Securing AMQ7 Brokers with SSL (part 2)

December 28, 2017
Mary Cochran
Related products:
Streams for Apache Kafka

Previously I did a post on Securing AMQ7 Routers with SSL. This post will expand upon that and explain how to secure JBoss AMQ7 Brokers with SSL and how to connect the routers and brokers with SSL as well.

SSL Between Brokers

If you have not already gathered your keystore and truststore files from the previous post, you will need to do so following these directions. If you already generated files to use for securing your routers those same files can be used. 

 openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 65000 -out cert.pem
 openssl x509 -text -noout -in cert.pem
 openssl pkcs12 -inkey key.pem -in cert.pem -export -out truststore.p12
 openssl pkcs12 -in truststore.p12 -noout -info

You should end up with the following files:

  • key.pem
  • cert.pem
  • truststore.p12

Now that you have the appropriate files, you will need to edit your broker.xml files to use the certificates. Both acceptors and connectors need to be edited. In this example the files are in my broker/etc folder so I do not need a file path. A path is necessary if you place the files elsewhere. 

<acceptors>
   <acceptor name="artemis">tcp://localhost:61616?sslEnabled=true;keyStorePath=truststore.p12;keyStorePassword=password;enabledProtocols=TLSv1,TLSv1.1,TLSv1.2;trustStorePath=truststore.p12;trustStorePassword=password</acceptor>
</acceptors>
<connectors>
   <connector name="my-connector">tcp://localhost:61616?sslEnabled=true;keyStorePath=truststore.p12;keyStorePassword=password;enabledProtocols=TLSv1,TLSv1.1,TLSv1.2;trustStorePath=truststore.p12;trustStorePassword=password</connector>
</connectors>

If you start up 2 brokers now with the sslEnabled you can see the traffic between them is secure.

SSL Between Brokers and Routers

In the previous post we setup an sslProfile in the router configuration.  This will be used again here.  If you have not previously added it, do so now. 

sslProfile {
   name: router-ssl
   certFile: /absolute/path/to/cert.pem
   keyFile:/absolute/path/to/key.pem
   password: password
}

Next you will adjust the connector for the broker in the router configuration to use this ssl profile. 

connector {
   name: broker1
   host: localhost
   port: 61616
   role: route-container
   saslMechanisms: ANONYMOUS
   sslProfile: router-ssl
   verifyHostName: no
}

After this step everything going in and out of the brokers is secure with SSL.  Happy testing!

Take advantage of your Red Hat Developers membership and download RHEL today at no cost.

Last updated: December 27, 2017