Securing AMQ7 Routers with SSL

AMQ7 is full of new and exciting technology and capabilities. However, now that a topology contains both routers and brokers, securing it can get confusing. Securing the routers in particular, and learning how to use AMQP clients with them, can be challenging for those of us used to JKS files and pure JMS.

SSL between Routers

The first step in securing traffic between routers is getting PEM files for your key and certificate. These steps will also give you a PKCS12 truststore file, which is convenient for use with an AMQP client. While this can be done with keytool, we will use openssl. Note that -nodes leaves the private key unencrypted, and that exporting key.pem together with cert.pem puts the private key into the PKCS12 file; a truststore handed to clients only needs the certificate, so add -nokeys to the export command if the file will leave the router host.

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 65000 -out cert.pem
openssl x509 -text -noout -in cert.pem
openssl pkcs12 -inkey key.pem -in cert.pem -export -out truststore.p12
openssl pkcs12 -in truststore.p12 -noout -info

Next, you will need to update your router configurations. Here we will use two routers, Router.A and Router.B. The sslProfile will need to be added to both router conf files. The password attribute is the passphrase protecting keyFile; a key generated with -nodes as above has none, so that line can be omitted in that case.

sslProfile {
   name: router-ssl
   certFile: /absolute/path/to/cert.pem
   keyFile: /absolute/path/to/key.pem
   password: password
}

Then you will need to add or adjust an inter-router listener on Router.A.

listener {
   role: inter-router
   host: 0.0.0.0
   port: 10003
   saslMechanisms: ANONYMOUS
   sslProfile: router-ssl
   authenticatePeer: false
   requireSsl: true
}

Then you need to add or adjust a connector on Router.B, which will be used to connect it to Router.A. The host here is the address Router.B dials to reach Router.A's inter-router listener; 0.0.0.0 only makes sense when both routers run on the same machine.

connector {
   role: inter-router
   host: 0.0.0.0
   port: 10003
   saslMechanisms: ANONYMOUS
   sslProfile: router-ssl
   verifyHostName: no
}

After this is done you should be able to start both routers and run a command like the one below to view the connections.

qdstat -b 0.0.0.0:5672 -c


SSL to Routers

After traffic between the routers has been secured, traffic from the client to the routers should be the next concern. On Router.A adjust the main listener as follows.

listener {
   host: 0.0.0.0
   port: amqp
   saslMechanisms: ANONYMOUS
   authenticatePeer: no
   sslProfile: router-ssl
   requireSsl: true
}
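The router configuration above (the sslProfile, the inter-router listener and connector, and the client-facing listener) is easy to get subtly wrong: a listener with an sslProfile but without requireSsl still accepts plaintext, and a connector with verifyHostName set to no will happily talk to any host presenting a certificate. The following script is an added example, not code from the original post or from the Qpid Dispatch project; it parses the simple section { key: value } format used in qdrouterd.conf and reports such settings. The sample configuration embedded in it is constructed for this example and deliberately contains one plaintext listener and one connector that skips hostname verification.

```python
"""Added example (not from the original post or the Qpid Dispatch project):
audit the TLS-related settings of a qdrouterd.conf file.

The parser handles the `section { key: value }` layout shown in the post.
SAMPLE_CONF is constructed for this example."""
import re

SAMPLE_CONF = """
sslProfile {
   name: router-ssl
   certFile: /absolute/path/to/cert.pem
   keyFile: /absolute/path/to/key.pem
}

listener {
   role: inter-router
   host: 0.0.0.0
   port: 10003
   saslMechanisms: ANONYMOUS
   sslProfile: router-ssl
   authenticatePeer: false
   requireSsl: true
}

listener {
   host: 0.0.0.0
   port: amqp
   saslMechanisms: ANONYMOUS
   authenticatePeer: no
}

connector {
   role: inter-router
   host: router-a.example.internal
   port: 10003
   saslMechanisms: ANONYMOUS
   sslProfile: router-ssl
   verifyHostName: no
}
"""

# One section per `name { ... }` block; bodies never contain a closing brace.
SECTION_RE = re.compile(r"(\w+)\s*\{([^}]*)\}", re.S)


def parse_conf(text):
    """Return a list of (section_name, {attribute: value}) tuples, in file order."""
    sections = []
    for name, body in SECTION_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop trailing comments
            if ":" in line:
                key, value = line.split(":", 1)
                attrs[key.strip()] = value.strip()
        sections.append((name, attrs))
    return sections


def is_true(value):
    """qdrouterd accepts yes/no and true/false for boolean attributes."""
    return value.strip().lower() in ("true", "yes", "on", "1")


def audit_tls(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    sections = parse_conf(text)
    profiles = {a.get("name") for n, a in sections if n == "sslProfile"}
    findings = []
    for name, attrs in sections:
        where = "%s %s:%s" % (name, attrs.get("host", "?"), attrs.get("port", "?"))
        if name == "listener":
            profile = attrs.get("sslProfile")
            if profile is None:
                findings.append(where + " has no sslProfile (plaintext only)")
            elif profile not in profiles:
                findings.append(where + " references unknown sslProfile " + profile)
            elif not is_true(attrs.get("requireSsl", "no")):
                findings.append(where + " has an sslProfile but requireSsl is not true (plaintext still accepted)")
        elif name == "connector":
            if attrs.get("sslProfile") is None:
                findings.append(where + " has no sslProfile (connects in plaintext)")
            # Accept both spellings of the attribute seen in Dispatch configs.
            for key in ("verifyHostName", "verifyHostname"):
                if key in attrs and not is_true(attrs[key]):
                    findings.append(where + " disables hostname verification (%s: %s)" % (key, attrs[key]))
        elif name == "sslProfile":
            for key in ("certFile", "keyFile"):
                if not attrs.get(key, "").startswith("/"):
                    findings.append("sslProfile %s: %s is not an absolute path" % (attrs.get("name"), key))
    return findings


if __name__ == "__main__":
    for finding in audit_tls(SAMPLE_CONF):
        print("WARNING:", finding)
```

Run it against a real qdrouterd.conf by reading the file into audit_tls; a clean result means every listener refuses plaintext and every connector both uses TLS and checks the peer's hostname.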

Then you are ready to send to the router. Start with a client that already works without SSL, such as the examples at https://github.com/apache/qpid-jms/tree/master/qpid-jms-examples, then change the connection URL to the secure amqps scheme and point it at your PKCS12 truststore.

Note: verifyHost is set to false here because the certificate is self-signed and the router is addressed as localhost.

amqps://localhost:5672?transport.verifyHost=false&transport.storeType=PKCS12&transport.trustStoreLocation=/absolute/path/to/truststore.p12&transport.trustStorePassword=password
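Connection URLs like the one above tend to be copied from a development setup into production with transport.verifyHost=false (or transport.trustAll=true) still in place. The script below is an added example, not code from the original post or from qpid-jms; it parses the transport options of a qpid-jms URI and reports settings that weaken TLS. The option names used (transport.verifyHost, transport.trustAll, transport.storeType, transport.trustStoreLocation) are the ones that appear in the URL above and in the qpid-jms documentation; the example URIs are constructed.

```python
"""Added example (not from the original post or qpid-jms): report TLS-weakening
transport options in a qpid-jms connection URI. Example URIs are constructed."""
from urllib.parse import urlsplit, parse_qs

# The URI from the post (with verifyHost disabled) and a hardened variant, both
# constructed for this example.
DEV_URI = ("amqps://localhost:5672?transport.verifyHost=false&transport.storeType=PKCS12"
           "&transport.trustStoreLocation=/absolute/path/to/truststore.p12"
           "&transport.trustStorePassword=password")
PROD_URI = ("amqps://router-a.example.internal:5671?transport.storeType=PKCS12"
            "&transport.trustStoreLocation=/etc/amq/truststore.p12"
            "&transport.trustStorePassword=password")


def parse_jms_uri(uri):
    """Split a qpid-jms URI into (scheme, host, port, {option: value})."""
    parts = urlsplit(uri)
    # parse_qs returns lists; the last occurrence of an option wins.
    options = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    return parts.scheme, parts.hostname, parts.port, options


def audit_jms_uri(uri):
    """Return a list of findings; an empty list means the URI looks sound."""
    scheme, host, port, opts = parse_jms_uri(uri)
    findings = []
    if scheme != "amqps":
        findings.append("scheme %s is not amqps: the connection to %s:%s is plaintext" % (scheme, host, port))
        return findings  # the remaining options are irrelevant without TLS
    trust_all = opts.get("transport.trustAll", "false").lower() == "true"
    if trust_all:
        findings.append("transport.trustAll=true accepts any server certificate")
    if opts.get("transport.verifyHost", "true").lower() == "false":
        findings.append("transport.verifyHost=false skips hostname verification for %s" % host)
    store = opts.get("transport.trustStoreLocation")
    if store is None:
        if not trust_all:
            findings.append("no transport.trustStoreLocation: the JVM default truststore will be used")
    else:
        if not store.startswith("/"):
            findings.append("truststore path %s is not absolute" % store)
        # A .p12 file only loads when the store type is declared as PKCS12.
        store_type = (opts.get("transport.storeType") or "").upper()
        if store.lower().endswith((".p12", ".pfx")) and store_type != "PKCS12":
            findings.append("transport.storeType=%s does not match truststore file %s" % (store_type or "<unset>", store))
    return findings


if __name__ == "__main__":
    for label, uri in (("dev", DEV_URI), ("prod", PROD_URI)):
        for finding in audit_jms_uri(uri) or ["no findings"]:
            print("%s: %s" % (label, finding))
```

The dev URI yields exactly one finding, the disabled hostname check that the note above explains; the hardened URI, which keeps the PKCS12 truststore but verifies the hostname, yields none.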

Now your routers are secure with SSL!
