Connecting WildFly to a remote Artemis MQ broker using SSL

In a previous article we covered how to connect WildFly to a remote ArtemisMQ server with no encryption of data. Let's see how we can secure the communication between WildFly and Artemis MQ.

Configuring SSL on Artemis MQ

We will first configure SSL on the broker side. Within the broker.xml configuration file we need to secure the acceptor used for the communication. We start by creating a keystore and a truststore: the keystore is used on the broker side, the truststore by the client, which in our case is WildFly:

$ keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 -validity 365 -keystore server.keystore -dname "cn=Server Administrator,o=Acme,c=GB" -keypass secret -storepass secret

$ keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 -keystore client.keystore -dname "CN=client" -keypass secret -storepass secret

$ keytool -exportcert  -keystore server.keystore -alias localhost -keypass secret -storepass secret -file server.crt
 
$ keytool -exportcert  -keystore client.keystore -alias client -keypass secret -storepass secret -file client.crt

$ keytool -importcert -keystore server.truststore -storepass secret -alias client -trustcacerts -file client.crt -noprompt
 
$ keytool -importcert -keystore client.truststore -storepass secret -alias localhost -trustcacerts -file server.crt -noprompt

In our case we don't need all of the above files, just:

  • server.keystore for ArtemisMQ
  • client.truststore for WildFly

Let's add a reference to the path of server.keystore in our acceptor:

  <acceptor name="artemis">tcp://0.0.0.0:61616?sslEnabled=true;keyStorePath=/home/amq-broker-7.7.0/mybroker/server.keystore;keyStorePassword=secret;enabledProtocols=TLSv1.2;tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;amqpMinLargeMessageSize=102400;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;amqpDuplicateDetection=true</acceptor>

Start Artemis MQ and verify that the broker now uses SSL with a simple openssl command:

$ openssl s_client -connect localhost:61616

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 1281 bytes and written 429 bytes
Verification error: self signed certificate
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: BA7EEBF0A8101B360C2ADF9746E4AB9BF2BD9EA7F43CE64B656900EF05886007
    Session-ID-ctx: 
    Master-Key: 1AB4A17000C324FB72E5F17720717609CB67F10AF7BBC196437A8F3DEEF60A427FC82A5765EE4D2046B18823BC2CBFD8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1624781386
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes

Configuring WildFly Remote Connector to use SSL

On the WildFly side, we will start from the configuration we already set up in the first tutorial, which includes a remote-connector:

<subsystem xmlns="urn:jboss:domain:messaging-activemq:8.0">
    <server name="default">
        <remote-connector name="remote-artemis" socket-binding="remote-artemis"/>
        <pooled-connection-factory name="remote-artemis" entries="java:/RemoteJmsXA java:jboss/RemoteJmsXA" connectors="remote-artemis" ha="false" user="admin" password="admin" min-pool-size="15" max-pool-size="30" statistics-enabled="true">
            <inbound-config rebalance-connections="true" setup-attempts="-1" setup-interval="5000"/>
        </pooled-connection-factory>
    </server>
</subsystem>

The remote-connector points to a socket-binding which contains the address and port of the remote AMQ server:

<outbound-socket-binding name="remote-artemis">
    <remote-destination host="127.0.0.1" port="61616"/>
</outbound-socket-binding>

We need to add SSL configuration to the remote-connector element:

    <remote-connector name="remote-artemis" socket-binding="remote-artemis">
        <param name="ssl-enabled" value="true"/>
        <param name="trust-store-password" value="secret"/>
        <param name="trust-store-path" value="/home/wildfly/standalone/configuration/client.truststore"/>
    </remote-connector>

In the above example, we have copied the file client.truststore into the configuration folder of WildFly. Adjust the path to the actual location of the file.

To achieve the above configuration, you can execute the following CLI command:

/subsystem=messaging-activemq/remote-connector=remote-artemis:write-attribute(name=params,value={ssl-enabled=true,trust-store-password=secret,trust-store-path=/home/wildfly/standalone/configuration/client.truststore})

Now start Artemis MQ, then start WildFly and start sending messages to check the connectivity.
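Before sending messages, it is worth checking that the truststore copied to WildFly really holds the certificate the broker presents on the SSL acceptor, and that the acceptor negotiates TLSv1.2 as configured. The following script is an added example, not part of the original article; it assumes the file names, the "localhost" alias and the "secret" password from the keytool commands above, and that keytool and openssl are on PATH.

```shell
#!/bin/sh
# Added example (not from the original article): sanity checks for the SSL
# acceptor before wiring WildFly to it. Assumed names: client.truststore,
# alias "localhost", store password "secret", broker on localhost:61616.
BROKER_HOST=${BROKER_HOST:-localhost}
BROKER_PORT=${BROKER_PORT:-61616}
TRUSTSTORE=${TRUSTSTORE:-client.truststore}
STOREPASS=${STOREPASS:-secret}
ALIAS=${ALIAS:-localhost}

# "SHA256 Fingerprint=AB:CD:..." -> "abcd..." (lowercase hex, no colons)
normalize_fingerprint() {
  sed -n 's/^.*[Ff]ingerprint=//p' | tr -d ':' | tr 'A-F' 'a-f'
}

# Fingerprint of the broker certificate WildFly will trust (from the truststore)
truststore_fingerprint() {
  keytool -exportcert -rfc -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
    -alias "$ALIAS" | openssl x509 -noout -sha256 -fingerprint | normalize_fingerprint
}

# Fingerprint of the certificate the broker actually presents on the acceptor
broker_fingerprint() {
  openssl s_client -connect "$BROKER_HOST:$BROKER_PORT" -tls1_2 </dev/null 2>/dev/null \
    | openssl x509 -noout -sha256 -fingerprint | normalize_fingerprint
}

# Fails if the truststore does not hold the exact certificate the broker serves,
# i.e. the WildFly remote-connector would reject the handshake.
check_broker_matches_truststore() {
  expected=$(truststore_fingerprint); actual=$(broker_fingerprint)
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Reads "openssl s_client" output (as shown in the article) on stdin; succeeds
# only when TLSv1.2 was negotiated and the verify code is 0 (trusted) or
# 18 (self-signed leaf, the expected result with the keystore generated above).
handshake_ok() {
  awk '/^ *Protocol *:/ { proto = $NF }
       /Verify return code:/ { code = $4 }
       END { if (proto == "TLSv1.2" && (code == "0" || code == "18")) exit 0; exit 1 }'
}

if [ "${RUN_CHECKS:-0}" = 1 ]; then
  openssl s_client -connect "$BROKER_HOST:$BROKER_PORT" </dev/null 2>/dev/null | handshake_ok \
    && echo "handshake: TLSv1.2 negotiated" || echo "handshake: unexpected protocol or verify code"
  check_broker_matches_truststore && echo "truststore matches broker certificate" \
    || echo "MISMATCH: broker certificate is not the one in $TRUSTSTORE"
fi
```

Run it with RUN_CHECKS=1 against the running broker; with the self-signed keystore generated above, verify code 18 is expected, so the fingerprint comparison is the check that actually confirms WildFly is trusting the right certificate.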

That's it! We have just covered how to connect WildFly to a remote Artemis MQ server using SSL.
