It is entirely valid to attempt to use TLS/SSL to secure JMS communications across the network. My project has 100+ instances of JBoss AS distributed across the globe which do this with JBoss 4.2.x and JBoss MQ. Our next release will do the same with JBoss 5.1 and JBoss Messaging.
However, I'm struggling to respond to your question because there are a hundred little details that factor into how you will go about accomplishing this. Answer the following questions, then I will attempt to help you.
We install the ESB into an existing AS, rather than using the jbossesb-server.zip package, so my questions probably have a bias toward that configuration.
- Which version of the ESB are you running?
- Which version of JBoss AS are you running?
- Which messaging system (JBoss MQ, JBoss Messaging, etc) are you using to back the ESB? Which version?
- Describe the process which is attempting to send JMS messages to the ESB. Is it a ServiceInvoker outside of the JBoss JVM? Is it an ESB-naive process sending to a gateway queue? On the same server? Remotely located?
- Is there a firewall between the two points of communication? Which ports and protocols are permitted through the firewall?
- You mentioned send AND receive. Is your other receiver simply a similar configuration of JBoss AS/ESB on another machine, or is it a different JMS container entirely?
- Do you intend to use mutual authentication, or are you simply attempting to encrypt the network communications?
That's just the start. Answer those and we'll go from there.
First of all, it is very kind of you to reply; thank you very much.
Here is the background of the project I'm developing. It is to exchange large data like log files between ESB servers (I don't know whether it is reasonable, because it was designed by my boss :-) ). There are only two cases of JMS message exchange:
1. Server A sends JMS messages to server B's queue; B gets the messages from its local queue.
2. Server A sends JMS messages to its local queue; B listens to the remote queue on A to get the messages.
What I want to do is to implement SSL communication for the two patterns above.
Next, let me answer the questions you asked.
•Which version of the ESB are you running?
The ESB server installed in my workspace is version 4.7, which is named jbossesb-server-4.7 (I guess :)
•Which version of JBoss AS are you running?
I run the server directly from .\jbossesb-server-4.7\bin\run.bat. I'm afraid that I'm using the jbossesb-server.zip package directly, which is different from you.
•Which messaging system (JBoss MQ, JBoss Messaging, etc) are you using to back the ESB? Which version?
I'm sorry, I can't be sure about it; I just configure the services to listen to the JMS bus from the JMS providers.
•Describe the process which is attempting to send JMS messages to the ESB. Is it a ServiceInvoker outside of the JBoss JVM? Is it an ESB-naive process sending to a gateway queue? On the same server? Remotely located?
I'm using the action named JMS-Router, which is inherent in JBoss ESB, to send messages to local queues or remote queues. And I use JMS-Provider to get messages from local/remote queues.
•Is there a firewall between the two points of communication? Which ports and protocols are permitted through the firewall?
There is no firewall in my project environment for this release, but it is hard to say there won't be a firewall configured in the future. If you have advice about it, please tell me. Thanks.
•You mentioned send AND receive. Is your other receiver simply a similar configuration of JBoss AS/ESB on another machine, or is it a different JMS container entirely?
The machines I'm using for JMS message communication are the same as each other; all have jbossesb-server-4.7 installed.
•Do you intend to use mutual authentication, or are you simply attempting to encrypt the network communications?
In fact, I want both of them, but it seems hard to use mutual authentication in my project for some objective reasons. So I want to start from encrypting the network communications. If you don't mind, would you please give some advice on using mutual authentication as well? Thanks.
At last, thanks again for your kind reply, and sorry for my poor English :-)
There could be a time difference of more than 10 hours between Japan and America, so .... have a good night and a good dream.
Waiting for your reply.
The key here is that you have no firewall to contend with. In that case, you have the freedom to allow JBoss Remoting to open up another socket and do its own SSL communications. Nearly all of the transports supported by Remoting have an SSL-wrapped counterpart.
It looks as if the JBoss ESB server distribution you use contains JBoss AS 4.2.3 and JBoss Messaging 1.4.0. These are relatively old compared to what I am using, so I can't specifically provide you a step-by-step reply, but I can point you in the correct direction.
Download the JBoss Messaging 1.4.0 distribution from here: http://www.jboss.org/jbossmessaging/downloads.html
There is an example in there named secure-socket which demonstrates how to set up a Remoting connector which will accept SSL communications. Add those configuration files to your deployed jbossesb-server-4.7 configuration. That directory also contains a java class, SecureSocketExample, which will demonstrate that the SSL connector you configured is working. The key here is that it looks up the /SecureConnectionFactory in JNDI, rather than your existing remote JMS Connection Factory. Any JMS messages produced or consumed through sessions created from that connection factory will be SSL-encrypted in-transit (cool, isn't it?). Once you get this working, you should see how it is possible to configure JMSRouter to connect to a remote queue via the secured connection factory.
The JBoss Messaging and JBoss Remoting forums are probably going to be more helpful if you have trouble configuring that secure-socket example. The jbossesb-server-4.7 distribution seems to be nothing more than the standard JBoss 4.2.3 with the ESB installer run against it, so all the advice you get for standard JBoss AS installations should be applicable to your JBoss ESB Server installation.
Note: once you get this working, you should replace the certificate in the example keystore with your own. Otherwise, anybody will be able to decrypt your messages because they will have access to the certificate with which they were encrypted.
PS: Don't worry about your English. It's passable, and certainly 100-times better than my Japanese! I've really let it slip since college, for lack of anyone to converse with.
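An added example for the note above about replacing the example keystore (Python, written for this thread; it is not JBoss or JDK tooling and is not code from any poster). It reads a JKS keystore and a JKS truststore without the JDK, lists each entry's alias, kind and certificate SHA-256 fingerprint, verifies the store's integrity digest against the store password, and reports which certificates the two stores have in common, so you can confirm that the server keystore and the client truststore carry the certificate you generated yourself rather than the one shipped with the secure-socket sample. The store contents below are constructed (a placeholder DER blob stands in for a real X.509 certificate, and "changeit" is a made-up password); the file layout and the fixed salt in the integrity digest are those of the JKS format itself.

```python
"""Inspect a JKS keystore/truststore: list certificate fingerprints and check the
integrity digest. Added example for this thread, not JBoss or JDK tooling."""
import hashlib
import struct
from typing import Dict, List, Set

JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY_ENTRY = 1
TRUSTED_CERT_ENTRY = 2
JKS_SALT = b"Mighty Aphrodite"  # fixed salt the JKS format mixes into its integrity digest


class _Reader:
    """Big-endian cursor over the store bytes (mirrors Java's DataInputStream)."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated keystore")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u16(self) -> int: return struct.unpack(">H", self.take(2))[0]
    def u32(self) -> int: return struct.unpack(">I", self.take(4))[0]
    def u64(self) -> int: return struct.unpack(">Q", self.take(8))[0]
    def utf(self) -> str: return self.take(self.u16()).decode("utf-8")


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form keytool -list -v prints."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def parse_jks(data: bytes, password: str) -> List[Dict]:
    """Parse a JKS blob. Raises ValueError on bad magic, truncation or wrong password."""
    r = _Reader(data)
    if r.u32() != JKS_MAGIC:
        raise ValueError("not a JKS keystore (bad magic)")
    if r.u32() != 2:
        raise ValueError("unsupported JKS version")
    entries = []
    for _ in range(r.u32()):
        tag, alias, timestamp_ms = r.u32(), r.utf(), r.u64()
        certs = []
        if tag == PRIVATE_KEY_ENTRY:
            r.take(r.u32())                  # password-protected private key: skipped
            for _ in range(r.u32()):         # certificate chain
                _cert_type, der = r.utf(), r.take(r.u32())
                certs.append(der)
        elif tag == TRUSTED_CERT_ENTRY:
            _cert_type, der = r.utf(), r.take(r.u32())
            certs.append(der)
        else:
            raise ValueError(f"unknown entry tag {tag}")
        entries.append({"alias": alias, "timestamp_ms": timestamp_ms,
                        "kind": "private-key" if tag == PRIVATE_KEY_ENTRY else "trusted-cert",
                        "fingerprints": [fingerprint(der) for der in certs]})
    # Integrity digest: SHA-1(password as UTF-16BE + salt + every byte before the digest).
    body, stored = data[:r.pos], r.take(20)
    expected = hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()
    if stored != expected:
        raise ValueError("integrity check failed: wrong store password or tampered file")
    return entries


def build_jks(entries: List[Dict], password: str) -> bytes:
    """Serialize entries to JKS form; used here only to construct the sample stores."""
    out = bytearray(struct.pack(">III", JKS_MAGIC, 2, len(entries)))

    def utf(s: str) -> None:
        out.extend(struct.pack(">H", len(s.encode())) + s.encode())

    for e in entries:
        tag = PRIVATE_KEY_ENTRY if e["kind"] == "private-key" else TRUSTED_CERT_ENTRY
        out.extend(struct.pack(">I", tag))
        utf(e["alias"])
        out.extend(struct.pack(">Q", e.get("timestamp_ms", 0)))
        if tag == PRIVATE_KEY_ENTRY:
            out.extend(struct.pack(">I", len(e["key"])) + e["key"])
            out.extend(struct.pack(">I", len(e["certs"])))
        for der in e["certs"]:
            utf("X.509")
            out.extend(struct.pack(">I", len(der)) + der)
    out.extend(hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + bytes(out)).digest())
    return bytes(out)


def shared_fingerprints(keystore: bytes, ks_password: str,
                        truststore: bytes, ts_password: str) -> Set[str]:
    """Certificates present in both stores: the client will trust exactly these servers."""
    ks = {fp for e in parse_jks(keystore, ks_password) for fp in e["fingerprints"]}
    ts = {fp for e in parse_jks(truststore, ts_password) for fp in e["fingerprints"]}
    return ks & ts


# Constructed sample data: a placeholder DER blob stands in for the real server certificate.
SAMPLE_CERT = b"\x30\x06\x02\x01\x01\x05\x00\x00"   # not a real X.509 certificate
SERVER_KEYSTORE = build_jks([{"alias": "server", "kind": "private-key",
                              "key": b"\x00" * 16, "certs": [SAMPLE_CERT]}], "changeit")
CLIENT_TRUSTSTORE = build_jks([{"alias": "server", "kind": "trusted-cert",
                                "certs": [SAMPLE_CERT]}], "changeit")

if __name__ == "__main__":
    for entry in parse_jks(SERVER_KEYSTORE, "changeit"):
        print(entry["alias"], entry["kind"], entry["fingerprints"])
    print("shared:", shared_fingerprints(SERVER_KEYSTORE, "changeit",
                                         CLIENT_TRUSTSTORE, "changeit"))
```

To check real files, pass `open("server.keystore", "rb").read()` and `open("client.truststore", "rb").read()` with their passwords; a fingerprint that still matches the one keytool prints for the sample keystore means the example certificate was never replaced, and an empty shared set means the client will not trust the server at all.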
I think the points you told me are very valuable, and I will have a try at them.
And it is a very good start for me in using the JBoss forum, thanks to your kind reply.
PS: I'm not sure that my Japanese is 100 times better than yours, because I'm not Japanese either :-), just working in Japan.
And I believe that you can be better than me at Japanese as long as you come to Japan :-)
In folder the
we added the file remoting-sslbisocket-service.xml
you can copy it from
and configure it after you copy it.
This creates the ssl transport. You also need to make a keystore for the server and a truststore for the client. See
especially the part "ssl enabled on the server the common case". The link I gave you gives instructions about configuring https, but the instructions for creating the keystore and the truststore are still valid. In fact we are using the same keystore that https uses (for the time being).
Finally, after you have set up the sslbisocket service you need to configure the connection factory. This is done again in
We added a new connection factory for SSL:
<mbean code="org.jboss.jms.server.connectionfactory.ConnectionFactory" name="jboss.messaging.connectionfactory:service=SSLConnectionFactory" xmbean-dd="xmdesc/ConnectionFactory-xmbean.xml">
If you want to look up a queue with SSL you need client code like this:
import java.util.Properties;
import javax.jms.Queue;
import javax.jms.QueueConnection;
import javax.jms.QueueConnectionFactory;
import javax.jms.QueueSession;
import javax.naming.InitialContext;

// The client must trust the server certificate: point the JVM at the client truststore
System.setProperty("javax.net.ssl.trustStore", "PATH TO client.truststore HERE");
System.setProperty("javax.net.ssl.trustStorePassword", "PASSWORD HERE");
// JNDI settings for the server (an empty Properties falls back to jndi.properties on the classpath)
Properties initialContextProperties = new Properties();
InitialContext iniCtx = new InitialContext(initialContextProperties);
// USE THIS LINE WITHOUT SSL Object tmp = iniCtx.lookup(
// USE NEXT LINE WITH SSL
Object tmp = iniCtx.lookup("SSLConnectionFactory");
QueueConnectionFactory qcf = (QueueConnectionFactory) tmp;
Queue que = (Queue) iniCtx.lookup("queue/QUEUENAME HERE");
QueueConnection conn = qcf.createQueueConnection();
// USE THE FOLLOWING LINE FOR A QUEUE WITH AUTHENTICATION
// conn = qcf.createQueueConnection(USERNAME HERE, CREDENTIALS HERE);
QueueSession session = conn.createQueueSession(false, QueueSession.AUTO_ACKNOWLEDGE);
As far as firewall ports are concerned, I think you need:
1099 TCP  JNDI  lookup of the JMS queue
1098 TCP  RMI   JNDI port for RMI
4457 TCP  JMS   JMS without SSL
4459 TCP  JMS   JMS with SSL
4444      RMI   RMIObjectPort (basically you need to fix the RMI port to a fixed port instead of a random port to make it work with a firewall)
Thank you very much for your detailed explanations. I've tried a few times in accordance with your guidance and I think it is SSL-configured, because it seems normal in sending a message on "SSLConnectionFactory" and receiving the message by the JMS-Listener, which listens to the queue in the bus from the JMS-Provider with "SSLConnectionFactory".
But I have no idea how to know that the message sending/receiving is under SSL, and no idea whether it has been rightly configured.
I want to describe my configuration for my SSL test here. Sorry for no source code, because of some security reasons in my company.
1. I used the jbossesb-server-4.7 (using jboss-messaging 1.4, I think :~)
2. I copied the remoting-sslbisocket-service.xml from jboss-5.1.0.GA and pasted it into .\jbossesb-server-4.7\server\default\deploy\jboss-messaging.sar\
3. I added the SSLConnectionFactory into the connection-factories-service.xml; the configuration is exactly the same as you gave me.
4. I made the server.keystore, server.cer and client.truststore.
5. I configured the server.keystore in remoting-sslbisocket-service.xml with its location and passwords.
6. I created an esb-service which listens to a queue on the bus offered by the JMS-Provider in SSLConnectionFactory.
7. I wrote a program with the code you gave me for sending a message on SSLConnectionFactory.
Now the action in the esb-service is displaying the message well after sending a message with my program.
But how could I know it is rightly SSL-configured?
It is very kind of you to give the details for the SSL configuration, when I thought my last reply on 2/24 could be the termination :-)
Thank you very much.
I guess your only question is
"Now the action in the esb-service is displaying the message well after sending a message with my program.
But how could I know it is rightly SSL-configured?"
I think in jboss-log4j.xml there is an appender which is called AUDIT. This appender definitely prints out the ssl handshaking for https. I am not sure if it also prints out the ssl handshaking for the ssl bidirectional socket.
Another way you could test that would be with a packet sniffer, for example Ethereal. Try reading the message when using the normal connection factory. Probably you will be able to read something human-readable. Then try the SSLConnectionFactory.
I think if you are using the SSLConnectionFactory you have probably set it up right. If you do not set
System.setProperty("javax.net.ssl.trustStorePassword", "PASSWORD HERE");
and still use the SSLConnectionFactory then the handshaking will fail. That's another way to know that you are using SSL.
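An added example for the packet-sniffer check suggested above (Python, written for this thread; it is not part of JBoss, Ethereal or Wireshark and not code from any poster). Given the first bytes a client sent on a connection, copied out of a capture, it decides whether the connection opened with a TLS ClientHello (the only way an SSL-wrapped Remoting transport can start) or with something else, labels the unencrypted case further when Java's standard serialization marker 0xACED0005 is present, and summarizes which server ports received connections that were definitely unencrypted. The client addresses and byte strings below are constructed; the port numbers are the ones listed earlier in the thread (4457 plain JMS, 4459 JMS with SSL, 1099 JNDI). A capture too short to contain the ClientHello header is reported as undetermined rather than as unencrypted.

```python
"""Tell TLS connections from plaintext ones by their first client bytes.
Added example for this thread; not JBoss, Ethereal or Wireshark code."""
import struct
from typing import Dict, List, Tuple

TLS_HANDSHAKE = 0x16        # TLS record content type: handshake
CLIENT_HELLO = 0x01         # handshake message type
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # start of a java.io.ObjectOutputStream stream


def classify_first_bytes(data: bytes) -> Dict[str, object]:
    """Classify the first bytes a client sent on a connection.

    'encrypted' is True for a TLS ClientHello, False when the connection starts with
    anything else (an SSL-wrapped transport always begins with the handshake), and
    None when the capture is too short to decide.
    """
    if len(data) >= 11:   # record header (5) + handshake header (4) + client_version (2)
        content_type, record_version, record_len = struct.unpack(">BHH", data[:5])
        handshake_type = data[5]
        if (content_type == TLS_HANDSHAKE and record_version in TLS_VERSIONS
                and handshake_type == CLIENT_HELLO and record_len >= 6):
            client_version = struct.unpack(">H", data[9:11])[0]
            return {"encrypted": True, "protocol": "TLS",
                    "version": TLS_VERSIONS.get(client_version, f"0x{client_version:04x}")}
    if JAVA_SERIAL_MAGIC in data:
        return {"encrypted": False, "protocol": "java-serialization", "version": None}
    if len(data) < 11:
        return {"encrypted": None, "protocol": "undetermined", "version": None}
    # Not a handshake and not Java serialization: still unencrypted, just another payload.
    printable = sum(32 <= b < 127 for b in data) / len(data)
    return {"encrypted": False,
            "protocol": "plaintext-text" if printable > 0.6 else "plaintext-binary",
            "version": None}


def build_client_hello(client_version: int) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello (sample data only)."""
    body = (struct.pack(">H", client_version) + b"\x11" * 32   # version + client random
            + b"\x00"                                         # empty session id
            + b"\x00\x02\x00\x2f"                             # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")                                    # null compression only
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack(">HH", 0x0301, len(handshake)) + handshake


def audit_connections(samples: List[Tuple[str, int, bytes]]) -> List[Dict]:
    """Classify (client, server_port, first_bytes) samples taken from a capture."""
    return [{"client": client, "port": port, **classify_first_bytes(first)}
            for client, port, first in samples]


def unencrypted_ports(report: List[Dict]) -> set:
    """Server ports that received at least one connection known to be unencrypted."""
    return {row["port"] for row in report if row["encrypted"] is False}


# Constructed samples: addresses and bytes are made up; the ports are the JBoss defaults
# listed earlier in the thread (4457 plain JMS, 4459 JMS with SSL, 1099 JNDI).
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", 4457, JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x11java.lang.Integer"),
    ("10.0.0.5", 4459, build_client_hello(0x0303)),
    ("10.0.0.9", 1099, JAVA_SERIAL_MAGIC + b"\x77\x04\x00\x00\x00\x01"),
    ("10.0.0.9", 4459, b"\x16\x03"),   # truncated capture: cannot decide
]

if __name__ == "__main__":
    report = audit_connections(SAMPLE_CONNECTIONS)
    for row in report:
        print(row)
    print("unencrypted ports:", sorted(unencrypted_ports(report)))
```

Feed it the first client-to-server bytes of each TCP stream from your capture: if the JMS port you believe is SSL-wrapped shows up in the unencrypted set, the client is not using the SSL connection factory even though messages flow.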
Thanks for your reply.
As you said, my only question is to prove my SSL configuration is right :-) And I will try the method above you gave me to know whether it is rightly SSL-configured.
PS: I am using "System.setProperty(...)" to send messages with SSLConnectionFactory, and it failed without it. So I guess I configured it rightly, but I also have to make my boss trust it...