Show Table of Contents
3.4. Setting up SSL for A-MQ
ActiveMQ includes key and trust stores that reference a dummy self signed certificate.
To install and configure SSL support for A-MQ, you need to create a keystore file to store the server's private key and self-signed certificate and uncomment the
SSL HTTP/1.1 Connector entry in conf/server.xml.
Note
When you create a broker certificate and trust stores for your installation, either overwrite the values in the
conf directory or delete the existing dummy key and trust stores so they do not interfere.
Starting the Broker with SSL
To start the broker, use the
>javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword system properties
- Set the SSL_OPTS environment variable so that it knows to use the broker keystore.
<export SSL_OPTS = -Djavax.net.ssl.keyStore=/path/to/broker.ks -Djavax.net.ssl.keyStorePassword=passwordAlternately, you can set the system properties in the broker configuration file.
To configure the security context in the broker configuration file, follow the instructions below:
- In the
conf/activemq.xml, edit the attributes in thesslContextelement. - Set the values for KeyStore, Key StorePassword, truststore, trustStorePassword.
<beans> <broker> <sslContext> <sslContext keyStore="file:${activemq.base}/conf/broker.ks" keyStorePassword="password" trustStore="file:${activemq.base}/conf/broker.ts" trustStorePassword="password"/> </sslContext> </broker> </beans>
- keyStore
- equivalent to setting
javax.net.ssl.keyStore - keyStorePassword
- equivalent to setting
javax.net.ssl.keyStorePassword - keyStoreType
- equivalent to setting
javax.net.ssl.keyStoreType - keyStoreAlgorithm
- defaults to JKS
- trustStore
- equivalent to setting
javax.net.ssl.trustStore - trustStorePassword
- equivalent to setting
javax.net.ssl.trustStorePassword - trustStoreType
- equivalent to setting
javax.net.ssl.trustStoreType
Verifying Client Certificates
To verify client certificates, follow the below instructions:
- Export the client's certificate to share it with the broker. keytool -export -alias client -keystore client.ks -file client_cert
- Create a truststore for the broker and import the client's certificate. This ensures that the broker trusts the client.
keytool -import -alias client -keystore broker.ts -file client_cert
- Add
javax.net.ssl.trustStoresystem property toSSL_OPTSDjavax.net.ssl.trustStore=/path/to/broker.ts - Instruct ActiveMQ to require client authentication by setting the following in
activemq.xml.<transportConnectors> <transportConnector name="ssl" uri="ssl://localhost:61617?needClientAuth=true"/> </transportConnectors>
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.