AMQ 7 is full of new and exciting technology and capabilities. However, now that a topology contains both routers and brokers, securing it can get confusing. Securing the routers in particular, and learning how to use clients with them over AMQP, can be challenging for those of us used to JKS files and plain JMS.
SSL between Routers
The first step in securing traffic between routers is producing PEM files for your private key and certificate. The same steps also produce a PKCS12 file that the AMQP client can use as its truststore. This can be done with keytool, but here we use openssl. Two things to keep in mind: the req command prompts for the certificate subject, and the pkcs12 -export command prompts for an export password, which is the password the client later supplies as its truststore password. Also, 65000 days is about 178 years, so the certificate effectively never expires; use a shorter lifetime for anything beyond a lab. Finally, the PKCS12 file built here contains the private key as well as the certificate, so it is really a keystore: every client you hand it to receives the router's private key. For clients, build a second PKCS12 file that holds only the certificate.
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 65000 -out cert.pem
openssl x509 -text -noout -in cert.pem
openssl pkcs12 -inkey key.pem -in cert.pem -export -out truststore.p12
openssl pkcs12 -in truststore.p12 -noout -info
Next, update the router configurations. Here we use two routers, Router.A and Router.B. The sslProfile below must be added to both routers' conf files. Because the key was generated with -nodes it is not encrypted, so the password line only matters if you encrypt the key; the profile also names no CA certificate, which is why neither router will be validating the other's certificate in the configuration that follows.
sslProfile {
    name: router-ssl
    certFile: /absolute/path/to/cert.pem
    keyFile: /absolute/path/to/key.pem
    password: password
}
Then add or adjust an inter-router listener on Router.A. With saslMechanisms: ANONYMOUS and authenticatePeer: false this listener encrypts the link but does not check who is connecting, so any router that can reach port 10003 can join the network; requireSsl: true at least rejects plaintext connections.
listener {
    role: inter-router
    host: 0.0.0.0
    port: 10003
    saslMechanisms: ANONYMOUS
    sslProfile: router-ssl
    authenticatePeer: false
    requireSsl: true
}
Then add or adjust a connector on Router.B, which connects it to Router.A. The host in a connector is the address Router.B dials, so 0.0.0.0 only works while both routers run on the same machine; otherwise use Router.A's hostname or IP address. verifyHostName: no is required here because the self-signed certificate's subject does not name Router.A; with a certificate issued for Router.A's hostname, leave hostname verification on.
connector {
    role: inter-router
    host: 0.0.0.0
    port: 10003
    saslMechanisms: ANONYMOUS
    sslProfile: router-ssl
    verifyHostName: no
}
Once this is done, start both routers and run a command like the one below to view the connections. The inter-router connection should appear with a TLS version in its security column rather than no-security.
qdstat -b 0.0.0.0:5672 -c
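The script below is an added example, not code from the original post or from the AMQ/Qpid projects. It performs the openssl step above non-interactively and adds the checks a practitioner wants before copying files around: it generates the router key and certificate with a subject and subject alternative name for an assumed hostname (localhost), builds both the key-plus-certificate PKCS12 that the commands above produce and a certificate-only PKCS12 for clients, confirms that the client truststore carries no private key, and confirms that the certificate matches the hostname, which is what lets you keep verifyHostName (and the client's transport.verifyHost) switched on. The password "password", the file names and the 365-day lifetime are assumptions; -addext needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: build a router identity and a client truststore with openssl.
# Assumptions: hostname "localhost", PKCS12 password "password", OpenSSL >= 1.1.1.

# Unencrypted RSA key and self-signed certificate whose CN and SAN both name the
# router host. -subj and -addext avoid the interactive prompts of the plain command.
make_router_identity() {
  dir="$1"; host="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Key-plus-certificate PKCS12, i.e. what the post's pkcs12 -export command builds:
# a keystore for the router itself, not a file to hand to clients.
make_identity_store() {
  dir="$1"; pass="$2"
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -out "$dir/identity.p12" -passout "pass:$pass"
}

# Certificate-only PKCS12 for the client's transport.trustStoreLocation.
# -nokeys keeps the router's private key out of the file.
make_client_truststore() {
  dir="$1"; pass="$2"
  openssl pkcs12 -export -nokeys -in "$dir/cert.pem" \
    -out "$dir/truststore.p12" -passout "pass:$pass"
}

# Succeeds only if the PKCS12 file ($1, password $2) contains no private key.
pkcs12_has_no_key() {
  ! openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# Succeeds only if $1/cert.pem is trusted (self-signed, so it is its own anchor)
# and its SAN/CN matches hostname $2, the name a client or router will dial.
cert_matches_host() {
  openssl verify -CAfile "$1/cert.pem" -verify_hostname "$2" "$1/cert.pem" >/dev/null 2>&1
}

# Stand-alone run: everything lands in a temporary directory.
workdir=$(mktemp -d)
make_router_identity "$workdir" localhost
make_identity_store "$workdir" password
make_client_truststore "$workdir" password
pkcs12_has_no_key "$workdir/truststore.p12" password \
  && echo "truststore.p12 carries no private key"
pkcs12_has_no_key "$workdir/identity.p12" password \
  || echo "identity.p12 carries the private key: keep it on the router"
cert_matches_host "$workdir" localhost && echo "cert.pem names localhost"
echo "files written to $workdir"
```

Point the router's certFile and keyFile at cert.pem and key.pem, give clients only truststore.p12, and run cert_matches_host with the name clients actually connect to; if it fails, that is the case where verifyHostName: no in the connector and transport.verifyHost=false in the client are masking a mismatch rather than a cosmetic self-signed warning.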
SSL to Routers
Now that traffic between the routers is secured, the next concern is traffic from clients to the routers. On Router.A adjust the main listener like so. This keeps the listener on port 5672 (amqp), which is conventionally the plaintext port; 5671 (amqps) is the conventional TLS port, and the client URL below simply has to match whichever you choose. Once requireSsl is set, plaintext tools that pointed at this port, including the qdstat command above, must either be given their SSL options (qdstat accepts --ssl-trustfile) or be pointed at a separate listener.
listener {
    host: 0.0.0.0
    port: amqp
    saslMechanisms: ANONYMOUS
    authenticatePeer: no
    sslProfile: router-ssl
    requireSsl: true
}
Then you are ready to send to the router. Start from a client that already worked without SSL, such as the Qpid JMS examples at https://github.com/apache/qpid-jms/tree/master/qpid-jms-examples, and change only the connection URL: switch the scheme to amqps and point it at your PKCS12 truststore (the truststore.p12 built above; its password is the export password you entered).
Note: transport.verifyHost is false here because the self-signed certificate was not issued for localhost. The certificate itself is still checked against the truststore, so a router presenting some other certificate is rejected; only the hostname match is skipped. With a certificate whose subject or subject alternative name matches the host you connect to, drop this option so hostname verification stays on.
amqps://localhost:5672?transport.verifyHost=false&transport.storeType=PKCS12&transport.trustStoreLocation=/absolute/path/to/truststore.p12&transport.trustStorePassword=password
Now traffic to and between your routers is encrypted with SSL. Keep in mind what is not yet done: every listener above uses ANONYMOUS with authenticatePeer off, so the links are encrypted but the routers still accept any client or peer router that connects. Authenticating clients and peer routers is the next step.
Last updated: November 29, 2017