Comments on Thoughts of Tim Bish: Added SSL support to NMS.ActiveMQ today

Anonymous (2011-02-28 11:54):
Thank you Tim, I will take a look. Hope this will help me.

Tim (2011-02-26 09:46):
Please read this article and see if that answers your question.

http://timbish.blogspot.com/2010/04/ussing-ssl-in-nmsactivemq.html

Anonymous (2011-02-26 09:37):
Hello Tim.

Thank you very much for your post.
I am currently trying to connect (from ssl) to the broker, which is configured to use SSL. We have typed the url to connect to like: ssl://localhost:61616. We get an exception, saying that we have no ssl config available. Can you please help me with this? Will be glad to have some sources of working client (dummy) example on C#, which is using ssl.

Best Regards,
Artak

Tim (2010-03-30 16:02):
Been messing around with SSL in NMS.ActiveMQ today, client auth still not working for me although I have a few ideas. Could use some input from users if anyone wants to help out...

Tim (2010-03-28 14:18):
Getting SSL to work on the client is pretty simple once you have a build of NMS with the SSL support. You need to use the trunk code of both NMS and NMS.ActiveMQ. From there you simply need to specify the ssl transport on the connection URI same as you would for a java client: ssl://127.0.0.1:61617 or something similar depending on your broker configuration.

The two way authentication should work fine with the NMS SSL transport if you have properly configured your certificates. On the broker you need a valid certificate for the Broker and you need to add a valid Certificate to the Broker's trust store for the client. I'm assuming you know that already.
The client then needs to store its Certificate in the "My Certificates" location for the current user as well as adding the Broker's certificate to the trusted Certificates store on the client.

Unknown (2010-03-28 13:29):
Hi Tim,

Thanks a lot for this contribution. We are currently planning on using ActiveMQ in a mixed Java .NET environment.

However in our environment it is mandatory that all communication is using SSL (mutual SSL). So also the broker needs to authenticate the client.

I understood from one of your comments that this is not (yet) the case. Could you share your view on when this feature could be implemented.

Or maybe highlight how this could be realized, so that we could maybe look at it ourselves.

Also is there any additional information available on how to get it working. I'm familiar with ActiveMQ for java and the configuration of the broker. What is needed to make use of SSL on the client.

Many thanks

Patrick

Tim (2010-03-19 05:34):
I don't think there is a way to convert the KeyStore from the broker directly, you need to use a tool to export the certificate that you generated for your broker and then store that in the location that your particular OS uses to store the trusted certificates.

Here is a site that talks a little about that: http://www.leastprivilege.com/PermaLink.aspx?guid=f34680fd-a58d-43a7-ba6d-2d813814ee73

This page deals with generating a Keystore for your broker and shows a command to export the Broker's Certificate:
http://activemq.apache.org/how-do-i-use-ssl.html

Remember that the Certificate that ships with the Broker is a dummy self signed Cert, you should generate your own signed Certificate.

yy (2010-03-18 20:04):
Thank you for your response.
Could you detail it?
I know how to set it in broker. But I do not know how to set it in client side with NMS.
The key is that I do not know how to convert keystore in ActiveMQ to the cert used by NMS.

yy (2010-03-18 20:04):
This comment has been removed by the author.

Tim (2010-03-18 03:40):
It's as simple as changing the connection URI from something like tcp://127.0.0.1:61616, to ssl://127.0.0.1:61617. The Broker of course must also be configured to have an SSL transportConnector enabled.

yy (2010-03-17 21:33):
Could you tell me how to use this function?

Tim (2010-03-11 05:42):
SSL works both in NMS.ActiveMQ which uses openwire, and in NMS.Stomp (excluding the .NET CF). The latest NMS.ActiveMQ no longer supports Stomp as the NMS.Stomp client provides a better Stomp implementation, so just pick your poison and SSL should work for you.

jo (2010-03-11 04:03):
Hi,

yes, thanks. In the meanwhile I saw that you're one of the Apache NMS developers. Sorry...
Will this work only over Stomp, or can I use openwire too?

thx

Joachim

Tim (2010-03-11 03:17):
You need to download the latest source code from the Apache NMS trunk in SVN. See this page: http://activemq.apache.org/nms/source.html

jo (2010-03-11 02:01):
Hi Tim,

can't find any source code. Maybe it's because I'm new here and don't know how the things are working...

I just try to connect to Active MQ over SSL from C#, but I'm facing some problems.

Can you post your source?

Thanks a lot
Joachim

Tim (2010-02-26 10:51):
Sorry about the typos, got distracted halfway through writing that response.

Tim (2010-02-26 10:49):
The broker will send its certificate to the client using the usual SSL Hello exchange, it's up to you to configure the broker with a valid certificate, the one provided in the distribution is a bogus self signed certificate.

When the NMS client authenticates with AMQ it will receive the certificate from the broker and attempt to validate it, the default one of course fails to validate, which is why I registered a callback with the SslStream to allow us to manually validate a certificate. Right now I just have it allow any Certificate regardless of errors, we should probably have that configurable via the URI to allow for bogus certificates during testing.

There's more to do if the AMQ broker were configured to require client certificates but that's not all that common so I didn't mess with that part yet.

e.p.s. (2010-02-26 09:33):
Awesome, Tim! Is it necessary to have some kind of certificate registered on the ActiveMQ server, or does the SSL layer automatically work?
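
Added example (not part of the original comments, and not NMS.ActiveMQ code): the 2010-02-26 comment describes an SslStream validation callback that allows any certificate regardless of errors. The sketch below shows that behaviour beside a stricter callback that trusts the platform's validation result and, only when a test thumbprint is explicitly configured, accepts that one self-signed broker certificate. The class name, `PinnedTestThumbprint` and both method names are hypothetical.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class BrokerCertificateValidation
{
    // Hypothetical test-only setting: thumbprint (as reported by
    // X509Certificate2.Thumbprint) of the one self-signed broker
    // certificate to accept. Leave null outside of testing.
    public static string PinnedTestThumbprint = null;

    // Behaviour described in the comment: every certificate is accepted,
    // so the client cannot tell the real broker from an impostor.
    public static bool AcceptAny(object sender, X509Certificate certificate,
                                 X509Chain chain, SslPolicyErrors errors)
    {
        return true;
    }

    // Stricter form: rely on the platform's chain and name checks first.
    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true; // chain builds to a trusted root and the name matches

        if (certificate == null || string.IsNullOrEmpty(PinnedTestThumbprint))
            return false; // no explicit test pin configured: reject

        // Test mode: accept only the exact certificate that was pinned.
        string expected = PinnedTestThumbprint.Replace(" ", "");
        string presented = new X509Certificate2(certificate).Thumbprint;
        bool pinned = string.Equals(presented, expected,
                                    StringComparison.OrdinalIgnoreCase);
        if (pinned)
            Console.Error.WriteLine("WARNING: accepted pinned test certificate " +
                                    presented + " despite " + errors);
        return pinned;
    }
}

// Usage with a stream that is already connected to the broker:
//   var ssl = new SslStream(networkStream, false,
//                           BrokerCertificateValidation.Validate);
//   ssl.AuthenticateAsClient("broker.example.test"); // constructed host name
```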