Posted to users@activemq.apache.org by Brian Reinhold <br...@lampreynetworks.com> on 2013/11/22 18:11:55 UTC

How to configure embedded SSL broker using just Java code

This question was asked a while ago and the answers involved links and APIs
that no longer exist. I am unable to find any documentation to figure out
what classes correspond to what xml options, and if one is able to guess at
the classes, how to link them to the broker.

In the binary distributions an embedded example is given. It uses the Broker
class and not the BrokerService (as shown in the ActiveMQ FAQ). However, in
the context of an Apollo distribution, using the BrokerService as shown in
the ActiveMQ FAQ fails due to missing administrative classes.

In the example of the distribution, the Broker.setConfig(BrokerDTO) method
is used. 

The main method creates the embedded broker as follows:

        System.out.println("Starting the Broker.");
        broker = new Broker();
        broker.setConfig(createBrokerConfig());
        broker.start(new Runnable()
                    {
                        public void run()
                        {
                            System.out.println("The broker has now started.");
                        }
                    });

calling the createBrokerConfig method which creates the BrokerDTO object:

    private static BrokerDTO createBrokerConfig()
    {
        BrokerDTO broker = new BrokerDTO();

        // Brokers support multiple virtual hosts.
        VirtualHostDTO host = new VirtualHostDTO();
        host.id = "localhost";
        host.host_names.add("localhost");
        host.host_names.add("127.0.0.1");

        // The message store is configured on the virtual host.
        LevelDBStoreDTO store = new LevelDBStoreDTO();
        store.directory = new File("./data");
        host.store = store;

        broker.virtual_hosts.add(host);

        //
        // Control which ports and protocols the broker binds and accepts
        AcceptingConnectorDTO connector = new AcceptingConnectorDTO();
        connector.id = "tcp";
        connector.bind = mqttServerUrl;

        broker.connectors.add(connector);

        //
        // Fires up the web admin console on HTTP.
        WebAdminDTO webadmin = new WebAdminDTO();
        webadmin.bind = "http://127.0.0.1:61680";
        broker.web_admins.add(webadmin);

        return broker;
    }

This simple code does create an unsecure broker.

I cannot for the life of me figure out how to place SSL configuration
information into the broker. I see this class:

        // From http://activemq.apache.org/apollo/documentation/api/apollo-dto/index.html
        SslDTO sslDto = new SslDTO();
        sslDto.client_auth = "NEED";
        sslDto.version = "TLSv1";

but I have no idea how to link it to the BrokerDTO object. What I then
really need to do is to link the javax SslContextFactory to the
configuration info. But I have no idea how to do that.

I see some older posts that used the BrokerService class which used to have
an SslBrokerContext that could use the SslContextFactory but that class no
longer exists.

Though there is oodles of xml configuration information, there is almost no
documentation of information on using code to control/configure the embedded
option. Would really appreciate some help here!

Thanks,

Brian








--
View this message in context: http://activemq.2283324.n4.nabble.com/How-to-configure-embedded-SSL-broker-using-just-Java-code-tp4674768.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: How to configure embedded SSL broker using just Java code

Posted by Brian Reinhold <br...@lampreynetworks.com>.
Okay. Submitted here

APLO-341 - SSL server configuration does not support separate truststore




Re: How to configure embedded SSL broker using just Java code

Posted by Christian Posta <ch...@gmail.com>.
Can you open a JIRA for Apollo for this?

On Fri, Nov 22, 2013 at 5:42 PM, Brian Reinhold
<br...@lampreynetworks.com> wrote:
> It looks like I cannot specify a separate truststore for the server when I
> require client authentication. It appears that I need to put the client
> certificate in the same keystore as the server's private key.
>
> It would be nice to be able to separate the two as the private key is
> typically something one wants to keep locked up tight as a drum whereas the
> truststore one might want to interactively add certificates of clients one
> trusts.



-- 
Christian Posta
http://www.christianposta.com/blog
twitter: @christianposta

Re: How to configure embedded SSL broker using just Java code

Posted by Brian Reinhold <br...@lampreynetworks.com>.
It looks like I cannot specify a separate truststore for the server when I
require client authentication. It appears that I need to put the client
certificate in the same keystore as the server's private key.

It would be nice to be able to separate the two as the private key is
typically something one wants to keep locked up tight as a drum whereas the
truststore one might want to interactively add certificates of clients one
trusts.




Re: How to configure embedded SSL broker using just Java code

Posted by Brian Reinhold <br...@lampreynetworks.com>.
I have something in code which demonstrates how to construct the embedded
broker and it is working. However I am still not sure how to address it
(vm://ip address?). How would I commit this as a demo?




Re: How to configure embedded SSL broker using just Java code

Posted by Christian Posta <ch...@gmail.com>.
Yah, awesome! We love contributions.

On Fri, Nov 22, 2013 at 11:32 AM, Brian Reinhold
<br...@lampreynetworks.com> wrote:
> Okay but I have actually already started down that path (using the *DTO
> classes). I just couldn't see how they were linked to the brokerDTO. But I
> guess many of them are nested and that is why. (Unfortunately I tried the
> SslDTO first which is nested so I didn't see the connection.) So I guess the
> hard part is figuring out the nested links.
>
> After looking at the KeyStorageDTO I see it has a lot of good SSL config
> info in it and it is linked to the BrokerDTO by the 'key_storage' field.
> This one is easy since it is not nested. (Wish I had started with this one
> since the connection to the Broker is obvious!) The SslDTO object must be
> used in one of the fields of the *DTO objects used in BrokerDTO.
>
> So I suppose the way to proceed is to look at all the fields I can set in
> the BrokerDTO object. Then look at all the objects that /these/ fields take
> and within these objects the fields they take etc., and eventually I should
> cover all the *DTO objects and see all possible configurations.
>
> I think I would like to contribute an example explaining that and
> demonstrating it (once I get it working). It's not particularly obvious but
> once you get a knack for the approach, it's pretty easy.
>
> Thanks for the confirmation!



-- 
Christian Posta
http://www.christianposta.com/blog
twitter: @christianposta

Re: How to configure embedded SSL broker using just Java code

Posted by Brian Reinhold <br...@lampreynetworks.com>.
Okay but I have actually already started down that path (using the *DTO
classes). I just couldn't see how they were linked to the brokerDTO. But I
guess many of them are nested and that is why. (Unfortunately I tried the
SslDTO first which is nested so I didn't see the connection.) So I guess the
hard part is figuring out the nested links. 

After looking at the KeyStorageDTO I see it has a lot of good SSL config
info in it and it is linked to the BrokerDTO by the 'key_storage' field.
This one is easy since it is not nested. (Wish I had started with this one
since the connection to the Broker is obvious!) The SslDTO object must be
used in one of the fields of the *DTO objects used in BrokerDTO.

So I suppose the way to proceed is to look at all the fields I can set in
the BrokerDTO object. Then look at all the objects that /these/ fields take
and within these objects the fields they take etc., and eventually I should
cover all the *DTO objects and see all possible configurations. 

I think I would like to contribute an example explaining that and
demonstrating it (once I get it working). It's not particularly obvious but
once you get a knack for the approach, it's pretty easy.

Thanks for the confirmation!




Re: How to configure embedded SSL broker using just Java code

Posted by Christian Posta <ch...@gmail.com>.
Apollo API != ActiveMQ 5.x API.

To create an embedded broker with ActiveMQ 5.x with SSL take a look at this:
https://github.com/apache/activemq/blob/trunk/activemq-amqp/src/test/java/org/apache/activemq/transport/amqp/AMQ4563Test.java#createBroker(...)


To create an embedded broker with Apollo with SSL use the BrokerDTO
object to set configuration options. Then
do:

val broker = new Broker
broker.config = brokerDto
ServiceControl.start(broker, "apollo-broker")

or could use a specific apollo.xml file and load it up like this:
val broker = BrokerFactory.createBroker("xml:classpath:path/to/apollo.xml")

The DTO objects required for the config allow you to set ssl
keystore/truststore properties.
Take a look at the API:
http://activemq.apache.org/apollo/documentation/api/apollo-dto/index.html

also check the apollo docs for ssl config:
http://activemq.apache.org/apollo/documentation/user-manual.html#The_SSL_TLS_Transport

On Fri, Nov 22, 2013 at 10:11 AM, Brian Reinhold
<br...@lampreynetworks.com> wrote:
> This question was asked a while ago and the answers involved links and APIs
> that no longer exist. I am unable to find any documentation to figure out
> what classes correspond to what xml options, and if one is able to guess at
> the classes, how to link them to the broker.
>
> In the binary distributions an embedded example is given. It uses the Broker
> class and not the BrokerService (as shown in the ActiveMQ FAQ). However, in
> the context of an Apollo distribution, using the BrokerService as shown in
> the ActiveMQ FAQ fails due to missing administrative classes.
>
> In the example of the distribution, the Broker.setConfig(BrokerDTO) method
> is used.
>
> The main method creates the embedded broker as follows:
>
>         System.out.println("Starting the Broker.");
>         broker = new Broker();
>         broker.setConfig(createBrokerConfig());
>         broker.start(new Runnable()
>                     {
>                         public void run()
>                         {
>                             System.out.println("The broker has now started.");
>                         }
>                     });
>
> calling the createBrokerConfig method which creates the BrokerDTO object:
>
>     private static BrokerDTO createBrokerConfig()
>     {
>         BrokerDTO broker = new BrokerDTO();
>
>         // Brokers support multiple virtual hosts.
>         VirtualHostDTO host = new VirtualHostDTO();
>         host.id = "localhost";
>         host.host_names.add("localhost");
>         host.host_names.add("127.0.0.1");
>
>         // The message store is configured on the virtual host.
>         LevelDBStoreDTO store = new LevelDBStoreDTO();
>         store.directory = new File("./data");
>         host.store = store;
>
>         broker.virtual_hosts.add(host);
>
>         //
>         // Control which ports and protocols the broker binds and accepts
>         AcceptingConnectorDTO connector = new AcceptingConnectorDTO();
>         connector.id = "tcp";
>         connector.bind = mqttServerUrl;
>
>         broker.connectors.add(connector);
>
>         //
>         // Fires up the web admin console on HTTP.
>         WebAdminDTO webadmin = new WebAdminDTO();
>         webadmin.bind = "http://127.0.0.1:61680";
>         broker.web_admins.add(webadmin);
>
>         return broker;
>     }
>
> This simple code does create an unsecure broker.
>
> I cannot for the life of me figure out how to place SSL configuration
> information into the broker. I see this class:
>
>         // From http://activemq.apache.org/apollo/documentation/api/apollo-dto/index.html
>         SslDTO sslDto = new SslDTO();
>         sslDto.client_auth = "NEED";
>         sslDto.version = "TLSv1";
>
> but I have no idea how to link it to the BrokerDTO object. What I then
> really need to do is to link the javax SslContextFactory to the
> configuration info. But I have no idea how to do that.
>
> I see some older posts that used the BrokerService class which used to have
> an SslBrokerContext that could use the SslContextFactory but that class no
> longer exists.
>
> Though there is oodles of xml configuration information, there is almost no
> documentation of information on using code to control/configure the embedded
> option. Would really appreciate some help here!
>
> Thanks,
>
> Brian



-- 
Christian Posta
http://www.christianposta.com/blog
twitter: @christianposta
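
Added example (not part of the thread and not Apollo project code): one way the DTO wiring discussed above can fit together for a TLS connector that requires client certificates. The KeyStorageDTO field names (file, password, key_password), the connector's protocols list as the place where SslDTO nests, the tls:// bind scheme and port, the keystore path and the environment variable names are assumptions to check against the apollo-dto API docs.

```java
import java.io.File;
import org.apache.activemq.apollo.broker.Broker;
import org.apache.activemq.apollo.dto.*;

public class EmbeddedTlsBroker {
    static BrokerDTO createTlsBrokerConfig(String storePass, String keyPass) {
        BrokerDTO broker = new BrokerDTO();

        VirtualHostDTO host = new VirtualHostDTO();
        host.id = "localhost";
        host.host_names.add("localhost");
        broker.virtual_hosts.add(host);

        // Key material hangs directly off the broker via the key_storage field.
        // Per the thread (APLO-341) there is no separate server truststore, so
        // trusted client certificates have to be imported into this same file.
        KeyStorageDTO keys = new KeyStorageDTO();
        keys.file = new File("./etc/keystore.jks");   // hypothetical path
        keys.password = storePass;                    // assumed field name
        keys.key_password = keyPass;                  // assumed field name
        broker.key_storage = keys;

        // SslDTO is nested: assumed here to be a ProtocolDTO that belongs in
        // the connector's protocols list.
        SslDTO ssl = new SslDTO();
        ssl.client_auth = "NEED";    // reject clients that present no certificate
        ssl.version = "TLSv1.2";     // thread used "TLSv1"; assumed JSSE protocol name

        AcceptingConnectorDTO connector = new AcceptingConnectorDTO();
        connector.id = "tls";
        connector.bind = "tls://0.0.0.0:61614";   // assumed scheme and port
        connector.protocols.add(ssl);
        broker.connectors.add(connector);
        return broker;
    }

    public static void main(String[] args) {
        // Hypothetical variable names; keeps passwords out of source control.
        String storePass = System.getenv("APOLLO_KEYSTORE_PASSWORD");
        String keyPass = System.getenv("APOLLO_KEY_PASSWORD");
        if (storePass == null || keyPass == null) {
            throw new IllegalStateException("keystore passwords not set");
        }
        Broker broker = new Broker();
        broker.setConfig(createTlsBrokerConfig(storePass, keyPass));
        broker.start(new Runnable() {
            public void run() { System.out.println("TLS broker started."); }
        });
    }
}
```

Because the keystore holds both the server's private key and the trusted client certificates in this setup, restrict write access to the file and treat every certificate import as a change to the private key store.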