
Allowing SSL access to the ActiveMQ broker is done by adding a suitable transport connector to the activemq.xml configuration file:

    <amq:transportConnectors>
        <amq:transportConnector uri="ssl://0.0.0.0:31337?trace=true&amp;wantClientAuth=true&amp;needClientAuth=true"/>
    </amq:transportConnectors>

After restarting the broker it will accept SSL connections on port 31337 (in this example) on every interface (indicated by 0.0.0.0). Client authentication is also enabled: needClientAuth=true makes a client certificate mandatory, which requires a trust store holding the client certificates to be set up (see below).

Specifying the location of the key and trust stores used by the server is done in the sslContext section of the same configuration file:

    <amq:sslContext>
        <amq:sslContext keyStore="file://${activemq.base}/data/broker.ks" keyStorePassword="123456" trustStore="file://${activemq.base}/data/broker.ks" trustStorePassword="123456"/>
    </amq:sslContext>

Note that updating the key or trust stores requires a server restart, as they are read once on start-up. The trustStore path must point at the store the client certificates are imported into (the broker trust store created by the commands below).
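As an added check (not part of the original page or of ActiveMQ itself), the Python below parses the two fragments above from a constructed activemq.xml sample and lists the settings worth reviewing before such a connector leaves a test setup; the amq namespace URI and the check_ssl_config function name are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the two fragments above (namespace URI assumed).
SAMPLE_XML = """<beans xmlns:amq="http://activemq.apache.org/schema/core">
  <amq:broker>
    <amq:sslContext>
      <amq:sslContext keyStore="file://${activemq.base}/data/broker.ks" keyStorePassword="123456"
                      trustStore="file://${activemq.base}/data/broker.ks" trustStorePassword="123456"/>
    </amq:sslContext>
    <amq:transportConnectors>
      <amq:transportConnector uri="ssl://0.0.0.0:31337?trace=true&amp;wantClientAuth=true&amp;needClientAuth=true"/>
    </amq:transportConnectors>
  </amq:broker>
</beans>"""

def _local(tag):
    # Drop the namespace so the check works whatever prefix the file uses.
    return tag.rsplit("}", 1)[-1]

def _flag(opts, name):
    # Transport options arrive as URI query parameters, e.g. needClientAuth=true.
    return opts.get(name, ["false"])[0].lower() == "true"

def check_ssl_config(xml_text):
    """Return a list of findings about the ssl:// connectors and the sslContext."""
    root = ET.fromstring(xml_text)
    findings = []
    # The inner sslContext element is the one carrying the store attributes.
    ctxs = [e for e in root.iter() if _local(e.tag) == "sslContext" and e.get("keyStore")]
    ctx = ctxs[0].attrib if ctxs else {}
    if not ctx:
        findings.append("sslContext: no keyStore, the broker cannot present a certificate")
    elif ctx.get("keyStore") == ctx.get("trustStore"):
        findings.append("sslContext: keyStore and trustStore are the same file; confirm it is "
                        "the store the client certificates were imported into")
    for e in root.iter():
        uri = urlsplit(e.get("uri", "")) if _local(e.tag) == "transportConnector" else None
        if uri is None or uri.scheme != "ssl":
            continue
        opts = parse_qs(uri.query)
        if uri.hostname == "0.0.0.0":
            findings.append(f"port {uri.port}: bound to every interface")
        if _flag(opts, "trace"):
            findings.append(f"port {uri.port}: trace=true logs every command; turn off outside testing")
        if not _flag(opts, "needClientAuth"):
            findings.append(f"port {uri.port}: clients are not required to present a certificate")
        elif not ctx.get("trustStore"):
            findings.append(f"port {uri.port}: needClientAuth=true but sslContext has no trustStore")
    return findings
```

Run against the page's own settings it reports the shared store file, the 0.0.0.0 bind and the trace option; a config with needClientAuth=true but no trustStore is reported as well.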

$ keytool -genkey -alias broker \
          -keyalg RSA           \
          -keystore broker.ks     # Generate broker certificate and key

$ keytool -export -alias broker \
          -keystore broker.ks   \
          -file broker_cert       # Export certificate for import into client trust store

$ keytool -genkey -alias client \
          -keyalg RSA           \
          -keystore client.ks     # Generate client key and certificate

$ keytool -import -alias broker \
          -keystore client.ts   \
          -file broker_cert       # Import server certificate in client trust store

$ keytool -export -alias client \
          -keystore client.ks   \
          -file client_cert       # Export client certificate for server trust store

$ keytool -import -alias client \
          -keystore broker.ts   \
          -file client_cert       # Import client certificate in server trust store

At present, using the Java keytool to generate and manage keys is preferable (for tests!), as the interplay with OpenSSL-generated material can be tricky. The commands below should nevertheless work for converting OpenSSL keys and certificates into a form the Java keystore accepts.

# Import client certificate+key into the client keystore
$ openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
$ keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore client.ks -storepass <pass>

# Import server certificate into the client store
$ keytool -import -alias broker -keystore client.ks -file ca.crt

# Import client certificate into the server store
$ openssl x509 -in client.pem -out client.der -outform der
$ keytool -importcert -alias client -keystore broker.ks -storepass <pass> -file client.der

ActiveMQ reference "How Do I Use SSL?"
