How to Connect Apache Artemis with WSO2 EI over SSL
Hi folks.
It’s a great time to discuss how to secure the connection between the Artemis broker and WSO2 EI. The weather is clear and sunny.
This is the third post about the Artemis broker, and the posts build on each other.
The first post covered Artemis basics and how to get a broker instance up and running [1]. The second post extended it and explained how to create an Inbound Endpoint in the EI that listens to a JMS queue in Artemis [2].
Is the post already confusing? Don’t worry. Just read the previous posts.
In the previous post [2] we connected the Artemis broker with the EI, but over a plaintext TCP connection: anyone on the network path could read or tamper with the messages and credentials in transit. So let’s secure it now.
Here we are going to discuss enabling:
- One-way SSL and
- Two-way SSL
between the Artemis broker and the EI.
1. Enabling One-way SSL
If you are not familiar with SSL/TLS, it is worth reading up on topics like the ‘SSL handshake’ and ‘HTTPS’ first. One-way SSL is the ordinary HTTPS model: the broker presents a certificate, the EI (the client) verifies it against its truststore, and the EI itself is not authenticated by a certificate.
First of all, let’s create a Java Keystore and a key pair for the broker. keytool’s default certificate validity is only 90 days, so the validity is set explicitly here, and a SAN for the broker host name is included so the certificate can be host-name verified later if you want that.
keytool -genkeypair -alias broker -keystore broker-keystore.jks -storepass activemq -keypass activemq -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA -keysize 2048 -validity 365 -ext SAN=dns:localhost
Then let’s export the public certificate from it.
keytool -export -alias broker -keystore broker-keystore.jks -file broker-cert.cer -storepass activemq
Since we are using self-signed certificates, we have to import the broker’s public certificate into the EI’s client truststore; otherwise the EI has no way to trust the Artemis certificate.
Use the following command to import the exported certificate into the EI’s client-truststore.jks, which is located in the <EI_HOME>/repository/resources/security folder.
keytool -import -alias broker -keystore client-truststore.jks -file broker-cert.cer -storepass wso2carbon -keypass wso2carbon -noprompt
Now the EI has no choice but to trust the Artemis certificate, so it can verify it during the SSL handshake. Because the certificate is self-signed, the EI trusts exactly this certificate (the entry with alias broker): if you regenerate the broker key pair, you have to repeat the export and import.
Next, we have to make some adjustments to the Artemis broker configuration.
In Artemis, Netty is responsible for everything at the transport layer, so it handles SSL for us as well. To enable SSL, add the following acceptor to the <Artemis_Home>/etc/broker.xml file.
<acceptor name="netty-ssl-acceptor">tcp://localhost:61617?sslEnabled=true;keyStorePath=<path_to_artemis_key_store>/broker-keystore.jks;keyStorePassword=activemq;enabledProtocols=TLSv1.2</acceptor>
Only TLSv1.2 is offered here. TLSv1 and TLSv1.1 are deprecated and should not be enabled on a new deployment, not even for compatibility; if the JVMs on both sides support TLSv1.3, you can list it as well. Also note that the keystore password sits in plain text in broker.xml, so restrict the file permissions accordingly (Artemis also supports masked passwords; see its documentation).
Please note that Artemis_Home refers to the broker instance created in the first post [1] (the instance directory, not the Artemis installation). So don’t look anywhere else and scold me later. I already told you a few times to read it.
Here we have used the port 61617. So we have to replace the provider URL ports of:
- Inbound Endpoint
- JMS Listener and
- JMS Sender
Hence, make the following change to the Inbound Endpoint configuration.
<parameter name="java.naming.provider.url">tcp://localhost:61617?sslEnabled=true</parameter>
Note that the URL only says sslEnabled=true and names no truststore. The Artemis client then falls back to the JVM’s default truststore, and the EI startup script points javax.net.ssl.trustStore at client-truststore.jks, which is why the import above is enough. If you add verifyHost=true to the URL, the broker certificate’s SAN must match the host name in the URL (localhost in this post).
Then change ALL the provider URLs of the previously configured JMS Listener/Sender in the same way. Changing the port alone is not enough: without sslEnabled=true the transport would send plaintext to the TLS port and the connection would fail.
<parameter name="java.naming.provider.url" locked="false">tcp://localhost:61617?sslEnabled=true</parameter>
It’s all done. Now you can:
- Start the Artemis server
- Start the EI server
- Login to the Artemis console and check Queues
You will see that the TestQueue has been created. If the EI cannot connect, check the EI log for SSL handshake errors (a certificate missing from the truststore shows up as a PKIX path building failure) and the broker log for the acceptor starting on port 61617. You can also point openssl s_client at port 61617 to confirm that the broker presents the ‘CN=ActiveMQ Artemis Server’ certificate.
Now the second part.
2. Enabling Two-way SSL
Let’s start by generating a key pair for the EI in the default WSO2 keystore wso2carbon.jks, which is located in the same folder as client-truststore.jks.
keytool -genkeypair -alias ei -keystore wso2carbon.jks -storepass wso2carbon -keypass wso2carbon -dname "CN=EI Server, OU=EI, O=EI, L=EI, S=EI, C=EI" -keyalg RSA -keysize 2048 -validity 365
Then let’s export the public certificate and import it into the Artemis truststore.
keytool -export -alias ei -keystore wso2carbon.jks -file ei-cert.cer -storepass wso2carbon
keytool -import -alias ei -keystore artemis-truststore.jks -file ei-cert.cer -storepass activemq -keypass activemq -noprompt
Be careful to set the file paths correctly. The artemis-truststore.jks file does not exist yet; keytool creates it on the first import.
In the first section (one-way SSL) we told the EI to trust the Artemis certificate. Here we have told Artemis to trust the EI certificate.
As the next step, we have to tell both Artemis and the EI where their own keystore and truststore reside.
Hence, apply the following changes to the previously created acceptor in the broker.xml file.
<acceptor name="netty-ssl-acceptor">tcp://localhost:61617?sslEnabled=true;keyStorePath=<path_to_artemis_key_store>/broker-keystore.jks;keyStorePassword=activemq;trustStorePath=<path_to_artemis_trust_store>/artemis-truststore.jks;trustStorePassword=activemq;needClientAuth=true;enabledProtocols=TLSv1.2</acceptor>
The needClientAuth=true parameter is what makes this two-way SSL: it tells the broker to demand a client certificate during the handshake and to reject clients that cannot present one signed by (or, in our case, identical to) a certificate in artemis-truststore.jks. A truststore alone is not enough; without needClientAuth=true the broker still accepts clients that present no certificate at all.
Secondly, change the Inbound Endpoint’s provider URL as follows. The parameters of the client URL are separated by &, and a bare & is not allowed in XML element text, so it has to be written as &amp; or the configuration will not parse.
<parameter name="java.naming.provider.url">tcp://localhost:61617?sslEnabled=true&amp;keyStorePath=<path_to_ei_key_store>/wso2carbon.jks&amp;keyStorePassword=wso2carbon&amp;trustStorePath=<path_to_ei_trust_store>/client-truststore.jks&amp;trustStorePassword=wso2carbon</parameter>
Apply the same keyStore and trustStore parameters to the JMS Listener/Sender provider URLs in axis2.xml as well; otherwise those connections will fail the handshake now that the broker insists on a client certificate.
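The acceptor and provider URLs in both sections are easy to get subtly wrong (a forgotten sslEnabled=true, a missing needClientAuth=true, TLSv1 left enabled, a bare & inside XML). The following Python script is an added example, not code from the post or from the Artemis or WSO2 projects: it parses Artemis-style URLs and reports those mistakes, and renders the Synapse <parameter> element with proper XML escaping. The keystore paths under /opt/artemis and /opt/wso2ei are assumptions for illustration.

```python
# Added example (not from the post): lint Artemis acceptor URLs and EI
# provider URLs for the TLS mistakes discussed above. Paths are assumed.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

# Protocol versions that should not be offered on a new deployment.
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_artemis_url(url):
    """Split tcp://host:port?k=v;k=v (acceptor, ';'-separated) or
    tcp://host:port?k=v&k=v (client, '&'-separated) into (host, port, params)."""
    parts = urlsplit(url)
    params = {}
    if parts.query:
        for item in parts.query.replace(";", "&").split("&"):
            key, _, value = item.partition("=")
            params[key] = value
    return parts.hostname, parts.port, params


def lint_acceptor(url, mutual=False):
    """Return a list of findings for a broker.xml acceptor URL; empty means OK.
    mutual=True applies the extra two-way SSL checks."""
    _, _, p = parse_artemis_url(url)
    findings = []
    if p.get("sslEnabled") != "true":
        findings.append("sslEnabled=true missing: acceptor speaks plaintext")
    if not p.get("keyStorePath"):
        findings.append("keyStorePath missing: broker has no certificate to present")
    offered = set(p.get("enabledProtocols", "").split(",")) - {""}
    weak = sorted(offered & WEAK_PROTOCOLS)
    if weak:
        findings.append("weak protocols enabled: " + ",".join(weak))
    if mutual:
        if not p.get("trustStorePath"):
            findings.append("trustStorePath missing: broker cannot verify the EI certificate")
        if p.get("needClientAuth") != "true":
            findings.append("needClientAuth=true missing: broker never asks EI for a certificate")
    return findings


def lint_provider_url(url, mutual=False):
    """Return findings for the EI side (inbound endpoint / JMS transport URL)."""
    _, port, p = parse_artemis_url(url)
    findings = []
    if p.get("sslEnabled") != "true":
        findings.append("sslEnabled=true missing: EI would talk plaintext to port %s" % port)
    if mutual and not p.get("keyStorePath"):
        findings.append("keyStorePath missing: EI has no certificate to present")
    return findings


def provider_url_parameter(url, name="java.naming.provider.url"):
    """Render the Synapse/axis2 <parameter> element. The '&' between URL
    parameters must become '&amp;' or the XML is not well-formed."""
    return '<parameter name="%s">%s</parameter>' % (name, escape(url))


def is_well_formed(xml_text):
    """True if the fragment parses; a bare '&' in element text makes it fail."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


# Constructed sample URLs; the key/trust store paths are assumptions.
POST_ONE_WAY_ACCEPTOR = (
    "tcp://localhost:61617?sslEnabled=true"
    ";keyStorePath=/opt/artemis/etc/broker-keystore.jks;keyStorePassword=activemq"
    ";enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"
)
HARDENED_TWO_WAY_ACCEPTOR = (
    "tcp://localhost:61617?sslEnabled=true"
    ";keyStorePath=/opt/artemis/etc/broker-keystore.jks;keyStorePassword=activemq"
    ";trustStorePath=/opt/artemis/etc/artemis-truststore.jks;trustStorePassword=activemq"
    ";needClientAuth=true;enabledProtocols=TLSv1.2"
)
TWO_WAY_PROVIDER_URL = (
    "tcp://localhost:61617?sslEnabled=true"
    "&keyStorePath=/opt/wso2ei/repository/resources/security/wso2carbon.jks"
    "&keyStorePassword=wso2carbon"
    "&trustStorePath=/opt/wso2ei/repository/resources/security/client-truststore.jks"
    "&trustStorePassword=wso2carbon"
)

if __name__ == "__main__":
    for label, findings in [
        ("one-way acceptor with TLSv1 enabled", lint_acceptor(POST_ONE_WAY_ACCEPTOR)),
        ("hardened two-way acceptor", lint_acceptor(HARDENED_TWO_WAY_ACCEPTOR, mutual=True)),
        ("plain tcp://localhost:61617", lint_provider_url("tcp://localhost:61617")),
        ("two-way provider URL", lint_provider_url(TWO_WAY_PROVIDER_URL, mutual=True)),
    ]:
        print(label, "->", findings or "OK")
    print(provider_url_parameter(TWO_WAY_PROVIDER_URL))
```

Run it as-is to see the findings for the sample URLs, or paste your own acceptor string from broker.xml into lint_acceptor(..., mutual=True) before restarting the broker. The linter deliberately checks configuration text only; it does not prove the handshake works, so the start-and-check-the-queue procedure below is still needed.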
That’s it. Let’s follow the same procedure to verify the changes. To prove that client authentication is really being enforced, temporarily remove the keyStore parameters from the provider URL and restart the EI: the handshake should now fail in the EI log.
- Start the Artemis server
- Start the EI server
- Login to the Artemis console and check Queues
Now you know how to secure the communication between Artemis and WSO2 EI using one-way and two-way SSL. If it’s still unclear, then read the post again. I can’t explain all the things again. :(
That’s it for this post. I hope you were all able to follow it successfully.
Please feel free to leave a comment if you have any doubts.
Cheers.
References:
[1] https://medium.com/@nipunadilhara/apache-activemq-artemis-101-4821582c6670
[2] https://medium.com/@nipunadilhara/how-to-connect-apache-artemis-with-wso2-ei-e857f32a822f
[3] https://github.com/apache/activemq-artemis/tree/master/examples/features/standard/ssl-enabled