input/releases/qpid-jms-amqp-0-x-6.3.1/jms-amqp-0-8-book/JMS-Client-Message-Encryption.html.in - qpid-site - Git at Google

 <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Chapter&#160;9.&#160;Message Encryption</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="JMS-Client-0-8-Binding-URL.html">Prev</a>&#160;</td><th align="center" width="60%">&#160;</th><td align="right" width="20%">&#160;<a accesskey="n" href="JMS-Client-Message-Encryption-Sending.html">Next</a></td></tr></table><hr /></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a id="JMS-Client-Message-Encryption"></a>Chapter&#160;9.&#160;Message Encryption</h1></div></div></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="JMS-Client-Message-Encryption.html#JMS-Client-Message-Encryption-Overview">9.1. Overview</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html">9.2. Sending an Encrypted Message</a></span></dt><dd><dl><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html#JMS-Client-Message-Encryption-Sending-Setting-TrustStore">9.2.1. Providing the Trust Store</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html#JMS-Client-Message-Encryption-Sending-Enabling-Encryption">9.2.2. Enabling Encryption</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html#JMS-Client-Message-Encryption-Sending-Choosing-Recipients">9.2.3. Choosing Recipients</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html#JMS-Client-Message-Encryption-Sending-Exposing-Properties">9.2.4. Exposing Properties</a></span></dt></dl></dd><dt><span class="section"><a href="JMS-Client-Message-Encryption-Receiving.html">9.3. Receiving an Encrypted Message</a></span></dt><dd><dl><dt><span class="section"><a href="JMS-Client-Message-Encryption-Receiving.html#JMS-Client-Message-Encryption-Sending-Setting-KeyStore">9.3.1. Providing the Key Store</a></span></dt></dl></dd><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html">9.4. Message Encryption Example</a></span></dt><dd><dl><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Introduction">9.4.1. Introduction</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Prerequisites">9.4.2. Prerequisites</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Broker-Config">9.4.3. Broker Configuration</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Client-Config">9.4.4. Client Configuration</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Application">9.4.5. Application Code</a></span></dt></dl></dd></dl></div><p>
         In some cases it is desirable to ensure no-one but the intended recipient(s) of a message will be able to read
         its contents. Using SSL/TLS to encrypt traffic travelling between client and broker only ensures that those
         snooping the network cannot read messages, however once the message arrives at the broker it is decrypted and
         so anyone with access to the broker can read the message.  For such confidential information it is necessary to
         implement a mechanism of end-to-end encryption such that the sender of the message encrypts the message before
         sending, and the recipient(s), upon receiving the message, decrypt it with some secret known only to them.
     </p><p>
         Neither JMS nor AMQP provide any defined mechanism for message encryption, however it is possible for any
         application to build a message encryption scheme on top of a JMS API. For convenience the Client
         provides a built in mechanism for encryption and decrypting messages. This mechanism is currently only
         implemented in the Client for AMQP 0-8/0-9/0-9-1/0-10. If you use a different client you will be
         unable to read encrypted messages.
     </p><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="JMS-Client-Message-Encryption-Overview"></a>9.1.&#160;Overview</h2></div></div></div><p>
             For each encrypted message which the client sends, a new message-specific secret key is generated. This
             secret key is used encrypt the message contents using symmetric encryption (currently only AES-256 is
             supported, although other algorithms may be added at a later date).  For each intended recipient of the
             message, the client encrypts the secret key using the public key associated with the recipient, and adds
             this as a message header. On receipt of an encrypted message, the client looks to see if it has a private
             key which can decrypt the secret key. If the client is unable to decrypt the message (for instance, because
             they were not one of the intended recipients) then the message will be presented to the application as a
             BytesMessage containing the encrypted data.
         </p><p>
             In order to send an encrypted message it is necessary to know the Certificates of the intended recipients.
             Certificates can be distributed either through out-of-band mechanisms, or the Apache Qpid Broker-J can be used
             to distribute them to clients.
         </p><p>
             In order to receive an encrypted message it is necessary to have a Certificate (which needs to be
             distributed to those who you wish to send messages to you) and to have the private key associated with the
             certificate so that you can decrypt messages sent to you.
         </p><p>
             This feature requires the Java Cryptography Extension (JCE) Unlimited Strength policy files are installed
             in the JVM.
         </p></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="JMS-Client-0-8-Binding-URL.html">Prev</a>&#160;</td><td align="center" width="20%">&#160;</td><td align="right" width="40%">&#160;<a accesskey="n" href="JMS-Client-Message-Encryption-Sending.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">Chapter&#160;8.&#160;Binding URL&#160;</td><td align="center" width="20%"><a accesskey="h" href="JMS-Client-Book.html">Home</a></td><td align="right" valign="top" width="40%">&#160;9.2.&#160;Sending an Encrypted Message</td></tr></table></div></div>
	<div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Chapter 9. Message Encryption</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="JMS-Client-0-8-Binding-URL.html">Prev</a> </td><th align="center" width="60%"> </th><td align="right" width="20%"> <a accesskey="n" href="JMS-Client-Message-Encryption-Sending.html">Next</a></td></tr></table><hr /></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a id="JMS-Client-Message-Encryption"></a>Chapter 9. Message Encryption</h1></div></div></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="JMS-Client-Message-Encryption.html#JMS-Client-Message-Encryption-Overview">9.1. Overview</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html">9.2. Sending an Encrypted Message</a></span></dt><dd><dl><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html#JMS-Client-Message-Encryption-Sending-Setting-TrustStore">9.2.1. Providing the Trust Store</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html#JMS-Client-Message-Encryption-Sending-Enabling-Encryption">9.2.2. Enabling Encryption</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html#JMS-Client-Message-Encryption-Sending-Choosing-Recipients">9.2.3. Choosing Recipients</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Sending.html#JMS-Client-Message-Encryption-Sending-Exposing-Properties">9.2.4. Exposing Properties</a></span></dt></dl></dd><dt><span class="section"><a href="JMS-Client-Message-Encryption-Receiving.html">9.3. Receiving an Encrypted Message</a></span></dt><dd><dl><dt><span class="section"><a href="JMS-Client-Message-Encryption-Receiving.html#JMS-Client-Message-Encryption-Sending-Setting-KeyStore">9.3.1. Providing the Key Store</a></span></dt></dl></dd><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html">9.4. Message Encryption Example</a></span></dt><dd><dl><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Introduction">9.4.1. Introduction</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Prerequisites">9.4.2. Prerequisites</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Broker-Config">9.4.3. Broker Configuration</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Client-Config">9.4.4. Client Configuration</a></span></dt><dt><span class="section"><a href="JMS-Client-Message-Encryption-Example.html#JMS-Client-Message-Encryption-Example-Application">9.4.5. Application Code</a></span></dt></dl></dd></dl></div><p>
	In some cases it is desirable to ensure no-one but the intended recipient(s) of a message will be able to read
	its contents. Using SSL/TLS to encrypt traffic travelling between client and broker only ensures that those
	snooping the network cannot read messages, however once the message arrives at the broker it is decrypted and
	so anyone with access to the broker can read the message. For such confidential information it is necessary to
	implement a mechanism of end-to-end encryption such that the sender of the message encrypts the message before
	sending, and the recipient(s), upon receiving the message, decrypt it with some secret known only to them.
	</p><p>
	Neither JMS nor AMQP provide any defined mechanism for message encryption, however it is possible for any
	application to build a message encryption scheme on top of a JMS API. For convenience the Client
	provides a built in mechanism for encryption and decrypting messages. This mechanism is currently only
	implemented in the Client for AMQP 0-8/0-9/0-9-1/0-10. If you use a different client you will be
	unable to read encrypted messages.
	</p><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="JMS-Client-Message-Encryption-Overview"></a>9.1. Overview</h2></div></div></div><p>
	For each encrypted message which the client sends, a new message-specific secret key is generated. This
	secret key is used encrypt the message contents using symmetric encryption (currently only AES-256 is
	supported, although other algorithms may be added at a later date). For each intended recipient of the
	message, the client encrypts the secret key using the public key associated with the recipient, and adds
	this as a message header. On receipt of an encrypted message, the client looks to see if it has a private
	key which can decrypt the secret key. If the client is unable to decrypt the message (for instance, because
	they were not one of the intended recipients) then the message will be presented to the application as a
	BytesMessage containing the encrypted data.
	</p><p>
	In order to send an encrypted message it is necessary to know the Certificates of the intended recipients.
	Certificates can be distributed either through out-of-band mechanisms, or the Apache Qpid Broker-J can be used
	to distribute them to clients.
	</p><p>
	In order to receive an encrypted message it is necessary to have a Certificate (which needs to be
	distributed to those who you wish to send messages to you) and to have the private key associated with the
	certificate so that you can decrypt messages sent to you.
	</p><p>
	This feature requires the Java Cryptography Extension (JCE) Unlimited Strength policy files are installed
	in the JVM.
	</p></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="JMS-Client-0-8-Binding-URL.html">Prev</a> </td><td align="center" width="20%"> </td><td align="right" width="40%"> <a accesskey="n" href="JMS-Client-Message-Encryption-Sending.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">Chapter 8. Binding URL </td><td align="center" width="20%"><a accesskey="h" href="JMS-Client-Book.html">Home</a></td><td align="right" valign="top" width="40%"> 9.2. Sending an Encrypted Message</td></tr></table></div></div>