This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Skip to end of metadata
  • Created by Former user, last modified by Former user on Nov 03, 2015
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 10 Current »

WSO2 Message Broker provides support to send/receive messages via secured connections using the SSL/TLS protocol. The following instructions describe how to configure the MB server and JMS clients to communicate via encrypted connections using SSL.

Enabling SSL in the broker

To enable SSL in the server side, change the following entries in the <MB_HOME>/repository/conf/broker.xml file under the relevant transport:

<sslConnection enabled="true" port="8672">
    <keyStore>
         <location>repository/resources/security/wso2carbon.jks</location>
         <password>wso2carbon</password>

The parameters in the above configuration are as follows.

ParameterDescription
SSL ConnectionThis contains the basic configurations relating to the SSL connection. Setting the

enabled="true" attribute ensures that SSL is enabled by default when the MB server is started. The

port="8672" attribute sets 8672 as the default SSL listener port for messages/command sent via the relevant transport.

Location

The location where the keystore used for securing SSL connections is stored. By default this is the default keystore (wso2carbon.jks) that is shipped with WSO2 MB.

Note that this should always be a keystore created for the super tenant. Find out more about setting up keystores for your MB server.

PasswordThe password of the keystore.

Configuring JMS Clients to use SSL

SSL parameters are configured and sent to the broker as broker options in the TCPConnectionURL defined by the client. You need to set the 'ssl=true' property in the url and specify the keystore and client trust store paths and passwords. Use the connection url format shown below to pass the SSL parameters:

String connectionURL = "amqp://<USERNAME>:<PASSWORD>@carbon/carbon?brokerlist='tcp://<IP>:<SSL_POR T>?ssl='true'&ssl_cert_alias='<CERTIFICATE_ALIAS_IN_TRUSTSTORE>'&trust_store=' <PATH_TO_TRUST_STORE>'&trust_store_password='<TRUSTSTORE_PASSWORD>'& key_store='<PATH_TO_KEY_STORE>'&key_store_password='<KEYSTORE_PASSWOR D>''";

Setting the 'ssl_cert_alias' property is not mandatory and can be used as an optional way to specify which certificate the broker should use if the truststore contains multiple entries. Shown below is an example connection url using default keystores and trust stores in WSO2 carbon products:

 

String connectionUrl = "amqp://admin:admin@carbon/carbon?brokerlist='tcp://localhost:8672?ssl='true'&ssl_cert_alias='RootCA'&trust_store='{MB_HOME}/repository/resources/security/client-truststore.jks'&trust_store_password='wso2carbon'&key_store='{MB_HOME}/repository/resources/security/wso2carbon.jks'&key_store_password='wso2carbon''";

Before executing the client program, replace {MB_HOME} with the actual path where MB node is located.

Configuring JMS Clients for Failover with SSL

For example, if you have configured a WSO2 Message Broker cluster, you might need to configure failover. If those broker nodes have different certs in place, when configuring a failover connection url at the client side, you can individually specify a client trust store and a keystore for each broker in the broker list. Or else, you can import the certs of all brokers in the cluster to a single trust store with different cert aliases and differentiate the cert to use when failing over by the alias. 

Configure WSO2 ESB to communicate with WSO2 MB with SSL

To configure WSO2 ESB to communicate with MB with SSL, configure the SSL url above in the <ESB_HOME>/repository/conf/jndi.properties file.

  • No labels