
Enabling SSL Support

WSO2 Message Broker provides support to send/receive messages via secured connections using the SSL/TLS protocol. The following instructions describe how to configure the MB server and JMS clients to communicate via encrypted connections using SSL.

The current Carbon implementation does not support tenant-specific keystores for creating SSL connections; even a child tenant has to use the super tenant's keystores. Tenant keystores are written to the registry and are used for purposes such as WS-Security.

Only the default Carbon keystore can be used to create an SSL connection between the MB server and clients. In addition, keystores uploaded using the Admin console UI (Home > Configure > Keystores) cannot be used to make SSL connections between the server and client.

To change the default Carbon keystore:

1. Replace the wso2carbon.jks file with a new keystore.
2. Change the configuration details in the carbon.xml and andes-config.xml files accordingly.

Enabling SSL in the broker

To enable SSL on the server side, change the following entries in the <MB_HOME>/repository/conf/advanced/andes-config.xml file:

<!-- To enable SSL edit the keystorePath and keystorePassword and set enabled to true.
To disable Non-SSL port set sslOnly to true -->
<ssl>
    <enabled>true</enabled>
    <sslOnly>false</sslOnly>
    <keystorePath>repository/resources/security/wso2carbon.jks</keystorePath>
    <keystorePassword>wso2carbon</keystorePassword>
</ssl>

<enabled>: This value is set to 'true' as SSL is enabled by default in WSO2 MB. If you set this to 'false', the broker will start using only the non-SSL port.

<sslOnly>: Determines whether or not to allow connections to be made to the broker only via the secured port. If set to 'true', the non-SSL port is disabled.

<keystorePath>: Add the path to the keystore here.

<keystorePassword>: Specify the password to access the keystore.
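An added example (not part of the original WSO2 documentation): a small Python check that reads the <ssl> block described above and reports settings that leave the non-SSL port open or keep the keystore password shown on this page. The <connector> wrapper element, the sample documents, the hardened path and password, and the function name audit_ssl are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the <ssl> block from this page, wrapped in a
# hypothetical <connector> root so that it parses as a stand-alone document.
TEMPLATE = """<connector><ssl>
  <enabled>{enabled}</enabled>
  <sslOnly>{ssl_only}</sslOnly>
  <keystorePath>{path}</keystorePath>
  <keystorePassword>{password}</keystorePassword>
</ssl></connector>"""

AS_SHOWN = TEMPLATE.format(
    enabled="true", ssl_only="false",
    path="repository/resources/security/wso2carbon.jks",
    password="wso2carbon")
HARDENED = TEMPLATE.format(          # constructed values, not WSO2 defaults
    enabled="true", ssl_only="true",
    path="repository/resources/security/example-broker.jks",
    password="example-Passw0rd")

PAGE_PASSWORD = "wso2carbon"  # password this page shows for wso2carbon.jks


def audit_ssl(xml_text):
    """Return a list of findings for the <ssl> block of andes-config.xml."""
    root = ET.fromstring(xml_text)
    ssl = root if root.tag == "ssl" else root.find(".//ssl")
    if ssl is None:
        return ["no <ssl> element found"]

    def val(tag):
        return (ssl.findtext(tag) or "").strip()

    findings = []
    if val("enabled").lower() != "true":
        findings.append("SSL disabled: broker uses only the non-SSL port")
    elif val("sslOnly").lower() != "true":
        findings.append("sslOnly is not true: the non-SSL port is still open")
    if not val("keystorePath"):
        findings.append("keystorePath is empty")
    if val("keystorePassword") == PAGE_PASSWORD:
        findings.append("keystorePassword is the default 'wso2carbon'")
    return findings


if __name__ == "__main__":
    for name, doc in (("as shown", AS_SHOWN), ("hardened", HARDENED)):
        print(name, "->", audit_ssl(doc) or "no findings")
```

To check a real installation, pass the contents of <MB_HOME>/repository/conf/advanced/andes-config.xml to audit_ssl instead of the constructed samples.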

Configuring JMS Clients to use SSL

SSL parameters are configured and sent to the broker as broker options in the TCPConnectionURL defined by the client. You need to set the 'ssl=true' property in the URL and specify the keystore and client trust store paths and passwords. Use the connection URL format shown below to pass the SSL parameters:

String connectionURL = "amqp://<USERNAME>:<PASSWORD>@carbon/carbon?brokerlist='tcp://<IP>:<SSL_PORT>?ssl='true'&ssl_cert_alias='<CERTIFICATE_ALIAS_IN_TRUSTSTORE>'&trust_store='<PATH_TO_TRUST_STORE>'&trust_store_password='<TRUSTSTORE_PASSWORD>'&key_store='<PATH_TO_KEY_STORE>'&key_store_password='<KEYSTORE_PASSWORD>''";

Setting the 'ssl_cert_alias' property is not mandatory; it is an optional way to specify which certificate the broker should use if the truststore contains multiple entries. Shown below is an example connection URL using the default keystores and trust stores in WSO2 Carbon products:

 

String conUrl = "amqp://admin:admin@carbon/carbon?brokerlist='tcp://localhost:8672?ssl='true'&ssl_cert_alias='RootCA'&trust_store='MB_HOME/repository/resources/security/client-truststore.jks'&trust_store_password='wso2carbon'&key_store='MB_HOME/repository/resources/security/wso2carbon.jks'&key_store_password='wso2carbon''";

Configuring JMS Clients for Failover with SSL

For example, if you have configured a WSO2 Message Broker cluster, you might need to configure failover. If the broker nodes have different certificates in place, you can specify a separate client trust store and keystore for each broker in the broker list when configuring the failover connection URL on the client side. Alternatively, you can import the certificates of all brokers in the cluster into a single trust store under different certificate aliases and use the alias to select the certificate when failing over.

Configure WSO2 ESB to communicate with WSO2 MB with SSL

To configure WSO2 ESB to communicate with MB over SSL, specify the SSL connection URL described above in the <ESB_HOME>/repository/conf/jndi.properties file.
