Enabling SSL Support
The Message Broker profile of WSO2 Enterprise Integrator (WSO2 EI) allows you to send/receive messages via secured connections using the SSL/TLS protocol. The following instructions describe how you can configure the broker profile and JMS clients to communicate via encrypted connections using SSL.
Enabling SSL in the broker
To enable SSL on the server side, change the following entries in the <EI_HOME>/wso2/broker/conf/broker.xml file under the relevant transport (AMQP or MQTT). See Configuring Transports for WSO2 MB for more information on the available transports.
The parameters in the above configuration are as follows.
Parameter | Description
---|---
SSL Connection | This contains the basic configurations relating to the SSL connection. Setting the enabled="true" attribute ensures that SSL is enabled by default when the broker is started. The port="8672" attribute sets 8672 as the default SSL listener port for messages/commands sent via the relevant transport. |
Location | The location where the keystore used for securing SSL connections is stored. By default, this is the default keystore ( Note that this should always be a keystore created for the super tenant. Find out more about setting up keystores for your broker. |
Password | The password of the keystore. |
Certification Type | The type of SSL certificate used for the keystore/truststore. SunX509 is the standard name of the algorithm used by the key managers. This value should be changed accordingly if the system is running on a different JVM. For example, IbmX509 for the IBM JVM. |
SSL-Enabled Protocols | The SSL protocols that are supported. |
Ciphers | Define how the content is encrypted. |
Configuring JMS Clients to use SSL
SSL parameters are configured and passed to the broker as broker options in the TCPConnectionURL defined by the client. Set the 'ssl=true' property in the URL and specify the keystore and client trust store paths and passwords. Use the connectionUrl format shown below to pass the SSL parameters:
String connectionURL = "amqp://<USERNAME>:<PASSWORD>@carbon/carbon?brokerlist='tcp://<IP>:<SSL_PORT>?ssl='true'&ssl_cert_alias='<CERTIFICATE_ALIAS_IN_TRUSTSTORE>'&trust_store='<PATH_TO_TRUST_STORE>'&trust_store_password='<TRUSTSTORE_PASSWORD>'&key_store='<PATH_TO_KEY_STORE>'&key_store_password='<KEYSTORE_PASSWORD>''";
Setting the 'ssl_cert_alias' property is optional; use it to specify which certificate the broker should use when the trust store contains multiple entries.
Example: Consider that you have the Integrator runtime of WSO2 EI as the JMS client. Shown below is an example connectionUrl using the default keystores and trust stores in the Integrator:
String connectionUrl = "amqp://admin:admin@carbon/carbon?brokerlist='tcp://localhost:8672?ssl='true'&ssl_cert_alias='RootCA'&trust_store='{ESB_HOME}/repository/resources/security/client-truststore.jks'&trust_store_password='wso2carbon'&key_store='{ESB_HOME}/repository/resources/security/wso2carbon.jks'&key_store_password='wso2carbon''";
When you configure the Integrator runtime to communicate with the broker using SSL, the SSL URL should be configured in the jndi.properties file for the Integrator (stored in the <EI_HOME>/conf directory). Go to this link for detailed instructions on how the Integrator runtime works with the Message Broker runtime in WSO2 EI.
Configuring JMS Clients for Failover with SSL
If you have configured an EI Message Broker cluster, for example, you might need to configure failover. If those broker nodes have different certificates in place, you can specify a client trust store and a keystore individually for each broker in the broker list when configuring the failover connection URL on the client side. Alternatively, you can import the certificates of all brokers in the cluster into a single trust store under different certificate aliases and select the certificate to use when failing over by its alias.
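The following Java client is an added example and is not code from the WSO2 EI documentation or product. It serves both the single-broker SSL URL section above and this failover section: it assembles the per-broker SSL options in the format the page shows, composes a failover broker list in which each node carries its own certificate alias and stores, verifies that each store can be opened with its password and that the expected alias is present before any connection is attempted, and then opens a JMS connection through the Andes JNDI context factory. The host names, file paths, environment variable names, queue name and the failover='roundrobin'/cyclecount options are assumptions for illustration; check them against your client version.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Properties;
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.naming.Context;
import javax.naming.InitialContext;

/** Added example (not WSO2 code): SSL and failover connection URLs for the EI broker. */
public class SslJmsClient {

    /** One broker entry in the shape shown on the page: tcp://host:port?ssl='true'&... */
    static String brokerEntry(String host, int sslPort, String certAlias,
                              String trustStore, String trustStorePassword,
                              String keyStore, String keyStorePassword) {
        return "tcp://" + host + ":" + sslPort
                + "?ssl='true'"
                + "&ssl_cert_alias='" + certAlias + "'"
                + "&trust_store='" + trustStore + "'"
                + "&trust_store_password='" + trustStorePassword + "'"
                + "&key_store='" + keyStore + "'"
                + "&key_store_password='" + keyStorePassword + "'";
    }

    /** Single-broker URL, same layout as the connectionUrl example on the page. */
    static String connectionUrl(String user, String password, String entry) {
        return "amqp://" + user + ":" + password + "@carbon/carbon?brokerlist='" + entry + "'";
    }

    /**
     * Failover URL: several entries separated by ';' inside one brokerlist, each with its
     * own alias and stores. failover='roundrobin' and cyclecount are assumed Andes client
     * options; confirm them for your client version.
     */
    static String failoverUrl(String user, String password, String... entries) {
        return "amqp://" + user + ":" + password + "@carbon/carbon"
                + "?failover='roundrobin'&cyclecount='2'"
                + "&brokerlist='" + String.join(";", entries) + "'";
    }

    /** Fail early: open the JKS with the given password and confirm the alias exists. */
    static void checkStore(String path, String password, String requiredAlias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray()); // a wrong password fails here, not at connect time
        }
        if (requiredAlias != null && !ks.containsAlias(requiredAlias)) {
            throw new IllegalStateException("alias '" + requiredAlias + "' not found in " + path);
        }
    }

    /** Read a secret from the environment so it never sits in source or build output. */
    static String requireEnv(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) throw new IllegalStateException("missing env var " + name);
        return v;
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths (Integrator default store locations under an assumed install dir).
        String trustStore = "/opt/wso2ei/repository/resources/security/client-truststore.jks";
        String keyStore   = "/opt/wso2ei/repository/resources/security/wso2carbon.jks";
        String tsPass = requireEnv("MB_TRUSTSTORE_PASSWORD");
        String ksPass = requireEnv("MB_KEYSTORE_PASSWORD");
        String user   = requireEnv("MB_USER");
        String pass   = requireEnv("MB_PASSWORD");

        // Each cluster node has its own cert imported under its own alias (assumed aliases).
        checkStore(trustStore, tsPass, "mb-node1");
        checkStore(trustStore, tsPass, "mb-node2");
        checkStore(keyStore, ksPass, null);

        String url = failoverUrl(user, pass,
                brokerEntry("mb-node1.example.internal", 8672, "mb-node1", trustStore, tsPass, keyStore, ksPass),
                brokerEntry("mb-node2.example.internal", 8672, "mb-node2", trustStore, tsPass, keyStore, ksPass));
        // For a single broker use connectionUrl(user, pass, brokerEntry(...)) instead.

        Properties props = new Properties();
        props.put(Context.INITIAL_CONTEXT_FACTORY, "org.wso2.andes.jndi.PropertiesFileInitialContextFactory");
        props.put("connectionfactory.QueueConnectionFactory", url);
        props.put("queue.MyQueue", "MyQueue"); // assumed queue name

        Context ctx = new InitialContext(props);
        ConnectionFactory cf = (ConnectionFactory) ctx.lookup("QueueConnectionFactory");
        Connection conn = cf.createConnection();
        try {
            conn.start();
            // create a session and consumer on ctx.lookup("MyQueue") as usual
        } finally {
            conn.close();
        }
    }
}
```

Note that the broker options carry the keystore and trust store passwords in cleartext inside the URL string, so the URL itself is a secret: keep it out of source control, log output and exception messages, and when it lives in jndi.properties, restrict that file's permissions as you would the keystores.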