<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->

<html>
<head>
<title>ActiveMQ Artemis JMS SSL Example</title>
<link rel="stylesheet" type="text/css" href="../../../common/common.css" />
<link rel="stylesheet" type="text/css" href="../../../common/prettify.css" />
<script type="text/javascript" src="../../../common/prettify.js"></script>
</head>
<body onload="prettyPrint()">
<h1>JMS SSL Dual Authentication Example</h1>

<pre>To run the example, simply type <b>mvn verify</b> from this directory, <br>or <b>mvn -PnoServer verify</b> if you want to start and create the server manually.</pre>

<p>This example shows how to configure 2-way SSL together with two different authentication mechanisms, so that both SSL and non-SSL clients can send messages to and consume messages from ActiveMQ Artemis. The non-SSL authentication mechanism simply uses a username and password. The SSL authentication mechanism uses the client's certificate.</p>

<p>To configure 2-way SSL you need to configure the acceptor as follows:</p>

<p>
<pre class="prettyprint">
<code>
&lt;!-- Acceptor --&gt;

&lt;acceptor name="netty-ssl-acceptor"&gt;tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=${data.dir}/../etc/server-side-keystore.jks;keyStorePassword=secureexample;trustStorePath=${data.dir}/../etc/server-side-truststore.jks;trustStorePassword=secureexample&lt;/acceptor&gt;
</code>
</pre>
</p>

<p>In the server-side URL, server-side-keystore.jks is the key store file holding the server's certificate, and server-side-truststore.jks is the file holding the certificates which the server trusts. Notice also the "sslEnabled" and "needClientAuth" parameters, which respectively enable SSL and require clients to present their own certificate. Here's the URL the client uses to connect over SSL:</p>

<p>
<pre class="prettyprint">
<code>
tcp://localhost:5500?sslEnabled=true&amp;trustStorePath=activemq/server0/client-side-truststore.jks&amp;trustStorePassword=secureexample&amp;keyStorePath=activemq/server0/client-side-keystore.jks&amp;keyStorePassword=secureexample
</code>
</pre>
</p>

<p>In the client-side URL, client-side-keystore.jks is the key store file holding the client's certificate, and client-side-truststore.jks is the file holding the certificates which the client trusts. The "sslEnabled" parameter is present here as well, just as it is on the server.</p>
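
<p>The check below is an added example, not part of the Artemis example or its code: it parses the acceptor and client URLs shown above and reports settings that break or weaken 2-way SSL, including reuse of this page's sample password. The function names and the second (weak) URL pair are constructed for illustration.</p>

```python
import re

# Password used for every key store and trust store on this page.
EXAMPLE_PASSWORD = "secureexample"

# The two URLs exactly as the page gives them.
PAGE_ACCEPTOR = ("tcp://localhost:5500?sslEnabled=true;needClientAuth=true;"
                 "keyStorePath=${data.dir}/../etc/server-side-keystore.jks;keyStorePassword=secureexample;"
                 "trustStorePath=${data.dir}/../etc/server-side-truststore.jks;trustStorePassword=secureexample")
PAGE_CLIENT = ("tcp://localhost:5500?sslEnabled=true"
               "&trustStorePath=activemq/server0/client-side-truststore.jks&trustStorePassword=secureexample"
               "&keyStorePath=activemq/server0/client-side-keystore.jks&keyStorePassword=secureexample")
# Constructed weak pair: no needClientAuth, no server trust store, no client key store.
WEAK_ACCEPTOR = "tcp://localhost:5500?sslEnabled=true;keyStorePath=/constructed/ks.jks;keyStorePassword=changed-1"
WEAK_CLIENT = "tcp://localhost:5500?sslEnabled=true&trustStorePath=/constructed/ts.jks&trustStorePassword=changed-2"

def parse_params(url):
    """Query parameters as a dict; the page's acceptor separates them with ';', its client URL with '&'."""
    _, _, query = url.partition("?")
    return dict(p.split("=", 1) for p in re.split(r"[;&]", query) if "=" in p)

def _on(params, key):
    return params.get(key, "").strip().lower() == "true"

def _stores(params, side, findings):
    for kind in ("keyStore", "trustStore"):
        if kind + "Path" not in params:
            findings.append(f"{side}: {kind}Path is not set")
        if params.get(kind + "Password") == EXAMPLE_PASSWORD:
            findings.append(f"{side}: {kind}Password is the published example password")

def audit(acceptor_url, client_url):
    """Return findings that break or weaken the 2-way SSL setup described on this page."""
    server, client, findings = parse_params(acceptor_url), parse_params(client_url), []
    if not _on(server, "sslEnabled"):
        findings.append("acceptor: sslEnabled is not true, so SSL is off")
    elif not _on(client, "sslEnabled"):
        findings.append("client: sslEnabled is not true but the acceptor uses SSL")
    if not _on(server, "needClientAuth"):
        findings.append("acceptor: needClientAuth is not true, so clients need not present a certificate")
    _stores(server, "acceptor", findings)
    _stores(client, "client", findings)
    return findings

if __name__ == "__main__":
    for name, pair in (("page", (PAGE_ACCEPTOR, PAGE_CLIENT)), ("weak", (WEAK_ACCEPTOR, WEAK_CLIENT))):
        print(name, *audit(*pair), sep="\n  ")
```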

<p>The various keystore files are generated using the following commands:</p>

<p>
<pre class="prettyprint">
<code>
keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample
keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample
keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
</code>
</pre>
</p>

</body>
</html>