[CONF] Apache ActiveMQ > How do I use SSL

[Piotr Klimczak (Confluence)]

Piotr Klimczak edited the page: How do I use SSL ... Info title ActiveMQ uses dummy credentials by default ActiveMQ includes key and trust stores that reference a dummy self signed cert. When you create a broker certificate and stores for your installation, either overwrite the values in the conf directory or delete the existing dummy key and trust stores so they cannot interfere) Using keytool, create a certificate for the broker: Code Block keytool -genkey -alias broker -keyalg RSA -keystore broker.ks Export the broker's certificate so it can be shared with clients: Code Block keytool -export -alias broker -keystore broker.ks -file broker_cert Create a certificate/keystore for the client: Code Block keytool -genkey -alias client -keyalg RSA -keystore client.ks Create a truststore for the client, and import the broker's certificate. This establishes that the client "trusts" the broker: Code Block keytool -import -alias broker -keystore client.ts -file broker_cert ... Before starting the broker's VM set the SSL_OPTS enviorment variable so that it knows to use the broker keystore. Code Block export SSL_OPTS = -Djavax.net.ssl.keyStore=/path/to/broker.ks -Djavax.net.ssl.keyStorePassword=password ... The SslContext test case validates starting an SSL transport listener using the configuration specified in the broker Xbean. The SslContext element is added to the broker as follows: Code Block <beans <amq:broker useJmx="false" persistent="false"> <amq:sslContext> <amq:sslContext keyStore="server.keystore" keyStorePassword="password" trustStore="client.keystore" trustStorePassword="password"/> </amq:sslContext> <amq:transportConnectors> <amq:transportConnector uri="ssl://localhost:61616" /> </amq:transportConnectors> </amq:broker> </beans> ... When starting the client's VM, specify the following system properties: Code Block javax.net.ssl.keyStore=/path/to/client.ks javax.net.ssl.keyStorePassword=password javax.net.ssl.trustStore=/path/to/client.ts ... If you want to verify client certificates, you need to take a few extra steps: Export the client's certificate so it can be shared with broker: Code Block keytool -export -alias client -keystore client.ks -file client_cert Create a truststore for the broker, and import the client's certificate. This establishes that the broker "trusts" the client: Code Block keytool -import -alias client -keystore broker.ts -file client_cert Add Code Block -Djavax.net.ssl.trustStore=/path/to/broker.ts to SSL_OPTS Instruct ActiveMQ to require client authentication but by setting the following in activemq.xml: Code Block <transportConnectors> <transportConnector name="ssl" uri="ssl://localhost:61617?needClientAuth=true" /> </transportConnectors> ... View Online · Like · View Changes Stop watching space · Manage Notifications This message was sent by Atlassian Confluence 5.0.3, Team Collaboration Software