To achieve end-to-end encryption, TLS is used between ActiveMQ, the nodes and the client.
To set this up you need a Java Keystore; the instructions here work for Java 1.6, either Sun or OpenJDK based.
Create a keystore with existing certs
If you have an existing PKI deployment (you can probably reuse the Puppet certificates too), the main point is that you already have a key and a certificate signed by some CA and now want to create a Java Keystore from them; follow these steps:
The above steps will create a standard Java keystore in keystore.jks, which you should store in your ActiveMQ config directory. It will have the password secret; you should change this.
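As an added example (not the steps from the original page), the following POSIX shell functions build such a keystore from an existing PEM key, signed certificate and CA certificate with openssl and keytool, and list the aliases it ends up containing. The file names, the alias activemq and the password argument are placeholders; the legacy PKCS12 cipher options are there so a Java 1.6 keytool can read the bundle.

```shell
#!/bin/sh
# Added example, not the page's own code: assumes openssl and a JDK keytool
# are on PATH. Usage: make_keystore KEY.pem CERT.pem CA.pem keystore.jks PASSWORD
set -eu

# Wrap key+cert in a PKCS12 bundle, convert it to a JKS keystore, then add
# the CA certificate as a trusted entry so the broker can verify peers.
make_keystore() {
  key="$1"; cert="$2"; ca="$3"; out="$4"; pass="$5"
  p12="${out%.jks}.p12"
  # Legacy 3DES/SHA1 PBE keeps the bundle readable by Java 1.6's keytool.
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
    -name activemq -out "$p12" -passout "pass:$pass" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
  rm -f "$out"
  keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 \
    -srcstorepass "$pass" -destkeystore "$out" -deststoretype JKS \
    -deststorepass "$pass" -noprompt
  keytool -import -trustcacerts -alias ca -file "$ca" \
    -keystore "$out" -storepass "$pass" -noprompt
  # The intermediate PKCS12 holds the private key; do not leave it behind.
  rm -f "$p12"
}

# Print one alias per line: the key entry plus the trusted CA entry.
# Usage: list_aliases keystore.jks PASSWORD
list_aliases() {
  keytool -list -keystore "$1" -storepass "$2" | sed -n 's/^\([^,]*\),.*/\1/p'
}
```

Remember to pass a real password instead of secret and to restrict the keystore's file permissions to the ActiveMQ user once it is in the config directory.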
To let ActiveMQ load your keystore, add the following to the activemq.xml file:
You should also add an SSL Stomp listener; make sure port 6164 is opened:
The last step is to tell MCollective to use the SSL connection. To do this you need to use the new pool-based configuration, even if you have just one ActiveMQ in your pool:
You should now verify with tcpdump or Wireshark that the connection and traffic really are encrypted.