
Manually configure ActiveMQ

Docker is the preferred way of running ActiveMQ, but if you need to do it manually, here's how. This was valid at the end of 2019. If you are reading this in the future, it may no longer be valid.

Table of contents

  1. ActiveMQ Server
  2. ActiveMQ Client
    1. Environment
    2. JNDI Properties

ActiveMQ is built in Java, so it requires keystores and truststores in JKS format.

Documentation on configuring ActiveMQ over TLS is quite sparse, and it is not easy to determine what is required. This is mostly because you need to configure a listener URL in ActiveMQ and a connection URL in the client software. These appear similar but do not share configuration options, and it is not always clear which options go in which URL.

Ultimately the configuration is quite simple, as explained below:

ActiveMQ Server

Edit ${AMQ_HOME}/conf/activemq.xml with the additional sslContext and transportConnector options:

<!--
    The sslContext can be used to configure broker-specific SSL properties.
    For more information, see:
    http://activemq.apache.org/how-do-i-use-ssl.html
-->
<sslContext>
    <sslContext
        keyStore="file:/opt/tls/mq/mq.keystore.jks"
        keyStorePassword="stellirin"
        trustStore="file:/opt/tls/mq/mq.truststore.jks"
        trustStorePassword="stellirin"/>
</sslContext>
 
<!--
    The transport connectors expose ActiveMQ over a given protocol to
    clients and other brokers. For more information, see:
    http://activemq.apache.org/configuring-transports.html
-->
<transportConnectors>
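    <!-- DoS protection: limit concurrent connections to 1000 and frame size to 100MB -->
    <!-- Plain TCP listener (no TLS); clients that must use TLS connect to the "ssl" connector below -->
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <!-- TLS listener restricted to a single cipher suite; that suite uses RSA key exchange (no forward secrecy) and CBC mode -->
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61617?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600&amp;transport.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256"/>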
</transportConnectors>
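
A quick way to review a broker file like the one above is to parse it and list what each listener actually exposes. The script below is an added example, not part of the original page or of ActiveMQ; the function names, the shortened sample document, the TLS-scheme heuristic and the treatment of `${...}` values as externalised placeholders are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed sample that mirrors the broker settings shown above.
SAMPLE = """<broker xmlns="http://activemq.apache.org/schema/core">
  <sslContext>
    <sslContext keyStore="file:/opt/tls/mq/mq.keystore.jks" keyStorePassword="stellirin"
                trustStore="file:/opt/tls/mq/mq.truststore.jks" trustStorePassword="stellirin"/>
  </sslContext>
  <transportConnectors>
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61617?maximumConnections=1000&amp;transport.enabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256"/>
  </transportConnectors>
</broker>"""


def is_tls(scheme):
    # Heuristic (assumption): ssl, nio+ssl, stomp+ssl, ... plus wss/https count as TLS.
    return "ssl" in scheme.split("+") or scheme in ("wss", "https")


def audit(xml_text):
    """Return (component, finding) tuples for an activemq.xml document."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any
        if tag == "sslContext":
            for attr in ("keyStorePassword", "trustStorePassword"):
                value = el.get(attr, "")
                # "${...}" is treated as a property placeholder, i.e. not a literal.
                if value and not value.startswith("${"):
                    findings.append(("sslContext", f"{attr} stored as a literal"))
        elif tag == "transportConnector":
            name = el.get("name", "?")
            uri = urlsplit(el.get("uri", ""))
            if not is_tls(uri.scheme):
                findings.append((name, f"plaintext listener on {uri.netloc}"))
                continue
            opts = parse_qs(uri.query)
            suites = opts.get("transport.enabledCipherSuites", [""])[0].split(",")
            for suite in filter(None, suites):
                if suite.startswith("TLS_RSA_"):
                    findings.append((name, f"{suite}: RSA key exchange, no forward secrecy"))
                if "_CBC_" in suite:
                    findings.append((name, f"{suite}: CBC mode, prefer an AEAD (GCM) suite"))
    return findings


if __name__ == "__main__":
    for component, finding in audit(SAMPLE):
        print(f"{component}: {finding}")
```
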

ActiveMQ Client

The client software needs a truststore that contains the ActiveMQ public certificate.

Environment

One way to add the truststore to your client software is through Java properties:

-Djavax.net.ssl.trustStore=/path/to/mq.truststore.jks
-Djavax.net.ssl.trustStorePassword=stellirin

JNDI Properties

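The connection to ActiveMQ can be configured through JNDI properties:

java.naming.factory.initial = org.apache.activemq.jndi.ActiveMQSslInitialContextFactory
# ssl:// selects the TLS transport (the broker's "ssl" connector).
# socket.verifyHostName=false turns off hostname verification of the broker certificate.
java.naming.provider.url = ssl://${HOST}:${PORT}?socket.verifyHostName=false
connectionFactoryNames = connectionFactory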

Queues can be dynamic, such as dynamicQueues/${UUIDv4}, or statically defined in JNDI.