Connecting to ActiveMQ "Classic" using SSL with self-signed certs


How can I set up SSL on the ActiveMQ server?

I followed this tutorial to create a certificate for ActiveMQ.

  1. Using keytool, create a certificate for the broker:
     keytool -genkey -alias broker -keyalg RSA -keystore amq-server.ks

  2. Export the broker's certificate so it can be shared with clients:
     keytool -export -alias broker -keystore amq-server.ks -file amq-server_cert

  3. Create a certificate/keystore for the client:
     keytool -genkey -alias client -keyalg RSA -keystore amq-server.ks

  4. Create a truststore for the client, and import the broker's certificate. This establishes that the client "trusts" the broker:
     keytool -import -alias broker -keystore client.ts -file amq-server_cert


I have an Ubuntu server with ActiveMQ and a Windows machine with MQTT.fx.

I added that setting in ActiveMQ config:

<transportConnector name="openwire" uri="tcp://0.0.0.0:1883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
<transportConnector name="ssl" uri="ssl://0.0.0.0:61714?transport.enabledProtocols=TLSv1.2"/>

I have now installed MQTT.fx on a machine, and I'm trying to connect over SSL. I created two configs, one with a certificate and one without. Connecting works without a certificate. Connecting with a certificate does not work; whether I select the server certificate or the client certificate, it does not work.

If I add this setting to the ActiveMQ config, then nothing works anymore:

<sslContext>
    <sslContext keyStore="file:${activemq.base}/conf/amq-server.ks"
                keyStorePassword="password"
                trustStore="file:${activemq.base}/conf/amq-server.ts"
                trustStorePassword="password"/>
</sslContext>

I have tried all combinations; none of them works.

Can someone help me? How can I just set up SSL on ActiveMQ and communicate with a certificate? Maybe one-way SSL?

Answer by Justin Bertram

In step #3 you should be using this command:

keytool -genkey -alias client -keyalg RSA -keystore client.ts

Notice that this command uses client.ts rather than amq-server.ks. This will be the truststore that you use on MQTT.fx.

Also, if you're using MQTT with and without SSL you should add the proper transportConnector elements and use those from your MQTT application(s), e.g.:

<transportConnector name="mqtt+nio" uri="mqtt+nio://0.0.0.0:1883"/>
<transportConnector name="mqtt+nio+ssl" uri="mqtt+nio+ssl://0.0.0.0:8883"/>

Your sslContext should be configured as follows:

<sslContext>
    <sslContext keyStore="file:${activemq.conf}/amq-server.ks" keyStorePassword="password"/>
</sslContext>
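Added example, not code from the question or from the answer: a POSIX shell script that carries out the keytool procedure from the question's steps 1, 2 and 4 in the one-way-TLS layout the answer ends up with (one broker keystore holding only the broker key, one client truststore holding only the broker certificate, nothing of the client's in the broker keystore). The hostname broker.example.test, the output directory ./amq-ssl, the store password changeit and the explicit PKCS12 store type are assumptions; the SAN extension is included because TLS clients check the certificate against the hostname they connect to, and a self-signed certificate without it fails that check even when it is trusted. The broker certificate is also exported as PEM for clients that take a CA file rather than a JKS/PKCS12 truststore.

```shell
#!/bin/sh
# Added example (not from the question or the answer): build a consistent
# keystore/truststore pair for one-way TLS between ActiveMQ and a client.
set -eu

OUT=${OUT:-./amq-ssl}                              # output directory (assumption)
BROKER_HOST=${BROKER_HOST:-broker.example.test}    # constructed hostname (assumption)
STOREPASS=${STOREPASS:-changeit}                   # placeholder; use a real secret
STORETYPE=PKCS12                                   # assumption; match keyStoreType in sslContext

# Step 1: broker keystore with a self-signed key pair. -dname/-storepass make it
# non-interactive; the SAN must match the hostname clients will connect to.
make_broker_keystore() {
  keytool -genkeypair -alias broker -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$BROKER_HOST" -ext "SAN=dns:$BROKER_HOST" \
    -storetype "$STORETYPE" -keystore "$OUT/amq-server.ks" \
    -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: export only the public certificate (never the private key) as PEM.
export_broker_cert() {
  keytool -exportcert -alias broker -storetype "$STORETYPE" \
    -keystore "$OUT/amq-server.ks" -storepass "$STOREPASS" \
    -rfc -file "$OUT/amq-server.pem"
}

# Step 4: client truststore that trusts exactly one certificate, the broker's.
make_client_truststore() {
  keytool -importcert -alias broker -file "$OUT/amq-server.pem" \
    -storetype "$STORETYPE" -keystore "$OUT/client.ts" \
    -storepass "$STOREPASS" -noprompt
}

# has_alias <store> <alias>: succeeds only if the alias exists in the store.
has_alias() {
  keytool -list -storetype "$STORETYPE" -keystore "$1" \
    -storepass "$STOREPASS" -alias "$2" >/dev/null 2>&1
}

main() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; install a JDK first" >&2
    return 0
  fi
  if [ -f "$OUT/amq-server.ks" ]; then
    echo "$OUT/amq-server.ks already exists; remove it to regenerate" >&2
    return 1
  fi
  mkdir -p "$OUT"
  make_broker_keystore
  export_broker_cert
  make_client_truststore
  # Sanity check: the truststore must contain the broker cert and nothing else.
  has_alias "$OUT/client.ts" broker
  if has_alias "$OUT/client.ts" client; then
    echo "client.ts unexpectedly contains a client entry" >&2
    return 1
  fi
  echo "broker keystore: $OUT/amq-server.ks  client truststore: $OUT/client.ts  CA PEM: $OUT/amq-server.pem"
}

main
```

Run it once on the broker host; point the sslContext keyStore at amq-server.ks with keyStoreType="PKCS12" and the password used here, and copy only client.ts (or amq-server.pem) to the client machine. The broker keystore stays on the broker: for one-way TLS the broker needs no trustStore entry at all, which is the configuration the answer gives.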