TLS/SSL Mulesoft Integration With ActiveMQ
The purpose of this article is to help Mulesoft developers understand the procedures for enabling TLS/SSL for ActiveMQ brokers with self-signed certificates.
Introduction
This article explains the detailed procedures for enabling TLS/SSL for ActiveMQ brokers with self-signed certificates. The main topics are the following:
- Generate a self-signed certificate using OpenSSL with the PKCS12 format
- Configuration changes for the message brokers to E
- Mulesoft publisher and consumers connector configuration to include truststore in the PKCS12 format
The main purpose of this article is to help Mulesoft developers understand the integration of ActiveMQ with TLS/SSL enabled brokers.
Generate Self-Signed Certificates
OpenSSL and keytool are the most popular tools for TLS/SSL certificate generation. OpenSSL is a powerful and versatile tool with broad uses in networking and certificate manipulation. In this process, I use OpenSSL to generate PKCS12 keystores.
Keystore for ActiveMQ Brokers
In order to enable TLS/SSL for the ActiveMQ brokers, we need a certificate together with its private key and public key, stored in a keystore format such as JKS or PKCS12.
Step One: Generate Key Pair
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3650
The above command prompts for several inputs. One of the important ones is the FQDN (fully qualified domain name), entered as the Common Name. For a self-signed certificate, it is better to use *.<Company-Name>.com, so that the same certificate can be applied to multiple brokers.
Step Two: Generate Keystore in PKCS12 Format
openssl pkcs12 -export -in cert.pem -inkey key.pem -out hytemq-dev.p12 -name "hytemq-dev"
The above command generates the file hytemq-dev.p12. This is the keystore required by the ActiveMQ brokers.
To view the content of the keystore, use the following command:
openssl pkcs12 -info -in hytemq-dev.p12
Truststore for Client
The truststore is what clients use to trust the brokers when they connect over TLS/SSL. It contains the certificate only, with no private key.
openssl pkcs12 -export -nokeys -in cert.pem -out hytemq-truststore.p12
To view the contents of the truststore, use this command:
openssl pkcs12 -info -in hytemq-truststore.p12 -passin pass:changeme
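The following script is an added example and is not part of the original article. It runs the article's Step One, Step Two and truststore commands non-interactively, then performs the checks worth doing before copying the files anywhere: the truststore carries the same certificate as the broker keystore (compared by SHA-256 fingerprint), the truststore contains no private key, and the wildcard name actually covers a broker host name. The domain `*.example.com`, the broker host `vdlamq01.example.com`, the password `changeme` and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): non-interactive version of the
# article's OpenSSL steps plus sanity checks on the resulting PKCS12 files.
# Domain, broker host name, password and output directory are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumed scratch directory
CN='*.example.com'                   # assumed wildcard FQDN used as Common Name
BROKER_HOST='vdlamq01.example.com'   # assumed broker host the wildcard must cover
PASS='changeme'                      # assumed password; use a real secret outside a demo

# Step One: RSA key pair and self-signed certificate, 10 years, no prompts.
# -subj replaces the interactive questions; -addext also puts the name in the
# subjectAltName, which is where modern TLS clients look for host name matching.
gen_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" \
    -subj "/CN=$CN" -addext "subjectAltName=DNS:$CN" 2>/dev/null
}

# Step Two: PKCS12 keystore for the broker (private key + certificate).
gen_keystore() {
  openssl pkcs12 -export -in "$WORKDIR/cert.pem" -inkey "$WORKDIR/key.pem" \
    -out "$WORKDIR/hytemq-dev.p12" -name "hytemq-dev" -passout "pass:$PASS"
}

# Client truststore: the certificate only, no private key.
gen_truststore() {
  openssl pkcs12 -export -nokeys -in "$WORKDIR/cert.pem" \
    -out "$WORKDIR/hytemq-truststore.p12" -passout "pass:$PASS"
}

# SHA-256 fingerprint of the (first) certificate inside a PKCS12 file.
p12_fingerprint() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Number of private keys inside a PKCS12 file (must be 0 for a truststore).
p12_key_count() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$PASS" 2>/dev/null \
    | grep -c -- '-----BEGIN.*PRIVATE KEY-----' || true
}

# Host name check: does the certificate cover the given broker host?
# Exit status 0 on match, 1 otherwise (openssl applies the wildcard rules).
cert_matches_host() {
  openssl x509 -in "$WORKDIR/cert.pem" -noout -checkhost "$1" | grep -q 'does match'
}

# Generate everything and print the values a reviewer would compare by hand.
build_all() {
  gen_cert
  gen_keystore
  gen_truststore
  echo "keystore fingerprint   : $(p12_fingerprint "$WORKDIR/hytemq-dev.p12")"
  echo "truststore fingerprint : $(p12_fingerprint "$WORKDIR/hytemq-truststore.p12")"
  echo "truststore private keys: $(p12_key_count "$WORKDIR/hytemq-truststore.p12")"
  if cert_matches_host "$BROKER_HOST"; then
    echo "certificate covers $BROKER_HOST"
  else
    echo "certificate does NOT cover $BROKER_HOST"
  fi
}

build_all
```

The two fingerprints must be identical, and the truststore must report zero private keys; a truststore that accidentally includes the key is the same as handing every client the broker's identity. If the broker's JDK refuses to open the keystore, note that OpenSSL 3 writes PKCS12 files with AES-256-CBC and PBKDF2 by default, which older Java releases cannot read; `openssl pkcs12 -export -legacy` produces the older encoding they accept. The `-addext` flag requires OpenSSL 1.1.1 or later.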
Configure ActiveMQ With TLS/SSL
To enable TLS/SSL, we need to do the following:
- Copy hytemq-dev.p12 to ${AMQ_HOME}/etc/ssl
- Update activemq.xml by adding the following segment:
<sslContext>
<sslContext keyStore="etc/ssl/hytemq-dev.p12" keyStoreKeyPassword="changeme" keyStorePassword="changeme"/>
</sslContext>
Note: We also need to add SSL transport connectors to activemq.xml, like the following (the & in the URIs must be written as &amp; inside the XML attribute):
<transportConnectors>
<transportConnector name="jms-management" uri="nio://0.0.0.0:61620?wireFormat.maxFrameSize=10485760&amp;allowLinkStealing=false&amp;maximumConnections=256"/>
<transportConnector name="jms-consumers-ssl" uri="nio+ssl://0.0.0.0:61618?wireFormat.maxFrameSize=10485760&amp;allowLinkStealing=false&amp;maximumConnections=256"/>
<transportConnector name="jms-producers-ssl" uri="nio+ssl://0.0.0.0:61621?wireFormat.maxFrameSize=10485760&amp;allowLinkStealing=false&amp;maximumConnections=256"/>
</transportConnectors>
Configure Mulesoft ActiveMQ Connector With TLS/SSL
To publish or consume messages with TLS/SSL enabled using the Mulesoft ActiveMQ connector, we need to configure the connector as follows:
<jms:config name="JMS_Config_SSL" doc:name="JMS Config" doc:id="301510cd-9750-4126-b452-b833e5137566" >
<jms:active-mq-connection username="admin" password="admin" >
<tls:context >
<tls:trust-store path="ssl/hytemq-truststore.p12" password="changeme" type="pkcs12" insecure="true"/>
</tls:context>
<jms:factory-configuration brokerUrl="failover:(ssl://vdlamq03.adt.com:61621,ssl://vdlamq02.adt.com:61621,ssl://vdlamq01.adt.com:61621)" />
</jms:active-mq-connection>
</jms:config>
[Screenshot: the General tab of the connector configuration]
[Screenshot: the TLS/SSL tab of the connector configuration]
Takeaways
Commands for creating self-signed certificates:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3650
openssl pkcs12 -export -in cert.pem -inkey key.pem -out hytemq-dev.p12 -name "hytemq-dev"
openssl pkcs12 -info -in hytemq-dev.p12
openssl pkcs12 -export -nokeys -in cert.pem -out hytemq-truststore.p12
openssl pkcs12 -nokeys -info -in hytemq-truststore.p12 -passin pass:changeme
openssl pkcs12 -info -in hytemq-truststore.p12 -passin pass:changeme