Deploying Artemis Broker With SSL Enabled and Use AMQP
Learn how to deploy the Red Hat AMQ Broker on OpenShift 4.x. External clients can then connect to produce/consume messages using AMQP.
Red Hat AMQ Broker
AMQ Broker is based on Apache ActiveMQ Artemis. It provides a message broker that is JMS-compliant. Apache ActiveMQ Artemis is an open-source project for an asynchronous messaging system. It is high-performance, embeddable, and clustered, and it supports multiple protocols.
The core ActiveMQ Artemis is JMS-agnostic and provides a non-JMS API, which is referred to as the core API. ActiveMQ Artemis also provides a JMS client API that uses a facade layer to implement the JMS semantics on top of the core API. Essentially, JMS interactions are translated into core API operations on the client-side using the JMS client API. From there, all operations are sent using the core client API and Apache ActiveMQ Artemis wire format. The server itself only uses the core API. For more details on the core API and its concepts, refer to the ActiveMQ Artemis documentation.
Red Hat OpenShift
Red Hat OpenShift offers a consistent hybrid-cloud foundation for building and scaling containerized applications. OpenShift provides an enterprise-grade, container-based platform with no vendor lock-in. Red Hat was one of the first companies to work with Google on Kubernetes, even before launch, and has become the second leading contributor to the Kubernetes upstream project. OpenShift also provides a common development platform no matter what infrastructure we use to host the application.
The Advanced Message Queuing Protocol (AMQP) is an open standard application layer protocol for message-oriented middleware. The defining features of AMQP are message orientation, queuing, routing (including point-to-point and publish-and-subscribe), reliability and security.
In this article, we will deploy the Red Hat AMQ Broker 7.7 on OpenShift 4.3 with SSL security enabled, then produce and consume messages from external clients using the AMQP protocol.
For this demonstration, you will need the following technologies set up in your development environment:
- An OpenShift 4.3+ environment with Cluster Admin access
- OpenShift CLI (
- Apache Maven 3.6.3+
- JDK 8+ installed
There are two ways to deploy AMQ Broker on OpenShift Container Platform:
The AMQ Broker Operator is the recommended way to create broker deployments on OpenShift Container Platform. We will be using the AMQ Broker Operator to deploy the AMQ Broker.
Deploy AMQ Broker on OpenShift
- In your web browser, navigate to the AMQ Broker Software Downloads page.
- In the Version drop-down box, ensure that the value is set to the latest AMQ Broker version,
Next to AMQ Broker 7.7 Operator Installation Files, click Download.
Download of the amq-broker-operator-7.7.0-ocp-install-examples.zip compressed archive automatically begins.
When the download has completed, move the archive to your chosen installation directory
Log in to the OpenShift Container Platform as a cluster administrator.
1. Create a new project
2. Specify a service account to use with the Operator
3. Create a service account in your project.
4. Create a role in your project. This file specifies the resources that the Operator can use and modify.
5. Create the role binding in your project. The role binding binds the previously-created service account to the Operator role, based on the names you specified
6. Install the latest CRDs in your OpenShift cluster before deploying and starting the Operator
Deploy the main broker CRD, address CRD, and scale down controller CRD.
7. Create an image pull secret and associate with the account used for authentication in the Red Hat Container Registry with the builder service accounts for your OpenShift project.
8. Deploy the Operator
9. Now Deploy the AMQ Artemis SSL enabled broker
port parameters. Set values to specify the messaging protocols to be used by the acceptor and the port on each broker Pod to expose for those protocols
The configured acceptor exposes port 5672 to AMQP clients. The other protocol values are core for the Core protocol, openwire for OpenWire, mqtt for MQTT, and stomp for STOMP.
For each broker Pod in your deployment, the Operator also creates a default acceptor that uses port 61616. This default acceptor is required for broker clustering and has the Core protocol enabled.
By default, the AMQ Broker management console uses port 8161 on the broker Pod. Each broker Pod in your deployment has a dedicated service that provides access to the console
To specify the number of concurrent client connections that the acceptor allows, add the connectionsAllowed parameter and set a value.
By default, an acceptor is exposed only to clients in the same OpenShift cluster as the broker deployment. To also expose the acceptor to clients outside OpenShift, add the expose parameter and set the value to true.
Also, to enable secure connections to the acceptor from clients outside OpenShift, add the sslEnabled parameter and set the value to true.
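The acceptor settings described above, as an added example that is not from the original article: a constructed acceptors fragment with an exposed plain-text acceptor beside a TLS-enabled one, and a small check that flags any acceptor exposed outside the cluster without sslEnabled. The acceptor names, the MQTT port and the secret name are made up, and the awk check assumes the flat, unquoted layout of the sample.

```shell
# Constructed sample: the acceptors section of a broker custom resource.
# Acceptor names and the secret name are placeholders, not from the article.
sample_acceptors() {
  cat <<'EOF'
spec:
  acceptors:
  - name: mqtt-plain        # weak: reachable from outside the cluster, no TLS
    protocols: mqtt
    port: 1883
    expose: true
  - name: amqp-tls          # corrected: TLS on, secret named explicitly
    protocols: amqp
    port: 5672
    sslEnabled: true
    sslSecret: my-tls-secret
    expose: true
    connectionsAllowed: 5
EOF
}

# Reads custom resource YAML on stdin and prints one finding per acceptor that
# is exposed without sslEnabled. Assumes the flat, unquoted layout shown above.
audit_acceptors() {
  awk '
    function report() {
      if (name != "" && expose == "true" && ssl != "true")
        print name ": exposed outside the cluster without sslEnabled"
      name = ""; expose = ""; ssl = ""
    }
    /^ *- name:/     { report(); name = $3 }
    /^ *expose:/     { expose = $2 }
    /^ *sslEnabled:/ { ssl = $2 }
    END { report() }
  '
}

sample_acceptors | audit_acceptors
```

The same function can be fed a deployed resource's YAML on stdin before the Routes it creates are handed to external clients.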
Configuring One-Way TLS
The procedure in this section shows how to configure one-way Transport Layer Security (TLS) to secure a broker-client connection.
In one-way TLS, only the broker presents a certificate. This certificate is used by the client to authenticate the broker
1. Generate a self-signed certificate for the broker key store.
2. Export the certificate from the broker key store, so that it can be shared with clients. Export the certificate in the Base64-encoded
3. On the client, create a client trust store that imports the broker certificate
4. Create a secret to store the TLS credentials
5. Add the secret to the service account that you created when installing the Operator.
6. Specify the secret name in the sslSecret parameter of your secured acceptor or connector
7. Now deploy the broker
8. Now check all the project resources
Connecting to the Broker From External Clients
When you expose an acceptor to external clients (that is, by setting the value of the expose parameter to true), a dedicated Service and Route are automatically created for each broker Pod in the deployment.
An external client can connect to the broker by specifying the full hostname of the Route created for the broker Pod
By default, the OpenShift router listens to port 80 for non-secured (that is, non-SSL) traffic and port 443 for secured (that is, SSL-encrypted) traffic. For an HTTP connection, the router automatically directs traffic to port 443 if you specify a secure connection URL, or to port 80 if you specify a non-secure connection URL.
Clients must explicitly specify the port number (for example, port 443) as part of the connection URL.
For one-way TLS, the client must specify the path to its trust store and the corresponding password, as part of the connection URL.
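The one-way TLS steps and the client connection URL described above, as an added example that is not the article's own commands. The alias, file names, secret name and service account are placeholders, the key names inside the secret are an assumption about what the Operator reads, and the URL options assume the Qpid JMS client. It goes slightly beyond the steps by putting the Route hostname in the certificate's subject alternative name so the client can keep hostname verification on.

```shell
# Added example: alias, file names, secret name and service account are placeholders.
# Passwords passed as arguments land in shell history and process listings;
# read them from a prompt or a protected file in real use.

# Steps 1-3: broker key store, exported PEM certificate, client trust store.
# usage: make_tls_stores <dir> <route-host> <store-password>
make_tls_stores() {
  keytool -genkeypair -alias broker -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$2" -ext "SAN=dns:$2" \
    -keystore "$1/broker.ks" -storepass "$3" -keypass "$3"
  keytool -exportcert -rfc -alias broker -keystore "$1/broker.ks" \
    -storepass "$3" -file "$1/broker_cert.pem"
  # The trust store receives only the certificate, never the private key.
  keytool -importcert -noprompt -alias broker -file "$1/broker_cert.pem" \
    -keystore "$1/client.ts" -storepass "$3"
}

# Steps 4-5: store the credentials in a secret and link it to the Operator's
# service account. Key names are an assumption; with one-way TLS the broker
# needs no trust store of its own, so broker.ks also fills the client.ts key.
# usage: publish_tls_secret <dir> <secret-name> <service-account> <store-password>
publish_tls_secret() {
  oc create secret generic "$2" \
    --from-file=broker.ks="$1/broker.ks" --from-file=client.ts="$1/broker.ks" \
    --from-literal=keyStorePassword="$4" --from-literal=trustStorePassword="$4"
  oc secrets link "sa/$3" "secret/$2"
}

# Confirms which side holds the private key: prints the entry type of a store.
# usage: entry_type <store-file> <store-password>
entry_type() {
  keytool -list -keystore "$1" -storepass "$2" | grep -oE 'PrivateKeyEntry|trustedCertEntry'
}

# Connection URL for an external client: explicit port 443, trust store path
# and password, hostname verification left on (assumes Qpid JMS URI options).
# usage: client_url <route-host> <trust-store-path> <trust-store-password>
client_url() {
  printf 'amqps://%s:443?transport.trustStoreLocation=%s&transport.trustStorePassword=%s&transport.verifyHost=true\n' \
    "$1" "$2" "$3"
}
```

Only client.ts leaves the machine where the stores were generated; entry_type should report trustedCertEntry for it and PrivateKeyEntry for broker.ks.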
To Produce Messages using amqps
For simplicity, I defined the above class as a bean and called it from the Camel route.
To Consume Messages using amqps.
Camel consumer route
Now run the test case to connect to the AMQ Broker deployed on OpenShift and produce/consume messages.
Similarly, we can connect using the OpenWire protocol.
I hope it will help those who want to deploy the Red Hat AMQ Broker on OpenShift 4.x so that the external client can connect to produce/consume messages using the AMQP and OpenWire protocols.