Securing AMQ7 Brokers with SSL (part 2)

December 28, 2017

Previously I did a post on Securing AMQ7 Routers with SSL. This post will expand upon that and explain how to secure JBoss AMQ7 Brokers with SSL and how to connect the routers and brokers with SSL as well.

SSL Between Brokers

If you have not already gathered your keystore and truststore files from the previous post, you will need to do so following these directions. If you already generated files to use for securing your routers those same files can be used.

 openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 65000 -out cert.pem
 openssl x509 -text -noout -in cert.pem
 openssl pkcs12 -inkey key.pem -in cert.pem -export -out truststore.p12
 openssl pkcs12 -in truststore.p12 -noout -info

You should end up with the following files:

key.pem
cert.pem
truststore.p12

Now that you have the appropriate files, you will need to edit your broker.xml files to use the certificates. Both acceptors and connectors need to be edited. In this example the files are in my broker/etc folder so I do not need a file path. A path is necessary if you place the files elsewhere.

<acceptors>
   <acceptor name="artemis">tcp://localhost:61616?sslEnabled=true;keyStorePath=truststore.p12;keyStorePassword=password;enabledProtocols=TLSv1,TLSv1.1,TLSv1.2;trustStorePath=truststore.p12;trustStorePassword=password</acceptor>
</acceptors>
<connectors>
   <connector name="my-connector">tcp://localhost:61616?sslEnabled=true;keyStorePath=truststore.p12;keyStorePassword=password;enabledProtocols=TLSv1,TLSv1.1,TLSv1.2;trustStorePath=truststore.p12;trustStorePassword=password</connector>
</connectors>

If you start up 2 brokers now with the sslEnabled you can see the traffic between them is secure.

SSL Between Brokers and Routers

In the previous post we setup an sslProfile in the router configuration. This will be used again here. If you have not previously added it, do so now.

sslProfile {
   name: router-ssl
   certFile: /absolute/path/to/cert.pem
   keyFile:/absolute/path/to/key.pem
   password: password
}

Next you will adjust the connector for the broker in the router configuration to use this ssl profile.

connector {
   name: broker1
   host: localhost
   port: 61616
   role: route-container
   saslMechanisms: ANONYMOUS
   sslProfile: router-ssl
   verifyHostName: no
}

After this step everything going in and out of the brokers is secure with SSL. Happy testing!

Take advantage of your Red Hat Developers membership and download RHEL today at no cost.

Last updated: December 27, 2017

Report a website issue

Linux

Java runtimes & frameworks

Kubernetes

Integration & App Connectivity

Automation

Developer tools

Developer Sandbox for Red Hat OpenShift

Programming Languages & Frameworks

System Design & Architecture

Developer Productivity

Secure Development & Architectures

Platform Engineering

Automated Data Processing

Start exploring in the Developer Sandbox for free

Interactive Lessons and Learning Paths

Developer Sandbox Activities

E-Books

Tutorials

Cheat Sheets

API Catalog

Red Hat Learning

Tech Talks

Deep Dives

Red Hat Summit

Securing AMQ7 Brokers with SSL (part 2)

SSL Between Brokers

SSL Between Brokers and Routers

Red Hat Trusted Software Supply Chain is now available

Synchronize instance tags from Amazon EC2 and Microsoft Azure with Red Hat Insights

Containerize Node.js applications at the edge on RHEL and Fedora

How to monitor OpenShift using the Datadog Operator

Red Hat build of Keycloak high availability: A simplified approach

Products

Build

Quicklinks

Communicate

RED HAT DEVELOPER

Red Hat legal and privacy links

Red Hat legal and privacy links

Report a website issue