SSL for Apache ActiveMQ on AWS EC2 instance

0
votes

I have a Java application configured with some self signed certificates that communicates with ActiveMQ version 5.13.0 over SSL/TLS version 1.2. The relevant self signed certificates reside in their respective keystores and truststores. This connection over TLS works just fine on my local Windows machine, clients without the proper certificates are unable to communicate with the broker and clients with the proper certificates can.

However, this does not work when the same code and keystores are used on an AWS EC2 instance. I have the same version of ActiveMQ installed there and am using the very same keystores and truststores on the broker and client side. Clients without any certificates configured are able to connect to the broker and communicate.

I would like to understand if SSL/TLS for ActiveMQ must be configured differently on a Linux machine or if there is something else that I am missing.

Snippets from the activemq.xml file that enable activemq to use SSL/TLS:

<managementContext>
    <managementContext createConnector="false"/>
</managementContext>

<sslContext> 
    <sslContext keyStore="file:${activemq.base}/conf/broker.ks"
      keyStorePassword="changeit" trustStore="file:${activemq.base}/conf/broker.ts"
      trustStorePassword="changeit"/> 
</sslContext>

<transportConnectors>
    <!-- DOS protection, limit concurrent connections to 1000 and frame size to 100MB -->
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxInactivityDuration=300000&amp;wireFormat.maxFrameSize=104857600&amp;jms.messagePrioritySupported=false"/>
    <transportConnector name ="ssl" uri="ssl://0.0.0.0:61714?transport.enabledProtocols=TLSv1.2"/>
    <transportConnector name="amqp" uri="amqp://0.0.0.0:5672?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="stomp" uri="stomp://0.0.0.0:61613?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="mqtt" uri="mqtt://0.0.0.0:1883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="ws" uri="ws://0.0.0.0:61614?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
</transportConnectors>
1
amazon-web-servicessslactivemq
Are the clients different between the two environments? - Justin Bertram
They're the same, there's one Java client, and one IoT device running C. Figured out what the issue (well, not exactly an issue) is. I'll post the answer for the same. - ShreyasJavahar

1 Answers

0
votes

Answering my own query. I handle the Java client and that client connects to port 61714 that is designated for SSL. The folks dealing with the IoT device side told me that these devices default to port 1883 for MQTT connections and port 8883 for secure MQTT connections. This can be configured by adding the below line to the transport connectors :

<transportConnector name="mqtt+ssl" uri="mqtt+ssl://0.0.0.0:8883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>

The device has some constraints due to which it cannot connect to an SSL port and publish MQTT messages. The Java client on the other hand has no issues connecting to the SSL port and publishing and consuming MQTT messages, so adding the above line resolved this. If needed, one could comment out the transport connector for port 1883 so that no clients without the needed certificates are able to connect to the MQTT broker.