Configuring ActiveMQ MPX with secure protocols SSL/TLS

Since ActiveMQ is a separate application, configuring the ActiveMQ broker with a secure protocol is optional and separate from configuring StarTeam Server with TLS.

It is possible to have both StarTeam Server and ActiveMQ broker configured with SSL/TLS, or only one of them.

Version: 17.2 and higher

A. Enable SSL protocol in ActiveMQ broker

ActiveMQ.xml changes

  1. Add an entry for the ssl protocol.

    The following entry should be inside the <broker> element of activemq.xml. It tells the broker where the key store and trust store are and what their passwords are.

    By default, the broker uses a key store called broker.ks and a trust store called broker.ts, both located in the folder "conf".

    <sslContext>
        <sslContext keyStore="file:${activemq.conf}/broker.ks"
                    keyStorePassword="password"
                    trustStore="file:${activemq.conf}/broker.ts"
                    trustStorePassword="password"/>
    </sslContext>

  2. Enable the ssl protocol in the broker by adding a transport connector for ssl.

    The connector URI is taken from the variable ssl_names, which is defined in ActiveMQMessageBroker.ini:

    <transportConnector name="ssl" uri="${ssl_names}?maximumConnections=${max_client_conns}&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"/>

ActiveMQMessageBroker.ini changes

Define variable ssl_names:

ssl_names=ssl://0.0.0.0:61617

B. Setup CA Certificate for ActiveMQ broker

The broker is pre-configured to use a key store called broker.ks and a trust store called broker.ts, both found in the folder conf (C:\Program Files\Micro Focus\ActiveMQ Message Broker\conf).

The broker will fail to start if these files are not found.

Logs can be found in the folder "data", for example C:\Program Files\Micro Focus\ActiveMQ Message Broker\data.

If you also enabled TLS for StarTeam Server, the recommendation is to use the same certificate for the ActiveMQ broker. This approach does not work when using multiple brokers.

Option 1: Reuse the StarTeam Server certificate for the ActiveMQ broker

There are two ways to configure the broker key store, depending on the certificate format.

Option 2: Create a new certificate for the ActiveMQ broker

  1. Create the certificate:

    ..\jre\bin\keytool -genkey -alias broker -keyalg RSA -keystore broker.ks

  2. Export the certificate in PEM format, for use in the MPX configuration of the server and the Cache Agent:

    ..\jre\bin\keytool -export -rfc -alias broker -keystore broker.ks -file broker_cert.pem
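The two keytool steps above, together with the trust store the broker also needs before it will start, as one POSIX shell script. This is an added example and not part of the Micro Focus documentation; it assumes keytool from the bundled JRE (..\jre\bin on the Windows install) is on PATH, that the broker expects JKS stores (the sslContext entry in section A names no store type), and that client certificate authentication is not enabled, so seeding broker.ts with the broker's own certificate is sufficient. The CN, validity and password are placeholders.

```shell
#!/bin/sh
# Added example (not from the StarTeam documentation): build the broker key
# store, export the PEM certificate for <server_certificate>, and create the
# trust store the broker also needs at startup. Assumes `keytool` from the
# bundled JRE (..\jre\bin on the Windows install) is on PATH.
set -eu

make_broker_keystore() {
    dir=$1            # output directory; copy the three files into "conf" afterwards
    pass=$2           # must match keyStorePassword / trustStorePassword in activemq.xml
    cn=${3:-broker}   # certificate CN (placeholder); use the broker's DNS name if clients verify hostnames

    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found on PATH" >&2
        return 2
    fi

    # 1. Key pair and self-signed certificate (the page's -genkey step).
    #    -dname avoids interactive prompts; -storetype JKS is an assumption,
    #    since the sslContext entry in activemq.xml names no store type.
    keytool -genkeypair -alias broker -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$cn" -storetype JKS -keystore "$dir/broker.ks" \
        -storepass "$pass" -keypass "$pass" || return 1

    # 2. Export the certificate in PEM (-rfc) for the StarTeam Server and
    #    Cache Agent <server_certificate> entries.
    keytool -exportcert -rfc -alias broker -keystore "$dir/broker.ks" \
        -storepass "$pass" -file "$dir/broker_cert.pem" || return 1

    # 3. Trust store: the broker refuses to start without broker.ts. Importing
    #    the broker's own certificate is enough as long as client certificate
    #    authentication is not enabled (assumption; the page does not enable it).
    keytool -importcert -noprompt -alias broker -file "$dir/broker_cert.pem" \
        -storetype JKS -keystore "$dir/broker.ts" -storepass "$pass" || return 1

    # 4. Sanity checks before anything is copied into conf.
    keytool -list -alias broker -keystore "$dir/broker.ks" -storepass "$pass" >/dev/null || return 1
    grep -q "BEGIN CERTIFICATE" "$dir/broker_cert.pem" || return 1
    keytool -list -alias broker -keystore "$dir/broker.ts" -storepass "$pass" >/dev/null || return 1
    echo "created broker.ks, broker_cert.pem and broker.ts in $dir"
}
```

Call it as `make_broker_keystore /tmp/broker changeit broker.example.test`, then copy broker.ks and broker.ts into the broker's conf folder and broker_cert.pem to the StarTeam Server's CACertificates folder. The password you pass must be the one written into keyStorePassword and trustStorePassword in activemq.xml.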

C. Restart ActiveMQ message broker service

net stop MicroFocusActiveMQMessageBroker

net start MicroFocusActiveMQMessageBroker

D. Verify the broker certificates are setup correctly

Use this command:

openssl s_client -showcerts -connect BROKER_IP:61617

If the certificates are valid, the output contains the line: verify return:1

If the verify result is not 1, the errors must be fixed before continuing.

Note: For self-signed certificates there will always be an error "verify error:num=18:self signed certificate". This error can be ignored.
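The check in this section, done programmatically, as an added example that is not part of the Micro Focus documentation. The first function parses the text that openssl s_client prints and applies the rule above (every "verify return" must be 1; "verify error:num=18" is tolerated only for a self-signed certificate). It also warns when the broker negotiated TLS 1.0 or 1.1, which the transport connector in section A still enables but which are deprecated (RFC 8996). The second function performs the same check live with Python's ssl module against the PEM file that will go into <server_certificate>; it assumes the broker is reachable and that its certificate's CN or SAN matches the host name, and is not exercised offline. The sample s_client output is constructed, not captured from a real broker.

```python
import re
import socket
import ssl

# X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: the "verify error:num=18" the
# documentation says can be ignored for a self-signed broker certificate.
SELF_SIGNED_ERR = 18

# Constructed sample of what `openssl s_client -showcerts -connect BROKER_IP:61617`
# prints for a self-signed broker certificate; not captured from a real broker,
# and the certificate body is omitted.
SAMPLE_SELF_SIGNED = """\
CONNECTED(00000003)
depth=0 CN = broker
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = broker
verify return:1
---
Certificate chain
 0 s:CN = broker
   i:CN = broker
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
"""


def parse_s_client_output(text):
    """Extract the per-depth 'verify return' values, the verify error numbers,
    the final verify code and the negotiated protocol from s_client output."""
    final = re.search(r"Verify return code:\s*(\d+)", text)
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    return {
        "callback_returns": [int(n) for n in re.findall(r"^verify return:(\d+)", text, re.M)],
        "error_nums": [int(n) for n in re.findall(r"^verify error:num=(\d+)", text, re.M)],
        "final_code": int(final.group(1)) if final else None,
        "protocol": proto.group(1) if proto else None,
    }


def evaluate(parsed, allow_self_signed=True):
    """Apply the documentation's rule: every 'verify return' must be 1 and the
    only tolerated verify error is num=18 (self-signed). Additionally warn when
    the broker negotiated TLS 1.0 or 1.1 (deprecated, RFC 8996)."""
    problems, warnings = [], []
    if not parsed["callback_returns"]:
        problems.append("no 'verify return' line: the handshake never reached certificate verification")
    elif any(r != 1 for r in parsed["callback_returns"]):
        problems.append("a 'verify return' value other than 1 was reported")
    tolerated = {SELF_SIGNED_ERR} if allow_self_signed else set()
    for num in parsed["error_nums"]:
        if num not in tolerated:
            problems.append("verify error num=%d must be fixed before continuing" % num)
    if parsed["protocol"] in ("TLSv1", "TLSv1.1"):
        warnings.append("broker negotiated %s; consider limiting transport.enabledProtocols to TLSv1.2"
                        % parsed["protocol"])
    return {"ok": not problems, "problems": problems, "warnings": warnings}


def check_broker_tls(host, port, ca_pem, timeout=10):
    """Live check with the trust material StarTeam will use: verify the broker
    chain against the PEM file meant for <server_certificate> and report what
    was negotiated. Assumes the broker is reachable and its certificate's
    CN/SAN matches `host` (hostname checking stays on)."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "subject": tls.getpeercert().get("subject")}


if __name__ == "__main__":
    parsed = parse_s_client_output(SAMPLE_SELF_SIGNED)
    print(parsed)
    print(evaluate(parsed))
```

For the live check, pass the broker host name rather than its IP, because the certificate must match `host`; a self-signed certificate created with `-genkey` as in section B only verifies if its PEM export is the file given as `ca_pem`.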

E. Configure MPX with SSL protocol in StarTeam Server

An example of these settings is provided in the file EventServices/ActiveMQEventTransmitterTemplate.xml under the server installation.

  1. Server MPX configuration:

    The server connects to the MPX broker using the ActiveMQ CMS client and requires the server certificate.

    In Configure Server/Event Handler, create a new "server secure" profile by copying the existing one.

    1. Change the protocol name in the <server_names> entry to ssl.

    2. Specify the ActiveMQ server CA certificate in <server_certificate>. This is the file of CA certificates created in step B (option 1 or 2), in PEM format. The file can contain several CA certificates.

      Example:

      <server_names>ssl://myipaddress:61617</server_names>

      <server_certificate>C:\Program Files\Micro Focus\StarTeam Server 17\CACertificates\mycert.pem</server_certificate>

  2. Client MPX configuration:

    In Configure Server/Event Handler, create a new "server secure" profile by copying the existing one.

    Change the protocol name in the <server_names> entry to ssl, with the correct port.

    Example: <server_names>ssl://myipaddress:61617</server_names>

F. Test MPX with ActiveMQ in CPC

Before connecting to StarTeam Server for the first time, go to Project/Open/Server Properties/MPX Profiles and select the new secure client profile as the default for this client.

The SDK downloads the server certificate automatically; no additional setting is needed.

Configure MPX with SSL/TLS protocol in Cache Agent

Use the same entries as for the Server MPX configuration. See the sample configuration files SampleRootCacheAgentConfig.xml and SampleRemoteCacheAgentConfig.xml.

For example, the following elements need to be configured for a Root Cache Agent:

<ServerConfigsFile>C:\Program Files\Micro Focus\StarTeam Server 17\starteam-server-configs.xml</ServerConfigsFile>
<ConfigName>StarTeam configuration name</ConfigName>
<MessageBroker>
    <Name>ActiveMQ MPX Transmitter</Name>
    <server_names>ssl://myipaddress:61617</server_names>
    <server_certificate>C:\Program Files\Micro Focus\StarTeam Server 17\CACertificates\mycert.pem</server_certificate>
</MessageBroker>

The same certificate as for the server TLS connections can be used here.

Note: The Cache Agent needs to be restarted after these configuration changes.
