activemq-artemis/docs/migration-guide/_ssl.adoc

63 lines
2.2 KiB
Plaintext
Raw Normal View History

ARTEMIS-4383 migrate user docs to AsciiDoc Markdown, which is currently used for user-facing documentation, is good for a lot of things. However, it's not great for the kind of complex documentation we have and our need to produce both multi-page HTML and single-page PDF output via Maven. Markdown lacks features which would make the documentation easier to read, easier to navigate, and just look better overall. The current tool-chain uses honkit and a tool called Calibre. Honkit is written in TypeScript and is installed via NPM. Calibre is a native tool so it must be installed via an OS-specific package manager. All this complexity makes building, releasing, uploading, etc. a pain. AsciiDoc is relatively simple like Markdown, but it has more features for presentation and navigation not to mention Java-based Maven tooling to generate both HTML and PDF. Migrating will improve both the appearance of the documentation as well as the processes to generate and upload it. This commit contains the following changes: - Convert all the Markdown for the User Manual, Migration Guide, and Hacking guide to AsciiDoc via kramdown [1]. - Update the `artemis-website` build to use AsciiDoctor Maven tooling. - Update `RELEASING.md` with simplified instructions. - Update Hacking Guide with simplified instructions. - Use AsciiDoc link syntax in Artemis Maven doc plugin. - Drop EPUB & MOBI docs for User Manual as well as PDF for the Hacking Guide. All docs will be HTML only except for the User Manual which will have PDF. - Move all docs up out of their respective "en" directory. This was a hold-over from when we had docs in different languages. - Migration & Hacking Guides are now single-page HTML since they are relatively short. - Refactor README.md to simplify and remove redundant content. Benefits of the change: - Much simplified tooling. No more NPM packages or native tools. - Auto-generated table of contents for every chapter. - Auto-generated anchor links for every sub-section. - Overall more appealing presentation. - All docs will use the ActiveMQ favicon. - No more manual line-wrapping! AsciiDoc recommends one sentence per line and paragraphs are separated by a blank line. - AsciiDoctor plugins for IDEA are quite good. - Resulting HTML is less than *half* of the previous size. All previous links/bookmarks should continue to work. [1] https://github.com/asciidoctor/kramdown-asciidoc
2023-07-27 23:45:17 -04:00
= SSL
The next interesting security related topic is encrypting transport layer using SSL.
Both ActiveMQ and Artemis leverage JDK's Java Secure Socket Extension (JSSE), so things should be easy to migrate.
Let's recap quickly how SSL is used in ActiveMQ.
First, you need to define the _SSL Context_.
You can do that using `<sslContext>` configuration section in `conf/activemq.xml`, like
[,xml]
----
<sslContext>
<sslContext keyStore="file:${activemq.conf}/broker.ks" keyStorePassword="password"/>
</sslContext>
----
The SSL context defines key and trust stores to be used by the broker.
After this, you set your transport connector with the `ssl` schema and preferably some additional options.
[,xml]
----
<transportConnectors>
<transportConnector name="ssl" uri="ssl://localhost:61617?transport.needClientAuth=true"/>
</transportConnectors>
----
These options are related to https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLServerSocket.html[SSLServerSocket] and are specified as URL parameters with the `transport.` prefix, like `needClientAuth` shown in the example above.
In Artemis, Netty is responsible for all things related to the transport layer, so it handles SSL for us as well.
All configuration options are set directly on the acceptor, like
[,xml]
----
<acceptors>
<acceptor name="netty-ssl-acceptor">tcp://localhost:61617?sslEnabled=true;keyStorePath=${data.dir}/../etc/broker.ks;keyStorePassword=password;needClientAuth=true</acceptor>
</acceptors>
----
Note that we used the same Netty connector schema and just added `sslEnabled=true` parameter to use it with SSL.
Next, we can go ahead and define key and trust stores.
There's a slight difference in parameter naming between two brokers, as shown in the table below.
|===
| ActiveMQ | Artemis
| keyStore
| keyStorePath
| keyStorePassword
| keyStorePassword
| trustStore
| trustStorePath
| trustStorePassword
| trustStorePassword
|===
Finally, you can go and set all other `SSLServerSocket` parameters you need (like `needClientAuth` in this example).
There's no extra prefix needed for this in Artemis.
It's important to note that you should be able to reuse your existing key and trust stores and just copy them to the new broker.