activemq-artemis/examples/features/standard/ssl-enabled-dual-authentica...
jbertram 7715b5ee12 ARTEMIS-529 support dual auth
A new feature whereby 2-way SSL connections can be authenticated differently
than non-SSL connections.
2016-06-17 11:07:03 -05:00
..
src/main ARTEMIS-529 support dual auth 2016-06-17 11:07:03 -05:00
pom.xml ARTEMIS-529 support dual auth 2016-06-17 11:07:03 -05:00
readme.html ARTEMIS-529 support dual auth 2016-06-17 11:07:03 -05:00

readme.html

<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

  http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.
-->

<html>
  <head>
    <title>ActiveMQ Artemis JMS SSL Example</title>
    <link rel="stylesheet" type="text/css" href="../../../common/common.css" />
    <link rel="stylesheet" type="text/css" href="../../../common/prettify.css" />
    <script type="text/javascript" src="../../../common/prettify.js"></script>
  </head>
  <body onload="prettyPrint()">
     <h1>JMS SSL Dual Authentication Example</h1>

     <pre>To run the example, simply type <b>mvn verify</b> from this directory, <br>or <b>mvn -PnoServer verify</b> if you want to start and create the server manually.</pre>

     <p>This example shows you how to configure 2-way SSL along with 2 different authentications mechanisms so that SSL and non-SSL clients can send and consume messages to/from ActiveMQ Artemis.
     The non-SSL authentication mechanism simply uses username and password. The SSL authentication mechanism uses the client's certificate.</p>

     <p>To configure 2-way SSL you need to configure the acceptor as follows:</p>

     <p>
        <pre class="prettyprint">
           <code>
      &lt;!-- Acceptor --&gt;

      &lt;acceptor name=&quot;netty-ssl-acceptor&quot;&gt;tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=${data.dir}/../etc/server-side-keystore.jks;keyStorePassword=secureexample;trustStorePath=${data.dir}/../etc/server-side-truststore.jks;trustStorePassword=secureexample&lt;/acceptor&gt;
           </code>
        </pre>
     </p>

     <p>In the server-side URL, the server-side-keystore.jks is the key store file holding the server's certificate. The server-side-truststore.jks is the file holding the certificates which the server trusts. Notice also the "sslEnabled" and "needClientAuth" parameters which enable SSL and require clients to present their own certificate respectively. Here's the URL the client uses to connect over SSL:</p>

     <p>
        <pre class="prettyprint">
           <code>
      tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/client-side-truststore.jks&trustStorePassword=secureexample&keyStorePath=activemq/server0/client-side-keystore.jks&keyStorePassword=secureexample
           </code>
        </pre>
     </p>

     <p>In the client-side URL, the client-side-keystore.jks is the key store file holding the client's certificate. The client-side-truststore.jks is the file holding the certificates which the client trusts. The "sslEnabled" parameter is present here as well just as it is on the server.</p>

     <p>The various keystore files are generated using the following commands:</p>

     <p>
        <pre class="prettyprint">
           <code>
keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample
keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample
keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
           </code>
        </pre>
     </p>

  </body>
</html>