...
```xml
<sslContext>
  <sslContext keyStore="file://${activemq.base}/data/broker.ks"
              keyStorePassword="123456"
              trustStore="file://${activemq.base}/data/broker.ts"
              trustStorePassword="123456"/>
</sslContext>
```
By default, Java programs assume the key store is located in ~/.keystore. This can be overridden by setting the relevant system properties, either on the command line (using -Dproperty=value) or in code, for example:
```java
// Paths to the stores; set these before the first SSL connection is created.
// The trust store may be the same file as the key store or a separate one.
String keyStore = "/path/to/broker.ks";
String trustStore = "/path/to/broker.ts";
System.setProperty("javax.net.ssl.keyStore", keyStore);
System.setProperty("javax.net.ssl.keyStorePassword", "123456");
System.setProperty("javax.net.ssl.trustStore", trustStore);
System.setProperty("javax.net.ssl.trustStorePassword", "123456");
// Uncomment to log the SSL handshake
//System.setProperty("javax.net.debug", "ssl");
```
The "javax.net.debug" property enables verbose debug output from the SSL handshake and authentication stages.
Note that updating the key or trust stores requires a server restart, as they are read only on start-up.
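The javax.net.ssl.* properties above are JVM-wide: every SSL socket in the process picks them up. An added client example (not code from the original page) that scopes the stores to one connection factory instead, loading them through KeyManagerFactory/TrustManagerFactory and passing the managers to ActiveMQSslConnectionFactory; the broker URL, the store file names and the CLIENT_KS_PASS/CLIENT_TS_PASS environment variables are assumptions:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.jms.Connection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.activemq.ActiveMQSslConnectionFactory;

public class SslClientExample {

    // Loads a JKS store from disk; the password comes from the caller, not from source code.
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    public static void main(String[] args) throws Exception {
        // Assumed environment variables; avoids the hard-coded "123456" used in the page's snippets.
        char[] ksPass = System.getenv("CLIENT_KS_PASS").toCharArray();
        char[] tsPass = System.getenv("CLIENT_TS_PASS").toCharArray();

        // client.ks holds the client key and certificate, client.ts the broker certificate (assumed names).
        KeyStore keyStore = loadStore("client.ks", ksPass);
        KeyStore trustStore = loadStore("client.ts", tsPass);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, ksPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Assumed broker URL; the managers apply only to connections from this factory.
        ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory("ssl://localhost:61617");
        factory.setKeyAndTrustManagers(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());

        Connection connection = factory.createConnection();
        try {
            connection.start();
            System.out.println("TLS connection to broker established");
        } finally {
            connection.close();
        }
    }
}
```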
Using OpenSSL keys with the broker:
```shell
$ cd /path/to/instance/data
# Convert the broker key and certificate to PKCS12 format
$ openssl pkcs12 -export -in broker.crt -inkey broker.key -out broker.p12
# Import the server key from the p12 file
$ keytool -importkeystore -srckeystore broker.p12 \
    -srcstoretype pkcs12 \
    -destkeystore broker.ks \
    -storepass 123456
# Import the CA certificate into the trust store.
$ keytool -keystore broker.ts \
    -storepass 123456 \
    -import -alias CA \
    -file /path/to/ca.crt
```
...
```shell
$ keytool -genkey -alias broker \
    -keyalg RSA \
    -keystore broker.ks # Generate broker certificate and key
$ keytool -export -alias broker \
    -keystore broker.ks \
    -file broker_cert # Export certificate for import into client trust store
$ keytool -genkey -alias client \
    -keyalg RSA \
    -keystore client.ks # Generate client key and certificate
$ keytool -import -alias broker \
    -keystore client.ts \
    -file broker_cert # Import server certificate in client trust store
$ keytool -export -alias client \
    -keystore client.ks \
    -file client_cert # Export client certificate for server trust store
$ keytool -import -alias client \
    -keystore broker.ts \
    -file client_cert # Import client certificate in server trust store
# Import client certificate+key to client
$ openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
$ keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore client.ks -storepass <pass>
# Import server certificate to client
$ keytool -import -alias broker -keystore client.ks -file ca.crt
# Import client key to server
$ openssl x509 -in client.pem -out client.der -outform der
$ keytool -importcert -alias client -keystore broker.ks -storepass <pass> -file client.der
```
...