Setting up the Key and Trust Stores

Also see Tomcat's SSL instructions for more info. The following was provided by Colin Kilburn. Thanks Colin!

ActivmMQ uses dummy credentials by default
ActiveMQ includes key and trust stores that reference a dummy self signed cert. When you create a broker certificate and stores for your installation, either overwrite the values in the conf directory or delete the existing dummy key and trust stores so they cannot interfere)
  1. Using keytool, create a certificate for the broker: 
    keytool -genkey -alias broker -keyalg RSA -keystore broker.ks
  2. Export the broker's certificate so it can be shared with clients: 
    keytool -export -alias broker -keystore broker.ks -file broker_cert
  3. Create a certificate/keystore for the client: 
    keytool -genkey -alias client -keyalg RSA -keystore client.ks
  4. Create a truststore for the client, and import the broker's certificate. This establishes that the client "trusts" the broker: 
    keytool -import -alias broker -keystore client.ts -file broker_cert

Starting the Broker

Using the javax.net.ssl.* System Properties

Before starting the broker's VM set the SSL_OPTS enviorment variable so that it knows to use the broker keystore.

export SSL_OPTS = -Djavax.net.ssl.keyStore=/path/to/broker.ks -Djavax.net.ssl.keyStorePassword=password

Using Spring to configure SSL for a Broker instance

Sometimes the use of javax.net.ssl.* system properties is not appropriate as they effect all SSL users in a JVM. ActiveMQ 5.2.x adds an <sslContext> element to the <amq:broker> that allows a broker specific set of SSL properties to be configured.

The sslContext test case validates starting an ssl transport listener using the configuration specified in the broker Xbean. The sslContext element is added to the broker as follows: 

<beans 
  xmlns="http://www.springframework.org/schema/beans" 
  xmlns:amq="http://activemq.apache.org/schema/core"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
  http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
  
  <!--  lets create an embedded ActiveMQ Broker -->
  <amq:broker useJmx="false" persistent="false">

    <amq:sslContext>
      <amq:sslContext 
      		keyStore="server.keystore" keyStorePassword="password"
      		trustStore="client.keystore" trustStorePassword="password"/>
    </amq:sslContext>
    
    <amq:transportConnectors>
      <amq:transportConnector uri="ssl://localhost:61616" />
    </amq:transportConnectors>
    
  </amq:broker>
  
</beans>

The sslContext is used to configure the SslTransportFactory for that broker. Full details of the configuration options available can be seen in the schema definition or in the accessors of org.apache.activemq.spring.SpringSslContext

Starting the Client

When starting the client's VM, specify the following system properties:

javax.net.ssl.keyStore=/path/to/client.ks
javax.net.ssl.keyStorePassword=password
javax.net.ssl.trustStore=/path/to/client.ts

In Linux, do not use absolute path to keystore. By default, keytool uses ~/.keystore, but in some setups passing -Djavax.net.ssl.keyStore=/home/account/.keystore to Java VM does not work. This is not ActiveMQ specific but good to keep in mind anyway.

Client certificates

If you want to verify client certificates, you need to take a few extra steps:

  1. Patch ActiveMQ to fix a bug with client certificates (AMQ-1330, AMQ-1381)
  2. Export the client's certificate so it can be shared with broker: 
    keytool -export -alias client -keystore client.ks -file client_cert
  3. Create a truststore for the broker, and import the client's certificate. This establishes that the broker "trusts" the client: 
    keytool -import -alias client -keystore broker.ts -file client_cert
  4. Add 
    -Djavax.net.ssl.trustStore=/path/to/broker.ts
    to SSL_OPTS
  5. Instruct ActiveMQ to require client authentication but setting the following in activemq.xml:
      <transportConnectors>
    <transportConnector name="ssl" uri="ssl://localhost:61617?needClientAuth=true" />
  </transportConnectors>

Useful links

These links might also help

Overview

Search



Sub Projects

Community

Features

Connectivity

Using ActiveMQ 5

Using ActiveMQ 4

Tools

Support

Related Projects

Developers

Tests

Project Reports
© 2004-2008 The Apache Software Foundation. - Privacy Policy - (edit this page)
Graphic Design By Hiram