Posted to commits@activemq.apache.org by cl...@apache.org on 2020/10/29 19:16:56 UTC

[activemq-artemis] branch master updated: ARTEMIS-2937: use more realistic key/truststore and client+broker setup in SSL example, remove non-SSL acceptors

This is an automated email from the ASF dual-hosted git repository.

clebertsuconic pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git


The following commit(s) were added to refs/heads/master by this push:
     new 1af8be3  ARTEMIS-2937: use more realistic key/truststore and client+broker setup in SSL example, remove non-SSL acceptors
     new 99ac060  This closes #3321
1af8be3 is described below

commit 1af8be353f6072efb317a438d7f3defb93ada46c
Author: Robbie Gemmell <ro...@apache.org>
AuthorDate: Thu Oct 29 15:12:30 2020 -0400

    ARTEMIS-2937: use more realistic key/truststore and client+broker setup in SSL example, remove non-SSL acceptors
---
 .../broker-connection/amqp-sending-overssl/pom.xml |   6 ++--
 .../amqp-sending-overssl/readme.md                 |   4 ++-
 .../jms/example/BrokerConnectionSenderSSL.java     |   4 +--
 .../activemq/server0/activemq.example.keystore     | Bin 2251 -> 4415 bytes
 .../activemq/server0/activemq.example.truststore   | Bin 963 -> 1106 bytes
 .../src/main/resources/activemq/server0/broker.xml |   6 ++--
 .../activemq/server1/activemq.example.keystore     | Bin 2251 -> 4415 bytes
 .../activemq/server1/activemq.example.truststore   | Bin 963 -> 1106 bytes
 .../src/main/resources/activemq/server1/broker.xml |   4 +--
 .../amqp-sending-overssl/store-generation.txt      |  40 +++++++++++++++++++++
 10 files changed, 53 insertions(+), 11 deletions(-)

diff --git a/examples/features/broker-connection/amqp-sending-overssl/pom.xml b/examples/features/broker-connection/amqp-sending-overssl/pom.xml
index 6b0d644..fe74775 100644
--- a/examples/features/broker-connection/amqp-sending-overssl/pom.xml
+++ b/examples/features/broker-connection/amqp-sending-overssl/pom.xml
@@ -86,7 +86,7 @@ under the License.
                      <ignore>${noServer}</ignore>
                      <spawn>true</spawn>
                      <location>${basedir}/target/server1</location>
-                     <testURI>tcp://localhost:5771</testURI>
+                     <testURI>tcp://localhost:5771?sslEnabled=true;trustStorePath=target/server1/etc/activemq.example.truststore;trustStorePassword=activemqexample</testURI>
                      <args>
                         <param>run</param>
                      </args>
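Review bot: The new testURI enables SSL and supplies a truststore but, unlike the `amqp-connection` URI in server0/broker.xml in this same commit, does not set `verifyHost=true`, so the plugin's liveness check may accept any certificate chained to the example CA if the core client's default leaves hostname verification off (the explicit setting in broker.xml suggests it does). The broker certificate is issued for CN=localhost per store-generation.txt, so appending `;verifyHost=true` to the URI should work unchanged. The server0 testURI in the next hunk has the same gap.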
@@ -102,7 +102,7 @@ under the License.
                      <spawn>true</spawn>
                      <ignore>${noServer}</ignore>
                      <location>${basedir}/target/server0</location>
-                     <testURI>tcp://localhost:5671</testURI>
+                     <testURI>tcp://localhost:5671?sslEnabled=true;trustStorePath=target/server0/etc/activemq.example.truststore;trustStorePassword=activemqexample</testURI>
                      <args>
                         <param>run</param>
                      </args>
@@ -162,4 +162,4 @@ under the License.
          </plugin>
       </plugins>
    </build>
-</project>
\ No newline at end of file
+</project>
diff --git a/examples/features/broker-connection/amqp-sending-overssl/readme.md b/examples/features/broker-connection/amqp-sending-overssl/readme.md
index 322ccd3..851a3ff 100644
--- a/examples/features/broker-connection/amqp-sending-overssl/readme.md
+++ b/examples/features/broker-connection/amqp-sending-overssl/readme.md
@@ -6,4 +6,6 @@ This example demonstrates how you can create a broker connection from one broker
  
 You basically configured the broker connection on broker.xml and this example will give you two working servers where you send messages in one broker and receive it on another broker.
  
-The Broker connection on this example is configured to use SSL. The client connections here are using regular connections.
+The connection between the two brokers as well as the client connections are all configured to use SSL.
+
+The keystore and trustores used in the example were generated with store-generation.txt
diff --git a/examples/features/broker-connection/amqp-sending-overssl/src/main/java/org/apache/activemq/artemis/jms/example/BrokerConnectionSenderSSL.java b/examples/features/broker-connection/amqp-sending-overssl/src/main/java/org/apache/activemq/artemis/jms/example/BrokerConnectionSenderSSL.java
index f7145ae..841b075 100644
--- a/examples/features/broker-connection/amqp-sending-overssl/src/main/java/org/apache/activemq/artemis/jms/example/BrokerConnectionSenderSSL.java
+++ b/examples/features/broker-connection/amqp-sending-overssl/src/main/java/org/apache/activemq/artemis/jms/example/BrokerConnectionSenderSSL.java
@@ -35,7 +35,7 @@ public class BrokerConnectionSenderSSL {
 
    public static void main(final String[] args) throws Exception {
       Connection connectionOnServer0 = null;
-      ConnectionFactory connectionFactoryServer0 = new JmsConnectionFactory("amqps://localhost:5672?transport.trustStoreLocation=target/server0/etc/activemq.example.truststore&transport.trustStorePassword=activemqexample&transport.verifyHost=false");
+      ConnectionFactory connectionFactoryServer0 = new JmsConnectionFactory("amqps://localhost:5671?transport.trustStoreLocation=target/server0/etc/activemq.example.truststore&transport.trustStorePassword=activemqexample");
 
       // Step 1. Create a connection on server0, and send a few messages
       try {
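Review bot: The two factory URIs (the changed line here and the one in the next hunk) repeat the truststore path and password inline and differ only in the port and server directory; hoisting the shared pieces into `private static final String` constants such as `TRUST_STORE_PASSWORD` would make the one real difference visible and keep the password in a single place. Dropping `transport.verifyHost=false` works only because the regenerated broker certificate is issued for CN=localhost, which matches the host in the URI; a comment above the factory saying so, e.g. `// hostname verification stays on: the example broker cert is issued for localhost (see store-generation.txt)`, would help anyone adapting the example to another host. main() continues outside the hunk.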
@@ -58,7 +58,7 @@ public class BrokerConnectionSenderSSL {
       // Step 2. create a connection on server1, and receive a few messages.
       //          the sender on the broker conneciton will take care of the transfer.
       Connection connectionOnServer1 = null;
-      ConnectionFactory connectionFactoryServer1 = new JmsConnectionFactory("amqps://localhost:5772?transport.trustStoreLocation=target/server1/etc/activemq.example.truststore&transport.trustStorePassword=activemqexample&transport.verifyHost=false");
+      ConnectionFactory connectionFactoryServer1 = new JmsConnectionFactory("amqps://localhost:5771?transport.trustStoreLocation=target/server1/etc/activemq.example.truststore&transport.trustStorePassword=activemqexample");
 
       try {
          connectionOnServer1 = connectionFactoryServer1.createConnection();
diff --git a/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server0/activemq.example.keystore b/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server0/activemq.example.keystore
index 4ed2413..291a34a 100644
Binary files a/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server0/activemq.example.keystore and b/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server0/activemq.example.keystore differ
diff --git a/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server0/activemq.example.truststore b/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server0/activemq.example.truststore
index 45ab086..07d359c 100644
Binary files a/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server0/activemq.example.truststore and b/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server0/activemq.example.truststore differ
diff --git a/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server0/broker.xml b/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server0/broker.xml
index 1864291..0274cb3 100644
--- a/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server0/broker.xml
+++ b/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server0/broker.xml
@@ -31,12 +31,12 @@ under the License.
       <!-- Acceptors -->
       <acceptors>
          <!-- keystores will be found automatically if they are on the classpath -->
-         <acceptor name="artemis">tcp://0.0.0.0:5671?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;amqpMinLargeMessageSize=102400;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;amqpDuplicateDetection=true</acceptor>
-         <acceptor name="netty-ssl-acceptor">tcp://localhost:5672?sslEnabled=true;keyStorePath=activemq.example.keystore;keyStorePassword=activemqexample;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE</acceptor>
+         <!-- The CORE protocol only used for artemis-maven-plugin verifying the server is up for example to start -->
+         <acceptor name="netty-ssl-acceptor">tcp://localhost:5671?sslEnabled=true;keyStorePath=activemq.example.keystore;keyStorePassword=activemqexample;protocols=AMQP,CORE</acceptor>
       </acceptors>
 
       <broker-connections>
-         <amqp-connection uri="tcp://localhost:5772?sslEnabled=true;trustStorePath=activemq.example.truststore;trustStorePassword=activemqexample" name="otherSSL" retry-interval="1000">
+         <amqp-connection uri="tcp://localhost:5771?sslEnabled=true;verifyHost=true;trustStorePath=activemq.example.truststore;trustStorePassword=activemqexample" name="otherBrokerSSL" retry-interval="1000">
             <sender address-match="#"/>
          </amqp-connection>
       </broker-connections>
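Review bot: The new comment above the acceptor, `The CORE protocol only used for artemis-maven-plugin verifying the server is up for example to start`, is hard to parse; suggest `<!-- CORE is enabled only so the artemis-maven-plugin can verify the server is up before the example starts; clients use AMQP -->`. The same comment is added in server1/broker.xml. The `amqp-connection` now sets `verifyHost=true`, which is correct only while the broker certificate is issued for CN=localhost as in store-generation.txt; stating that dependency in the comment would stop someone changing the host without regenerating the stores.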
diff --git a/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server1/activemq.example.keystore b/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server1/activemq.example.keystore
index 4ed2413..291a34a 100644
Binary files a/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server1/activemq.example.keystore and b/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server1/activemq.example.keystore differ
diff --git a/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server1/activemq.example.truststore b/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server1/activemq.example.truststore
index 45ab086..07d359c 100644
Binary files a/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server1/activemq.example.truststore and b/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server1/activemq.example.truststore differ
diff --git a/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server1/broker.xml b/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server1/broker.xml
index 6a5611f..8f9fe5f 100644
--- a/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server1/broker.xml
+++ b/examples/features/broker-connection/amqp-sending-overssl/src/main/resources/activemq/server1/broker.xml
@@ -31,8 +31,8 @@ under the License.
       <!-- Acceptors -->
       <acceptors>
          <!-- keystores will be found automatically if they are on the classpath -->
-         <acceptor name="artemis">tcp://0.0.0.0:5771?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;amqpMinLargeMessageSize=102400;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;amqpDuplicateDetection=true</acceptor>
-         <acceptor name="netty-ssl-acceptor">tcp://localhost:5772?sslEnabled=true;keyStorePath=activemq.example.keystore;keyStorePassword=activemqexample;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE</acceptor>
+         <!-- The CORE protocol only used for artemis-maven-plugin verifying the server is up for example to start -->
+         <acceptor name="netty-ssl-acceptor">tcp://localhost:5771?sslEnabled=true;keyStorePath=activemq.example.keystore;keyStorePassword=activemqexample;protocols=AMQP,CORE</acceptor>
       </acceptors>
 
       <!-- Other config -->
diff --git a/examples/features/broker-connection/amqp-sending-overssl/store-generation.txt b/examples/features/broker-connection/amqp-sending-overssl/store-generation.txt
new file mode 100644
index 0000000..2a23958
--- /dev/null
+++ b/examples/features/broker-connection/amqp-sending-overssl/store-generation.txt
@@ -0,0 +1,40 @@
+# The various SSL stores and certificates were created with the following commands:
+# This can be run as a script by sourcing the file, e.g ". store-generation.txt"
+
+
+# Clean up any existing files
+# ---------------------------
+rm -f *.crt *.csr *.keystore *.truststore
+rm -f src/main/resources/activemq/server0/*.keystore src/main/resources/activemq/server0/*.truststore
+rm -f src/main/resources/activemq/server1/*.keystore src/main/resources/activemq/server1/*.truststore
+
+# Create a key and self-signed certificate for the CA, to sign certificate requests and use for trust:
+# ----------------------------------------------------------------------------------------------------
+keytool -storetype pkcs12 -keystore ca-pkcs12.keystore -storepass activemqexample -keypass activemqexample -alias ca -genkey -keyalg "RSA" -keysize 2048 -dname "O=My Trusted Example Inc.,CN=my-example-ca.org" -validity 9999 -ext bc:c=ca:true
+keytool -storetype pkcs12 -keystore ca-pkcs12.keystore -storepass activemqexample -alias ca -exportcert -rfc > ca.crt
+
+# Create a key pair, and sign it with the CA:
+# -------------------------------------------
+keytool -storetype pkcs12 -keystore activemq.example.keystore -storepass activemqexample -keypass activemqexample -alias broker -genkey -keyalg "RSA" -keysize 2048 -dname "O=Server,CN=localhost" -validity 9999 -ext bc=ca:false -ext eku=sA
+
+keytool -storetype pkcs12 -keystore activemq.example.keystore -storepass activemqexample -alias broker -certreq -file broker.csr
+keytool -storetype pkcs12 -keystore ca-pkcs12.keystore -storepass activemqexample -alias ca -gencert -rfc -infile broker.csr -outfile broker.crt -validity 9999 -ext bc=ca:false -ext eku=sA
+
+keytool -storetype pkcs12 -keystore activemq.example.keystore -storepass activemqexample -keypass activemqexample -importcert -alias ca -file ca.crt -noprompt
+keytool -storetype pkcs12 -keystore activemq.example.keystore -storepass activemqexample -keypass activemqexample -importcert -alias broker -file broker.crt
+
+# Create trust store, import the CA cert:
+# -------------------------------------------------------
+keytool -storetype pkcs12 -keystore activemq.example.truststore -storepass activemqexample -keypass activemqexample -importcert -alias ca -file ca.crt -noprompt
+keytool -importkeystore -srckeystore activemq.example.truststore -destkeystore broker-jceks.truststore -srcstoretype pkcs12 -deststoretype jceks -srcstorepass activemqexample -deststorepass activemqexample
+keytool -importkeystore -srckeystore activemq.example.truststore -destkeystore broker-jks.truststore -srcstoretype pkcs12 -deststoretype jks -srcstorepass activemqexample -deststorepass activemqexample
+
+# Copy the stores into place
+cp activemq.example.truststore src/main/resources/activemq/server1/
+cp activemq.example.keystore src/main/resources/activemq/server1/
+
+cp activemq.example.truststore src/main/resources/activemq/server0/
+cp activemq.example.keystore src/main/resources/activemq/server0/
+
+# Clean up tmp files
+rm -f *.crt *.csr *.keystore *.truststore
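Review bot: The JCEKS and JKS truststores produced by the two `keytool -importkeystore` lines are never copied into place and are deleted by the final `rm -f`, so those two commands are dead work; either drop them or copy them alongside the PKCS12 store. Because the file is meant to be sourced, each `rm -f *.crt *.csr *.keystore *.truststore` runs in whatever directory the shell happens to be in, so the header comment should say to run it from the example directory (the relative `src/main/resources/...` paths assume that anyway). The broker certificate carries only `CN=localhost` with no subject alternative name; adding `-ext san=dns:localhost` to the broker `-genkey` and the CA `-gencert` commands would keep hostname verification working on TLS stacks that no longer fall back to the CN. The CA key is discarded by the final cleanup, which is fine for an example but means issuing a new broker certificate requires regenerating everything.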