
7.11. Keystores

A Keystore is required by a Port in order to use SSL for messaging and/or management.

The Broker supports a number of different keystore types. These are described below.

The key material may be held inline within the Broker's configuration, or the configuration may reference files on the server's file system. Whichever mechanism is chosen, it is imperative that private key material remains confidential: the configuration store and any referenced key files should be readable only by the account the Broker runs as.

7.11.1. Types

The following keystore types are supported.

  • File Key Store. This type accepts the standard JKS keystore format understood by Java and by Java tools such as keytool.

    If the keystore contains multiple key entries, the one to use can be indicated by specifying an alias. If no alias is specified, the first certificate found in the keystore will be used, so on a multi-entry keystore an explicit alias is the only way to be sure which certificate is presented.

  • Non Java Key Store. A Non Java Key Store accepts key material in PEM or DER format. With this store type you provide the private key (which must not be password protected), the certificate, and optionally a file containing the intermediate certificates.

  • Auto Generated Self Signed. This type generates a self-signed certificate and can produce a truststore suitable for use by applications using the Apache Qpid JMS and Apache Qpid JMS AMQP 0-x clients.

    The use of self-signed certificates is not recommended for production use: clients cannot validate them against a trusted CA and must instead be given the generated truststore out of band.

7.11.2. Attributes

  • Name. Used to identify the keystore.

The following attributes apply to File Key Stores only.

  • Keystore path. Path to the keystore file.

  • Keystore password. Password used to secure the keystore.

    Important

    The password of the private key entry used by the Broker must match the password of the keystore itself. This is a restriction of the Broker implementation. If using the keytool utility, this means the argument to the -keypass option must match the argument to the -storepass option. (PKCS12 keystores impose the same rule in any case: keytool ignores a -keypass that differs from the store password for them.)

  • Certificate Alias. An optional way of specifying which certificate the broker should use if the keystore contains multiple entries.

  • Manager Factory Algorithm. The name of the Java KeyManagerFactory algorithm used to build the key manager from the keystore, for example SunX509 or PKIX. The JVM's default algorithm is normally appropriate.

  • Key Store Type. The Java keystore type of the file, for example JKS or PKCS12.

  • Use SNI host name matching. If selected, the server name the client indicates in the TLS handshake (SNI) is used to select the most appropriate certificate, by matching the indicated host name against the host names given in the certificate's subject or subject alternative names (as CN or DC).
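The selection rule behind SNI host name matching, written out as an added Python example (not Broker-J code) so that the edge cases are visible: case-insensitive comparison, a wildcard that covers exactly one leftmost label, an exact name preferred over a wildcard, and a fallback when the client sends no SNI, sends an IP literal, or names a host no entry covers. It assumes an inventory of alias to host names (subject CN plus subject alternative names) that has already been read out of the keystore; the inventory below is constructed, and default_alias stands for the configured Certificate Alias, or the first entry when none is configured.

```python
# Added example (not Broker-J code): alias selection for an SNI server name.
import ipaddress

# Constructed inventory: alias -> host names the certificate carries
# (subject CN plus subjectAltName dNSName entries).
CERTS = {
    "broker": ["broker.example.com"],
    "messaging": ["*.msg.example.com", "msg.example.com"],
    "management": ["mgmt.example.com", "admin.example.com"],
}


def name_matches(pattern, host):
    """Case-insensitive comparison; a wildcard is allowed only as the entire
    leftmost label and matches exactly one label (RFC 6125 section 6.4.3)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    # "*.com" would match every .com host and "*.example.com" must not match
    # "example.com" itself or "a.b.example.com"
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def select_alias(server_name, certs, default_alias):
    """Pick the alias for an SNI server name. No SNI, an IP literal (which SNI
    forbids and which cannot match a host name) and an unknown name all fall
    back to default_alias; an exact name wins over a wildcard entry."""
    if not server_name:
        return default_alias
    try:
        ipaddress.ip_address(server_name)
        return default_alias
    except ValueError:
        pass
    wildcard_hit = None
    for alias, names in certs.items():
        for name in names:
            if name_matches(name, server_name):
                if "*" not in name:
                    return alias
                wildcard_hit = wildcard_hit or alias
    return wildcard_hit or default_alias


if __name__ == "__main__":
    for sni in ("MGMT.example.com", "queue1.msg.example.com", "a.b.msg.example.com", None, "10.0.0.5"):
        print(sni, "->", select_alias(sni, CERTS, "broker"))
```

The check worth carrying over to a real deployment is the last case: a client that connects by IP address, or with a stale host name, silently gets the default entry, so the default entry should be the certificate you are willing to present to everyone.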

The following attributes apply to Non Java Key Stores only.

  • Private Key. The private key in DER or PEM format. This file must not be password protected.

  • Certificate. The certificate in DER or PEM format.

  • Intermediate Certificates. Optional. Intermediate certificates in PEM or DER format.
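A pre-flight check for the three Non Java Key Store inputs described above (the private key, the certificate and the optional intermediates file), as an added Python example that is not Broker-J code. It catches the input the Broker does not accept, a password-protected private key (a PKCS#8 ENCRYPTED PRIVATE KEY block, a legacy OpenSSL block with a Proc-Type: 4,ENCRYPTED header, or a DER EncryptedPrivateKeyInfo), and two further mistakes worth catching before configuring the store: a DER file whose declared length does not match the file, and a certificate file that carries a whole chain where the leaf alone belongs. It inspects encoding and PEM labels only, it does not parse keys or validate the chain; the sample inputs are constructed and have only the ASN.1 shape of real keys and certificates.

```python
# Added example (not Broker-J code): pre-flight check of the files handed to a Non Java
# Key Store. Inspects encoding and PEM labels only; it does not parse keys or verify chains.
import base64
import re

PEM_BLOCK = re.compile(rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def der_length_ok(data):
    """True if data is one DER SEQUENCE (tag 0x30) whose declared length covers the whole buffer."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                      # short form: the byte is the length
        return len(data) == 2 + data[1]
    n = data[1] & 0x7F                      # long form: next n bytes hold the length (0x80 = indefinite, not DER)
    return n != 0 and len(data) >= 2 + n and len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")

def der_is_encrypted_key(der):
    """EncryptedPrivateKeyInfo is SEQUENCE { SEQUENCE AlgorithmIdentifier, ... }; an unencrypted
    PrivateKeyInfo / RSAPrivateKey / ECPrivateKey is SEQUENCE { INTEGER version, ... }."""
    header = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    return len(der) > header and der[header] == 0x30

def pem_blocks(data):
    """Yield (label, headers, der) per PEM block; headers are the RFC 1421 fields legacy OpenSSL keys carry."""
    for m in PEM_BLOCK.finditer(data):
        body, headers = m.group("body"), {}
        parts = re.split(rb"\r?\n\r?\n", body, maxsplit=1)
        if len(parts) == 2:                 # header lines, a blank line, then the base64 body
            head, body = parts
            for line in head.splitlines():
                key, _, value = line.partition(b":")
                headers[key.strip().decode()] = value.strip().decode()
        yield m.group("label").decode(), headers, base64.b64decode(b"".join(body.split()))

def check_private_key(data):
    """Problems found with a private key file; an empty list means it is acceptable."""
    if data[:1] == b"\x30":                                             # DER file
        if not der_length_ok(data):
            return ["private key: truncated or malformed DER"]
        return ["private key: DER EncryptedPrivateKeyInfo is password protected"] if der_is_encrypted_key(data) else []
    blocks = list(pem_blocks(data))
    if len(blocks) != 1:
        return ["private key: expected exactly one PEM block, found %d" % len(blocks)]
    label, headers, der = blocks[0]
    if label == "ENCRYPTED PRIVATE KEY":
        return ["private key: PKCS#8 block is password protected"]
    if "ENCRYPTED" in headers.get("Proc-Type", ""):
        return ["private key: legacy OpenSSL block is password protected (Proc-Type: 4,ENCRYPTED)"]
    if label not in KEY_LABELS:
        return ["private key: unexpected PEM label %r" % label]
    return [] if der_length_ok(der) else ["private key: PEM body is not a well-formed DER structure"]

def check_certificate_file(data, what, allow_many):
    """Certificate file: exactly one CERTIFICATE block; intermediates file: one or more."""
    if data[:1] == b"\x30":
        return [] if der_length_ok(data) else ["%s: truncated or malformed DER" % what]
    blocks, problems = list(pem_blocks(data)), []
    if not blocks:
        problems.append("%s: no PEM CERTIFICATE block found" % what)
    elif len(blocks) > 1 and not allow_many:
        problems.append("%s: %d blocks; keep only the leaf here, the rest belong in the intermediates file" % (what, len(blocks)))
    for label, _, der in blocks:
        if label != "CERTIFICATE":
            problems.append("%s: unexpected PEM label %r" % (what, label))
        elif not der_length_ok(der):
            problems.append("%s: a block is not a well-formed DER structure" % what)
    return problems

def check_non_java_keystore(private_key, certificate, intermediates=None):
    """Combined check of the three inputs; [] means they look acceptable."""
    problems = check_private_key(private_key) + check_certificate_file(certificate, "certificate", False)
    if intermediates is not None:
        problems += check_certificate_file(intermediates, "intermediates", True)
    return problems

# Constructed samples: the DER bytes only have the ASN.1 shape of the real structures
# (they are not usable keys or certificates), so the check runs offline.
def to_pem(label, der, headers=()):
    head = "".join("%s: %s\n" % h for h in headers) + ("\n" if headers else "")
    return ("-----BEGIN %s-----\n%s%s-----END %s-----\n" % (label, head, base64.encodebytes(der).decode(), label)).encode()

PLAIN_KEY_DER = bytes.fromhex("3003020100")     # SEQUENCE { INTEGER 0 }
ENC_KEY_DER = bytes.fromhex("300430000400")     # SEQUENCE { SEQUENCE {}, OCTET STRING {} }
CERT_DER = bytes.fromhex("30023000")            # SEQUENCE { SEQUENCE {} }
GOOD_KEY = to_pem("PRIVATE KEY", PLAIN_KEY_DER)
ENCRYPTED_PKCS8 = to_pem("ENCRYPTED PRIVATE KEY", ENC_KEY_DER)
ENCRYPTED_LEGACY = to_pem("RSA PRIVATE KEY", b"\x8f\x1c\x00\x42",
                          headers=(("Proc-Type", "4,ENCRYPTED"), ("DEK-Info", "AES-256-CBC,00112233445566778899AABBCCDDEEFF")))
LEAF_CERT = to_pem("CERTIFICATE", CERT_DER)
CHAIN = LEAF_CERT + LEAF_CERT

if __name__ == "__main__":
    for name, files in {"good": (GOOD_KEY, LEAF_CERT, CHAIN), "pkcs8 encrypted": (ENCRYPTED_PKCS8, LEAF_CERT),
                        "legacy encrypted": (ENCRYPTED_LEGACY, LEAF_CERT), "chain as leaf": (GOOD_KEY, CHAIN)}.items():
        print(name, "->", check_non_java_keystore(*files) or "OK")
```

To use it on real material, pass the bytes read from each file (open(path, "rb").read()) to check_non_java_keystore and refuse to configure the store while the list is non-empty. A key that fails the password check has to be converted to an unencrypted PKCS#8 file first, and that file then deserves the same restrictive permissions as the keystore password.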

The following attributes apply to Auto Generated Self Signed only.

  • Algorithm. Optional. Algorithm used to generate the self-signed certificate.

  • Signature Algorithm. Optional. The name of the signature algorithm.

  • Key Length. Optional. Length of the key in bits.

  • Duration. Optional. Validity period in months.

7.11.3. Children

None

7.11.4. Lifecycle

Not supported