Friday, February 27, 2015

Configure ActiveMQ Transport Connector With nio+ssl With Mutual Authentication

Introduction

In my previous blogs about ActiveMQ, I covered how to set up high availability with various topologies and configurations. In this blog, I am going to explain in detail how to set up a transport connection using nio+ssl. I will cover the following areas:

  1. A brief introduction of nio+ssl transport
  2. Create SSL keystore and truststore files using keytool
  3. Enable the SSL transport in ActiveMQ with trusted clients
  4. How to run producer and consumers

NIO SSL Transport

NIO is the same as TCP except that the Java New I/O library is used. NIO provides better performance than the plain TCP transport. In the ActiveMQ transport connector, we can simply replace tcp with nio. nio+ssl is SSL [Secure Sockets Layer] over TCP using the Java New I/O packages. This transport is recommended for an enterprise messaging system, as it provides better security by encrypting the messages over the wire.

The above figure illustrates the scenario for mutual authentication between server and client. The client and server establish the connection by exchanging the server and client certificates, which are stored in the truststore files broker.ts and client.ts for the server and the client, respectively.

Generate Keystore and Truststore

In order to achieve the mutual authentication, we need to generate 4 files:

  1. broker.ks : server keystore
  2. broker.ts : server truststore
  3. client.ks : client keystore
  4. client.ts : client truststore

Here is the procedure to generate these files:

cd $ACTIVEMQ_HOME/conf
# generate a key pair and self-signed certificate for the broker and for the client
keytool -genkey -alias broker -keyalg RSA -keystore broker.ks
keytool -genkey -alias client -keyalg RSA -keystore client.ks
# export each side's certificate (public part only) ...
keytool -export -alias broker -keystore broker.ks -file broker_cert
keytool -export -alias client -keystore client.ks -file client_cert
# ... and import it into the other side's truststore
keytool -import -alias broker -keystore client.ts -file broker_cert
keytool -import -alias client -keystore broker.ts -file client_cert

Modify activemq.xml


       ...
       
            
            
        
 
        
            
            
        
        ...

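The activemq.xml fragment referred to here did not survive extraction, so the following is an added example (not the author's file) of the broker-side sslContext and nio+ssl transportConnector that this section describes. It assumes the keystore files live in ${activemq.conf} as generated above, reuses the port and URI options that appear in the server log below, and uses CHANGE_ME as a placeholder for the broker keystore/truststore password chosen at keytool time.

```xml
<!-- Added example, not the original post's activemq.xml. -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="NioSsl">
    <!-- ... -->

    <!-- Broker identity (broker.ks) and the client certificates it trusts (broker.ts) -->
    <sslContext>
        <sslContext keyStore="file:${activemq.conf}/broker.ks"
                    keyStorePassword="CHANGE_ME"
                    trustStore="file:${activemq.conf}/broker.ts"
                    trustStorePassword="CHANGE_ME"/>
    </sslContext>

    <transportConnectors>
        <!-- transport.needClientAuth=true is what makes the handshake mutual: without it
             the broker only proves its own identity and accepts any client that trusts
             broker_cert. Note the "&amp;" separators required inside an XML attribute. -->
        <transportConnector name="nio+ssl"
            uri="nio+ssl://0.0.0.0:61617?transport.needClientAuth=true&amp;maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    </transportConnectors>

    <!-- ... -->
</broker>
```

A client presenting no certificate, or one not imported into broker.ts, fails the TLS handshake before any OpenWire frame is exchanged.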

Start ActiveMQ

After you start the ActiveMQ server (with the activemq start command), you should see the following in the server log:

2015-02-27 15:49:04,544 | INFO  | Refreshing org.apache.activemq.xbean.XBeanBrokerFactory$1@2c90f71b: startup date [Fri Feb 27 15:49:04 CST 2015]; root of context hierarchy | org.apache.activemq.xbean.XBeanBrokerFactory$1 | main
2015-02-27 15:49:05,672 | INFO  | PListStore:[/opt/app/amq/Transport/NioSsl/data/NioSsl/tmp_storage] started | org.apache.activemq.store.kahadb.plist.PListStoreImpl | main
2015-02-27 15:49:05,783 | INFO  | Using Persistence Adapter: KahaDBPersistenceAdapter[/amqdata/master-slave/data/kahadb] | org.apache.activemq.broker.BrokerService | main
2015-02-27 15:49:05,798 | INFO  | JMX consoles can connect to service:jmx:rmi://localhost:44444/jndi/rmi://localhost:11099/jmxrmi | org.apache.activemq.broker.jmx.ManagementContext | JMX connector
2015-02-27 15:49:06,563 | INFO  | KahaDB is version 5 | org.apache.activemq.store.kahadb.MessageDatabase | main
2015-02-27 15:49:06,581 | INFO  | Recovering from the journal ... | org.apache.activemq.store.kahadb.MessageDatabase | main
2015-02-27 15:49:06,605 | INFO  | Recovery replayed 634 operations from the journal in 0.036 seconds. | org.apache.activemq.store.kahadb.MessageDatabase | main
2015-02-27 15:49:06,751 | INFO  | Apache ActiveMQ 5.10.0 (NioSsl, ID:SANDBOXFUSEV01-33072-1425073746626-0:1) is starting | org.apache.activemq.broker.BrokerService | main
2015-02-27 15:49:06,803 | INFO  | Listening for connections at: nio+ssl://SANDBOXFUSEV01:61617?maximumConnections=1000&wireFormat.maxFrameSize=104857600 | org.apache.activemq.transport.TransportServerThreadSupport | main
2015-02-27 15:49:06,808 | INFO  | Connector nio+ssl started | org.apache.activemq.broker.TransportConnector | main
2015-02-27 15:49:07,066 | INFO  | Connector https started | org.apache.activemq.broker.TransportConnector | main
2015-02-27 15:49:07,069 | INFO  | Apache ActiveMQ 5.10.0 (NioSsl, ID:SANDBOXFUSEV01-33072-1425073746626-0:1) started | org.apache.activemq.broker.BrokerService | main
2015-02-27 15:49:07,073 | INFO  | For help or more information please see: http://activemq.apache.org | org.apache.activemq.broker.BrokerService | main
2015-02-27 15:49:07,077 | ERROR | Temporary Store limit is 51200 mb, whilst the temporary data directory: /opt/app/amq/Transport/NioSsl/data/NioSsl/tmp_storage only has 9820 mb of usable space - resetting to maximum available 9820 mb. | org.apache.activemq.broker.BrokerService | main
2015-02-27 15:49:07,405 | INFO  | ActiveMQ WebConsole available at http://0.0.0.0:8161/ | org.apache.activemq.web.WebConsoleStarter | main
2015-02-27 15:49:07,449 | INFO  | Initializing Spring FrameworkServlet 'dispatcher' | /admin | main
2015-02-27 15:49:07,634 | INFO  | jolokia-agent: No access restrictor found at classpath:/jolokia-access.xml, access to all MBeans is allowed | /api | main

Note the lines of particular interest:

2015-02-27 15:49:06,803 | INFO  | Listening for connections at: nio+ssl://SANDBOXFUSEV01:61617?maximumConnections=1000&wireFormat.maxFrameSize=104857600 | org.apache.activemq.transport.TransportServerThreadSupport | main
2015-02-27 15:49:06,808 | INFO  | Connector nio+ssl started | org.apache.activemq.broker.TransportConnector | main
2015-02-27 15:49:07,066 | INFO  | Connector https started | org.apache.activemq.broker.TransportConnector | main
2015-02-27 15:49:07,069 | INFO  | Apache ActiveMQ 5.10.0 (NioSsl, ID:SANDBOXFUSEV01-33072-1425073746626-0:1) started | org.apache.activemq.broker.BrokerService | main

The above log indicates that the server has started with the nio+ssl transport listening on port 61617.

Run Producer and Consumer

I created a script named runProducer.sh with the following contents:

#!/bin/bash
ACTIVEMQ_HOME=/opt/app/amq/Transport/NioSsl
ant producer -Durl="nio+ssl://localhost:61617" \
 -Dtopic=false \
 -Ddurable=true \
 -Dsubject=QUEUE.NIOSSL \
 -Dmax=100 \
 -Djavax.net.ssl.keyStore=${ACTIVEMQ_HOME}/conf/client.ks \
 -Djavax.net.ssl.keyStorePassword=amqadmin@ \
 -Djavax.net.ssl.trustStore=${ACTIVEMQ_HOME}/conf/client.ts \
 -Djavax.net.ssl.trustStorePassword=amqadmin@

Run the above script from within $ACTIVEMQ_HOME/examples/openwire/swissarmy.

The script for running the consumer, runConsumer.sh, has the following contents:

#!/bin/bash
ACTIVEMQ_HOME=/opt/app/amq/Transport/NioSsl
ant consumer -Durl="nio+ssl://localhost:61617" \
 -Dtopic=false \
 -Ddurable=true \
 -Dsubject=QUEUE.NIOSSL \
 -Djavax.net.ssl.keyStore=${ACTIVEMQ_HOME}/conf/client.ks \
 -Djavax.net.ssl.keyStorePassword=amqadmin@ \
 -Djavax.net.ssl.trustStore=${ACTIVEMQ_HOME}/conf/client.ts \
 -Djavax.net.ssl.trustStorePassword=amqadmin@

If the consumer is running, you can check the connections. The following is what I can see:

Note: the URL takes the following form:

url="nio+ssl://localhost:61617"

Summary

In this blog, I have explained the procedure to set up the nio+ssl transport for ActiveMQ, together with the procedure for testing it. This should give us a clear picture of how the nio+ssl transport works.
