Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Securing AMQ7 Brokers With SSL (Part 2)

DZone's Guide to

Securing AMQ7 Brokers With SSL (Part 2)

Check out how to secure JBoss AMQ7 Brokers with SSL before diving into how to connect the routers and brokers with SSL as well.

· IoT Zone ·
Free Resource

Download Microservices for Java Developers: A hands-on introduction to frameworks and containers. Brought to you in partnership with Red Hat.

Previously I did a post on Securing AMQ7 Routers with SSL. This post will expand upon that and explain how to secure JBoss AMQ7 Brokers with SSL and how to connect the routers and brokers with SSL as well.

SSL Between Brokers

If you have not already gathered your keystore and truststore files from the previous post, you will need to do so following these directions. If you already generated files to use for securing your routers those same files can be used.

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 65000 -out cert.pem
openssl x509 -text -noout -in cert.pem
openssl pkcs12 -inkey key.pem -in cert.pem -export -out truststore.p12
openssl pkcs12 -in truststore.p12 -noout -info


You should end up with the following files:

  • key.pem
  • cert.pem
  • truststore.p12

Now that you have the appropriate files, you will need to edit your broker.xml files to use the certificates. Both acceptors and connectors need to be edited. In this example the files are in my broker/etc folder so I do not need a file path. A path is necessary if you place the files elsewhere.

<acceptors>
   <acceptor name="artemis">tcp://localhost:61616?sslEnabled=true;keyStorePath=truststore.p12;keyStorePassword=password;enabledProtocols=TLSv1,TLSv1.1,TLSv1.2;trustStorePath=truststore.p12;trustStorePassword=password</acceptor>
</acceptors>
<connectors>
   <connector name="my-connector">tcp://localhost:61616?sslEnabled=true;keyStorePath=truststore.p12;keyStorePassword=password;enabledProtocols=TLSv1,TLSv1.1,TLSv1.2;trustStorePath=truststore.p12;trustStorePassword=password</connector>
</connectors>


If you start up two brokers now with sslEnabled, you can see the traffic between them is secure.

SSL Between Brokers and Routers

In the previous post, we set up an sslProfile in the router configuration. This will be used again here. If you have not previously added it, do so now.

sslProfile {
   name: router-ssl
   certFile: /absolute/path/to/cert.pem
   keyFile:/absolute/path/to/key.pem
   password: password
}


Next, you will adjust the connector for the broker in the router configuration to use this SSL profile.

connector {
   name: broker1
   host: localhost
   port: 61616
   role: route-container
   saslMechanisms: ANONYMOUS
   sslProfile: router-ssl
   verifyHostName: no
}


After this step, everything going in and out of the brokers is secure with SSL. Happy testing!

Download Building Reactive Microservices in Java: Asynchronous and Event-Based Application Design. Brought to you in partnership with Red Hat

Topics:
iot ,amq7 router ,ssl ,tutorial ,amqp

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}