Posted to users@activemq.apache.org by "Ellis, Tim" <Ti...@emergint.com> on 2012/08/10 14:34:50 UTC

SSL authentication and security assistance

Emergint has been using ActiveMQ for a number of years now in our health care consulting efforts. We have been greatly pleased with its stability and performance, particularly version 4.1.2. We are planning to move some capabilities from a locally-hosted environment to "the cloud" where we need some additional data transport protection beyond what we have currently employed. We are testing the SSL transport with "needClientAuth=true" and an associated trust store on each end of the allowed connection points; we need to ensure that only trusted clients will have access to the queues. So far, we are unable to break the desired protection scheme - only trusted clients are able to produce or consume messages to the AMQ broker. We are utilizing the configuration steps specified here, http://activemq.apache.org/how-do-i-use-ssl.html , and we are not using any custom plug-ins in the broker associated with the SSL transport.

We have configured a broker on a public address in our DMZ for additional testing. If anyone is willing and able, please attempt to post messages to any queue or pull the remaining text message (generated by the example producer client) from queue FOO.BAR from the following URL:

    ssl://69.2.201.51:61617

All attempts to produce or consume data should fail; if anyone is able to succeed, please boast accordingly - I will also be monitoring the log file daily.  I will be glad to post testing results or additional configuration items that members may desire in order to assist others who may need this sort of configuration.  Thanks in advance for any assistance.

Timothy W. Ellis, M.S.
Sr Systems Architect / Software Engineering Mgr
emergint®
Louisville, KY 40202
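
An added example, not part of the original post: a self-check an operator can run against their own broker to confirm that a listener configured with "needClientAuth=true" turns away a client that presents no certificate. The function name `probe_client_auth` and the `localhost` target are hypothetical, and the "accepted" verdict assumes the broker sends its wire-format greeting first once a connection is allowed.

```python
import socket
import ssl


def probe_client_auth(host, port, timeout=5.0):
    """Connect WITHOUT a client certificate and report what the listener did.

    Returns "unreachable", "rejected", "accepted" or "inconclusive".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only the server's client-auth policy is under test, so the server's own
    # certificate is deliberately not validated. Never do this in a real client.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw) as tls:
            # Under TLS 1.3 the client side of the handshake can finish before
            # the server has checked the (missing) certificate; the refusal
            # then surfaces on the first read, so a completed handshake alone
            # proves nothing.
            data = tls.recv(64)
    except socket.timeout:
        # Nothing came back in time: no proof either way.
        return "inconclusive"
    except OSError:
        # Covers ssl.SSLError (fatal alert, unexpected EOF) and TCP resets.
        return "rejected"
    finally:
        raw.close()  # no-op once wrap_socket has taken over the descriptor
    # Application bytes arriving on a certificate-less session mean the
    # listener let us in; a clean close with no data is not proof of either.
    return "accepted" if data else "inconclusive"


if __name__ == "__main__":
    # Assumed target: a broker you operate, on the SSL port used in the post.
    print(probe_client_auth("localhost", 61617))
```

A result of "accepted" means client authentication is not being enforced on that listener; "rejected" is the expected outcome for the setup described above.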


Re: SSL authentication and security assistance

Posted by Dejan Bosanac <de...@nighttale.net>.
Hi Timothy,

I'm really glad that you're pleased with ActiveMQ. I would love to
read a blog post on your setup and test results.


Regards
-- 
Dejan Bosanac
Senior Software Engineer | FuseSource Corp.
dejanb@fusesource.com | fusesource.com
skype: dejan.bosanac | twitter: @dejanb
blog: http://www.nighttale.net
ActiveMQ in Action: http://www.manning.com/snyder/


On Fri, Aug 10, 2012 at 2:34 PM, Ellis, Tim <Ti...@emergint.com> wrote:
> Emergint has been using ActiveMQ for a number of years now in our health care consulting efforts. We have been greatly pleased with its stability and performance, particularly version 4.1.2. We are planning to move some capabilities from a locally-hosted environment to "the cloud" where we need some additional data transport protection beyond what we have currently employed. We are testing the SSL transport with "needClientAuth=true" and an associated trust store on each end of the allowed connection points; we need to ensure that only trusted clients will have access to the queues. So far, we are unable to break the desired protection scheme - only trusted clients are able to produce or consume messages to the AMQ broker. We are utilizing the configuration steps specified here, http://activemq.apache.org/how-do-i-use-ssl.html , and we are not using any custom plug-ins in the broker associated with the SSL transport.
>
> We have configured a broker on a public address in our DMZ for additional testing. If anyone is willing and able, please attempt to post messages to any queue or pull the remaining text message (generated by the example producer client) from queue FOO.BAR from the following URL:
>
>     ssl://69.2.201.51:61617
>
> All attempts to produce or consume data should fail; if anyone is able to succeed, please boast accordingly - I will also be monitoring the log file daily.  I will be glad to post testing results or additional configuration items that members may desire in order to assist others who may need this sort of configuration.  Thanks in advance for any assistance.
>
> Timothy W. Ellis, M.S.
> Sr Systems Architect / Software Engineering Mgr
> emergint®
> Louisville, KY 40202
>