Securing AMQ7 Routers With SSL

Digging AMQ7 and what it offers for AMQP projects? Make sure your routers are secure with this simple guide to configuring SSL for them.

AMQ7 is full of new and exciting technology and capabilities. However, with both routers and brokers in play, securing your topology can get confusing. In particular, securing the routers and learning how to use clients with them over AMQP can be challenging for those of us used to JKS files and pure JMS.

SSL Between Routers

The first step in securing traffic between routers is generating PEM files for your key and certificate. These steps also produce a PKCS12 file, which is what the AMQP client will use as its truststore. While this can be done with keytool, we will use OpenSSL.

# generate a self-signed certificate and its (unencrypted) private key
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 65000 -out cert.pem
# inspect the certificate
openssl x509 -text -noout -in cert.pem
# bundle key and certificate into a PKCS12 file; note that because of -inkey
# this file contains the router's private key, so guard it accordingly
openssl pkcs12 -inkey key.pem -in cert.pem -export -out truststore.p12
# inspect the PKCS12 file
openssl pkcs12 -in truststore.p12 -noout -info


Next, you will need to update your router configurations. Here, we will use two routers, Router.A and Router.B. The sslProfile will need to be added to both router conf files.

sslProfile {
   name: router-ssl
   certFile: /absolute/path/to/cert.pem
   keyFile: /absolute/path/to/key.pem
   # password used to unlock keyFile (the key above was generated without one)
   password: password
}


Then you will need to add or adjust an inter-router listener on Router.A.

listener {
   role: inter-router
   host: 0.0.0.0
   port: 10003
   saslMechanisms: ANONYMOUS
   sslProfile: router-ssl
   authenticatePeer: false
   requireSsl: true
}


Then you need to add or adjust a connector on Router.B, which will be used to connect it to Router.A.

connector {
   role: inter-router
   # address of Router.A as reachable from Router.B
   host: 0.0.0.0
   port: 10003
   saslMechanisms: ANONYMOUS
   sslProfile: router-ssl
   # disabled only because the certificate is self-signed; the attribute name is verifyHostname
   verifyHostname: no
}


After this is done, you should be able to start both of your routers and then run something like the command below to view the connections.

qdstat -b 0.0.0.0:5672 -c


SSL to Routers

After traffic between the routers has been secured, traffic from the client to the routers should be the next concern. On Router.A, adjust the main listener like so.

listener {
   host: 0.0.0.0
   port: amqp
   saslMechanisms: ANONYMOUS
   authenticatePeer: no
   sslProfile: router-ssl
   requireSsl: true
}
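
As an added check, not part of the original article: a small Python script that parses qdrouterd.conf fragments in the "entity { key: value }" layout used above and flags listeners without an sslProfile or without requireSsl, plus connectors that disable verifyHostname. The sample config is constructed; parse_conf and audit are helper names chosen here.

```python
# Constructed qdrouterd.conf fragment in the layout this page uses (not the page's own files).
SAMPLE_CONF = """sslProfile {
   name: router-ssl
}
listener {
   host: 0.0.0.0
   port: 10003
   sslProfile: router-ssl
   requireSsl: true
}
listener {
   host: 0.0.0.0
   port: amqp
}
connector {
   host: 0.0.0.0
   port: 10003
   sslProfile: router-ssl
   verifyHostname: no
}
"""

def parse_conf(text):
    """Parse qdrouterd's 'entity { key: value }' syntax into (entity, attrs) pairs."""
    sections, attrs = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if line.endswith("{"):
            attrs = {}
            sections.append((line[:-1].strip(), attrs))
        elif line == "}":
            attrs = None
        elif attrs is not None and ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return sections

def audit(text):
    """Return one finding per listener/connector whose TLS settings are missing or weakened."""
    findings = []
    for entity, a in parse_conf(text):
        if entity not in ("listener", "connector"):
            continue
        where = f"{entity} {a.get('host')}:{a.get('port')}"
        # listeners must force TLS; connectors must verify the peer's hostname
        flag, default = ("requireSsl", "no") if entity == "listener" else ("verifyHostname", "yes")
        if "sslProfile" not in a:
            findings.append(f"{where}: no sslProfile, traffic is plaintext")
        elif a.get(flag, default).lower() not in ("yes", "true"):
            findings.append(f"{where}: {flag} is off")
    return findings
```

Run audit on each router's conf file after the edits above; an empty list means every listener and connector is TLS-enabled with the strict settings.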


Then you are ready to send to the router. Start with a client that was already working without SSL, such as https://github.com/apache/qpid-jms/tree/master/qpid-jms-examples. Then simply change the connection URL to use amqps and point it at your PKCS12 truststore.

Note: transport.verifyHost is false here because the certificate is self-signed and the router is reached as localhost. The truststore is the truststore.p12 file exported above.

amqps://localhost:5672?transport.verifyHost=false&transport.storeType=PKCS12&transport.trustStoreLocation=/absolute/path/to/truststore.p12&transport.trustStorePassword=password


Now your routers are secure with SSL!


Published at DZone with permission of
