WSO2 Message Broker provides support to send/receive messages via secured connections using the SSL/TLS protocol. The following instructions describe how to configure the MB server and JMS clients to communicate via encrypted connections using SSL.
Table of Contents | ||||
---|---|---|---|---|
|
Enabling SSL in the broker
To enable SSL inthe server side, change the following entries in the <MB_HOME>/repository/conf/broker.xml
file under the relevant transport (AMQP or MQTT). See Configuring Transports for WSO2 MB for more information on the available transports.
Code Block | ||
---|---|---|
| ||
<sslConnection enabled="true" port=""> <keyStore> <location>repository/resources/security/wso2carbon.jks</location> <password>wso2carbon</password> <certType>SunX509</certType> </keyStore> <trustStore> <location>repository/resources/security/client-truststore.jks</location> <password>wso2carbon</password> <certType>SunX509</certType> </trustStore> </sslConnection> |
The parameters in the above configuration are as follows.
Parameter | Description | ||
---|---|---|---|
SSL Connection | This contains the basic configurations relating to the SSL connection. Setting the
| ||
Location | The location where the keystore/truststore used for securing SSL connections is stored. By defaultthis is the default keystore(
| ||
Password | The password of the keystore/truststore. | ||
Certification Type | The type of SSL certificate used for the keystore/truststore. |
Configuring JMS Clients to use SSL
SSL parameters are configured and sent to the broker as broker options in the TCPConnectionURL
defined by the client. You need to set the 'ssl=true' property in theurl and specify thekeystore and client trust store paths and passwords. Use the connectionurl format shown below to pass the SSL parameters:
Code Block |
---|
String connectionURL = "amqp://<USERNAME>:<PASSWORD>@carbon/carbon?brokerlist='tcp://<IP>:<SSL_POR T>?ssl='true'&ssl_cert_alias='<CERTIFICATE_ALIAS_IN_TRUSTSTORE>'&trust_store=' <PATH_TO_TRUST_STORE>'&trust_store_password='<TRUSTSTORE_PASSWORD>'& key_store='<PATH_TO_KEY_STORE>'&key_store_password='<KEYSTORE_PASSWOR D>''"; |
Setting the 'ssl_cert_alias' property is not mandatory and can be used as an optional way to specify which certificate the broker should use if the trust store contains multiple entries.
Example: Consider that you have WSO2 Enterprise Service Bus (WSO2 ESB) as the JMS client. Shown below is an example connectionurl using the defaultkeystores and trust stores in WSO2 ESB:
...