  • Please replace $activemq with the correct ActiveMQ installation folder name, such as C:\Program Files\Apache Software Foundation\ActiveMQ 5.13.
  • Please replace $tomcat with the correct Tomcat installation folder name, such as C:\Program Files\Apache Software Foundation\Tomcat 8.5.
  • Please replace $mytimetable-ec-consumer with the MyTimetable Consumer installation folder name.
  • Please replace $mytimetable-ec-producer with the MyTimetable Producer installation folder name.


Certificate authentication

Also see: http://activemq.apache.org/how-do-i-use-ssl.html

To enable certificate authentication, we need a keystore and a truststore for each of the components:

  • Broker
  • Consumer
  • Producer
  • Web interface

Keystores

Use the following command to generate a keystore for the broker with a 2048-bit RSA key and 10 years of validity. Choose the key password to be the same as the keystore password (press RETURN at the key password prompt).

Broker keystore creation
> keytool -genkey -alias broker -keyalg RSA -validity 3650 -keysize 2048 -keystore broker.keystore.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  DOMAIN NAME OF THE BROKER
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=DOMAIN NAME OF THE BROKER, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes
Enter key password for <broker>
        (RETURN if same as keystore password):

Then generate keystores for the clients:

Consumer keystore creation
> keytool -genkey -alias consumer -keyalg RSA -validity 3650 -keysize 2048 -keystore consumer.keystore.jks
...
What is your first and last name?
  [Unknown]:  mytimetable-consumer
...
Producer keystore creation
> keytool -genkey -alias producer -keyalg RSA -validity 3650 -keysize 2048 -keystore producer.keystore.jks
...
What is your first and last name?
  [Unknown]:  mytimetable-producer
...
Web interface keystore creation
> keytool -genkey -alias web -keyalg RSA -validity 3650 -keysize 2048 -keystore web.keystore.jks
...
What is your first and last name?
  [Unknown]:  mytimetable-web
...

Truststores

First, export the certificate from each of the keystores. When exporting a certificate, you'll be asked for the password of the keystore you chose earlier.

> keytool -export -alias broker -keystore broker.keystore.jks -file broker_cert
> keytool -export -alias consumer -keystore consumer.keystore.jks -file consumer_cert
> keytool -export -alias producer -keystore producer.keystore.jks -file producer_cert
> keytool -export -alias web -keystore web.keystore.jks -file web_cert

Let's create the truststore for the broker. It should contain the certificates of all three clients. You'll need to enter a new password for the truststore and confirm that you trust each certificate as it is imported.

Broker truststore creation
> keytool -import -alias consumer -keystore broker.truststore.jks -file consumer_cert
> keytool -import -alias producer -keystore broker.truststore.jks -file producer_cert
> keytool -import -alias web -keystore broker.truststore.jks -file web_cert

Now we'll create the truststore which contains the broker certificate and which can be shared across the three clients.

Client truststore creation
> keytool -import -alias broker -keystore client.truststore.jks -file broker_cert

Configuring the broker

Put broker.keystore.jks and broker.truststore.jks in the $activemq\conf directory and update the ActiveMQ wrapper configuration.

$activemq/bin/wrapper.conf
...
wrapper.java.additional.3=-Djavax.net.ssl.keyStorePassword=BROKER_KEYSTORE_PASSWORD
wrapper.java.additional.4=-Djavax.net.ssl.trustStorePassword=BROKER_TRUSTSTORE_PASSWORD
wrapper.java.additional.5=-Djavax.net.ssl.keyStore="%ACTIVEMQ_CONF%/broker.keystore.jks"
wrapper.java.additional.6=-Djavax.net.ssl.trustStore="%ACTIVEMQ_CONF%/broker.truststore.jks"
...

Configuring the MyTimetable Consumer

Create the directory $mytimetable-ec-consumer\config\ssl and put client.truststore.jks and consumer.keystore.jks in it. Then create $mytimetable-ec-consumer\config\activemq.properties with the following contents:

$mytimetable-ec-consumer/config/activemq.properties
ExternalCalendaring.ActiveMQ.BrokerUrl = ssl://HOSTNAME-OF-ACTIVEMQ-MACHINE:61616

ExternalCalendaring.ActiveMQ.KeyStore = C:\\PATH\ TO\\mytimetable-ec-consumer\\config\\ssl\\consumer.keystore.jks
ExternalCalendaring.ActiveMQ.KeyStorePassword = YOUR_CONSUMER_KEYSTORE_PASSWORD
ExternalCalendaring.ActiveMQ.TrustStore = C:\\PATH\ TO\\mytimetable-ec-consumer\\config\\ssl\\client.truststore.jks
ExternalCalendaring.ActiveMQ.TrustStorePassword = YOUR_CLIENT_TRUSTSTORE_PASSWORD

Configuring the MyTimetable Producer

Like Configuring the MyTimetable Consumer, but use producer.keystore.jks instead of consumer.keystore.jks and $mytimetable-ec-producer instead of $mytimetable-ec-consumer.

Configuring the MyTimetable Web Interface

First, make sure the system property application.home is passed to the MyTimetable application.

-Dapplication.home=$tomcat\mytimetable

Create the directory $tomcat\mytimetable\config\ssl and put client.truststore.jks and web.keystore.jks in it. Then create $tomcat\mytimetable\config\activemq.properties with the following contents:

$tomcat/mytimetable/config/activemq.properties
ExternalCalendaring.ActiveMQ.BrokerUrl = ssl://HOSTNAME-OF-ACTIVEMQ-MACHINE:61616

ExternalCalendaring.ActiveMQ.KeyStore = C:\\PATH\ TO\\mytimetable\\config\\ssl\\web.keystore.jks
ExternalCalendaring.ActiveMQ.KeyStorePassword = YOUR_WEB_KEYSTORE_PASSWORD
ExternalCalendaring.ActiveMQ.TrustStore = C:\\PATH\ TO\\mytimetable\\config\\ssl\\client.truststore.jks
ExternalCalendaring.ActiveMQ.TrustStorePassword = YOUR_CLIENT_TRUSTSTORE_PASSWORD
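The consumer and web-interface activemq.properties files above are read with Java .properties rules, which is why the paths contain doubled backslashes and an escaped space. The following check, added here as an example and not part of MyTimetable or ActiveMQ, decodes the values the same way and verifies that the BrokerUrl uses ssl:// and that all four key/trust store settings are present; the sample file is a copy of the web-interface configuration above.

```python
"""Validate a MyTimetable activemq.properties client configuration."""
import re

# Constructed sample: the web-interface configuration from this page.
SAMPLE_PROPS = r"""
ExternalCalendaring.ActiveMQ.BrokerUrl = ssl://HOSTNAME-OF-ACTIVEMQ-MACHINE:61616

ExternalCalendaring.ActiveMQ.KeyStore = C:\\PATH\ TO\\mytimetable\\config\\ssl\\web.keystore.jks
ExternalCalendaring.ActiveMQ.KeyStorePassword = YOUR_WEB_KEYSTORE_PASSWORD
ExternalCalendaring.ActiveMQ.TrustStore = C:\\PATH\ TO\\mytimetable\\config\\ssl\\client.truststore.jks
ExternalCalendaring.ActiveMQ.TrustStorePassword = YOUR_CLIENT_TRUSTSTORE_PASSWORD
"""

PREFIX = 'ExternalCalendaring.ActiveMQ.'
REQUIRED = ('KeyStore', 'KeyStorePassword', 'TrustStore', 'TrustStorePassword')
_SIMPLE = {'t': '\t', 'n': '\n', 'r': '\r', 'f': '\f'}

def unescape(value):
    """Java .properties escapes: '\\\\' -> '\\', '\\ ' -> ' ', \\t \\n etc.
    (\\uXXXX escapes are not handled; the page does not use them)."""
    return re.sub(r'\\(.)', lambda m: _SIMPLE.get(m.group(1), m.group(1)), value)

def load_properties(text):
    """Minimal .properties reader: key [=:] value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in '#!':
            continue
        m = re.match(r'([^=:\s]+)\s*[=:]?\s*(.*)', line)
        if m:
            props[m.group(1)] = unescape(m.group(2))
    return props

def check_client_config(text):
    """Return (decoded properties, list of problems); no problems means OK."""
    props = load_properties(text)
    problems = []
    url = props.get(PREFIX + 'BrokerUrl', '')
    if not url.startswith('ssl://'):
        problems.append(f'BrokerUrl must use ssl://, got {url!r}')
    for name in REQUIRED:
        if not props.get(PREFIX + name):
            problems.append(f'{name} is missing or empty')
    return props, problems

if __name__ == '__main__':
    decoded, issues = check_client_config(SAMPLE_PROPS)
    print(decoded[PREFIX + 'KeyStore'])   # the path as the JVM will see it
    print(issues or 'client configuration OK')
```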

Transport connectors

Next, configure the transport connectors so that the broker is only reachable over SSL. Edit $activemq\conf\activemq.xml, configure the SSL transport connector and disable all others. Note that the SSL connector enforces certificate authentication (transport.needClientAuth=true): a client without a certificate trusted by broker.truststore.jks cannot connect.

$activemq\conf\activemq.xml
...
<transportConnectors>
    <!-- DOS protection, limit concurrent connections to 1000 and frame size to 100MB -->
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600&amp;transport.needClientAuth=true" />

    <!--
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="amqp" uri="amqp://0.0.0.0:5672?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="stomp" uri="stomp://0.0.0.0:61613?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="mqtt" uri="mqtt://0.0.0.0:1883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="ws" uri="ws://0.0.0.0:61614?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    -->
</transportConnectors>
...
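A quick way to confirm that an activemq.xml really ends up with only the hardened connector is to audit the file the way the broker parses it: commented-out connectors are invisible to the XML parser, so only connectors the broker would actually open are checked. The script below is an added example (not part of ActiveMQ); the sample XML is constructed from the connector configuration above, with one leftover plaintext connector to show what a finding looks like.

```python
"""Audit activemq.xml transportConnectors: TLS only, client certs required."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the hardened ssl connector from this page, a commented-out
# stomp connector (ignored by the parser) and a forgotten plaintext connector.
SAMPLE_XML = """<beans><broker xmlns="http://activemq.apache.org/schema/core">
<transportConnectors>
  <transportConnector name="ssl" uri="ssl://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600&amp;transport.needClientAuth=true"/>
  <!-- <transportConnector name="stomp" uri="stomp://0.0.0.0:61613"/> -->
  <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
</transportConnectors></broker></beans>"""

def local(tag):
    """Strip the XML namespace so the audit works with or without xmlns."""
    return tag.rsplit('}', 1)[-1]

def audit_connectors(xml_text):
    """Return a list of (connector name, problem); an empty list means OK."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if local(el.tag) != 'transportConnector':
            continue
        name = el.get('name', '?')
        uri = urlsplit(el.get('uri', ''))   # &amp; is already decoded by ET
        # ActiveMQ spells its TLS transports ssl://, ssl+nio://, nio+ssl://, https://
        if 'ssl' not in uri.scheme.split('+') and uri.scheme != 'https':
            findings.append((name, f'plaintext transport {uri.scheme}://'))
            continue
        params = parse_qs(uri.query)
        if params.get('transport.needClientAuth', ['false'])[0].lower() != 'true':
            findings.append((name, 'transport.needClientAuth is not true'))
    return findings

if __name__ == '__main__':
    for name, problem in audit_connectors(SAMPLE_XML) or [('-', 'all connectors OK')]:
        print(f'{name}: {problem}')
```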

Securing the web console

Edit $activemq\conf\jetty-realm.properties so it contains all users that need access to the web console. Be sure to remove the defaults!

$activemq\conf\jetty-realm.properties
...
# Defines users that can access the web (console, demo, etc.)
# username: password [,rolename ...]
admin: PASSWORDHERE, admin