activemq-artemis/examples/features/standard/ssl-enabled-dual-authentica...
Clebert Suconic 06b29806ca [maven-release-plugin] prepare release 2.17.0 2021-02-08 15:56:18 -05:00
..
src/main Revert "NO-JIRA fixing variable on a few examples" 2018-04-03 20:33:12 -04:00
pom.xml [maven-release-plugin] prepare release 2.17.0 2021-02-08 15:56:18 -05:00
readme.md ARTEMIS-1562 Refactor example documentation 2017-12-15 14:54:16 +00:00

readme.md

JMS SSL Dual Authentication Example

To run the example, simply type mvn verify from this directory, or mvn -PnoServer verify if you want to start and create the broker manually.

This example shows you how to configure 2-way SSL along with 2 different authentications mechanisms so that SSL and non-SSL clients can send and consume messages to/from ActiveMQ Artemis. The non-SSL authentication mechanism simply uses username and password. The SSL authentication mechanism uses the client's certificate.

To configure 2-way SSL you need to configure the acceptor as follows:

<acceptor name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=server-side-keystore.jks;keyStorePassword=secureexample;trustStorePath=server-side-truststore.jks;trustStorePassword=secureexample</acceptor>

In the server-side URL, the server-side-keystore.jks is the key store file holding the server's certificate. The server-side-truststore.jks is the file holding the certificates which the broker trusts. Notice also the sslEnabled and needClientAuth parameters which enable SSL and require clients to present their own certificate respectively.

Here's the URL the client uses to connect over SSL:

tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/client-side-truststore.jks&trustStorePassword=secureexample&keyStorePath=activemq/server0/client-side-keystore.jks&keyStorePassword=secureexample

In the client-side URL, the client-side-keystore.jks is the key store file holding the client's certificate. The client-side-truststore.jks is the file holding the certificates which the client trusts. The sslEnabled parameter is present here as well just as it is on the server.

The various keystore files are generated using the following commands:

  • keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
  • keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample
  • keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
  • keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
  • keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample
  • keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt