Thursday, February 25, 2010

Added SSL support to NMS.ActiveMQ today

I spent the last couple days trying to decipher MS documentation on SSL support and finally figured out enough to get basic SSL support working in NMS.ActiveMQ. No bells and whistles yet in the SSL transport but it seems to work fine with AMQ so I'm happy. Would love it if some users would check out trunk and give it a spin, let me know what you find and what you think needs fixed / added.

18 comments:

e.semog said...

Awesome, Tim! Is it necessary to have some kind of certificate registered on the ActiveMQ server, or does the SSL layer automatically work?

Tim said...

The broker will send its certificate to the client using the usual SSL Hello exchange, it's up to you to configure the broker with a valid certificate, the one provided in the distribution is a bogus self-signed certificate.

When the NMS client authenticates with AMQ it will receive the certificate from the broker and attempt to validate it, the default one of course fails to validate, which is why I registered a callback with the SslStream to allow us to manually validate a certificate. Right now I just have it allow any Certificate regardless of errors, we should probably have that configurable via the URI to allow for bogus certificates during testing.

There's more to do if the AMQ broker were configured to require client certificates but that's not all that common so I didn't mess with that part yet.
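The validation callback described in the comment above, sketched as an added example (this is not the NMS.ActiveMQ source): the accept-everything callback next to one that tolerates errors only when a test-only switch is set. The class name, method names and the `acceptInvalidBrokerCert` flag are hypothetical.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;

// Added example; class, method and flag names are hypothetical, not NMS API.
public static class BrokerCertValidation
{
    // What the comment describes: every certificate is accepted, so the
    // link is encrypted but the broker's identity is never verified.
    public static bool AcceptAny(object sender, X509Certificate cert,
                                 X509Chain chain, SslPolicyErrors errors)
    {
        return true;
    }

    // Stricter form: trust only what the platform validated, unless the
    // caller explicitly opted in to invalid certificates (testing only).
    public static RemoteCertificateValidationCallback Strict(bool acceptInvalidBrokerCert)
    {
        return (sender, cert, chain, errors) =>
        {
            if (errors == SslPolicyErrors.None)
                return true;

            // Report why validation failed so a trust-store problem is visible.
            Console.Error.WriteLine("Broker certificate failed validation: " + errors);
            if (chain != null)
                foreach (X509ChainStatus s in chain.ChainStatus)
                    Console.Error.WriteLine("  chain: " + s.Status + " " + s.StatusInformation);

            return acceptInvalidBrokerCert;
        };
    }

    // Wraps an already-connected TcpClient; host must match the name in
    // the broker's certificate or RemoteCertificateNameMismatch is raised.
    public static SslStream Wrap(TcpClient tcp, string host, bool acceptInvalidBrokerCert)
    {
        var ssl = new SslStream(tcp.GetStream(), false, Strict(acceptInvalidBrokerCert));
        // Throws AuthenticationException when the callback returns false.
        ssl.AuthenticateAsClient(host);
        return ssl;
    }
}
```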

Tim said...

Sorry about the typos, got distracted halfway through writing that response.

jo said...

Hi Tim,

can't find any source code. Maybe it's because I'm new here and don't know how things work...

I'm trying to connect to Active MQ over SSL from C#, but I'm facing some problems.

Can you post your source?

Thanks a lot
Joachim

Tim said...

You need to download the latest source code from the Apache NMS trunk in SVN. See this page: http://activemq.apache.org/nms/source.html

jo said...

Hi,

yes, thanks. In the meantime I saw that you're one of the Apache NMS developers. Sorry...
Will this work only over Stomp, or can I use openwire too?

thx

Joachim

Tim said...

SSL works both in NMS.ActiveMQ which uses openwire, and in NMS.Stomp (excluding the .NET CF). The latest NMS.ActiveMQ no longer supports Stomp as the NMS.Stomp client provides a better Stomp implementation, so just pick your poison and SSL should work for you.

yy said...

could you tell me how to use this function?

Tim said...

It's as simple as changing the connection URI from something like tcp://127.0.0.1:61616, to ssl://127.0.0.1:61617. The Broker of course must also be configured to have an SSL transportConnector enabled.

yy said...

Thank you for your response.
Could you detail it?
I know how to set it in the broker. But I do not know how to set it on the client side with NMS.
The key is that I do not know how to convert the keystore in ActiveMQ to the cert used by NMS.

Tim said...

I don't think there is a way to convert the KeyStore from the broker directly, you need to use a tool to export the certificate that you generated for your broker and then store that in the location that your particular OS uses to store the trusted certificates.

Here is a site that talks a little about that: http://www.leastprivilege.com/PermaLink.aspx?guid=f34680fd-a58d-43a7-ba6d-2d813814ee73

This page deals with generating a Keystore for your broker and shows a command to export the Broker's Certificate:
http://activemq.apache.org/how-do-i-use-ssl.html

Remember that the Certificate that ships with the Broker is a dummy self-signed Cert, you should generate your own signed Certificate.

Patrick said...

Hi Tim,

Thanks a lot for this contribution. We are currently planning on using ActiveMQ in a mixed Java .NET environment.

However in our environment it is mandatory that all communication is using SSL (mutual SSL). So also the broker needs to authenticate the client.

I understood from one of your comments that this is not (yet) the case. Could you share your view on when this feature could be implemented.

Or maybe highlight how this could be realized, so that we could maybe look at it ourselves.

Also is there any additional information available on how to get it working. I'm familiar with ActiveMQ for java and the configuration of the broker. What is needed to make use of SSL on the client.

Many thanks

Patrick

Tim said...

Getting SSL to work on the client is pretty simple once you have a build of NMS with the SSL support. You need to use the trunk code of both NMS and NMS.ActiveMQ. From there you simply need to specify the ssl transport on the connection URI same as you would for a java client: ssl://127.0.0.1:61617 or something similar depending on your broker configuration.

The two-way authentication should work fine with the NMS SSL transport if you have properly configured your certificates. On the broker you need a valid certificate for the Broker and you need to add a valid Certificate to the Broker's trust store for the client. I'm assuming you know that already. The client then needs to store its Certificate in the "My Certificates" location for the current user as well as adding the Broker's certificate to the trusted Certificates store on the client.
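The client-side half of the two-way setup described above, as an added example in plain .NET (not NMS.ActiveMQ code): it loads the client certificate from the current user's "My" store and presents it during the handshake, while the broker certificate is checked against the machine's trusted stores. The class name, method names and the subject-name lookup are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added example; names are hypothetical, not NMS API.
public static class MutualTlsClient
{
    // Finds the client certificate in CurrentUser\My by subject name.
    public static X509Certificate2 FindClientCert(string subjectName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = true drops expired certificates and ones that
            // do not chain to a trusted root on this machine.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, true);
            foreach (X509Certificate2 c in found)
                if (c.HasPrivateKey)   // required to prove possession to the broker
                    return c;
            throw new InvalidOperationException(
                "No valid client certificate with a private key for " + subjectName);
        }
        finally
        {
            store.Close();
        }
    }

    public static SslStream Connect(string host, int port, string clientSubject)
    {
        var tcp = new TcpClient(host, port);
        // No validation callback: the broker certificate must pass the
        // default platform checks (trusted chain, matching host name).
        var ssl = new SslStream(tcp.GetStream(), false);
        var certs = new X509CertificateCollection { FindClientCert(clientSubject) };
        // Last argument enables revocation checking of the broker certificate.
        ssl.AuthenticateAsClient(host, certs, SslProtocols.Tls12, true);
        return ssl;
    }
}
```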

Tim said...

Been messing around with SSL in NMS.ActiveMQ today, client auth still not working for me although I have a few ideas. Could use some input from users if anyone wants to help out...

Artak Mkrtchyan said...

Hello Tim.

Thank you very much for your post.
I am currently trying to connect (from ssl) to the broker, which is configured to use SSL. We have typed the url to connect to like: ssl://localhost:61616. We get an exception, saying that we have no ssl config available. Can you please help me with this? Will be glad to have some sources of a working client (dummy) example in C#, which is using ssl.

Best Regards,
Artak

Tim said...

Please read this article and see if that answers your question.

http://timbish.blogspot.com/2010/04/ussing-ssl-in-nmsactivemq.html

Artak Mkrtchyan said...

Thank you Tim, I will take a look. Hope this will help me.