ActiveMQ SSL activation

Time:02-01

I have an MQTT broker with ActiveMQ on an Ubuntu server with Windows clients. Now I want to enable SSL. I found the tutorial, but I have a question.

This step 1 I do on the MQTT broker (ActiveMQ):

Step 1 Create a certificate for the broker with keytool:

keytool -genkey -alias broker -keyalg RSA -keystore broker.ks

Step 2 export the broker's certificate so it can be shared with clients: This action is on the MQTT broker server. The certificate will be installed on the Windows client.

keytool -export -alias broker -keystore broker.ks -file broker_cert

Step 3 (see below) Create a certificate/keystore for the client: Do I need this step? Where do I perform this step? On the client or on the MQTT broker server? But there are Windows clients.

keytool -genkey -alias client -keyalg RSA -keystore client.ks

*Step 4. Do I need this step? Where do I perform this step? On the client or on the MQTT broker server? But there are Windows clients.

Create a truststore for the client, and import the broker's certificate. This will ensure that the client "trusts" the broker:*

keytool -import -alias broker -keystore client.ts -file broker_cert

What do I have to do now to make the broker and the Windows client use the certificate?

CodePudding user response:

The instructions cover both the broker-side and client-side.

The broker hosts the self-signed SSL certificate to hand out on SSL connections, and the client needs the key in a 'truststore' to allow the key from the broker, since it is self-signed and not from one of the public SSL key signers that are already provided by most OSes and dev stacks.

Keep in mind: SSL encrypts the traffic, but also maintains 'who to trust'. Just because some server hands out an SSL key doesn't mean the client should simply encrypt and start passing data to that server.

EDIT: Some config samples

At minimum:

<broker ..
  .. 
  <sslContext>
    <sslContext keyStore="broker1-keystore.ks"
                keyStorePassword="password"/>
  </sslContext>
  ..
</broker>

Advanced ref: https://activemq.apache.org/ssl-transport-reference
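The four keytool steps from the question and the broker-side config from the answer above, scripted as an added example that is not part of the original post or of the ActiveMQ project. Assumptions: a JDK `keytool` is on PATH on the Ubuntu broker host, the host name `mqtt.example.test` and password `changeit` are placeholders, and the broker does one-way TLS (no `needClientAuth`), so the Windows clients only ever receive `broker_cert` and the truststore built from it, never `broker.ks`. Step 3 (`client.ks`) is therefore omitted; the `entry_type` check at the end is what tells you whether a file is safe to copy to a client.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the ActiveMQ project): the
# keytool steps from the question, scripted with the checks a practitioner
# wants. Assumptions: keytool from a JDK is on PATH; the host name
# "mqtt.example.test" and password "changeit" are placeholders; the broker
# does one-way TLS (needClientAuth not set), so clients need only client.ts.
set -eu

# Step 1 (broker host): private key + self-signed certificate in broker.ks.
# CN and SAN must match the host name clients connect to, or hostname
# verification on the client fails. -storetype JKS matches ActiveMQ's
# default keyStoreType="jks".
make_broker_keystore() {
    host=$1; pass=$2
    keytool -genkeypair -alias broker -keyalg RSA -keysize 2048 -validity 365 \
        -storetype JKS -keystore broker.ks -storepass "$pass" -keypass "$pass" \
        -dname "CN=$host" -ext "SAN=dns:$host"
}

# Step 2 (broker host): export ONLY the certificate (public key + signature).
# broker_cert is the file that gets copied to the Windows clients;
# broker.ks, which holds the private key, stays on the broker.
export_broker_cert() {
    pass=$1
    keytool -exportcert -alias broker -storetype JKS -keystore broker.ks \
        -storepass "$pass" -file broker_cert
}

# Step 4 (built on the client, or built here and copied over): a truststore
# containing the broker certificate so the client "trusts" the broker.
# Step 3 (client.ks) is skipped: a client keystore is only needed when the
# broker demands a client certificate (mutual TLS).
make_client_truststore() {
    pass=$1
    keytool -importcert -alias broker -storetype JKS -keystore client.ts \
        -storepass "$pass" -file broker_cert -noprompt
}

# Report the entry type keytool stores under an alias: "PrivateKeyEntry"
# for a keystore, "trustedCertEntry" for a truststore. A file destined for
# a client whose broker alias is a PrivateKeyEntry means the private key
# is about to leave the broker; never copy such a file to a client.
entry_type() {
    store=$1; alias=$2; pass=$3
    keytool -list -storetype JKS -keystore "$store" -storepass "$pass" \
        -alias "$alias" 2>/dev/null \
        | grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

main() {
    host=$1; pass=${2:-changeit}
    make_broker_keystore "$host" "$pass"
    export_broker_cert "$pass"
    make_client_truststore "$pass"
    echo "broker.ks  broker entry: $(entry_type broker.ks broker "$pass")"
    echo "client.ts  broker entry: $(entry_type client.ts broker "$pass")"
    # Broker side, in activemq.xml (same elements as the answer's sample;
    # mqtt+ssl is ActiveMQ's TLS variant of the MQTT transport):
    #   <sslContext><sslContext keyStore="broker.ks" keyStorePassword="$pass"/></sslContext>
    #   <transportConnector name="mqtt+ssl" uri="mqtt+ssl://0.0.0.0:8883"/>
    # Client side: connect to ssl://$host:8883 using client.ts (or the
    # imported broker_cert in the Windows CA store) as the trust anchor.
}

# Usage: ./mqtt-tls-keys.sh mqtt.example.test changeit
if [ $# -ge 1 ]; then main "$@"; fi
```

Run it once on the broker host, keep `broker.ks` there with restrictive permissions, and ship only `broker_cert` (or the `client.ts` built from it) to the Windows machines; the `entry_type` output makes the difference between the two files visible before anything is copied.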

CodePudding user response:

@Pavlovich just a question, what do you mean with

the client needs the key in a 'truststore'

Do I need to import the broker private key to the client? So far I have only installed the broker certificate on the client (Windows CA store). Thx
