TLS Configuration

This section introduces TLS configuration in RocketMQ.

1 Generate Certificate Files

Certificate files can be generated with OpenSSL; the commands below assume a Linux shell. Each openssl req step prompts for the subject fields and for a passphrase on the new RSA key, and steps 1.6 and 1.7 prompt first for that passphrase and then for the one protecting the PKCS#8 output. The PKCS#8 passphrases are the values later written to tls.server.keyPassword and tls.client.keyPassword.

1.1 Generate ca.pem

openssl req -newkey rsa:2048 -keyout ca_rsa_private.pem -x509 -days 365 -out ca.pem

1.2 Generate server.csr

openssl req -newkey rsa:2048 -keyout server_rsa.key  -out server.csr

1.3 Generate server.pem

openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca_rsa_private.pem -CAcreateserial -out server.pem

1.4 Generate client.csr

openssl req -newkey rsa:2048 -keyout client_rsa.key -out client.csr

1.5 Generate client.pem

openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca_rsa_private.pem -CAcreateserial -out client.pem

1.6 Generate server.key

openssl pkcs8 -topk8 -v1 PBE-SHA1-RC4-128 -in server_rsa.key -out server.key

1.7 Generate client.key

openssl pkcs8 -topk8 -v1 PBE-SHA1-RC4-128 -in client_rsa.key -out client.key

PBE-SHA1-RC4-128 is the legacy PKCS#5 v1.5 scheme (RC4 keyed from SHA-1). On OpenSSL 3.x RC4 lives in the legacy provider, so these two commands may need -provider legacy -provider default there; openssl pkcs8 -topk8 -v2 aes-256-cbc produces a PBES2/AES-256 key instead, which the consuming JDK and Netty must be able to read. Either way the passphrase only protects the file at rest: keep the .key files readable by the RocketMQ service user alone.
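Steps 1.1 to 1.7 as one non-interactive script, with the checks worth running before tls.properties points at the files. This is an added example, not part of the RocketMQ documentation or project. Its own choices, not taken from the page, are the subject names, the SAN list, the changeit passphrase, and PBES2/AES-256 PKCS#8 wrapping in place of PBE-SHA1-RC4-128. Beyond the interactive steps it adds basicConstraints on the CA, serverAuth/clientAuth key usage on the leaves, and a verify_leaf check that each certificate chains to ca.pem for its purpose and that the passphrase opens a key matching that certificate.

```shell
#!/bin/sh
# Added example, not part of the RocketMQ documentation: steps 1.1-1.7 as one
# non-interactive script, plus the checks to run before tls.properties points
# at the files. Placeholders (not from the docs): the subject names, the SAN
# list, the passphrase, and PBES2/AES-256 instead of PBE-SHA1-RC4-128.
set -eu

DAYS=365
KEY_PASS=${KEY_PASS:-changeit}           # protects every key; becomes tls.*.keyPassword
CA_SUBJ='/CN=RocketMQ Lab CA'
SERVER_SUBJ='/CN=rocketmq-broker'
CLIENT_SUBJ='/CN=rocketmq-client'
SERVER_SAN='DNS:localhost,IP:127.0.0.1'  # the real broker / name server names go here

# 1.1: CA key and self-signed CA certificate. Extensions come from an explicit
# file so the result does not depend on whatever the system openssl.cnf adds.
gen_ca() {
  dir=$1
  openssl req -new -newkey rsa:2048 -sha256 -subj "$CA_SUBJ" \
    -passout "pass:$KEY_PASS" -keyout "$dir/ca_rsa_private.pem" -out "$dir/ca.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$dir/ca.ext"
  openssl x509 -req -days "$DAYS" -sha256 -in "$dir/ca.csr" \
    -signkey "$dir/ca_rsa_private.pem" -passin "pass:$KEY_PASS" \
    -extfile "$dir/ca.ext" -out "$dir/ca.pem"
}

# 1.2-1.7 for one leaf: CSR, CA-signed certificate with key usage and SAN, and
# the key re-wrapped as encrypted PKCS#8 (what tls.*.keyPath expects).
# $1 dir, $2 name (server|client), $3 subject, $4 extendedKeyUsage, $5 SAN (optional)
gen_leaf() {
  dir=$1; name=$2; subj=$3; eku=$4; san=${5:-}
  openssl req -new -newkey rsa:2048 -sha256 -subj "$subj" \
    -passout "pass:$KEY_PASS" -keyout "$dir/${name}_rsa.key" -out "$dir/$name.csr"
  {
    printf 'keyUsage=critical,digitalSignature,keyEncipherment\n'
    printf 'extendedKeyUsage=%s\n' "$eku"
    if [ -n "$san" ]; then printf 'subjectAltName=%s\n' "$san"; fi
  } > "$dir/$name.ext"
  openssl x509 -req -days "$DAYS" -sha256 -in "$dir/$name.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca_rsa_private.pem" -passin "pass:$KEY_PASS" \
    -CAcreateserial -extfile "$dir/$name.ext" -out "$dir/$name.pem"
  # PBES2 with AES-256-CBC; RC4 (the page's -v1 scheme) sits in OpenSSL 3's legacy provider.
  openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$dir/${name}_rsa.key" \
    -passin "pass:$KEY_PASS" -passout "pass:$KEY_PASS" -out "$dir/$name.key"
}

# Pre-deployment checks: the leaf chains to ca.pem for its purpose, the key file
# is encrypted PKCS#8, the passphrase opens it, and it matches the certificate.
# $1 dir, $2 name, $3 purpose (sslserver|sslclient)
verify_leaf() {
  dir=$1; name=$2; purpose=$3
  openssl verify -CAfile "$dir/ca.pem" -purpose "$purpose" "$dir/$name.pem" >/dev/null || return 1
  grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$dir/$name.key" || return 1
  cert_pub=$(openssl x509 -in "$dir/$name.pem" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$dir/$name.key" -passin "pass:$KEY_PASS" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh make_rocketmq_certs.sh /opt/certFiles
main() {
  out=${1:-./certFiles}
  mkdir -p "$out" && chmod 700 "$out"
  gen_ca "$out"
  gen_leaf "$out" server "$SERVER_SUBJ" serverAuth "$SERVER_SAN"
  gen_leaf "$out" client "$CLIENT_SUBJ" clientAuth
  verify_leaf "$out" server sslserver
  verify_leaf "$out" client sslclient
  # The passphrase is the second line of defence; file permissions are the first.
  chmod 600 "$out"/*.key "$out"/ca_rsa_private.pem
  rm -f "$out"/*.csr "$out"/*.ext
  echo "wrote ca.pem, server.pem/server.key and client.pem/client.key to $out"
}

if [ $# -gt 0 ]; then main "$1"; fi
```

Run it as sh make_rocketmq_certs.sh /opt/certFiles and enter KEY_PASS as tls.server.keyPassword and tls.client.keyPassword. Recent Netty and JDK builds read PBES2-wrapped PKCS#8 keys; if an older broker refuses to load the key, re-run steps 1.6 and 1.7 with the page's -v1 scheme on the *_rsa.key files the script leaves behind.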

2 Create tls.properties

Create tls.properties and point it at the generated files; the key passwords are the PKCS#8 passphrases chosen in steps 1.6 and 1.7.

# Whether to initialize the TLS context in test mode (throwaway self-signed certificate); default is true
tls.test.mode.enable=false
# Client authentication mode of the SSL engine: none, optional or require; default is none
tls.server.need.client.auth=require
# Path of the server-side private key (encrypted PKCS#8, PEM)
tls.server.keyPath=/opt/certFiles/server.key
# Password of the server-side private key
tls.server.keyPassword=123456
# Path of the server-side X.509 certificate chain in PEM format
tls.server.certPath=/opt/certFiles/server.pem
# Whether to strictly verify the client's certificate against the trust store; default is false
tls.server.authClient=false
# Path of the trusted certificates used to verify the client's certificate
tls.server.trustCertPath=/opt/certFiles/ca.pem

Two details in this file are easy to get wrong. Values must not end in trailing whitespace: Java's Properties loader keeps everything after the = up to the end of the line, so a value of "require " followed by spaces is not the same value as "require". And tls.server.authClient=false means the server asks the client for a certificate (because of need.client.auth=require) but does not verify it against tls.server.trustCertPath; for mutual TLS set tls.server.authClient=true.

The broker is itself a TLS client of the name server. If the name server requires client certificates, add the client-side settings to the same file as well:

# Path of the client-side private key (encrypted PKCS#8, PEM)
tls.client.keyPath=/opt/certFiles/client.key
# Password of the client-side private key
tls.client.keyPassword=123456
# Path of the client-side X.509 certificate chain in PEM format
tls.client.certPath=/opt/certFiles/client.pem
# Whether to strictly verify the server's certificate against the trust store
tls.client.authServer=false
# Path of the trusted certificates used to verify the server's certificate
tls.client.trustCertPath=/opt/certFiles/ca.pem

With tls.client.authServer=false the connecting side accepts any server certificate, so the name server's identity is not checked and the connection can be intercepted; set it to true wherever the trust store is in place.
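A small lint for tls.properties that reports the settings which weaken TLS without producing any error: test mode left on, trailing whitespace in values (which Java's Properties loader keeps as part of the value), client certificates requested but not verified (tls.server.authClient=false), and server certificates not verified (tls.client.authServer=false). This is an added example, not part of RocketMQ; it knows only the property names documented on this page, and the two sample files it writes are constructed here: one reproducing the listing above as written, including its trailing spaces, and one tightened version.

```shell
#!/bin/sh
# Added example, not part of the RocketMQ documentation: a lint for tls.properties
# covering the settings on this page that weaken TLS without any error message.
# It knows only the documented property names; the two sample files it writes
# are constructed for this demo. Exit status of lint_tls_properties = findings.
set -eu

tab=$(printf '\t')

# Print the value of KEY ($1) from the Java-style .properties FILE ($2).
# Java's Properties skips whitespace before the value but keeps everything after
# it up to end of line, so this deliberately leaves trailing whitespace in place.
prop() {
  awk -v k="$1" '
    /^[ \t]*([#!]|$)/ { next }
    {
      i = index($0, "=")
      if (i == 0) next
      key = substr($0, 1, i - 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      if (key == k) {
        val = substr($0, i + 1)
        sub(/^[ \t]+/, "", val)
        print val
        exit
      }
    }' "$2"
}

# The same value with trailing whitespace removed: what the operator meant.
prop_trim() { prop "$1" "$2" | tr -d ' \t'; }

lint_tls_properties() {
  f=$1
  n=0
  for key in tls.test.mode.enable tls.server.need.client.auth \
             tls.server.authClient tls.client.authServer; do
    v=$(prop "$key" "$f")
    case "$v" in
      *" "|*"$tab")
        echo "WARN $key has trailing whitespace ('$v'): it will not compare equal to the value you meant"
        n=$((n + 1)) ;;
    esac
  done

  test_mode=$(prop_trim tls.test.mode.enable "$f")
  if [ "$test_mode" != false ]; then
    echo "WARN tls.test.mode.enable=${test_mode:-<unset, default true>}: throwaway self-signed certificates are used, the configured files are not"
    n=$((n + 1))
  fi

  need=$(prop_trim tls.server.need.client.auth "$f")
  auth_client=$(prop_trim tls.server.authClient "$f")
  case "$need" in
    ""|none) ;;
    optional|require)
      if [ "$auth_client" != true ]; then
        echo "WARN need.client.auth=$need but tls.server.authClient=${auth_client:-<unset, default false>}: client certificates are requested but not verified against tls.server.trustCertPath"
        n=$((n + 1))
      fi ;;
    *)
      echo "WARN tls.server.need.client.auth=$need is not one of none, optional, require"
      n=$((n + 1)) ;;
  esac

  auth_server=$(prop_trim tls.client.authServer "$f")
  if [ "$auth_server" != true ]; then
    echo "WARN tls.client.authServer=${auth_server:-<unset>}: the server certificate is not verified against tls.client.trustCertPath (brokers are TLS clients of the name server too)"
    n=$((n + 1))
  fi

  return "$n"
}

# Constructed samples: the listing from this page as written (with its trailing
# spaces) and a tightened version.
write_samples() {
  d=$1
  printf '%s\n' \
    'tls.test.mode.enable=false                     ' \
    'tls.server.need.client.auth=require   ' \
    'tls.server.keyPath=/opt/certFiles/server.key' \
    'tls.server.keyPassword=123456' \
    'tls.server.certPath=/opt/certFiles/server.pem' \
    'tls.server.authClient=false' \
    'tls.server.trustCertPath=/opt/certFiles/ca.pem' \
    'tls.client.authServer=false                    ' \
    'tls.client.trustCertPath=/opt/certFiles/ca.pem' > "$d/as-listed.properties"
  printf '%s\n' \
    'tls.test.mode.enable=false' \
    'tls.server.need.client.auth=require' \
    'tls.server.keyPath=/opt/certFiles/server.key' \
    'tls.server.keyPassword=123456' \
    'tls.server.certPath=/opt/certFiles/server.pem' \
    'tls.server.authClient=true' \
    'tls.server.trustCertPath=/opt/certFiles/ca.pem' \
    'tls.client.keyPath=/opt/certFiles/client.key' \
    'tls.client.keyPassword=123456' \
    'tls.client.certPath=/opt/certFiles/client.pem' \
    'tls.client.authServer=true' \
    'tls.client.trustCertPath=/opt/certFiles/ca.pem' > "$d/hardened.properties"
}

# Usage: sh lint_tls_properties.sh /path/to/tls.properties
if [ $# -gt 0 ]; then lint_tls_properties "$1"; fi
```

Against the listing as written the lint reports five findings (three trailing-whitespace values, unverified client certificates, unverified server certificates); against the hardened file it reports none. The semantic checks run on the trimmed value so that a setting is judged by what was meant, while the whitespace check tells you why the running process may still disagree.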

3 Update RocketMQ JVM parameters

Edit the start scripts under rocketmq/bin so that tls.properties is picked up.

Replace the value of tls.config.file with the path of the file created in step 2. tls.server.mode=enforcing makes the listener reject plaintext connections; permissive accepts both TLS and plaintext and only makes sense while clients are being migrated (the three modes are described in the proxy section below).

3.1 Edit runserver.sh

Add the following to JAVA_OPT:

JAVA_OPT="${JAVA_OPT} -Dtls.server.mode=enforcing -Dtls.config.file=/opt/rocketmq-4.9.3/conf/tls.properties"

3.2 Edit runbroker.sh

Add the following to JAVA_OPT:

JAVA_OPT="${JAVA_OPT} -Dorg.apache.rocketmq.remoting.ssl.mode=enforcing -Dtls.config.file=/opt/rocketmq-4.9.3/conf/tls.properties  -Dtls.enable=true"

4 Client connection

Create a tlsclient.properties for the client with the following content:

# The store path of client-side private key
tls.client.keyPath=/opt/certFiles/client.key
# The password of the client-side private key
tls.client.keyPassword=123456
# The store path of client-side X.509 certificate chain in PEM format
tls.client.certPath=/opt/certFiles/client.pem
# The store path of trusted certificates for verifying the server endpoint's certificate
tls.client.trustCertPath=/opt/certFiles/ca.pem

Pass the following JVM parameters, replacing the tls.config.file value with the path of the file just created. tls.client.authServer=true turns on verification of the server certificate against tls.client.trustCertPath, and tls.test.mode.enable=false turns off the self-signed test mode:

-Dtls.client.authServer=true -Dtls.enable=true  -Dtls.test.mode.enable=false  -Dtls.config.file=/opt/certs/tlsclient.properties

Enable TLS on the client as follows (the name server address is a placeholder):

import java.nio.charset.StandardCharsets;

import org.apache.rocketmq.client.producer.DefaultMQProducer;
import org.apache.rocketmq.client.producer.SendResult;
import org.apache.rocketmq.common.message.Message;

public class ExampleProducer {
    public static void main(String[] args) throws Exception {
        DefaultMQProducer producer = new DefaultMQProducer("please_rename_unique_group_name");
        // Placeholder address; point it at your name server.
        producer.setNamesrvAddr("127.0.0.1:9876");
        // setUseTLS must be true; key, certificate and trust store are read from tls.config.file
        producer.setUseTLS(true);
        producer.start();

        // Send messages as usual.
        Message msg = new Message("TopicTest", "TagA", "hello over TLS".getBytes(StandardCharsets.UTF_8));
        SendResult result = producer.send(msg);
        System.out.println(result);

        producer.shutdown();
    }
}

5 Proxy TLS Configuration

RocketMQ Proxy uses rmq-proxy.json (not tls.properties) for TLS configuration. The proxy supports TLS for both its gRPC and Remoting protocol endpoints.

5.1 Configure rmq-proxy.json

Add TLS-related fields to distribution/conf/rmq-proxy.json:

{
  "rocketMQClusterName": "DefaultCluster",
  "tlsTestModeEnable": false,
  "tlsKeyPath": "/opt/certFiles/server.key",
  "tlsKeyPassword": "123456",
  "tlsCertPath": "/opt/certFiles/server.pem"
}
Field                   Type     Default                               Description
tlsTestModeEnable       boolean  true                                  Use self-signed certificates for testing. Set to false for production.
tlsKeyPath              string   ${PROXY_HOME}/conf/tls/rocketmq.key   Path to the server private key file (PKCS#8 PEM format).
tlsKeyPassword          string   ""                                    Password for the encrypted private key. Leave empty if the key is not encrypted.
tlsCertPath             string   ${PROXY_HOME}/conf/tls/rocketmq.crt   Path to the server certificate chain file (X.509 PEM format).
tlsCertWatchIntervalMs  int      3600000                               Interval in milliseconds to check for certificate file changes.

5.2 Update Proxy JVM parameters

Edit runproxy.sh (or the script that launches the proxy) to enable TLS enforcing mode:

JAVA_OPT="${JAVA_OPT} -Dtls.server.mode=enforcing"

The three available TLS modes are:

  • disabled - TLS is not supported; incoming TLS handshakes are rejected.
  • permissive - TLS is optional; the proxy accepts both TLS and non-TLS connections.
  • enforcing - TLS is required; non-TLS connections are rejected.