| <!DOCTYPE html> |
| <!-- |
| - |
| - Licensed to the Apache Software Foundation (ASF) under one |
| - or more contributor license agreements. See the NOTICE file |
| - distributed with this work for additional information |
| - regarding copyright ownership. The ASF licenses this file |
| - to you under the Apache License, Version 2.0 (the |
| - "License"); you may not use this file except in compliance |
| - with the License. You may obtain a copy of the License at |
| - |
| - http://www.apache.org/licenses/LICENSE-2.0 |
| - |
| - Unless required by applicable law or agreed to in writing, |
| - software distributed under the License is distributed on an |
| - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| - KIND, either express or implied. See the License for the |
| - specific language governing permissions and limitations |
| - under the License. |
| - |
| --> |
| <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> |
| <head> |
| <title>9.2. Sending an Encrypted Message - Apache Qpid™</title> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge"/> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"/> |
| <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> |
| <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/> |
| <script type="text/javascript">var _deferredFunctions = [];</script> |
| <script type="text/javascript" src="/deferred.js" defer="defer"></script> |
| <!--[if lte IE 8]> |
| <link rel="stylesheet" href="/ie.css" type="text/css"/> |
| <script type="text/javascript" src="/html5shiv.js"></script> |
| <![endif]--> |
| |
| <!-- Redirects for `go get` and godoc.org --> |
| <meta name="go-import" |
| content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/> |
| <meta name="go-source" |
| content="qpid.apache.org |
| https://github.com/apache/qpid-proton/blob/go1/README.md |
| https://github.com/apache/qpid-proton/tree/go1{/dir} |
| https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> |
| </head> |
| <body> |
| <div id="-content"> |
| <div id="-top" class="panel"> |
| <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a> |
| |
| <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a> |
| |
| <ul id="-global-navigation"> |
| <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li> |
| <li><a href="/documentation.html">Documentation</a></li> |
| <li><a href="/download.html">Download</a></li> |
| <li><a href="/discussion.html">Discussion</a></li> |
| </ul> |
| </div> |
| |
| <div id="-menu" class="panel" style="display: none;"> |
| <div class="flex"> |
| <section> |
| <h3>Project</h3> |
| |
| <ul> |
| <li><a href="/overview.html">Overview</a></li> |
| <li><a href="/components/index.html">Components</a></li> |
| <li><a href="/releases/index.html">Releases</a></li> |
| </ul> |
| </section> |
| |
| <section> |
| <h3>Messaging APIs</h3> |
| |
| <ul> |
| <li><a href="/proton/index.html">Qpid Proton</a></li> |
| <li><a href="/components/jms/index.html">Qpid JMS</a></li> |
| <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li> |
| </ul> |
| </section> |
| |
| <section> |
| <h3>Servers and tools</h3> |
| |
| <ul> |
| <li><a href="/components/broker-j/index.html">Broker-J</a></li> |
| <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> |
| <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> |
| </ul> |
| </section> |
| |
| <section> |
| <h3>Resources</h3> |
| |
| <ul> |
| <li><a href="/dashboard.html">Dashboard</a></li> |
| <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li> |
| <li><a href="/resources.html">More resources</a></li> |
| </ul> |
| </section> |
| </div> |
| </div> |
| |
| <div id="-search" class="panel" style="display: none;"> |
| <form action="http://www.google.com/search" method="get"> |
| <input type="hidden" name="sitesearch" value="qpid.apache.org"/> |
| <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/> |
| <button type="submit">Search</button> |
| <a href="/search.html">More ways to search</a> |
| </form> |
| </div> |
| |
| <div id="-middle" class="panel"> |
| <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-jms-amqp-0-x-6.3.1/index.html">Qpid JMS AMQP 0-x 6.3.1</a></li><li><a href="/releases/qpid-jms-amqp-0-x-6.3.1/jms-amqp-0-8-book/index.html">Apache Qpid JMS AMQP 0-8/0-9/0-9-1</a></li><li>9.2. Sending an Encrypted Message</li></ul> |
| |
| <div id="-middle-content"> |
| <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">9.2. Sending an Encrypted Message</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="JMS-Client-Message-Encryption.html">Prev</a> </td><th align="center" width="60%">Chapter 9. Message Encryption</th><td align="right" width="20%"> <a accesskey="n" href="JMS-Client-Message-Encryption-Receiving.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="JMS-Client-Message-Encryption-Sending"></a>9.2. Sending an Encrypted Message</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="JMS-Client-Message-Encryption-Sending-Setting-TrustStore"></a>9.2.1. Providing the Trust Store</h3></div></div></div><p> |
| In order for a connection to be capable of sending encrypted messages, it must be provided with a trust |
| store which contains the X509 certificates of the entities to which you wish to send. The details of the |
| trust store are supplied in the <a class="link" href="JMS-Client-0-8-Connection-URL.html" title="Chapter 7. Connection URLs">connection URL</a>. |
| </p><p> |
| There are two distinct mechanisms for providing the encryption trust store. Firstly you can supply a |
| standard password-protected trust store file on the file system. The location and password for this must |
| be specified using the <a class="link" href="JMS-Client-0-8-Connection-URL.html#JMS-Client-0-8-Connection-URL-BrokerOptions-EncryptionTrustStore"> |
| encryption_trust_store</a> and |
| <a class="link" href="JMS-Client-0-8-Connection-URL.html#JMS-Client-0-8-Connection-URL-BrokerOptions-EncryptionTrustStorePassword">encryption_trust_store_password |
| </a> options respectively. Such a connection URL might look somthing like: |
| </p><pre class="programlisting">amqp://username:password@clientid/test?brokerlist='tcp://localhost:5672?encryption_trust_store='/home/qpid/certificates.jks'&encryption_trust_store_password='password''</pre><p> |
| Alternatively, where available, you can configure the broker to distribute certificates from a trust |
| store (this is currently only available in the Apache Qpid Broker-J). In order to use this method, the broker |
| details in the connection url must contain the correctly configured |
| <a class="link" href="JMS-Client-0-8-Connection-URL.html#JMS-Client-0-8-Connection-URL-BrokerOptions-EncryptionRemoteTrustStore">encryption_remote_trust_store</a> |
| option. Such a connection URL might look somthing like: |
| </p><pre class="programlisting">amqp://username:password@clientid/test?brokerlist='tcp://localhost:5672?encryption_remote_trust_store='$certificates%255c/certstore''</pre><p> |
| The <code class="literal">$certificates/</code> prefix is mandatory. |
| However, in order to prevent the client from interpreting this the wrong way several layers of escaping and encoding need to take place. |
| The slash character ('/') needs to be escaped by a backslash ('\') which needs to be doubly URL encoded resulting in <code class="literal">$certificates%255c/</code>. |
| </p><p> |
| Note that to use the broker-distributed certificates the broker must be configured to expose the trust store as a message source. |
| See the broker documentation on TrustStores for more details. |
| </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="JMS-Client-Message-Encryption-Sending-Enabling-Encryption"></a>9.2.2. Enabling Encryption</h3></div></div></div><p> |
| Message encryption can be enabled individually on each sent message, or - using configuration - all |
| messages sent to a Destination can be encrypted. |
| </p><p> |
| In order to encrypt messages on a case by case basis, the appliation must set the boolean property |
| <code class="literal">x-qpid-encrypt</code> to true on the message before sending. The intended recipients of the |
| message must also be set (see |
| <a class="link" href="JMS-Client-Message-Encryption-Sending.html#JMS-Client-Message-Encryption-Sending-Choosing-Recipients" title="9.2.3. Choosing Recipients">Choosing Recipients</a>). |
| </p><pre class="programlisting">message.setBooleanProperty("x-qpid-encrypt", true);</pre><p> |
| In order to encrypt all messages sent to a given Destination, the option |
| <a class="link" href="JMS-Client-0-8-Binding-URL.html#JMS-Client-0-8-Binding-URL-Options-SendEncrypted">sendencrypted</a> can be used. Note |
| that enabling encryption on the address can be overridden by explicitly setting the property |
| <code class="literal">x-qpid-encrypt</code> to false on an individual message. An example address would look like: |
| </p><pre class="programlisting">direct:///queue/queue?sendencrypted='true'</pre></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="JMS-Client-Message-Encryption-Sending-Choosing-Recipients"></a>9.2.3. Choosing Recipients</h3></div></div></div><p> |
| Any message which is to be sent encrypted must also have a list of recipients who the sender wishes to |
| be able to decrypt the message. The recipients must be encoded as a semi-colon separated list of the |
| names given in the respective certificates of the recipients, e.g. |
| <code class="literal">cn=first@example.org,ou=example,o=example,l=ny,st=ny,c=us;cn=second@example.org,ou=example,o=example,l=ny,st=ny,c=us</code>. |
| </p><p> |
| As with enabling encryption, the recipients can be set either on a per-message basis or for all messages |
| sent to a given address. If both forms are used, the former overrides the latter. To set on an individual |
| message, set the String property <code class="literal">x-qpid-encrypt-recipients</code>. |
| </p><pre class="programlisting">message.setStringProperty("x-qpid-encrypt-recipients", "cn=only@example.org,ou=example,o=example");</pre><p> |
| To set the recipients on an address, use the address option |
| <a class="link" href="JMS-Client-0-8-Binding-URL.html#JMS-Client-0-8-Binding-URL-Options-EncryptedRecipients">encryptedrecipients</a>. |
| </p><pre class="programlisting">direct:///queue/queue?sendencrypted='true'&encryptedrecipients='cn=another@example.org,ou=example,o=example'</pre></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="JMS-Client-Message-Encryption-Sending-Exposing-Properties"></a>9.2.4. Exposing Properties</h3></div></div></div><p> |
| Message Encryption encrypts the message content and the properties set by the application. Sometimes |
| it is important to expose properties to allow (for example) message routing or message selectors within |
| the broker to work. To enable this it is possible to specify for each message all the properties which |
| the application wishes to make available to the broker. Note that exposing properties in this way means |
| that they are now visibe to anyone who can inspect the broker memory or file system stores. |
| </p><p> |
| To make message properties visible to the broker, set the String property |
| <code class="literal">x-qpid-unencrypted-properties</code> with a semi-colon separated list of the names of the |
| properties to be exposed. |
| </p><pre class="programlisting">message.setStringProperty("x-qpid-unencrypted-properties", "foo;bar;baz");</pre></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="JMS-Client-Message-Encryption.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="JMS-Client-Message-Encryption.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="JMS-Client-Message-Encryption-Receiving.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">Chapter 9. Message Encryption </td><td align="center" width="20%"><a accesskey="h" href="JMS-Client-Book.html">Home</a></td><td align="right" valign="top" width="40%"> 9.3. Receiving an Encrypted Message</td></tr></table></div></div> |
| |
| <hr/> |
| |
| <ul id="-apache-navigation"> |
| <li><a href="http://www.apache.org/">Apache</a></li> |
| <li><a href="http://www.apache.org/licenses/">License</a></li> |
| <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> |
| <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li> |
| <li><a href="/security.html">Security</a></li> |
| <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li> |
| </ul> |
| |
| <p id="-legal"> |
| Apache Qpid, Messaging built on AMQP; Copyright © 2015 |
| The Apache Software Foundation; Licensed under |
| the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache |
| License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton, |
| Proton, Apache, the Apache feather logo, and the Apache Qpid |
| project logo are trademarks of The Apache Software |
| Foundation; All other marks mentioned may be trademarks or |
| registered trademarks of their respective owners |
| </p> |
| </div> |
| </div> |
| </div> |
| </body> |
| </html> |