Fuse ESB - Security Guide - Secure ActiveMQ Connection Factory

Overview

Fuse Mediation Router provides an Fuse Message Broker component for defining Fuse Message Broker endpoints in a route. The Fuse Message Broker endpoints are effectively Java clients of the broker and you can either define a consumer endpoint (typically used at the start of a route to poll for JMS messages) or define a producer endpoint (typically used at the end or in the middle of a route to send JMS messages to a broker).

When the remote broker is secure (SSL security, JAAS security, or both), the Fuse Message Broker component must be configured with the required client security settings.

Programming the security properties

Fuse Message Broker enables you to program SSL security settings (and JAAS security settings) by creating and configuring an instance of the ActiveMQSslConnectionFactory JMS connection factory. Programming the JMS connection factory is the correct approach to use in the context of the containers such as OSGi, J2EE, Tomcat, and so on, because these settings are local to the application using the JMS connection factory instance.

	Note
A standalone broker can configure SSL settings using Java system properties. For clients deployed in a container, however, this is not a practical approach, because the configuration must apply only to individual bundles, not the entire OSGi container. A Camel ActiveMQ endpoint is effectively a kind of Fuse Message Broker Java client, so this restriction applies also to Camel ActiveMQ endpoints.

Note

A standalone broker can configure SSL settings using Java system properties. For clients deployed in a container, however, this is not a practical approach, because the configuration must apply only to individual bundles, not the entire OSGi container. A Camel ActiveMQ endpoint is effectively a kind of Fuse Message Broker Java client, so this restriction applies also to Camel ActiveMQ endpoints.

Defining a secure connection factory

Example 5.1 shows how to create a secure connection factory bean in Spring XML.

Example 5.1. Defining a Secure Connection Factory Bean

<bean id="jmsConnectionFactory"
      class="org.apache.activemq.ActiveMQSslConnectionFactory">
  <property name="brokerURL" value="ssl://localhost:61001" />
  <property name="userName" value="smx"/>
  <property name="password" value="smx"/>
  <property name="trustStore" value="/conf/client.ts"/>
  <property name="trustStorePassword" value="password"/>
</bean>

The following properties are specified on the ActiveMQSslConnectionFactory class:

brokerURL: The URL of the remote broker to connect to.
userName and password: The JAAS login credentials.
trustStore: Location of the Java keystore file containing the certificate trust store for SSL connections. The location is specified as a classpath resource. If a relative path is specified, the resource location is relative to the org/fusesource/example directory on the classpath.
trustStorePassword: The password that unlocks the keystore file containing the trust store.

It is also possible to specify keyStore and keyStorePassword properties, but these would only be needed, if SSL mutual authentication is enabled (where the client presents an X.509 certificate to the broker during the SSL handshake).