Versions Compared

Old Version 4

changes.mady.by.user Former user

Saved on

compared with

New Version 5

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

WSO2 Message Broker provides support to send/receive messages via secured connections using the SSL/TLS protocol. The following instructions describe how to configure the MB server and JMS clients to communicate via encrypted connections using SSL.

Table of Contents
maxLevel3
minLevel3

Enabling SSL in the broker

To enable SSL in the inthe server side, change the following entries in the <MB_HOME>/repository/conf/broker.xml file under the relevant transport (AMQP or MQTT). See Configuring Transports for WSO2 MB for more information on the available transports.

Code Block
languagehtml/xml
<sslConnection enabled="true" port="">
    	<keyStore>
        	<location>repository/resources/security/wso2carbon.jks</location>
            <password>wso2carbon</password>
            <certType>SunX509</certType>
    	</keyStore>
        <trustStore>
            <location>repository/resources/security/client-truststore.jks</location>
            <password>wso2carbon</password>
            <certType>SunX509</certType>
        </trustStore>
</sslConnection>

The parameters in the above configuration are as follows.

ParameterDescription
SSL Connection

This contains the basic configurations relating to the SSL connection. Setting the enabled="true" attribute ensures that SSL is enabled by default when the MB server is started. The port="" attribute sets the default SSL listener port for messages/command sent via the relevant transport.

  • The default port for the AMQP transport is 8672.
  • The default port for the MQTT transport is 8883.
Location

The location where the keystore/truststore used for securing SSL connections is stored. By default this defaultthis is the default keystore(wso2carbon.jks) andtruststore (client-truststore.jks) that is shipped with WSO2 MB.

Note

Note that this these (keystore and truststore) should always be a keystore created for the super tenant. Find out more about setting up keystores for your MB server.

PasswordThe password of the keystore/truststore.
Certification Type 

Configuring JMS Clients to use SSL

SSL parameters are configured and sent to the broker as broker options in the TCPConnectionURL defined by the client. You need to set the 'ssl=true' property in the url theurl and specify the keystore thekeystore and client trust store paths and passwords. Use the connection url connectionurl format shown below to pass the SSL parameters:

Code Block
String connectionURL = "amqp://<USERNAME>:<PASSWORD>@carbon/carbon?brokerlist='tcp://<IP>:<SSL_POR T>?ssl='true'&ssl_cert_alias='<CERTIFICATE_ALIAS_IN_TRUSTSTORE>'&trust_store=' <PATH_TO_TRUST_STORE>'&trust_store_password='<TRUSTSTORE_PASSWORD>'& key_store='<PATH_TO_KEY_STORE>'&key_store_password='<KEYSTORE_PASSWOR D>''";

Setting the 'ssl_cert_alias' property is not mandatory and can be used as an optional way to specify which certificate the broker should use if the trust store contains multiple entries.

Example: Consider that you have WSO2 Enterprise Service Bus (WSO2 ESB) as the JMS client. Shown below is an example connection url using connectionurl using the default keystores defaultkeystores and trust stores in WSO2 ESB:

...