Allowing SSL access to the ActiveMQ broker is done by adding a suitable transport connector to the activemq.xml configuration file:

    <transportConnectors>
        <transportConnector uri="ssl://0.0.0.0:61617?trace=true&amp;wantClientAuth=true&amp;needClientAuth=true"/>
    </transportConnectors>

After restarting the broker it will accept connections on port 61617 (in this case) on any interface (indicated by 0.0.0.0). Additionally, client authentication will be required (needClientAuth=true), so clients must present a certificate that the broker trusts; this requires a truststore to be set up (see below).

Specifying the location of the key and trust stores used by the server is done in the sslContext section of the same configuration file (it appears that this section must be placed above transportConnectors):

    <sslContext>
        <sslContext keyStore="file://${activemq.base}/data/broker.ks"
                    keyStorePassword="123456"
                    trustStore="file://${activemq.base}/data/broker.ts"
                    trustStorePassword="123456"/>
    </sslContext>

By default java programs assume the keystore is located in ~/.keystore. This can be overridden by setting the relevant system properties either on the command line (using -Dproperty=value) or in code using e.g.:

    // keyStore and trustStore hold the paths to the JKS files created below
    System.setProperty("javax.net.ssl.keyStore", keyStore);
    System.setProperty("javax.net.ssl.keyStorePassword", "123456");
    System.setProperty("javax.net.ssl.trustStore", trustStore);
    System.setProperty("javax.net.ssl.trustStorePassword", "123456");
    //System.setProperty("javax.net.debug", "ssl");

The "javax.net.debug" property can be used to enable verbose debug output from the SSL handshake and authentication stages.
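The javax.net.ssl.* properties above are JVM-wide, so every TLS connection in the process shares them. As an added example (not code from the original page or from the ActiveMQ project), the client below instead hands its stores to ActiveMQSslConnectionFactory, which keeps them scoped to that factory; the broker host, the store file names and the environment variable names for the passwords are assumptions.

```java
import javax.jms.Connection;
import org.apache.activemq.ActiveMQSslConnectionFactory;

public class SslBrokerClient {

    // Builds a factory whose key and trust stores apply only to connections it
    // creates, so other TLS code in the same JVM is left untouched.
    public static ActiveMQSslConnectionFactory createFactory(String brokerUrl,
            String keyStore, String keyStorePassword,
            String trustStore, String trustStorePassword) throws Exception {
        ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory(brokerUrl);
        // Client certificate and private key: presented to the broker because it
        // was configured with needClientAuth=true.
        factory.setKeyStore(keyStore);
        factory.setKeyStorePassword(keyStorePassword);
        // CA (or broker) certificate used to verify the broker's certificate.
        factory.setTrustStore(trustStore);
        factory.setTrustStorePassword(trustStorePassword);
        return factory;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: host, file names and environment variables are placeholders;
        // passwords are read from the environment rather than hard-coded.
        ActiveMQSslConnectionFactory factory = createFactory(
                "ssl://broker.example.com:61617",
                "client.ks", System.getenv("CLIENT_KS_PASSWORD"),
                "client.ts", System.getenv("CLIENT_TS_PASSWORD"));

        Connection connection = factory.createConnection();
        try {
            // The TLS handshake, including mutual authentication, happens here;
            // a handshake failure surfaces as a JMSException.
            connection.start();
            System.out.println("Connected to broker over mutual TLS");
        } finally {
            connection.close();
        }
    }
}
```

Run with -Djavax.net.debug=ssl to see the handshake details when the connection is rejected.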

Since multiple brokers on the same machine will probably want to share the same key and trust stores it might be advantageous to place the keys in ${activemq.home}/data.

Using OpenSSL keys with the broker:

    $ cd /path/to/instance/data

    # Convert the broker key and certificate to PKCS12 format
    $ openssl pkcs12 -export -in broker.crt -inkey broker.key -out broker.p12

    # Import the server key from the p12 file
    $ keytool -importkeystore         \
              -srckeystore broker.p12 \
              -srcstoretype pkcs12    \
              -destkeystore broker.ks \
              -storepass 123456

    # Import the CA certificate into the trust store
    $ keytool -keystore broker.ts \
              -storepass 123456   \
              -import -alias CA   \
              -file /path/to/ca.crt

Below are some other examples of keytool usage:

$ keytool -genkey -alias broker \
          -keyalg RSA           \
          -keystore broker.ks     # Generate broker certificate and key

$ keytool -export -alias broker \
          -keystore broker.ks   \
          -file broker_cert       # Export certificate for import into client trust store

$ keytool -genkey -alias client \
          -keyalg RSA           \
          -keystore client.ks     # Generate client key and certificate

$ keytool -import -alias broker \
          -keystore client.ts   \
          -file broker_cert       # Import server certificate in client trust store

$ keytool -export -alias client \
          -keystore client.ks   \
          -file client_cert       # Export client certificate for server trust store

$ keytool -import -alias client \
          -keystore broker.ts   \
          -file client_cert       # Import client certificate in server trust store

    # Import client certificate+key to client
$ openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
$ keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore client.ks -storepass <pass>

    # Import server certificate to client
$ keytool -import -alias broker -keystore client.ks -file ca.crt

    # Import client key to server
$ openssl x509 -in client.pem -out client.der -outform der
$ keytool  -importcert -alias client -keystore broker.ks -storepass <pass> -file client.der