10.5. SSL

This section will show how to use SSL to enable secure connections between an AMQP message client and the broker.

10.5.1. Keystore Configuration

The broker configuration file (config.xml) needs to be updated to include the required SSL keystore configuration, an example of which can be found below.

Example 10.6. Configuring an SSL Keystore

<connector>
  ...
  <ssl>
    <enabled>true</enabled>
    <port>5671</port>
    <sslOnly>false</sslOnly>
    <keyStorePath>/path/to/keystore.ks</keyStorePath>
    <keyStorePassword>keystorepass</keyStorePassword>
    <certAlias>alias</certAlias>
  </ssl>
  ...
</connector>

The certAlias element is an optional way of specifying which certificate the broker should use if the keystore contains multiple entries.

The sslOnly element controls whether the broker will only bind the configured SSL port(s) or will also bind the non-SSL port(s). Setting sslOnly to true will disable the non-SSL ports.

10.5.2. Truststore / Client Certificate Authentication

The SSL truststore and related Client Certificate Authentication behaviour can be configured with additional configuration as shown in the example below, in which the broker requires client certificate authentication.

Example 10.7. Configuring an SSL Truststore and client auth

<connector>
  ...
  <ssl>
    ...
    <trustStorePath>/path/to/truststore.ks</trustStorePath>
    <trustStorePassword>truststorepass</trustStorePassword>
    <needClientAuth>true</needClientAuth>
    <wantClientAuth>false</wantClientAuth>
    ...
  </ssl>
  ...
</connector>

The needClientAuth and wantClientAuth elements allow control of whether the client must present an SSL certificate. Only one of these elements is needed but both may be used at the same time. A socket's client authentication setting is one of three states: required (needClientAuth = true), requested (wantClientAuth = true), or none desired (both false, the default). If both elements are set to true, needClientAuth takes precedence.
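To make the keystore, sslOnly and client-authentication rules above concrete, here is a small Python lint for a connector's ssl block. It is an added example, not part of the Qpid documentation or broker code: it assumes only the element names shown on this page, the sample config it parses is constructed for illustration, and the rule that a truststore is needed when client certificates are to be verified is a general TLS assumption rather than something this page states.

```python
"""Lint a Qpid broker <connector><ssl> block and report the effective
TLS settings described in Section 10.5.

Added example, not part of the Qpid documentation or code base. It
assumes only the element names shown on this page; the sample XML
below is constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed sample config: both client-auth flags set, sslOnly false.
SAMPLE_CONFIG = """<connector>
  <ssl>
    <enabled>true</enabled>
    <port>5671</port>
    <sslOnly>false</sslOnly>
    <keyStorePath>/path/to/keystore.ks</keyStorePath>
    <keyStorePassword>keystorepass</keyStorePassword>
    <certAlias>alias</certAlias>
    <trustStorePath>/path/to/truststore.ks</trustStorePath>
    <trustStorePassword>truststorepass</trustStorePassword>
    <needClientAuth>true</needClientAuth>
    <wantClientAuth>true</wantClientAuth>
  </ssl>
</connector>"""


def _flag(ssl, name, default=False):
    """Read a boolean child element; an absent element means the default."""
    node = ssl.find(name)
    if node is None or node.text is None:
        return default
    return node.text.strip().lower() == "true"


def client_auth_mode(ssl):
    """Map needClientAuth/wantClientAuth to the three socket states.
    needClientAuth wins when both are true, as the page states."""
    if _flag(ssl, "needClientAuth"):
        return "required"
    if _flag(ssl, "wantClientAuth"):
        return "requested"
    return "none"


def lint_connector(xml_text):
    """Return (summary dict, list of warnings) for one <connector> block."""
    root = ET.fromstring(xml_text)
    ssl = root.find("ssl")
    warnings = []
    if ssl is None or not _flag(ssl, "enabled"):
        return {"enabled": False}, ["SSL is not enabled on this connector"]

    summary = {
        "enabled": True,
        "port": int(ssl.findtext("port", default="5671")),
        "ssl_only": _flag(ssl, "sslOnly"),
        "client_auth": client_auth_mode(ssl),
        "cert_alias": ssl.findtext("certAlias"),  # None when not configured
    }
    if ssl.find("keyStorePath") is None:
        warnings.append("keyStorePath is missing; the broker has no server certificate")
    if not summary["ssl_only"]:
        warnings.append("sslOnly=false: the non-SSL port(s) remain bound alongside TLS")
    # Assumption (general TLS, not stated on the page): verifying client
    # certificates needs a truststore to check them against.
    if summary["client_auth"] != "none" and ssl.find("trustStorePath") is None:
        warnings.append("client auth requested but no trustStorePath configured")
    if _flag(ssl, "needClientAuth") and _flag(ssl, "wantClientAuth"):
        warnings.append("both needClientAuth and wantClientAuth are true; needClientAuth takes precedence")
    return summary, warnings


if __name__ == "__main__":
    summary, warnings = lint_connector(SAMPLE_CONFIG)
    print(summary)
    for w in warnings:
        print("WARNING:", w)
```

Run against the sample, the lint reports client_auth as "required" (needClientAuth takes precedence over wantClientAuth) and warns that sslOnly=false leaves the plain AMQP port bound; pointing it at a real config.xml connector block gives the same summary for a deployment review.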

When using Client Certificate Authentication it may be desirable to use the External Authentication Manager; for details see Section 10.3.4, “External (SSL Client Certificates)”.