Introduction
In my previous blogs about ActiveMQ, I covered how to set up high availability with various topologies and configurations. In this blog, I am going to explain in detail how to set up a transport connection using nio+ssl. I will cover the following areas:
- A brief introduction to the nio+ssl transport
- Creating SSL keystore and truststore files using keytool
- Enabling the SSL transport in ActiveMQ with trusted clients
- How to run the producer and consumer
NIO SSL Transport
NIO is the same as TCP except that the Java New I/O library is used; NIO gives better performance than the plain TCP transport. In the ActiveMQ transport connector, tcp can simply be replaced by nio. nio+ssl is SSL [Secure Sockets Layer] over TCP using the Java New I/O packages. This transport is recommended for enterprise messaging systems, as it provides better security by encrypting the messages on the wire.
The above figure illustrates the scenario for mutual authentication between server and client. The client and server establish the connection by exchanging the server and client certificates, which are stored in the truststore files broker.ts and client.ts for the server and the client, respectively.
Generate Keystore and Truststore
In order to achieve mutual authentication, we need to generate 4 files:
- broker.ks : server keystore
- broker.ts : server truststore
- client.ks : client keystore
- client.ts : client truststore
Here is the procedure to generate these files:
cd $ACTIVEMQ_HOME/conf
keytool -genkey -alias broker -keyalg RSA -keystore broker.ks
keytool -genkey -alias client -keyalg RSA -keystore client.ks
keytool -export -alias broker -keystore broker.ks -file broker_cert
keytool -export -alias client -keystore client.ks -file client_cert
keytool -import -alias broker -keystore client.ts -file broker_cert
keytool -import -alias client -keystore broker.ts -file client_cert
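The same procedure in non-interactive form, followed by a check that each truststore really holds the other side's certificate (the cross-import is the step most often done the wrong way round). This is an added example, not the post's script; the output directory, the shared password, the DNs and the 365-day validity are assumptions for a lab setup.

```shell
#!/bin/bash
# Added example (not the post's script): non-interactive version of the keytool
# procedure above, plus a check that each truststore holds the other side's cert.
# Output directory, the shared password, the DNs and the 365-day validity are
# assumptions for a lab; use separate, strong passwords in production.
set -eu

gen_mutual_tls() {
  local dir="$1" pass="$2"
  mkdir -p "$dir"
  rm -f "$dir"/broker.ks "$dir"/client.ks "$dir"/broker.ts "$dir"/client.ts \
        "$dir"/broker_cert "$dir"/client_cert
  # One key pair and self-signed cert per side. -dname suppresses the prompts;
  # the broker CN must match the host name the client puts in its URL.
  keytool -genkeypair -alias broker -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=localhost, OU=lab, O=example" \
    -keystore "$dir/broker.ks" -storepass "$pass" -keypass "$pass"
  keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=amq-client, OU=lab, O=example" \
    -keystore "$dir/client.ks" -storepass "$pass" -keypass "$pass"
  # Export each public certificate, then import it into the OTHER side's
  # truststore: the client must trust the broker, the broker must trust the client.
  keytool -exportcert -alias broker -keystore "$dir/broker.ks" -storepass "$pass" -file "$dir/broker_cert"
  keytool -exportcert -alias client -keystore "$dir/client.ks" -storepass "$pass" -file "$dir/client_cert"
  keytool -importcert -noprompt -alias broker -keystore "$dir/client.ts" -storepass "$pass" -file "$dir/broker_cert"
  keytool -importcert -noprompt -alias client -keystore "$dir/broker.ts" -storepass "$pass" -file "$dir/client_cert"
}

# Prints the SHA-1/SHA-256 fingerprint lines of <alias> in <store>, or nothing
# if the alias is absent or the password is wrong.
fingerprints() {
  keytool -list -v -alias "$1" -keystore "$2" -storepass "$3" 2>/dev/null \
    | grep -E 'SHA(1|256):' || true
}

# Returns 0 only if <alias> in <truststore> carries the same fingerprints as
# <alias> in <keystore>, i.e. the right certificate was trusted.
same_cert() {
  local alias="$1" keystore="$2" truststore="$3" pass="$4" a b
  a=$(fingerprints "$alias" "$keystore" "$pass")
  b=$(fingerprints "$alias" "$truststore" "$pass")
  [ -n "$a" ] && [ "$a" = "$b" ]
}
# Usage: gen_mutual_tls "$ACTIVEMQ_HOME/conf" 'changeit'
#        same_cert broker "$ACTIVEMQ_HOME/conf/broker.ks" "$ACTIVEMQ_HOME/conf/client.ts" 'changeit'
```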
Modify activemq.xml
... ...
Start ActiveMQ
After you start the ActiveMQ server [with the activemq start command], you should see the following in the server log:
2015-02-27 15:49:04,544 | INFO | Refreshing org.apache.activemq.xbean.XBeanBrokerFactory$1@2c90f71b: startup date [Fri Feb 27 15:49:04 CST 2015]; root of context hierarchy | org.apache.activemq.xbean.XBeanBrokerFactory$1 | main
2015-02-27 15:49:05,672 | INFO | PListStore:[/opt/app/amq/Transport/NioSsl/data/NioSsl/tmp_storage] started | org.apache.activemq.store.kahadb.plist.PListStoreImpl | main
2015-02-27 15:49:05,783 | INFO | Using Persistence Adapter: KahaDBPersistenceAdapter[/amqdata/master-slave/data/kahadb] | org.apache.activemq.broker.BrokerService | main
2015-02-27 15:49:05,798 | INFO | JMX consoles can connect to service:jmx:rmi://localhost:44444/jndi/rmi://localhost:11099/jmxrmi | org.apache.activemq.broker.jmx.ManagementContext | JMX connector
2015-02-27 15:49:06,563 | INFO | KahaDB is version 5 | org.apache.activemq.store.kahadb.MessageDatabase | main
2015-02-27 15:49:06,581 | INFO | Recovering from the journal ... | org.apache.activemq.store.kahadb.MessageDatabase | main
2015-02-27 15:49:06,605 | INFO | Recovery replayed 634 operations from the journal in 0.036 seconds. | org.apache.activemq.store.kahadb.MessageDatabase | main
2015-02-27 15:49:06,751 | INFO | Apache ActiveMQ 5.10.0 (NioSsl, ID:SANDBOXFUSEV01-33072-1425073746626-0:1) is starting | org.apache.activemq.broker.BrokerService | main
2015-02-27 15:49:06,803 | INFO | Listening for connections at: nio+ssl://SANDBOXFUSEV01:61617?maximumConnections=1000&wireFormat.maxFrameSize=104857600 | org.apache.activemq.transport.TransportServerThreadSupport | main
2015-02-27 15:49:06,808 | INFO | Connector nio+ssl started | org.apache.activemq.broker.TransportConnector | main
2015-02-27 15:49:07,066 | INFO | Connector https started | org.apache.activemq.broker.TransportConnector | main
2015-02-27 15:49:07,069 | INFO | Apache ActiveMQ 5.10.0 (NioSsl, ID:SANDBOXFUSEV01-33072-1425073746626-0:1) started | org.apache.activemq.broker.BrokerService | main
2015-02-27 15:49:07,073 | INFO | For help or more information please see: http://activemq.apache.org | org.apache.activemq.broker.BrokerService | main
2015-02-27 15:49:07,077 | ERROR | Temporary Store limit is 51200 mb, whilst the temporary data directory: /opt/app/amq/Transport/NioSsl/data/NioSsl/tmp_storage only has 9820 mb of usable space - resetting to maximum available 9820 mb. | org.apache.activemq.broker.BrokerService | main
2015-02-27 15:49:07,405 | INFO | ActiveMQ WebConsole available at http://0.0.0.0:8161/ | org.apache.activemq.web.WebConsoleStarter | main
2015-02-27 15:49:07,449 | INFO | Initializing Spring FrameworkServlet 'dispatcher' | /admin | main
2015-02-27 15:49:07,634 | INFO | jolokia-agent: No access restrictor found at classpath:/jolokia-access.xml, access to all MBeans is allowed | /api | main
Note the lines of particular interest:
2015-02-27 15:49:06,803 | INFO | Listening for connections at: nio+ssl://SANDBOXFUSEV01:61617?maximumConnections=1000&wireFormat.maxFrameSize=104857600 | org.apache.activemq.transport.TransportServerThreadSupport | main
2015-02-27 15:49:06,808 | INFO | Connector nio+ssl started | org.apache.activemq.broker.TransportConnector | main
2015-02-27 15:49:07,066 | INFO | Connector https started | org.apache.activemq.broker.TransportConnector | main
2015-02-27 15:49:07,069 | INFO | Apache ActiveMQ 5.10.0 (NioSsl, ID:SANDBOXFUSEV01-33072-1425073746626-0:1) started | org.apache.activemq.broker.BrokerService | main
The above log indicates that the server has started with the nio+ssl transport listening on port 61617.
Run Producer and Consumer
I created a script named runProducer.sh with the following contents:
#!/bin/bash
ACTIVEMQ_HOME=/opt/app/amq/Transport/NioSsl
# keyStore: the client's own key and certificate, presented to the broker
# trustStore: the broker certificate the client accepts
ant producer -Durl="nio+ssl://localhost:61617" \
  -Dtopic=false \
  -Ddurable=true \
  -Dsubject=QUEUE.NIOSSL \
  -Dmax=100 \
  -Djavax.net.ssl.keyStore=${ACTIVEMQ_HOME}/conf/client.ks \
  -Djavax.net.ssl.keyStorePassword=amqadmin@ \
  -Djavax.net.ssl.trustStore=${ACTIVEMQ_HOME}/conf/client.ts \
  -Djavax.net.ssl.trustStorePassword=amqadmin@
Run the above script in $ACTIVEMQ_HOME/examples/openwire/swissarmy.
The script for running the consumer, runConsumer.sh, has the following contents:
#!/bin/bash
ACTIVEMQ_HOME=/opt/app/amq/Transport/NioSsl
# same client keystore/truststore as the producer; no -Dmax, so it keeps consuming
ant consumer -Durl="nio+ssl://localhost:61617" \
  -Dtopic=false \
  -Ddurable=true \
  -Dsubject=QUEUE.NIOSSL \
  -Djavax.net.ssl.keyStore=${ACTIVEMQ_HOME}/conf/client.ks \
  -Djavax.net.ssl.keyStorePassword=amqadmin@ \
  -Djavax.net.ssl.trustStore=${ACTIVEMQ_HOME}/conf/client.ts \
  -Djavax.net.ssl.trustStorePassword=amqadmin@
If the consumer is running, you can check the connections. The following is what I can see:
Note: the URL takes the following form:
url="nio+ssl://localhost:61617"
Summary
In this blog, I have explained the procedure to set up the nio+ssl transport for ActiveMQ, together with the procedure for testing it. This should give us a clear picture of how the nio+ssl transport works.