Setting up the Key and Trust Stores
Also see Tomcat's SSL instructions for more info. The following was provided by Colin Kilburn. Thanks Colin!
ActiveMQ uses dummy credentials by default: ActiveMQ includes key and trust stores that reference a dummy self-signed cert. When you create a broker certificate and stores for your installation, either overwrite the values in the conf directory or delete the existing dummy key and trust stores so they cannot interfere.
Starting the Broker
Using the javax.net.ssl.* System Properties
Before starting the broker's VM, set the ACTIVEMQ_SSL_OPTS environment variable so that it knows to use the broker keystore. (Note that in previous versions of ActiveMQ this property was called SSL_OPTS in some scripts. As of v5.12.0 all scripts use ACTIVEMQ_SSL_OPTS.)
Using Spring to configure SSL for a Broker instance
Sometimes the use of javax.net.ssl.* system properties is not appropriate, as they affect all SSL users in a JVM. ActiveMQ 5.2.x adds an <sslContext> element to the <amq:broker> that allows a broker-specific set of SSL properties to be configured. The SslContext test case validates starting an SSL transport listener using the configuration specified in the broker Xbean. The SslContext element is added to the broker as follows: The SslContext is used to configure the SslTransportFactory for that broker. Full details of the configuration options available can be seen in the schema definition or in the accessors of org.apache.activemq.spring.SpringSslContext.
Starting the Client
When starting the client's VM, specify the following system properties: In Linux, do not use an absolute path to the keystore. By default, keytool uses ~/.keystore, but in some setups passing -Djavax.net.ssl.keyStore=/home/account/.keystore to the Java VM does not work. This is not ActiveMQ specific but good to keep in mind anyway.
Client certificates
If you want to verify client certificates, you need to take a few extra steps:
Certificate revocation
Starting with version 5.12, you can define a certificate revocation list (CRL) path on the SSL context, so that invalid certificates can be revoked. This list is static and loaded on broker startup. Starting with version 5.14.0, you can also enable the more advanced Online Certificate Status Protocol (OCSP). For that you need to configure a location for the
Then you need to configure OCSP responder properties in
A demo of the broker configuration working with an OCSP responder can be found at https://github.com/dejanb/sslib
Working Around Java 7 SSL Bugs
As noted in issue AMQ-5970, some versions of Java 7 have problems with SSL sessions that need to use the Diffie-Hellman cipher suite. If you run into this issue, copy the Bouncy Castle bcprov-jdk15on-148.jar to ActiveMQ's lib directory and restart your broker.
Useful links
These links might also help
This chapter is from the book
In this article, we review how to use SSL with Axis and address the combination of SSL server authentication and BASIC-AUTH. SSL is based on a public key cryptography system, also called an asymmetrical key cryptography system, in which separate keys are used for encryption and decryption. In the case of server authentication, the server has a private key to decrypt messages from the client, and the client has the server's public key for encrypting messages that it sends after the session is established.
In the case of secret key encryption, more effort is required: Storage of the secret key by each communications partner, as well as the (initial) distribution of the secret key to those partners, must be secured. This can be a daunting and error-prone task.

You can create private and public keys using the keytool program provided with the JDK. If you add the -genkey option, the keytool command generates a private key and its public key (the command is broken here because of printing constraints, but it actually appears on a single line):
The options are summarized in Table 1. The generated private key and related information are stored in a keystore file, and keystore file information may also be specified in the command (for example, -keystore and -storetype).
The -keyalg and -keysize options specify the algorithm and size of the private key. -dname specifies an identification (X.500 Distinguished Name) for the key, and -alias indicates an alias for the key (unique within the keystore). In addition, a password for accessing the key may be specified with -keypass (by default, it is the same as the keystore password).
A public key corresponding to the private key is also generated with this command and is included in a certificate, which will be published to the client. The certificate itself is described in more detail in the PKI section. The certificate must be signed in order to demonstrate integrity; the signature algorithm is specified by the -sigalg option. Although we would like to specify who signed (or will sign) the certificate, that information cannot be specified with keytool. In this case, the certificate is signed by the private key that is generated, making it a self-signed certificate. A self-signed certificate is not practical for real use but is sufficiently useful for the purpose of experimenting with SSL.
Table 1: Options for the keytool Command
Option | Value | Meaning |
-keyalg | RSA | Format of the private key is RSA |
-keysize | 1024 | Key size is 1024 bits |
-alias | SkatesTown | Key alias is SkatesTown |
-dname | CN=Purchase Order Service, ... | Identification of the key is CN=Purchase Order Service, ... |
-keypass | wsbookexample | Password for the private key is wsbookexample |
-sigalg | MD5withRSA | Method for signing certificate is MD5 with RSA |
-storepass | wsbookexample | Password for the keystore file is wsbookexample |
-keystore | SkatesTown.ks | Keystore filename is SkatesTown.ks |
-keystoretype | JKS | Keystore filetype is Java Key Store (JKS) |
The generated certificate can be extracted with the following keytool command:
The extracted certificate is stored in SkatesTown.cer. Next we import the server certificate to a client keystore using the following command:
The client uses the imported certificate to trust the server that owns that certificate. When a client establishes a session, the server sends a server certificate to the client. If the certificate is a member of the certificates included in the client keystore, the client trusts the server and so proceeds to the session.
We provide a browser interface for keytool within our example navigator. Visit /ch5/ex2/index.jsp. If you specify some parameters, keytool commands are automatically generated and executed (see Figure 1). You can create keystore files, export certificates, and import them to other keystore files.
Figure 1 Example navigator GUI for keytool.
Let's examine the SSL configuration for a Web server (Tomcat, in this case). In the <tomcat-home>/conf/server.xml file, you need to add the Connector section shown in Listing 1.
Listing 1: Tomcat Configuration for SSL
HTTPS settings are specified in the Parameter elements. The port parameter indicates a port number for SSL connections. socketFactory specifies the Java factory class that will create SSL socket objects. With keystore and keypass, Tomcat can get the private key for the SSL session. Note that Tomcat assumes that (and hence requires) the server's keystore password is identical to the private key password. Finally, clientAuth specifies whether client authentication is performed. Note that you have to modify <java_home>/jre/security/java.security to run Tomcat with SSL.
For the client, you must set up the Java system properties that are required when invoking SSL. Listing 2 shows a modified POSubmission program. As you can see, the keystore type (storetype), keystore filename (keystore), and keystore password (storepass) are fed to the constructor, and the parameters are set as system properties. We will review these properties in the section 'Java Secure Socket Extension.' Although we specify the system parameters programmatically, you can specify them with the -D option of the java command. In that case, you do not have to change the program at all.
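The following script is an added example, not code from the article or from Axis. It runs the keytool sequence the article walks through (generate the key pair and self-signed certificate with Table 1's values, export the certificate, import it into the client's store) and then builds the java -D command line that the paragraph above says can replace the programmatic property setup. Assumptions not on the page: the client store is named client.ks with password clientpass; the key size and signature algorithm are raised to 2048 and SHA256withRSA because current JDKs reject MD5withRSA-signed certificates; and keytool's real option for the store type is -storetype (Table 1 lists it as -keystoretype). Because the imported certificate is what the client uses to trust the server, it is passed to JSSE through the javax.net.ssl.trustStore properties rather than the keyStore ones.

```shell
#!/bin/sh
# Added example (not the article's code): keytool workflow from Table 1 plus the
# client's java -D invocation. The keytool steps run only when keytool is
# installed; the command builders work without it.

SERVER_KS="SkatesTown.ks"            # Table 1: -keystore
SERVER_ALIAS="SkatesTown"            # Table 1: -alias
STORE_PASS="wsbookexample"           # Table 1: -storepass (keystore password)
KEY_PASS="wsbookexample"             # Table 1: -keypass; Tomcat requires it to equal STORE_PASS
DNAME="CN=Purchase Order Service"    # Table 1: -dname (only the CN is given in the article)
CERT_FILE="SkatesTown.cer"           # exported certificate file, as in the article
CLIENT_KS="client.ks"                # assumed name of the client's trust store
CLIENT_PASS="clientpass"             # assumed password for that store
KEY_SIZE=2048                        # Table 1 uses 1024, too small for current JDKs
SIG_ALG="SHA256withRSA"              # Table 1 uses MD5withRSA, rejected by current JDKs

# Step 1: generate the private key and its self-signed certificate.
# keytool's option for the store type is -storetype (Table 1 calls it -keystoretype).
genkey_cmd() {
  printf 'keytool -genkeypair -keyalg RSA -keysize %s -sigalg %s -alias %s -dname "%s" -keypass %s -storepass %s -keystore %s -storetype JKS' \
    "$KEY_SIZE" "$SIG_ALG" "$SERVER_ALIAS" "$DNAME" "$KEY_PASS" "$STORE_PASS" "$SERVER_KS"
}

# Step 2: extract the certificate (public key plus identity, no private key) to a file.
export_cmd() {
  printf 'keytool -exportcert -alias %s -file %s -keystore %s -storepass %s' \
    "$SERVER_ALIAS" "$CERT_FILE" "$SERVER_KS" "$STORE_PASS"
}

# Step 3: import the certificate into the client's store as a trusted entry.
# -noprompt skips the interactive "Trust this certificate?" question.
import_cmd() {
  printf 'keytool -importcert -noprompt -alias %s -file %s -keystore %s -storepass %s -storetype JKS' \
    "$SERVER_ALIAS" "$CERT_FILE" "$CLIENT_KS" "$CLIENT_PASS"
}

# The client JVM invocation: the store holding the imported certificate is what
# JSSE consults to trust the server, so it goes into javax.net.ssl.trustStore*.
client_java_cmd() {
  printf 'java -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s POSubmission' \
    "$CLIENT_KS" "$CLIENT_PASS"
}

# Execute the three keytool steps in a scratch directory and confirm that the
# server certificate is listed in the client store as a trustedCertEntry.
# Returns 0 when keytool is unavailable (the commands are printed instead).
run_workflow() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; commands that would run:"
    genkey_cmd; echo; export_cmd; echo; import_cmd; echo; client_java_cmd; echo
    return 0
  fi
  (
    workdir=$(mktemp -d) && cd "$workdir" &&
    eval "$(genkey_cmd)" >/dev/null 2>&1 &&
    eval "$(export_cmd)" >/dev/null 2>&1 &&
    eval "$(import_cmd)" >/dev/null 2>&1 &&
    keytool -list -keystore "$CLIENT_KS" -storepass "$CLIENT_PASS" 2>/dev/null |
      grep -i "$SERVER_ALIAS" | grep -q trustedCertEntry
  )
}

run_workflow
```

Two design points: the server's private key never leaves SkatesTown.ks (only the exported certificate is copied to the client), and the client store is deliberately a separate file from the server keystore so that a compromised client host does not expose the server key.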
Listing 2: POSubmission That Performs Basic Authentication and SSL
You can execute POSubmission with BASIC-AUTH and SSL via /ch5/ex3/index.jsp in the example navigator. Specify some values in the page such as the keystore file, keystore password, and so on if you want, and then click the Submit PO button (see Figure 2).
Figure 2 Example navigator GUI for basic authentication and SSL.
