ActiveMQ TLS

To achieve end-to-end encryption, TLS is used between ActiveMQ, the nodes and the client.

To set this up you need a Java Keystore; the instructions here work for Java 1.6, either Sun or OpenJDK based.

Create a keystore with existing certs

If you have an existing PKI deployment (you can probably reuse the Puppet certificates too), the main point is that you already have a key and a cert signed by some CA and now want to create a Java Keystore from them. Follow these steps:

# cat /etc/pki/host.key /etc/pki/ca.pem /etc/pki/host.cert >cert.pem
# openssl pkcs12 -export -in cert.pem -out activemq.p12 -name `hostname`
# keytool -importkeystore -deststorepass secret -destkeypass secret -destkeystore keystore.jks -srckeystore activemq.p12 -srcstoretype PKCS12 -alias `hostname`

The above steps create a standard Java keystore in keystore.jks, which you should store in your ActiveMQ config directory. Its password is secret; you should change this.

Configure ActiveMQ

To let ActiveMQ load your keystore you should add the following to the activemq.xml file:

    <sslContext keyStore="keystore.jks" keyStorePassword="secret" />

You should also add an SSL STOMP listener and make sure port 6164 is open:

    <transportConnector name="openwire" uri="tcp://"/>
    <transportConnector name="stomp" uri="stomp://"/>
    <!-- the stomp+ssl URI must carry the bind address and port 6164 that the MCollective pool config points at -->
    <transportConnector name="stompssl" uri="stomp+ssl://"/>

Configure MCollective

The last step is to tell MCollective to use the SSL connection. To do this you need to use the new pool based configuration, even if you have just one ActiveMQ in your pool:

plugin.stomp.pool.size = 1
plugin.stomp.pool.host1 =
plugin.stomp.pool.port1 = 6164
plugin.stomp.pool.user1 = mcollective
plugin.stomp.pool.password1 = secret
plugin.stomp.pool.ssl1 = true

You should now verify with tcpdump or Wireshark that the connection and traffic really are encrypted.
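As an added example (not part of the MCollective documentation), the following Python client performs the same verification from the client side: it connects to the stomp+ssl listener on port 6164, validates the broker certificate against the CA in /etc/pki/ca.pem together with the hostname, completes a STOMP CONNECT with the pool user and password, and returns the negotiated TLS protocol. The broker hostname, CA path and credentials passed in are assumptions.

```python
import socket
import ssl

STOMP_NULL = b"\x00"  # STOMP frames are terminated by a NUL byte


def build_connect_frame(login, passcode):
    """Build a STOMP 1.0 CONNECT frame carrying the pool user/password."""
    return (b"CONNECT\nlogin:" + login.encode() + b"\npasscode:"
            + passcode.encode() + b"\n\n" + STOMP_NULL)


def parse_stomp_frame(data):
    """Parse one STOMP frame into (command, headers, body).
    Raises ValueError when the NUL terminator has not arrived yet."""
    end = data.find(STOMP_NULL)
    if end < 0:
        raise ValueError("incomplete STOMP frame: no NUL terminator")
    head, _, body = data[:end].partition(b"\n\n")
    lines = head.split(b"\n")
    headers = {}
    for line in lines[1:]:
        if line:
            key, _, value = line.partition(b":")  # values may contain ':'
            headers[key.decode()] = value.decode()
    return lines[0].decode(), headers, body


def check_stomp_tls(host, port, cafile, login, passcode, timeout=5.0):
    """Connect to the stomp+ssl listener, verify the broker certificate
    against cafile and the hostname, then complete a STOMP CONNECT.
    Returns the negotiated TLS protocol name; raises on any failure."""
    context = ssl.create_default_context(cafile=cafile)  # chain + hostname check
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_connect_frame(login, passcode))
            data = b""
            while STOMP_NULL not in data:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("broker closed the connection before CONNECTED")
                data += chunk
            command, headers, _ = parse_stomp_frame(data)
            if command != "CONNECTED":
                raise RuntimeError("expected CONNECTED, got %s %r" % (command, headers))
            return tls.version()


if __name__ == "__main__":
    # hostname, CA file and credentials below are assumptions for this example
    print(check_stomp_tls("activemq.example.com", 6164, "/etc/pki/ca.pem",
                          "mcollective", "secret"))
```

If the broker still runs on Java 1.6 it may only offer older TLS versions, in which case the default context will refuse the handshake and you should lower context.minimum_version deliberately rather than disable verification.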
