SSL

This section shows how to use SSL to enable secure connections between an AMQP message client and the broker.
Keystore Configuration

The broker configuration file (config.xml) needs to be updated to include the required SSL keystore configuration, an example of which is given below.

Configuring an SSL Keystore (example values)
  SSL enabled: true
  SSL port: 5671
  sslOnly: false
  keystore path: /path/to/keystore.ks
  keystore password: keystorepass
  certAlias: alias

The certAlias element is an optional way of specifying which certificate the broker should use if the keystore contains multiple entries. The sslOnly element controls whether the broker will bind only the configured SSL port(s) or will also bind the non-SSL port(s); setting sslOnly to true disables the non-SSL ports. The password of the certificate used by the broker must match the password of the keystore itself. This is a restriction of the Qpid Broker implementation. If using the keytool utility, note that this means the key password supplied when generating the key pair must match the keystore password.
Truststore / Client Certificate Authentication

The SSL truststore and the related client certificate authentication behaviour can be configured with the additional configuration shown in the example below, in which the broker requires client certificate authentication.

Configuring an SSL Truststore and client auth (example values)
  truststore path: /path/to/truststore.ks
  truststore password: truststorepass
  needClientAuth: true
  wantClientAuth: false

The needClientAuth and wantClientAuth elements control whether the client must present an SSL certificate. Only one of these elements is needed, but both may be used at the same time. A socket's client authentication setting is one of three states: required (needClientAuth = true), requested (wantClientAuth = true), or none desired (both false, the default). If both elements are set to true, needClientAuth takes precedence. When using client certificate authentication it may be desirable to use the External Authentication Manager, for details see
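The following is an added example, not code from the Qpid project or from this page: a Java (JSSE) program that loads the keystore and truststore from the example values above, rejects a keystore whose key password differs from the keystore password (the broker restriction described in the keystore section), and applies the needClientAuth/wantClientAuth precedence to the listening socket. The class name BrokerSslCheck and the method names are assumed.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.net.ssl.*;

public class BrokerSslCheck {
    // Enforces the broker's restriction: the key entry it will serve (certAlias, or the only
    // entry) must be recoverable with the keystore password itself.
    static KeyStore loadAndCheckKeystore(String path, char[] storePass, String certAlias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        String alias = (certAlias != null) ? certAlias : ks.aliases().nextElement();
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("no private key entry '" + alias + "' in " + path);
        }
        try {
            ks.getKey(alias, storePass); // fails if the key was stored under its own, different password
        } catch (UnrecoverableKeyException e) {
            throw new IllegalStateException("key password for '" + alias + "' must equal the keystore password", e);
        }
        return ks;
    }

    // Three-state client authentication: needClientAuth wins when both are true;
    // neither set leaves the JSSE default, in which no certificate is requested.
    static void applyClientAuth(SSLServerSocket socket, boolean needClientAuth, boolean wantClientAuth) {
        if (needClientAuth) {
            socket.setNeedClientAuth(true);   // required: handshake fails without a client certificate
        } else if (wantClientAuth) {
            socket.setWantClientAuth(true);   // requested: the client may decline
        }
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = "keystorepass".toCharArray();
        KeyStore ks = loadAndCheckKeystore("/path/to/keystore.ks", storePass, "alias");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, storePass); // one password for store and key, as the broker requires
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream("/path/to/truststore.ks")) {
            ts.load(in, "truststorepass".toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        try (SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(5671)) {
            applyClientAuth(server, true, false); // needClientAuth=true, wantClientAuth=false, as in the example
        }
    }
}
```

Run against a keystore whose key was generated with a key password different from the keystore password, the check fails with an UnrecoverableKeyException wrapped in the IllegalStateException, which is the same condition that prevents the broker from using the certificate.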