The WSO2 EI Message Broker runtime can send and receive messages over connections secured with the SSL/TLS protocol. The following instructions describe how to configure the broker server and JMS clients to communicate over encrypted connections.


Enabling SSL in the broker

To enable SSL on the server side, change the following entries in the <EI_HOME>/wso2/broker/conf/broker.xml file under the relevant transport (AMQP or MQTT). See Configuring Transports for more information on the available transports.

Code Block
<!-- port: 8672 is the default SSL port of the AMQP transport; the MQTT transport uses 8883 -->
<sslConnection enabled="true" port="8672">
    <keyStore>
        <location>repository/resources/security/wso2carbon.jks</location>
        <password>wso2carbon</password>
        <certType>SunX509</certType>
    </keyStore>
    <trustStore>
        <location>repository/resources/security/client-truststore.jks</location>
        <password>wso2carbon</password>
        <certType>SunX509</certType>
    </trustStore>
</sslConnection>

The parameters in the above configuration are as follows.

  • SSL Connection: Contains the basic configuration of the SSL connection. Setting the enabled="true" attribute ensures that SSL is enabled when the broker starts. The port="8672" attribute sets 8672 as the SSL listener port for messages and commands sent via the relevant transport. The default SSL port for the AMQP transport is 8672; the default SSL port for the MQTT transport is 8883.
  • Location: The location of the keystore/truststore used for securing SSL connections. By default this is the keystore (wso2carbon.jks) and truststore (client-truststore.jks) shipped with the broker.

    Note: The keystore and truststore should always be ones created for the super tenant. See the documentation on setting up keystores for your broker. The shipped wso2carbon.jks and client-truststore.jks, together with their wso2carbon password, are identical in every WSO2 distribution, so anyone with a copy of the product holds the same private key and can impersonate the broker to its clients. Replace them with your own keystore and truststore before exposing an SSL listener outside a test setup.

  • Password: The password of the keystore/truststore.
  • Certification Type: The key manager algorithm used to read the keystore/truststore. SunX509 is the standard name of the algorithm used by the key managers on Oracle and OpenJDK JVMs. Change this value if the broker runs on a different JVM, for example IbmX509 for the IBM JVM.

After restarting the broker, confirm that the configured port now negotiates TLS and presents the expected certificate, for example with openssl s_client -connect <host>:8672 from a client machine, before pointing production clients at it.

Configuring JMS Clients to use SSL

SSL parameters are configured and passed to the broker as broker options in the TCPConnectionURL defined by the client. You need to set the ssl='true' property in the URL and specify the keystore and client truststore paths and passwords. Use the connection URL format shown below to pass the SSL parameters:

Code Block
String connectionURL = "amqp://<USERNAME>:<PASSWORD>@carbon/carbon?brokerlist='tcp://<IP>:<SSL_PORT>?ssl='true'&ssl_cert_alias='<CERTIFICATE_ALIAS_IN_TRUSTSTORE>'&trust_store='<PATH_TO_TRUST_STORE>'&trust_store_password='<TRUSTSTORE_PASSWORD>'&key_store='<PATH_TO_KEY_STORE>'&key_store_password='<KEYSTORE_PASSWORD>''";

Setting the ssl_cert_alias property is not mandatory; it is an optional way to specify which certificate to use if the truststore contains multiple entries. Note that the broker credentials and both store passwords appear in clear text in this URL, so treat any file or log that contains the connection URL (for example a jndi.properties file) as a secret.

Example: Consider that you have the Integrator runtime of WSO2 EI as the JMS client. Shown below is an example connection URL using the default keystore and truststore of the Integrator:

Code Block
String connectionUrl = "amqp://admin:admin@carbon/carbon?brokerlist='tcp://localhost:8672?ssl='true'&ssl_cert_alias='RootCA'&trust_store='{EI_HOME}/repository/resources/security/client-truststore.jks'&trust_store_password='wso2carbon'&key_store='{EI_HOME}/repository/resources/security/wso2carbon.jks'&key_store_password='wso2carbon''";



Info

When you configure the Integrator runtime to communicate with the broker using SSL, the SSL URL should be configured in the jndi.properties file for the Integrator (stored in the <EI_HOME>/conf directory). See the documentation on how the Integrator runtime works with the Message Broker runtime in WSO2 EI for detailed instructions.
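As an added example (not code from the original page or from WSO2), the following standalone Java client builds the SSL connection URL in the format described above, looks the connection factory up through JNDI, and sends one message to a queue over the AMQP SSL listener and reads it back. The broker host, the queue name SslDemoQueue, the EI_HOME fallback path and the MB_* environment variable names are assumptions; the initial context factory class org.wso2.andes.jndi.PropertiesFileInitialContextFactory is the one used by WSO2's JMS client samples and ships in the andes-client jar.

```java
import java.util.Properties;

import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.MessageProducer;
import javax.jms.Queue;
import javax.jms.Session;
import javax.jms.TextMessage;
import javax.naming.Context;
import javax.naming.InitialContext;

/**
 * Sends one message to a queue over the broker's AMQP SSL listener and reads it back.
 * Needs the andes-client jar and its dependencies (from the broker's client-lib directory) on the classpath.
 */
public class SslQueueRoundTrip {

    // Assumed deployment values; change them to match your environment.
    static final String BROKER_HOST = "localhost";
    static final int AMQP_SSL_PORT = 8672;                    // default SSL port of the AMQP transport
    static final String EI_HOME = env("EI_HOME", "/opt/wso2ei");
    static final String SECURITY_DIR = EI_HOME + "/repository/resources/security";
    static final String QUEUE_NAME = "SslDemoQueue";          // assumed queue name

    /** Builds the connection URL with the SSL broker options in the format the text describes. */
    static String sslConnectionUrl(String user, String password, String host, int port,
                                   String trustStore, String trustStorePassword,
                                   String keyStore, String keyStorePassword, String certAlias) {
        StringBuilder url = new StringBuilder();
        url.append("amqp://").append(user).append(':').append(password)
           .append("@carbon/carbon?brokerlist='tcp://").append(host).append(':').append(port)
           .append("?ssl='true'");
        if (certAlias != null) {                               // ssl_cert_alias is optional
            url.append("&ssl_cert_alias='").append(certAlias).append('\'');
        }
        url.append("&trust_store='").append(trustStore).append('\'')
           .append("&trust_store_password='").append(trustStorePassword).append('\'')
           .append("&key_store='").append(keyStore).append('\'')
           .append("&key_store_password='").append(keyStorePassword).append("''");
        return url.toString();
    }

    /** Reads a setting from the environment so the passwords embedded in the URL are not hard-coded. */
    static String env(String name, String fallback) {
        String value = System.getenv(name);
        return value == null ? fallback : value;
    }

    public static void main(String[] args) throws Exception {
        String url = sslConnectionUrl(
                env("MB_USER", "admin"), env("MB_PASSWORD", "admin"), BROKER_HOST, AMQP_SSL_PORT,
                SECURITY_DIR + "/client-truststore.jks", env("MB_TRUSTSTORE_PASSWORD", "wso2carbon"),
                SECURITY_DIR + "/wso2carbon.jks", env("MB_KEYSTORE_PASSWORD", "wso2carbon"),
                "RootCA");

        // JNDI properties: the connection factory is the SSL URL, the queue is registered by name.
        Properties props = new Properties();
        props.put(Context.INITIAL_CONTEXT_FACTORY, "org.wso2.andes.jndi.PropertiesFileInitialContextFactory");
        props.put("connectionfactory.QueueConnectionFactory", url);
        props.put("queue." + QUEUE_NAME, QUEUE_NAME);
        InitialContext ctx = new InitialContext(props);

        ConnectionFactory factory = (ConnectionFactory) ctx.lookup("QueueConnectionFactory");
        Queue queue = (Queue) ctx.lookup(QUEUE_NAME);

        Connection connection = factory.createConnection();     // the TLS handshake happens here
        try {
            connection.start();
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);

            MessageProducer producer = session.createProducer(queue);
            producer.send(session.createTextMessage("hello over TLS"));

            MessageConsumer consumer = session.createConsumer(queue);
            Message reply = consumer.receive(5000);               // wait up to 5 seconds
            if (reply instanceof TextMessage) {
                System.out.println("Received: " + ((TextMessage) reply).getText());
            } else {
                System.out.println("No message received within 5 seconds");
            }
        } finally {
            connection.close();
        }
    }
}
```

If the broker presents a certificate that is not in the client truststore, createConnection() fails with a JMSException wrapping the SSL handshake error; that is the expected result when testing against a broker whose default keystore has been replaced but whose new certificate has not yet been imported into client-truststore.jks.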

Configuring JMS Clients for Failover with SSL

If you have configured a WSO2 EI Message Broker cluster, you might need to configure failover. If the broker nodes have different certificates, you can specify a client truststore and keystore individually for each broker in the broker list when you configure the failover connection URL on the client side. Alternatively, import the certificates of all brokers in the cluster into a single truststore under different aliases and select the certificate to use on failover by its alias.
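As an added example (not from the original page or from WSO2), the following Java code takes the second approach: it loads the shared client truststore, verifies that every broker node's certificate alias is present before any connection is attempted, and then assembles a failover connection URL that selects the certificate per node with ssl_cert_alias. The cluster host names, the aliases mb1 and mb2, and the store locations are assumptions; the failover='roundrobin' option and the ';'-separated broker list follow the Qpid-style connection URL conventions of the client library rather than anything shown on this page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Builds a failover connection URL for a broker cluster whose node certificates have all been
 * imported into one client truststore under distinct aliases, after checking that each alias exists.
 */
public class FailoverSslUrl {

    /** One cluster node and the truststore alias under which its certificate was imported. */
    static final class BrokerNode {
        final String host;
        final int sslPort;
        final String certAlias;

        BrokerNode(String host, int sslPort, String certAlias) {
            this.host = host;
            this.sslPort = sslPort;
            this.certAlias = certAlias;
        }
    }

    /** Returns the aliases of nodes whose certificate is NOT a trusted entry in the truststore. */
    static List<String> missingAliases(String trustStorePath, char[] trustStorePassword,
                                       List<BrokerNode> nodes) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePassword);
        }
        List<String> missing = new ArrayList<>();
        for (BrokerNode node : nodes) {
            if (!ts.containsAlias(node.certAlias) || !ts.isCertificateEntry(node.certAlias)) {
                missing.add(node.certAlias);
            }
        }
        return missing;
    }

    /** One broker-list entry: the SSL options for a single node, selecting its certificate by alias. */
    static String brokerEntry(BrokerNode node, String trustStore, String trustStorePassword,
                              String keyStore, String keyStorePassword) {
        return "tcp://" + node.host + ":" + node.sslPort + "?ssl='true'"
                + "&ssl_cert_alias='" + node.certAlias + "'"
                + "&trust_store='" + trustStore + "'&trust_store_password='" + trustStorePassword + "'"
                + "&key_store='" + keyStore + "'&key_store_password='" + keyStorePassword + "'";
    }

    /** Joins the per-node entries with ';' and requests round-robin failover between them. */
    static String failoverUrl(String user, String password, List<BrokerNode> nodes,
                              String trustStore, String trustStorePassword,
                              String keyStore, String keyStorePassword) {
        StringBuilder brokerList = new StringBuilder();
        for (BrokerNode node : nodes) {
            if (brokerList.length() > 0) {
                brokerList.append(';');
            }
            brokerList.append(brokerEntry(node, trustStore, trustStorePassword, keyStore, keyStorePassword));
        }
        return "amqp://" + user + ":" + password + "@carbon/carbon?failover='roundrobin'&brokerlist='"
                + brokerList + "'";
    }

    public static void main(String[] args) throws Exception {
        // Assumed cluster layout and store locations; not from the original page.
        String securityDir = System.getenv().getOrDefault("EI_HOME", "/opt/wso2ei")
                + "/repository/resources/security";
        String trustStore = securityDir + "/client-truststore.jks";
        String keyStore = securityDir + "/wso2carbon.jks";
        List<BrokerNode> cluster = Arrays.asList(
                new BrokerNode("mb1.example.internal", 8672, "mb1"),
                new BrokerNode("mb2.example.internal", 8672, "mb2"));

        List<String> missing = missingAliases(trustStore, "wso2carbon".toCharArray(), cluster);
        if (!missing.isEmpty()) {
            // Fail at startup rather than with a handshake error in the middle of a failover.
            throw new IllegalStateException("truststore lacks broker certificate aliases: " + missing);
        }
        System.out.println(failoverUrl("admin", "admin", cluster, trustStore, "wso2carbon",
                keyStore, "wso2carbon"));
    }
}
```

Because brokerEntry takes the store paths and passwords as parameters, the same builder also covers the first approach in the text: call it with a different truststore and keystore for each node when the nodes' certificates are kept in separate stores.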