on start-up.

Using OpenSSL keys with the broker (the 123456 password is a placeholder; use a real secret, and remember that a password on the command line ends up in the shell history):

Code Block

$ cd /path/to/instance/data

    # Convert the broker key and certificate to PKCS12 format; -name sets the alias
    # the entry will have in the Java key store (the default alias is "1")
$ openssl pkcs12 -export -in broker.crt -inkey broker.key -name broker -out broker.p12

    # Import the server key from the p12 file into the key store
$ keytool -importkeystore          \
          -srckeystore broker.p12  \
          -srcstoretype pkcs12     \
          -srcstorepass 123456     \
          -destkeystore broker.ks  \
          -deststorepass 123456

    # Import the CA certificate into the trust store.
$ keytool -keystore broker.ts \
          -storepass 123456   \
          -import -alias CA   \
          -file /path/to/ca.crt

...

Code Block
$ keytool -genkey -alias broker   \
          -keyalg RSA -keysize 2048 \
          -keystore broker.ks       # Generate broker key and self-signed certificate; use the broker hostname as the CN when prompted

$ keytool -export -alias broker \
          -keystore broker.ks   \
          -file broker_cert       # Export certificate for import into client trust store

$ keytool -genkey -alias client   \
          -keyalg RSA -keysize 2048 \
          -keystore client.ks       # Generate client key and certificate

$ keytool -import -alias broker \
          -keystore client.ts   \
          -file broker_cert       # Import server certificate into client trust store

$ keytool -export -alias client \
          -keystore client.ks   \
          -file client_cert       # Export client certificate for server trust store

$ keytool -import -alias client \
          -keystore broker.ts   \
          -file client_cert       # Import client certificate into server trust store

    # Alternative, with OpenSSL-generated client material:
    # Import client certificate+key into the client key store
$ openssl pkcs12 -export -in client.crt -inkey client.key -name client -out client.p12
$ keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -srcstorepass <pass> -destkeystore client.ks -deststorepass <pass>

    # Import the CA certificate that signed the broker certificate (or the self-signed
    # broker certificate itself) into the client trust store
$ keytool -import -alias CA -keystore client.ts -storepass <pass> -file ca.crt

    # Import the client certificate (not the key) into the broker trust store so the
    # broker can authenticate the client
$ openssl x509 -in client.crt -out client.der -outform der    # optional: keytool also reads PEM
$ keytool -importcert -alias client -keystore broker.ts -storepass <pass> -file client.der
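The blocks above assemble the four stores one command at a time. The script below is an added example for this page, not code from the ActiveMQ project: it runs the OpenSSL-to-keytool procedure end to end for a broker and a client signed by one private CA, puts only the CA in each trust store, and then checks the result the way you would before restarting the broker (leaf certificates chain to the CA, each key store has one private key entry, no private key leaked into a trust store). It assumes openssl and keytool are on PATH; the CA name, the hostnames broker.example.test and client.example.test, the STOREPASS environment variable and its demo default are all constructed for the example.

```shell
#!/bin/sh
# Build broker.ks / broker.ts / client.ks / client.ts for mutual TLS from OpenSSL material.
# Added example for this page, not code from the ActiveMQ project.
# Assumes: openssl and keytool on PATH; STOREPASS holds the store password (demo default
# below; never bake the real one into a script or a broker.xml kept in version control).
set -u
STOREPASS="${STOREPASS:-changeit}"

# build_stores DIR: create a throwaway CA, a broker and a client key pair signed by it,
# then assemble the four stores in DIR. The body is a subshell so cd does not leak to the
# caller; "exit 1" therefore only leaves the subshell and becomes the function's status.
build_stores() (
    mkdir -p "$1" && cd "$1" || exit 1

    # 1. Private CA (constructed for the example) that signs both ends.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Test CA" \
        -keyout ca.key -out ca.crt 2>/dev/null || exit 1

    for name in broker client; do
        # 2. Key pair + CSR for this end, signed by the CA. A real broker certificate needs
        #    a SAN matching the hostname clients connect to; omitted here for brevity.
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name.example.test" \
            -keyout "$name.key" -out "$name.csr" 2>/dev/null || exit 1
        openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -out "$name.crt" 2>/dev/null || exit 1

        # 3. key + cert -> PKCS12 (alias = entity name) -> Java key store.
        openssl pkcs12 -export -in "$name.crt" -inkey "$name.key" -name "$name" \
            -out "$name.p12" -passout "pass:$STOREPASS" || exit 1
        keytool -importkeystore -noprompt \
            -srckeystore "$name.p12" -srcstoretype pkcs12 -srcstorepass "$STOREPASS" \
            -destkeystore "$name.ks" -deststorepass "$STOREPASS" >/dev/null 2>&1 || exit 1

        # 4. The trust store holds only the CA: that is enough to verify the peer's leaf
        #    certificate, and rotating a leaf then needs no trust-store change.
        keytool -importcert -noprompt -alias ca -file ca.crt \
            -keystore "$name.ts" -storepass "$STOREPASS" >/dev/null 2>&1 || exit 1
    done
    rm -f ./*.p12 ./*.csr    # intermediates; the PKCS12 files contain private keys
)

# verify_stores DIR: the checks to run before restarting the broker with the new stores.
verify_stores() (
    cd "$1" || exit 1
    # both leaf certificates chain to the CA that the trust stores contain
    openssl verify -CAfile ca.crt broker.crt client.crt >/dev/null 2>&1 || exit 1
    for name in broker client; do
        # key store: a private key entry under the expected alias
        keytool -list -keystore "$name.ks" -storepass "$STOREPASS" 2>/dev/null \
            | grep -q "^$name,.*PrivateKeyEntry" || exit 1
        # trust store: the CA as a trusted certificate entry, and nothing with a private key
        out=$(keytool -list -keystore "$name.ts" -storepass "$STOREPASS" 2>/dev/null) || exit 1
        echo "$out" | grep -q "^ca,.*trustedCertEntry" || exit 1
        echo "$out" | grep -q "PrivateKeyEntry" && exit 1
    done
    exit 0
)

if [ $# -gt 0 ]; then
    build_stores "$1" && verify_stores "$1" && echo "stores written and verified in $1"
else
    echo "usage: $0 DIR   (builds and verifies broker/client stores in DIR)" >&2
fi
```

Point the broker's sslContext at DIR/broker.ks and DIR/broker.ts and the client at client.ks and client.ts. Two caveats: OpenSSL 3 writes PKCS12 files with AES and PBKDF2 by default, which older Java 8 builds cannot read (add -legacy to the pkcs12 -export step there), and recent ActiveMQ clients verify the broker hostname against the certificate, so the production broker certificate needs a SAN for the name clients use.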

...