
I'm creating a C# program which is sending messages with ActiveMQ like this:

using Apache.NMS;
using Apache.NMS.ActiveMQ;
using Apache.NMS.ActiveMQ.Commands;

// Plain tcp transport: nothing on this connection is encrypted
IConnectionFactory factory = new ConnectionFactory("activemq:tcp://localhost:61616");
IConnection connection = factory.CreateConnection();
connection.Start();
ISession session = connection.CreateSession();
IMessageProducer producer = session.CreateProducer(new ActiveMQTopic("topic1"));
ITextMessage msg = producer.CreateTextMessage();
msg.Text = Body; // Body: the string to publish
producer.Send(msg);

How can I send the messages in a secure way using TLS/SSL with port 443? What do I need to do in the client side (also .NET) in order to receive it? Is there also a way to configure the clients to only receive such secured messages, and reject regular messages?

Justin Bertram
CodeMonkey
    Possible duplicate of [ActiveMQ Exception when trying to work with SSL](https://stackoverflow.com/questions/58201771/activemq-exception-when-trying-to-work-with-ssl) – Tim Bish Oct 02 '19 at 13:09

2 Answers

You need to configure SSL on the broker and then use a properly configured client connection using the SSL transport to connect to the broker. There is an old article here on the .NET client using SSL.

You will need to configure the client such that it will trust the certificate from the broker, either via a signing authority or by sharing the broker's public certificate with the client.

Tim Bish
  • Do I need the key and trust store? If I need it for now just for a proof of concept, is there a way to just enable security via code? – CodeMonkey Oct 02 '19 at 13:12
  • I don't have that keytool... Is it a needed step? I tried changing the URL to this one in your article: ssl://localhost:61617?transport.acceptInvalidBrokerCert=true but it didn't help – CodeMonkey Oct 02 '19 at 13:36
  • keytool comes with Java for updating keystores; I don't believe you can use it for your C# client. On the server side you need both the private key and the certificate, while on the client side you need to trust that same certificate. There are many examples around. – Eugène Adell Oct 02 '19 at 21:15

I'll try to mention all the relevant information in one place.
For one-way TLS there is almost no client-side configuration required; just update the connection string to activemq:ssl://broker.host:61617. The certification burden is on the server.

To configure your local ActiveMQ broker:

First generate a self-signed key in the server.ks keystore file:

<JAVA_HOME>\bin\keytool -genkey -alias broker -keyalg RSA -keystore <AMQ_HOME>\conf\server.ks

Then edit the config file ([AMQ Install Dir]\conf\activemq.xml).
Define the ssl context:

<broker ...>
...
  <sslContext> 
    <sslContext keyStore="file:${activemq.conf}/server.ks"
              keyStorePassword="password" /> 
  </sslContext>

Configure the ssl transport:

<transportConnectors>
    <transportConnector name="ssl" uri="ssl://localhost:61617" />
</transportConnectors>

Finally, start/restart the ActiveMQ broker.

Now you can make a connection using this connection string:
activemq:ssl://localhost:61617?transport.acceptInvalidBrokerCert=true

At this point you should have a working prototype, and should start working on real certificates.

Using self-signed certificate

If you are fine with self-signed certificates, you can export one from the broker's key store, copy it to the client's bin directory and mention it in the connection string.

export:
<JAVA_HOME>\bin\keytool -export -alias broker -keystore <AMQ_HOME>\conf\server.ks -file broker_cert

connection string:
activemq:ssl://localhost:61617?transport.BrokerCertFilename=broker_cert

Two-way TLS

to be continued ...

Community
igorushi
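Putting the client side of the answers together in .NET, as an added example that is not part of the question or either answer: a publisher and a subscriber for topic1 that both use the ssl transport on port 61617, with the pinned broker_cert file from the export step above rather than transport.acceptInvalidBrokerCert=true. The Apache.NMS / Apache.NMS.ActiveMQ packages, the class and function names and the RequireSsl check are my own choices; host name, port, topic and the two transport options come from the answers. RequireSsl only guarantees that this client's own hop to the broker is encrypted; a consumer cannot tell which transport a publisher used, so to keep plaintext messages out altogether the broker should expose only the ssl transportConnector shown above and no tcp connector.

```csharp
// Added example, not code from the question or the answers.
using System;
using System.Threading;
using Apache.NMS;
using Apache.NMS.ActiveMQ;

public static class SecureTopicClient
{
    // Builds the broker URI. "pinned" mode points the client at the broker's exported
    // public certificate (transport.BrokerCertFilename), so a broker presenting any other
    // certificate is rejected. "prototype" mode is the acceptInvalidBrokerCert=true string
    // from the answer: it disables certificate validation and must stay on a dev machine.
    public static string BuildUri(string host, int port, string brokerCertFile, bool prototype)
    {
        string options = prototype
            ? "transport.acceptInvalidBrokerCert=true"
            : "transport.BrokerCertFilename=" + brokerCertFile;
        return $"activemq:ssl://{host}:{port}?{options}";
    }

    // Refuses to start unless the transport scheme is ssl, so a misconfigured
    // activemq:tcp:// string can never silently downgrade this client to plaintext.
    public static void RequireSsl(string brokerUri)
    {
        const string prefix = "activemq:";
        string bare = brokerUri.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)
            ? brokerUri.Substring(prefix.Length)
            : brokerUri;
        var uri = new Uri(bare);
        if (!string.Equals(uri.Scheme, "ssl", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Refusing non-TLS broker URI: " + brokerUri);
    }

    public static void Main()
    {
        // broker_cert is the file exported with keytool -export in the answer above
        string brokerUri = BuildUri("localhost", 61617, "broker_cert", prototype: false);
        RequireSsl(brokerUri);

        IConnectionFactory factory = new ConnectionFactory(brokerUri);
        using (IConnection connection = factory.CreateConnection())
        // One session per thread of work: the consumer listener runs on the
        // connection's dispatch thread, the producer on this thread.
        using (ISession consumerSession = connection.CreateSession(AcknowledgementMode.AutoAcknowledge))
        using (ISession producerSession = connection.CreateSession(AcknowledgementMode.AutoAcknowledge))
        {
            // Subscribe before publishing: a topic does not retain messages for late subscribers.
            var received = new ManualResetEventSlim(false);
            using (IMessageConsumer consumer = consumerSession.CreateConsumer(consumerSession.GetTopic("topic1")))
            {
                consumer.Listener += message =>
                {
                    var text = message as ITextMessage;
                    Console.WriteLine("received over TLS: " + (text != null ? text.Text : message.ToString()));
                    received.Set();
                };
                connection.Start();

                using (IMessageProducer producer = producerSession.CreateProducer(producerSession.GetTopic("topic1")))
                {
                    producer.DeliveryMode = MsgDeliveryMode.Persistent;
                    ITextMessage msg = producerSession.CreateTextMessage("hello over ssl");
                    producer.Send(msg);
                }

                if (!received.Wait(TimeSpan.FromSeconds(5)))
                    Console.WriteLine("no message received within 5 seconds");
            }
        }
    }
}
```

Run it against a broker configured as in the answer (ssl connector on 61617, broker_cert next to the executable); switching prototype to true reproduces the first working-prototype connection string, and pointing BuildUri at a broker whose certificate differs from broker_cert should fail the TLS handshake rather than connect.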