<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>ActiveMQ</title>
<link rel="icon" type="image/png" href="/assets/img/favicon.png">
<link rel="stylesheet" href="/css/main.css">
<script defer src="/js/fontawesome-all.min.js" integrity="sha384-rOA1PnstxnOBLzCLMcre8ybwbTmemjzdNlILg8O7z1lUkLXozs4DHonlDtnE7fpc"></script>
<script src="/js/jquery.slim.min.js" integrity="sha384-5AkRS45j4ukf+JbWAfHL8P4onPA9p0KwwP7pUdjSQA3ss9edbJUJc/XcYAiheSSz"></script>
<script src="/js/popper.min.js" integrity="sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q"></script>
<script src="/js/bootstrap.min.js" integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl"></script>
</head>
<body>
<div class="content">
<div class="page-title-classic">
<div class="container">
<h1>SSL Transport Reference</h1>
</div>
</div>
<div class="container" >
<div class="row" style="margin-top: 30px">
<div class="col-12 classic">
<h3 id="the-ssl-transport">The SSL Transport</h3>
<p>The SSL transport allows clients to connect to a remote ActiveMQ Classic broker using SSL over a TCP socket.</p>
<h4 id="configuration-syntax">Configuration Syntax</h4>
<p><strong>ssl://hostname:port?transportOptions</strong></p>
<h4 id="transport-options">Transport Options</h4>
<p>The configuration options from <a href="tcp-transport-reference">TCP</a> are relevant.</p>
<h4 id="example-uri">Example URI</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssl://localhost:61616?trace=false
</code></pre></div></div>
<h4 id="sslserversocket-options">SSLServerSocket options</h4>
<p>From version 5.4 any <a href="http://java.sun.com/j2se/1.4.2/docs/api/javax/net/ssl/SSLServerSocket.html">SSLServerSocket</a> option may be set on a TransportConnection via <strong>?transport.XXX</strong>, for example:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssl://localhost:61616?transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
ssl://localhost:61616?transport.needClientAuth=true
</code></pre></div></div>
<h4 id="client-configuration">Client configuration</h4>
<p>JMS clients can simply use the <a href="http://activemq.apache.org/maven/5.9.0/apidocs/org/apache/activemq/ActiveMQSslConnectionFactory.html">ActiveMQSslConnectionFactory</a> together with an <code class="language-plaintext highlighter-rouge">ssl://</code> broker URL, as the following Spring configuration illustrates:</p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;bean</span> <span class="na">id=</span><span class="s">"AMQJMSConnectionFactory"</span> <span class="na">class=</span><span class="s">"org.apache.activemq.ActiveMQSslConnectionFactory"</span><span class="nt">&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"trustStore"</span> <span class="na">value=</span><span class="s">"/path/to/truststore.ts"</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"trustStorePassword"</span> <span class="na">value=</span><span class="s">"password"</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"keyStore"</span> <span class="na">value=</span><span class="s">"/path/to/keystore.ks"</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"keyStorePassword"</span> <span class="na">value=</span><span class="s">"password"</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"brokerURL"</span> <span class="na">value=</span><span class="s">"ssl://localhost:61616"</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"userName"</span> <span class="na">value=</span><span class="s">"admin"</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"password"</span> <span class="na">value=</span><span class="s">"admin"</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;/bean&gt;</span>
</code></pre></div></div>
<p>Unless the broker’s SSL transport is configured with <code class="language-plaintext highlighter-rouge">transport.needClientAuth=true</code>, the client won’t need a keystore, but it does require a truststore in order to validate the broker’s certificate.</p>
<p>Similar to the broker transport configuration, you can pass SSL transport options on the client side using <strong>?socket.XXX</strong>, such as:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssl://localhost:61616?socket.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
</code></pre></div></div>
<h4 id="hostname-validation-starting-with-version-5156">Hostname Validation (Starting with version 5.15.6)</h4>
<p>From version 5.15.6, ActiveMQ Classic supports TLS hostname validation. It is enabled by default for the ActiveMQ Classic client and disabled by default on the broker. To configure it:</p>
<h4 id="server-side-configuration-of-hostname-validation">Server side configuration of hostname validation</h4>
<p>The default on the server side is to disable hostname validation; this can be configured with <code class="language-plaintext highlighter-rouge">?transport.verifyHostName</code>. It is only relevant for 2-way SSL and causes the CN of the client’s certificate to be compared to the client’s hostname to verify that they match, e.g.:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssl://localhost:61616?transport.verifyHostName=true
</code></pre></div></div>
<h4 id="client-side-configuration-of-hostname-validation">Client side configuration of hostname validation</h4>
<p>The default for the ActiveMQ Classic client is to enable hostname validation; this can be configured with <code class="language-plaintext highlighter-rouge">?socket.verifyHostName</code> or simply <code class="language-plaintext highlighter-rouge">?verifyHostName</code> with no prefix. When enabled, the CN of the server certificate is compared to the server hostname to verify that they match. To disable it, e.g.:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssl://localhost:61616?socket.verifyHostName=false
</code></pre></div></div>
<p>or:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssl://localhost:61616?verifyHostName=false
</code></pre></div></div>
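<p>An added audit helper, not ActiveMQ’s own code, that parses the <code class="language-plaintext highlighter-rouge">ssl://</code> URIs from the SSLServerSocket, client socket and hostname-validation sections above and reports the effective settings: it applies the defaults this page states (client <code class="language-plaintext highlighter-rouge">verifyHostName</code> on, broker off), notes that broker-side <code class="language-plaintext highlighter-rouge">transport.verifyHostName</code> only matters with client authentication, and flags the anonymous and RC4 suites that appear in the examples. The weak-suite marker list is an assumption of this example.</p>

```python
"""Audit ActiveMQ Classic ssl:// URIs for the option conventions described above.

Constructed example, not ActiveMQ code: it parses the URI query string and applies
the defaults stated on this page (client verifyHostName on, broker off).
"""
from urllib.parse import parse_qsl, urlsplit

# Assumed marker list: suite names with no authentication or a broken cipher.
WEAK_SUITE_MARKERS = ("_anon_", "_RC4_", "_NULL_", "_DES_", "_3DES_", "_EXPORT_")


def parse_ssl_uri(uri):
    """Split ssl://host:port?opts into (host, port, {option: value})."""
    parts = urlsplit(uri)
    if parts.scheme != "ssl":
        raise ValueError("expected an ssl:// URI, got %r" % uri)
    return parts.hostname, parts.port, dict(parse_qsl(parts.query, keep_blank_values=True))


def _true(value):
    return value is not None and value.strip().lower() == "true"


def _weak_suites(opts, key):
    return [s for s in opts.get(key, "").split(",") if any(m in s for m in WEAK_SUITE_MARKERS)]


def audit_client_uri(uri):
    """Client brokerURL: socket.X options; verifyHostName (bare or socket.) defaults to true."""
    host, port, opts = parse_ssl_uri(uri)
    raw = opts.get("socket.verifyHostName", opts.get("verifyHostName"))
    verify = True if raw is None else _true(raw)
    findings = []
    if not verify:
        findings.append("hostname verification off: broker certificate CN not checked against %s" % host)
    findings += ["weak cipher suite enabled: " + s for s in _weak_suites(opts, "socket.enabledCipherSuites")]
    return {"host": host, "port": port, "verifyHostName": verify, "findings": findings}


def audit_broker_uri(uri):
    """Broker transportConnector URI: transport.X options; verifyHostName defaults to false."""
    host, port, opts = parse_ssl_uri(uri)
    need_client_auth = _true(opts.get("transport.needClientAuth"))
    verify = _true(opts.get("transport.verifyHostName"))
    findings = []
    if verify and not need_client_auth:
        findings.append("transport.verifyHostName=true only matters for 2-way SSL; set transport.needClientAuth=true")
    findings += ["weak cipher suite enabled: " + s for s in _weak_suites(opts, "transport.enabledCipherSuites")]
    return {"host": host, "port": port, "needClientAuth": need_client_auth, "verifyHostName": verify, "findings": findings}
```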
<h4 id="other-links">Other Links</h4>
<ul>
<li><a href="how-do-i-use-ssl">How do I use SSL</a></li>
</ul>
<p>You can also turn on SSL debug information by adding the following JVM option:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>-Djavax.net.debug=ssl
</code></pre></div></div>
<p>This lets you see what goes wrong and why connections are being closed.</p>
<h4 id="be-careful-with-multicast-discovery">Be careful with multicast discovery</h4>
<p>If your XML configuration file contains the following and you wish to use SSL:</p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;networkConnector</span> <span class="na">uri=</span><span class="s">"multicast://default"</span><span class="nt">/&gt;</span>
</code></pre></div></div>
<p>then you will currently need to comment that out. The reason is to prevent ActiveMQ Classic from attempting to connect to itself: if you do this with a self-signed certificate, you will get a constant spam of certificate_unknown stack traces on the console, because the broker is not configured with the truststore.</p>
</div>
</div>
</div>
</div>
<div class="row sitemap">
<div class="col-sm-12">
<div class="container">
<div class="row">
<div class="col-sm-12">
<div class="row">
<div class="col-sm-3">
<div >
<img class="float-left" style="max-height: 100px" src="/assets/img/activemq_logo_white_vertical_small.png"/>
</div>
</div>
<div style="text-align: center; margin-bottom: 0px; margin-top: 30px; font-size: 65%" class="col-sm-6">
<p><a href="https://www.apache.org/foundation/marks/list/">Apache, ActiveMQ, Apache ActiveMQ</a>, the Apache feather logo, and the Apache ActiveMQ project logo are trademarks of The Apache Software Foundation. Copyright &copy; 2024, The Apache Software Foundation. Licensed under <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License 2.0</a>.</p>
</div>
<div class="col-sm-3">
<div >
<a href="https://www.apache.org"><img class="float-right" style="margin-top: 10px; max-height: 80px" src="/assets/img/apache-logo-small.png"/></a>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>