TLS Enablement for ActiveMQ
Generate Certificates
Please run the following script to generate the certificate files.
vi generate-ssl.sh
#!/bin/bash
set -e
PASSWORD=password
DAYS=36500
KEYSIZE=2048

# 1) Create a root CA
# -------------------
echo ">> Generating root CA (ca.key + ca.crt)..."
openssl req -new -x509 -days $DAYS -nodes \
  -keyout ca.key -out ca.crt \
  -subj "/CN=MyCA" \
  -sha256

# 2) Broker: Keystore + Truststore with serverAuth EKU
# -----------------------------------------------------
# a) Create OpenSSL config for SAN and serverAuth
#    (the SAN must be the hostname clients use to reach the broker)
cat > broker-openssl.cnf <<EOF
[ v3_req ]
subjectAltName = DNS:activemq.ef-external.svc
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

echo ">> Generating broker keystore (broker.ks)..."
# Note: keytool on Java 9+ writes PKCS12 by default; add -storetype JKS if a real JKS file is required.
keytool -genkeypair \
  -alias broker -keyalg RSA -keysize $KEYSIZE \
  -dname "CN=broker" \
  -keypass $PASSWORD -storepass $PASSWORD \
  -keystore broker.ks -validity $DAYS

echo ">> Generating broker CSR (broker.csr)..."
keytool -certreq \
  -alias broker -keystore broker.ks \
  -file broker.csr -storepass $PASSWORD

echo ">> Signing broker CSR with SAN & EKU (broker.crt)..."
openssl x509 -req -in broker.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out broker.crt -days $DAYS -sha256 \
  -extfile broker-openssl.cnf -extensions v3_req

# The CA must be imported before the signed broker cert so keytool can build the chain.
echo ">> Importing CA into broker keystore..."
keytool -import -trustcacerts -alias ca \
  -file ca.crt -keystore broker.ks -storepass $PASSWORD -noprompt

echo ">> Importing broker cert into broker keystore..."
keytool -import -alias broker \
  -file broker.crt -keystore broker.ks -storepass $PASSWORD -noprompt

# The truststore holds only the CA; any client cert chained to it is accepted when needClientAuth=true.
echo ">> Generating broker truststore (broker.ts)..."
keytool -import -trustcacerts -alias ca \
  -file ca.crt -keystore broker.ts -storepass $PASSWORD -noprompt

# 3) Client: PEM cert + key with clientAuth EKU
# ----------------------------------------------
# a) Create OpenSSL config for clientAuth
cat > client-openssl.cnf <<EOF
[ v3_req ]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = DNS:client
EOF

echo ">> Generating client private key (client.key)..."
openssl genrsa -out client.key $KEYSIZE

echo ">> Generating client CSR (client.csr)..."
openssl req -new -key client.key \
  -out client.csr -subj "/CN=client" \
  -sha256

echo ">> Signing client CSR with EKU clientAuth (client.crt)..."
openssl x509 -req -in client.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out client.crt -days $DAYS -sha256 \
  -extfile client-openssl.cnf -extensions v3_req

# b) Combine key + cert + CA into single client.pem
echo ">> Combining client.key + client.crt + CA into client.pem..."
cat client.key client.crt ca.crt > client.pem

# 4) Cleanup intermediate files
# ------------------------------
echo ">> Cleaning up temporary files..."
rm -f broker.csr client.csr broker-openssl.cnf client-openssl.cnf *.srl

# 5) Summary
# ----------
# plain echo does not interpret "\n", so use printf for the leading blank line
printf '\n>> Done. Artifacts generated:\n'
echo " - broker.ks (JKS keystore with broker key & cert)"
echo " - broker.ts (JKS truststore with CA cert)"
echo " - client.key (PEM private key for client)"
echo " - client.crt (PEM client certificate)"
echo " - client.pem (PEM full chain: key+cert+CA)"
echo " - ca.crt (PEM CA certificate)"
Then run these commands:
chmod +x generate-ssl.sh
./generate-ssl.sh
After that you have the files broker.ks, broker.ts, client.key, client.crt, client.pem and ca.crt.
Inside ActiveMQ
Place the broker.ts and broker.ks files in the activemq-k8s/6.0.0-k8s/zulu-alpine/offline/docker/activemq_ssl_certificates directory.
In activemq.xml, append the parameters
&needClientAuth=true&maximumConnections=${MAX_CONNECTIONS}&wireFormat.maxFrameSize=104857600
to the end of the URI of the ssl and stomp+nio+ssl transportConnector entries. Because the URI is an XML attribute value, each & in the file must be written as &amp;, so the two connectors read:
<transportConnector name="ssl" uri="ssl://0.0.0.0:61617?enabledProtocols=TLSv1.2&amp;needClientAuth=true&amp;maximumConnections=${MAX_CONNECTIONS}&amp;wireFormat.maxFrameSize=104857600"/>
<transportConnector name="stomp+ssl" uri="stomp+nio+ssl://0.0.0.0:61615?enabledProtocols=TLSv1.2&amp;needClientAuth=true&amp;maximumConnections=${MAX_CONNECTIONS}&amp;wireFormat.maxFrameSize=104857600"/>
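With needClientAuth=true the broker completes a handshake only for clients that present a certificate chained to the CA in broker.ts. The following mutual-TLS smoke test is an added example, not part of the original page or of ActiveMQ: it verifies the broker against ca.crt, presents client.crt/client.key, exchanges a STOMP CONNECT/CONNECTED pair on the stomp+nio+ssl port, and separately confirms that a connection without a client certificate is refused. The broker hostname (which must match the SAN in broker.crt), port, login and passcode are assumptions that must be adjusted to your deployment.

```python
"""Mutual-TLS smoke test for the stomp+nio+ssl connector (constructed example).

Assumes the files produced by generate-ssl.sh are in the working directory
and the broker is reachable under the name in the broker certificate's SAN.
"""
import socket
import ssl

BROKER_HOST = "activemq.ef-external.svc"   # assumption: must equal the SAN in broker.crt
STOMP_SSL_PORT = 61615                      # stomp+nio+ssl connector from activemq.xml
CA_CERT = "ca.crt"                          # trust anchor used to verify the broker
CLIENT_CERT = "client.crt"                  # client certificate with EKU clientAuth
CLIENT_KEY = "client.key"                   # matching private key
LOGIN, PASSCODE = "admin", "admin"          # assumption: broker credentials


def build_frame(command, headers, body=""):
    """Encode a STOMP frame: command line, header lines, blank line, body, NUL."""
    lines = [command] + [f"{k}:{v}" for k, v in headers.items()]
    return ("\n".join(lines) + "\n\n" + body).encode() + b"\x00"


def parse_frame(raw):
    """Decode one STOMP frame into (command, headers dict, body)."""
    frame = raw.split(b"\x00", 1)[0].decode()
    head, _, body = frame.partition("\n\n")
    command, *header_lines = head.lstrip("\n").split("\n")
    headers = dict(line.split(":", 1) for line in header_lines if ":" in line)
    return command, headers, body


def build_client_context(ca_cert=CA_CERT, client_cert=CLIENT_CERT, client_key=CLIENT_KEY):
    """TLS 1.2+ context that verifies the broker with our CA and presents the client cert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_cert)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # matches enabledProtocols=TLSv1.2
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def stomp_connect(ctx, host=BROKER_HOST, port=STOMP_SSL_PORT, login=LOGIN, passcode=PASSCODE):
    """Open a mutual-TLS STOMP session, return the CONNECTED headers, then disconnect."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_frame("CONNECT", {"login": login, "passcode": passcode}))
            command, headers, _ = parse_frame(tls.recv(4096))
            if command != "CONNECTED":
                raise RuntimeError(f"broker answered {command}: {headers}")
            tls.sendall(build_frame("DISCONNECT", {}))
            return headers


def client_auth_is_enforced(host=BROKER_HOST, port=STOMP_SSL_PORT, ca_cert=CA_CERT):
    """True if the broker refuses a session that presents no client certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_cert)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(build_frame("CONNECT", {}))
                tls.recv(1)   # with needClientAuth=true this fails at the handshake or first read
        return False
    except (ssl.SSLError, ConnectionResetError, BrokenPipeError):
        return True


if __name__ == "__main__":
    print("needClientAuth enforced:", client_auth_is_enforced())
    print("CONNECTED headers:", stomp_connect(build_client_context()))
```

Run it from the directory holding ca.crt, client.crt and client.key; the first line must print True and the second must show a CONNECTED frame, otherwise the truststore, the connector URI or the SAN does not match what the client expects.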
In Solution
Please add the client certificate files client.key, client.crt and ca.crt to a secret:
vi activemq-tls.yaml
apiVersion: v1
data:
  ca.crt: <base64-encoded ca.crt>
  tls.crt: <base64-encoded client.crt>
  tls.key: <base64-encoded client.key>
kind: Secret
metadata:
  name: activemq-client-crt
  namespace: expertflow
type: kubernetes.io/tls
kubectl apply -f activemq-tls.yaml
Add a volume and volumeMount for the component that needs to connect to ActiveMQ:
extraVolumes:
  - name: activemq-client-crt
    secret:
      secretName: activemq-client-crt
extraVolumeMounts:
  - name: activemq-client-crt
    mountPath: /activemq
Please update these variables in the efConnectionVars section:
  ACTIVEMQ_KEY_STORE_PASSWORD: "Expertflow123"
  ACTIVEMQ_KEY_STORE_PATH: "activemq_keystore.p12"
  ACTIVEMQ_OPEN_WIRE_PORT: "61617"
  ACTIVEMQ_PASSWORD: "RXhwZXJ0ZmxvdzQ2NA"
  ACTIVEMQ_STOMP_PORT: "61615"
  ACTIVEMQ_TRANSPORT: ssl
  ACTIVEMQ_TRUST_STORE_PASSWORD: "Expertflow123"
  ACTIVEMQ_TRUST_STORE_PATH: "activemq_truststore.p12"
  ACTIVEMQ_CLIENT_CERT: /activemq/tls.crt
  ACTIVEMQ_CLIENT_KEY: /activemq/tls.key
  ACTIVEMQ_CA_CERT: /activemq/ca.crt