Secure Communication : Encryption of HornetQ JMS connections
  

Encryption of HornetQ JMS connections

JMS is used to transfer statistical events from Central and Distributed Queue Agents to the Stat server (where the application stat.war is deployed).
The Stat server can be deployed together with Orchestra Central or on a standalone server.
To be able to use SSL for encryption of stat messages, it is necessary to configure matching certificates in a keystore on the stat server and a truststore on the Queue Agent. The process of setting up certificates and using remote upgrade to transfer them to remote Queue Agents is described earlier in this chapter.

Prerequisite

In the example below, TCP port 5446 is used for encrypted JMS traffic. This port must be open in the firewall.

Application Server Configuration - Wildfly 11.0

Add missing dependency for netty module

The version of Wildfly shipped with Orchestra 7.0 is missing a dependency that is needed to enable JMS sending over SSL.
1. Open the file <Orchestra installation>/app/wildfly-11.0.0.Final/modules/system/layers/base/io/netty/main/module.xml in a text editor.
2. Edit the section <dependencies> and add a dependency to the module javax.api.
The file should look like the below example after editing:
--------------------------------------
<?xml version="1.0" encoding="UTF-8"?>

<!--
  ~ JBoss, Home of Professional Open Source.
  ~ Copyright 2010, Red Hat, Inc., and individual contributors
  ~ as indicated by the @author tags. See the copyright.txt file in the
  ~ distribution for a full listing of individual contributors.
  ~
  ~ This is free software; you can redistribute it and/or modify it
  ~ under the terms of the GNU Lesser General Public License as
  ~ published by the Free Software Foundation; either version 2.1 of
  ~ the License, or (at your option) any later version.
  ~
  ~ This software is distributed in the hope that it will be useful,
  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  ~ Lesser General Public License for more details.
  ~
  ~ You should have received a copy of the GNU Lesser General Public
  ~ License along with this software; if not, write to the Free
  ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
  ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-->

<module xmlns="urn:jboss:module:1.3" name="io.netty">
  <resources>
    <resource-root path="netty-all-4.0.15.Final.jar"/>
  </resources>

  <dependencies>
    <module name="javax.api"/>
  </dependencies>
</module>
--------------------------------------
 

Configure Wildfly Application Server to allow encrypted JMS communication

The configuration of JMS transport on the server side is done in the Application Server configuration file, standalone-full.xml, where we need to add a JMS acceptor that will use the certificate in the keystore to handle the encrypted data. In the example below we use the default keystore <installation>/conf/security/keystore.jks, with the default password, to encrypt JMS traffic on port 5446.
1. On the stat server, open the configuration file <installation>/app/wildfly-11.0.0.Final/standalone/configuration/standalone-full.xml in a text editor.
2. In the subsystem labelled <subsystem xmlns="urn:jboss:domain:messaging:2.0">, locate the section <acceptors> and add a new acceptor named netty-ssl with the following properties:
--------------------------------------
<acceptor name="netty-ssl">
  <factory-class>org.hornetq.core.remoting.impl.netty.NettyAcceptorFactory</factory-class>
  <param key="host" value="0.0.0.0"/>
  <param key="port" value="5446"/>
  <param key="ssl-enabled" value="true"/>
  <param key="key-store-path" value="conf/security/keystore.jks"/>
  <param key="key-store-password" value="changeit"/>
</acceptor>
--------------------------------------
 
3. Save the file.
4. Restart the Application Server.

Configure Distributed Queue Agent to use encrypted JMS communication

To enable encrypted JMS communication we need to update the configuration file <agent>/conf/hornetq-configuration.xml on the Queue Agent.
In the example below a valid certificate exists in the default truststore on the Distributed Queue Agent in <agent>/conf/security/truststore.jks, with the default password.
1. Copy the existing Agent Profile to a separate folder, such as tmp.
2. Open the conf/hornetq-communication.xml file and locate the section <connectors>.
3. Change both configured connectors to use encrypted communication to port 5446.
--------------------------------------
<connectors>
  <connector name="stat-remote-connector">
    <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
    <!-- The host is read from Orchestra system parameters -->
    <!-- param key="host" value="localhost"/ -->
    <param key="port" value="5446"/>
    <param key="ssl-enabled" value="true"/>
    <param key="trust-store-path" value="conf/security/truststore.jks"/>
    <param key="trust-store-password" value="changeit"/>
  </connector>
  <connector name="audit-remote-connector">
    <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
    <!-- The host is read from agent.conf -->
    <!-- param key="host" value="localhost"/ -->
    <param key="port" value="5446"/>
    <param key="ssl-enabled" value="true"/>
    <param key="trust-store-path" value="conf/security/truststore.jks"/>
    <param key="trust-store-password" value="changeit"/>
  </connector>
</connectors>
--------------------------------------
 
4. Save the file.
5. Prepare, synchronize and publish the new Agent Profile.
 
Configure central agent to use encrypted JMS communication
 
To enable encrypted JMS communication between a central agent and a standalone stat server we need to update the configuration file <Orchestra central>/conf/hornetq-configuration.xml.
We also need to add a valid certificate in a truststore on the central Orchestra server that corresponds to the configured keystore on the standalone stat server. In the example below we use the default truststore <Orchestra central>/conf/security/truststore.jks.
 
1. Open the file <Orchestra central>/conf/hornetq-communication.xml and locate the section <connectors>.
2. Change both configured connectors to use encrypted communication to port 5446.
--------------------------------------
<connectors>
  <connector name="stat-remote-connector">
    <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
    <!-- The host is read from Orchestra system parameters -->
    <!-- param key="host" value="localhost"/ -->
    <param key="port" value="5446"/>
    <param key="ssl-enabled" value="true"/>
    <param key="trust-store-path" value="conf/security/truststore.jks"/>
    <param key="trust-store-password" value="changeit"/>
  </connector>
  <connector name="audit-remote-connector">
    <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
    <!-- The host is read from agent.conf -->
    <!-- param key="host" value="localhost"/ -->
    <param key="port" value="5446"/>
    <param key="ssl-enabled" value="true"/>
    <param key="trust-store-path" value="conf/security/truststore.jks"/>
    <param key="trust-store-password" value="changeit"/>
  </connector>
</connectors>
--------------------------------------
 
3. Save the file.
4. Restart Orchestra.
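As an added configuration check (not part of this guide or the Orchestra product), the script below parses acceptor and connector fragments of the kind shown in the stat-server and Queue Agent steps above and reports every endpoint that is still plaintext, is not on port 5446, has no keystore or truststore path, or still uses the default password "changeit". The XML samples are constructed for the example and use only the param keys shown on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments (not the product's shipped files): one acceptor left on
# plaintext 5445 beside the netty-ssl acceptor, and one agent connector not yet converted.
ACCEPTORS_XML = """<acceptors>
  <acceptor name="netty">
    <param key="port" value="5445"/>
  </acceptor>
  <acceptor name="netty-ssl">
    <param key="port" value="5446"/>
    <param key="ssl-enabled" value="true"/>
    <param key="key-store-path" value="conf/security/keystore.jks"/>
    <param key="key-store-password" value="changeit"/>
  </acceptor>
</acceptors>"""

CONNECTORS_XML = """<connectors>
  <connector name="stat-remote-connector">
    <param key="port" value="5446"/>
    <param key="ssl-enabled" value="true"/>
    <param key="trust-store-path" value="conf/security/truststore.jks"/>
    <param key="trust-store-password" value="changeit"/>
  </connector>
  <connector name="audit-remote-connector">
    <param key="port" value="5445"/>
  </connector>
</connectors>"""

def params(node):
    """Collect the <param key="..." value="..."/> children of an acceptor or connector."""
    return {p.get("key"): p.get("value") for p in node.findall("param")}

def check_endpoint(node, store, expected_port="5446"):
    """Findings for one acceptor (store='key') or connector (store='trust')."""
    name, p, findings = node.get("name"), params(node), []
    if p.get("ssl-enabled") != "true":
        findings.append(f"{name}: ssl-enabled is not true, JMS traffic is plaintext")
    if p.get("port") != expected_port:
        findings.append(f"{name}: port {p.get('port')} is not the SSL port {expected_port}")
    if not p.get(f"{store}-store-path"):
        findings.append(f"{name}: no {store}-store-path configured")
    if p.get(f"{store}-store-password") == "changeit":
        findings.append(f"{name}: {store}-store-password is the well-known default")
    return findings

def audit(xml_text, tag, store):
    """Run check_endpoint over every <acceptor> or <connector> in a fragment."""
    root = ET.fromstring(xml_text)
    return [f for node in root.findall(tag) for f in check_endpoint(node, store)]
```

In standalone-full.xml the acceptors sit inside a namespaced messaging subsystem, so either extract the <acceptors> element first or qualify the tag names with that namespace before calling audit().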