2.16 Securing Communication Between ActiveMQ and Identity Applications

NetIQ recommends using Secure Socket Layer (SSL) protocols for communication between Identity Applications and ActiveMQ. By default, the SSL protocol is not configured between these two components. You must configure the SSL connection between them:

Figure 2-2 Secured Connection between ActiveMQ and Identity Applications

To support the SSL connections, you need to create keystore and truststore files. This section explains how to create, export, and store this certificate on your server

After the secured connection is enabled, the Identity Applications perform an SSL handshake to establish a secure channel.

2.16.1 Creating a Keystore and a Truststore

  1. Create a certificate for the broker by using the keytool.

    keytool -genkey -alias broker -keyalg RSA -keystore broker.ks

  2. Export the broker's certificate to share with clients.

    keytool -export -alias broker -keystore broker.ks -file broker_cert

  3. Create a certificate/keystore for the client.

    keytool -genkey -alias client -keyalg RSA -keystore client.ks

  4. Create a truststore for the client and import the broker's certificate. This establishes that the client trusts the broker.

    keytool -import -alias broker -keystore client.ts -file broker_cert

  5. Export the client's certificate so it can be shared with broker:

    keytool -export -alias client -keystore client.ks -file client_cert

  6. Create a truststore for the broker, and import the client's certificate. This establishes that the broker trusts the client:

    keytool -import -alias client -keystore broker.ts -file client_cert

NOTE:You must use the same passwords that were used for creating the keystores to configure the Fanout components for SSL. For more information about creating certificates, see Setting up the Key and Trust Stores.

2.16.2 Enabling SSL for ActiveMQ

  1. Copy the files broker.ks and broker.ts to the server where ActiveMQ is installed.

  2. Edit the activemq.xml file.

    1. Navigate to the <AMQ install path>/conf/ folder and open the activemq.xml file.

    2. Add the transport connector to enable SSL in the transportConnectors section.

      <transportConnector name="ssl" uri="ssl://0.0.0.0:61617?trace=true"/>

    3. Add the keystore or truststore paths and their passwords in the sslContext section.

      <sslContext> <sslContext keyStore="file:///root/activemqkeystore/broker.ks" keyStorePassword="novell" trustStore="file:///root/activemqkeystore/broker.ts" trustStorePassword="novell"/> </sslContext>

  3. Restart ActiveMQ.

NOTE:For more information about enabling secure transport on ActiveMQ, see Using Spring to configure SSL for a Broker instance.

2.16.3 Enabling SSL for the Identity Applications Client

  1. Go to tomcat/conf folder and modify the resource tag containing jms connection property with below values in the server.xml file:

    <Resource auth="Container" brokerName="LocalActiveMQBroker" brokerURL="ssl://0.0.0.0:61617" description="JMS Connection Factory" factory="org.apache.activemq.jndi.JNDIReferenceFactory" name="jms/ConnectionFactory" type="org.apache.activemq.ActiveMQSslConnectionFactory" trustStore="file:///root/activemqkeystore/client.ts" trustStorePassword="novell" keyStore="file:///root/activemqkeystore/client.ks" keyStorePassword="novell"/>

    NOTE:Update the path of the truststore and keystore files accordingly.

  2. Restart the Identity Applications server.