
SSL for Apache ActiveMQ on AWS EC2 instance

I have a Java application configured with some self-signed certificates that communicates with ActiveMQ version 5.13.0 over SSL/TLS version 1.2. The relevant self-signed certificates reside in their respective keystores and truststores. This connection over TLS works just fine on my local Windows machine: clients without the proper certificates are unable to communicate with the broker, and clients with the proper certificates can.

However, this does not work when the same code and keystores are used on an AWS EC2 instance. I have the same version of ActiveMQ installed there and am using the very same keystores and truststores on the broker and client side. Clients without any certificates configured are able to connect to the broker and communicate.

I would like to understand if SSL/TLS for ActiveMQ must be configured differently on a Linux machine or if there is something else that I am missing.

Snippets from the activemq.xml file that enable ActiveMQ to use SSL/TLS:

<managementContext>
    <managementContext createConnector="false"/>
</managementContext>

<sslContext>
    <sslContext keyStore="file:${activemq.base}/conf/broker.ks"
      keyStorePassword="changeit" trustStore="file:${activemq.base}/conf/broker.ts"
      trustStorePassword="changeit"/>
</sslContext>

<transportConnectors>
    <!-- DOS protection, limit concurrent connections to 1000 and frame size to 100MB -->
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxInactivityDuration=300000&amp;wireFormat.maxFrameSize=104857600&amp;jms.messagePrioritySupported=false"/>
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61714?transport.enabledProtocols=TLSv1.2"/>
    <transportConnector name="amqp" uri="amqp://0.0.0.0:5672?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="stomp" uri="stomp://0.0.0.0:61613?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="mqtt" uri="mqtt://0.0.0.0:1883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="ws" uri="ws://0.0.0.0:61614?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
</transportConnectors>

Answering my own query. I handle the Java client, and that client connects to port 61714, which is designated for SSL. The folks dealing with the IoT device side told me that these devices default to port 1883 for MQTT connections and port 8883 for secure MQTT connections. This can be configured by adding the line below to the transport connectors:

<transportConnector name="mqtt+ssl" uri="mqtt+ssl://0.0.0.0:8883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>

The device has some constraints due to which it cannot connect to an SSL port and publish MQTT messages. The Java client, on the other hand, has no issues connecting to the SSL port and publishing and consuming MQTT messages, so adding the above line resolved this. If needed, one could comment out the transport connector for port 1883 so that no clients without the needed certificates are able to connect to the MQTT broker.
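The answer above adds an MQTT-over-TLS listener but still lets the broker accept any TLS client, because none of the connectors ask for a client certificate. As an added example (not part of the original question or answer), the fragment below shows the configuration a defender would want in this situation: the plaintext `mqtt` connector on 1883 is commented out as the answer suggests, and both TLS connectors set ActiveMQ's `needClientAuth` transport option so that a client must present a certificate that chains to `broker.ts`, which is what the question expected on Windows. The keystore paths and passwords are the ones from the question; `transport.needClientAuth` is a documented ActiveMQ SSL transport option, and the `transport.` prefix matches the `transport.enabledProtocols` usage already on the page.

```xml
<!-- Added example: mutual-TLS hardening of the connectors discussed above.
     Store paths and passwords are copied from the question; replace them
     with your own before use. -->
<sslContext>
    <sslContext keyStore="file:${activemq.base}/conf/broker.ks"
      keyStorePassword="changeit"
      trustStore="file:${activemq.base}/conf/broker.ts"
      trustStorePassword="changeit"/>
</sslContext>

<transportConnectors>
    <!-- OpenWire clients (the Java application) must present a certificate
         trusted by broker.ts; TLS 1.2 only, as in the original connector. -->
    <transportConnector name="ssl"
      uri="ssl://0.0.0.0:61714?transport.enabledProtocols=TLSv1.2&amp;transport.needClientAuth=true"/>

    <!-- Plaintext MQTT listener disabled: with it enabled, any client on the
         network can connect without a certificate, which is the behaviour
         observed on the EC2 instance. -->
    <!-- <transportConnector name="mqtt" uri="mqtt://0.0.0.0:1883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/> -->

    <!-- MQTT over TLS on the standard secure port; the same client-certificate
         requirement applies here. -->
    <transportConnector name="mqtt+ssl"
      uri="mqtt+ssl://0.0.0.0:8883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600&amp;transport.enabledProtocols=TLSv1.2&amp;transport.needClientAuth=true"/>
</transportConnectors>
```

With `needClientAuth` set, a client that has no keystore (or a certificate that does not chain to `broker.ts`) is rejected during the TLS handshake and never reaches the MQTT or OpenWire connect stage, so the difference between the Windows and EC2 setups becomes visible immediately rather than depending on which port a client happens to pick. The device described in the answer, which cannot do TLS at all, would then need a separate, network-restricted path rather than an open 1883 listener.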
