Use embedded ActiveMQ with SSL

When you run Minions over an untrusted network, you must use SSL to ensure the integrity and authenticity of the traffic between the server and client components. To configure ActiveMQ to use SSL with a custom keystore file, configure the following parts:

Step 1: Configure an SSL context for ActiveMQ

Edit the configuration file $OPENNMS_HOME/etc/opennms-activemq.xml and add the SSL context here:

<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost" dataDirectory="${activemq.data}">
  <plugins ...

  </plugins>

  <!-- My SSL Context -->
  <sslContext>
    <sslContext keyStore="/opt/opennms/etc/my-ssl.jks" keyStorePassword="my-keystore-pass"/>
  </sslContext>
  ...

Step 2: Configure the transport connector to use SSL instead of plain text TCP

Edit the configuration file $OPENNMS_HOME/etc/opennms-activemq.xml, find the transportConnectors section and use ssl://... in the connector URI instead of tcp://.

<transportConnector name="openwire" uri="ssl://0.0.0.0:61616?useJmx=false&amp;maximumConnections=1000&amp;wireformat.maxFrameSize=104857600"/>

Step 3: Restart OpenNMS and test your SSL configuration

systemctl restart opennms

Test that the broker presents the certificate with:

echo | openssl s_client -connect my-server.example.org:61616 2>/dev/null | openssl x509 -dates -issuer

You should get the validity dates, the issuer and the certificate itself:

notBefore=Sep  3 14:05:44 2020 GMT
notAfter=Dec  2 14:05:44 2020 GMT
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
...
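Before restarting in Step 3, it helps to confirm that the edits from Steps 1 and 2 actually landed in the file. The script below is an added example, not part of this wiki post or of OpenNMS: it parses opennms-activemq.xml, checks that an inner sslContext bean with a keyStore and keyStorePassword exists, that the keystore path is present on the host, and that no transportConnector still uses tcp://. The SAMPLE_XML it falls back to is a constructed fragment mirroring the snippets above, and the path_exists parameter is a hypothetical hook so the check can run without the real keystore.

```python
"""Audit $OPENNMS_HOME/etc/opennms-activemq.xml for the SSL settings from Steps 1 and 2."""
import os
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample reflecting the edits above (not a real OpenNMS file).
SAMPLE_XML = """<beans>
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
  <sslContext>
    <sslContext keyStore="/opt/opennms/etc/my-ssl.jks" keyStorePassword="my-keystore-pass"/>
  </sslContext>
  <transportConnectors>
    <transportConnector name="openwire" uri="ssl://0.0.0.0:61616?useJmx=false&amp;maximumConnections=1000"/>
    <transportConnector name="vm" uri="vm://localhost"/>
  </transportConnectors>
</broker>
</beans>"""


def _local(tag):
    # Strip the XML namespace so tags can be compared by local name.
    return tag.rsplit("}", 1)[-1]


def audit_activemq_ssl(xml_text, path_exists=os.path.exists):
    """Return a list of findings; an empty list means the config matches Steps 1 and 2."""
    findings = []
    elems = list(ET.fromstring(xml_text).iter())
    # Step 1: the inner <sslContext keyStore=.../> bean (the outer <sslContext> wrapper has no keyStore).
    contexts = [e for e in elems if _local(e.tag) == "sslContext" and e.get("keyStore")]
    if not contexts:
        findings.append("Step 1: no <sslContext keyStore=...> found")
    for ctx in contexts:
        ks = ctx.get("keyStore")
        if not path_exists(ks):
            findings.append(f"Step 1: keystore {ks} does not exist on this host")
        if not ctx.get("keyStorePassword"):
            findings.append(f"Step 1: keystore {ks} has no keyStorePassword")
    # Step 2: network-facing connectors must use ssl://; vm:// is in-JVM only and is skipped.
    for tc in (e for e in elems if _local(e.tag) == "transportConnector"):
        uri = tc.get("uri", "")
        scheme = urlparse(uri).scheme
        if scheme == "tcp":
            findings.append(f"Step 2: connector {tc.get('name')} uses plain tcp:// ({uri})")
        elif scheme == "ssl" and not contexts:
            findings.append(f"Step 2: connector {tc.get('name')} uses ssl:// without an sslContext")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print("\n".join(audit_activemq_ssl(text)) or "OK: SSL context and ssl:// connector present")
```

Run it as `python3 audit_amq_ssl.py $OPENNMS_HOME/etc/opennms-activemq.xml`; without an argument it audits the constructed sample, where only the missing keystore file is reported.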

If you run into problems, check our Troubleshoot Java with self-signed certificates wiki post.