<!DOCTYPE html>
<!--
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
-
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Chapter&#160;9.&#160;Message Encryption - Apache Qpid&#8482;</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
<link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
<script type="text/javascript">var _deferredFunctions = [];</script>
<script type="text/javascript" src="/deferred.js" defer="defer"></script>
<!--[if lte IE 8]>
<link rel="stylesheet" href="/ie.css" type="text/css"/>
<script type="text/javascript" src="/html5shiv.js"></script>
<![endif]-->
<!-- Redirects for `go get` and godoc.org -->
<meta name="go-import"
content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
<meta name="go-source"
content="qpid.apache.org
https://github.com/apache/qpid-proton/blob/go1/README.md
https://github.com/apache/qpid-proton/tree/go1{/dir}
https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
</head>
<body>
<div id="-content">
<div id="-top" class="panel">
<a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
<a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
<ul id="-global-navigation">
<li><a id="-logotype" href="/index.html">Apache Qpid<sup>&#8482;</sup></a></li>
<li><a href="/documentation.html">Documentation</a></li>
<li><a href="/download.html">Download</a></li>
<li><a href="/discussion.html">Discussion</a></li>
</ul>
</div>
<div id="-menu" class="panel" style="display: none;">
<div class="flex">
<section>
<h3>Project</h3>
<ul>
<li><a href="/overview.html">Overview</a></li>
<li><a href="/components/index.html">Components</a></li>
<li><a href="/releases/index.html">Releases</a></li>
</ul>
</section>
<section>
<h3>Messaging APIs</h3>
<ul>
<li><a href="/proton/index.html">Qpid Proton</a></li>
<li><a href="/components/jms/index.html">Qpid JMS</a></li>
<li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
</ul>
</section>
<section>
<h3>Servers and tools</h3>
<ul>
<li><a href="/components/broker-j/index.html">Broker-J</a></li>
<li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
<li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
</ul>
</section>
<section>
<h3>Resources</h3>
<ul>
<li><a href="/dashboard.html">Dashboard</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
<li><a href="/resources.html">More resources</a></li>
</ul>
</section>
</div>
</div>
<div id="-search" class="panel" style="display: none;">
<form action="http://www.google.com/search" method="get">
<input type="hidden" name="sitesearch" value="qpid.apache.org"/>
<input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
<button type="submit">Search</button>
<a href="/search.html">More ways to search</a>
</form>
</div>
<div id="-middle" class="panel">
<ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-jms-amqp-0-x-6.3.1/index.html">Qpid JMS AMQP 0-x 6.3.1</a></li><li><a href="/releases/qpid-jms-amqp-0-x-6.3.1/jms-amqp-0-8-book/index.html">Apache Qpid JMS AMQP 0-8/0-9/0-9-1</a></li><li>Chapter&#160;9.&#160;Message Encryption</li></ul>
<div id="-middle-content">
<div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Chapter&#160;9.&#160;Message Encryption</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="JMS-Client-0-8-Binding-URL.html">Prev</a>&#160;</td><th align="center" width="60%">&#160;</th><td align="right" width="20%">&#160;<a accesskey="n" href="JMS-Client-Message-Encryption-Sending.html">Next</a></td></tr></table><hr /></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a id="JMS-Client-Message-Encryption"></a>Chapter&#160;9.&#160;Message Encryption</h1></div></div></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="JMS-Client-Message-Encryption.html#JMS-Client-Message-Encryption-Overview">9.1. Overview</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html">9.2. Sending an Encrypted Message</a></span></dt><dd><dl><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html#JMS-Client-Message-Encryption-Sending-Setting-TrustStore">9.2.1. Providing the Trust Store</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html#JMS-Client-Message-Encryption-Sending-Enabling-Encryption">9.2.2. Enabling Encryption</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html#JMS-Client-Message-Encryption-Sending-Choosing-Recipients">9.2.3. Choosing Recipients</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html#JMS-Client-Message-Encryption-Sending-Exposing-Properties">9.2.4. Exposing Properties</a></span></dt></dl></dd><dt><span class="section"><a href="JMS-Client-Message-Encryption-Receiving.html">9.3. 
Receiving an Encrypted Message</a></span></dt><dd><dl><dt><span class="section"><a href="JMS-Client-Message-Encryption-Receiving.html#JMS-Client-Message-Encryption-Sending-Setting-KeyStore">9.3.1. Providing the Key Store</a></span></dt></dl></dd><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html">9.4. Message Encryption Example</a></span></dt><dd><dl><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Introduction">9.4.1. Introduction</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Prerequisites">9.4.2. Prerequisites</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Broker-Config">9.4.3. Broker Configuration</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Client-Config">9.4.4. Client Configuration</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Application">9.4.5. Application Code</a></span></dt></dl></dd></dl></div><p>
In some cases it is desirable to ensure that no one but the intended recipient(s) of a message is able to read
its contents. Using SSL/TLS to encrypt the traffic travelling between client and broker only ensures that those
snooping on the network cannot read messages; once a message arrives at the broker it is decrypted, so
anyone with access to the broker can read it. For such confidential information it is necessary to
implement a mechanism of end-to-end encryption, such that the sender encrypts the message before
sending it and the recipient(s), upon receiving the message, decrypt it with some secret known only to them.
</p><p>
Neither JMS nor AMQP provides any defined mechanism for message encryption; however, it is possible for any
application to build a message encryption scheme on top of the JMS API. For convenience the Client
provides a built-in mechanism for encrypting and decrypting messages. This mechanism is currently only
implemented in the Client for AMQP 0-8/0-9/0-9-1/0-10. If you use a different client you will be
unable to read encrypted messages.
</p><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="JMS-Client-Message-Encryption-Overview"></a>9.1.&#160;Overview</h2></div></div></div><p>
For each encrypted message which the client sends, a new message-specific secret key is generated. This
secret key is used to encrypt the message contents using symmetric encryption (currently only AES-256 is
supported, although other algorithms may be added at a later date). For each intended recipient of the
message, the client encrypts the secret key using the public key associated with that recipient, and adds
the result as a message header. On receipt of an encrypted message, the client looks to see whether it has a
private key which can decrypt the secret key. If the client is unable to decrypt the message (for instance,
because it was not one of the intended recipients) then the message is presented to the application as a
BytesMessage containing the encrypted data.
</p><p>
In order to send an encrypted message it is necessary to know the Certificates of the intended recipients.
Certificates can be distributed either through out-of-band mechanisms, or the Apache Qpid Broker-J can be used
to distribute them to clients.
</p><p>
In order to receive an encrypted message it is necessary to have a Certificate (which must be
distributed to those whom you wish to be able to send you messages) and to have the private key associated
with that certificate, so that you can decrypt messages sent to you.
</p><p>
This feature requires that the Java Cryptography Extension (JCE) Unlimited Strength policy files are installed
in the JVM.
</p></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="JMS-Client-0-8-Binding-URL.html">Prev</a>&#160;</td><td align="center" width="20%">&#160;</td><td align="right" width="40%">&#160;<a accesskey="n" href="JMS-Client-Message-Encryption-Sending.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">Chapter&#160;8.&#160;Binding URL&#160;</td><td align="center" width="20%"><a accesskey="h" href="JMS-Client-Book.html">Home</a></td><td align="right" valign="top" width="40%">&#160;9.2.&#160;Sending an Encrypted Message</td></tr></table></div></div>
<hr/>
<ul id="-apache-navigation">
<li><a href="http://www.apache.org/">Apache</a></li>
<li><a href="http://www.apache.org/licenses/">License</a></li>
<li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
<li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
<li><a href="/security.html">Security</a></li>
<li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
</ul>
<p id="-legal">
Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
The Apache Software Foundation; Licensed under
the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
Proton, Apache, the Apache feather logo, and the Apache Qpid
project logo are trademarks of The Apache Software
Foundation; All other marks mentioned may be trademarks or
registered trademarks of their respective owners
</p>
</div>
</div>
</div>
</body>
</html>