TCPS Connector

The TCPS connector enables OpenJMS clients to connect to the OpenJMS server using SSL (Secure Sockets Layer). To use the TCPS connector:

Downloading and installing JSSE

You can skip this step if you are running JDK 1.4 or higher, as JSSE is included in the JDK. Download the Java Secure Socket Extension (JSSE) package, version 1.0.2 or later, from http://java.sun.com/products/jsse/. After extracting JSSE, choose one of the following ways to make it available to OpenJMS:

Creating the OpenJMS server certificate keystore

To create the OpenJMS server certificate keystore, enter the following:

Windows:

    cd %OPENJMS_HOME%\config
    %JAVA_HOME%\bin\keytool -genkey -alias openjms -keyalg RSA -keystore openjms.keystore

Unix:

    cd $OPENJMS_HOME/config
    $JAVA_HOME/bin/keytool -genkey -alias openjms -keyalg RSA -keystore openjms.keystore

After executing the command, you will first be prompted for the keystore password. The default password used by OpenJMS is "openjms", although you can enter any password you like. The keystore password needs to be specified in the OpenJMS environment, described in the following section.

Configuring the OpenJMS environment

To configure the OpenJMS environment on Windows, edit the %OPENJMS_HOME%\bin\setenv.bat batch file, and add the following:

    rem The following line is optional, and is only required if JDK 1.2 or JDK 1.3
    rem is being used, and JSSE wasn't installed as an extension
    set JSSE_HOME=<insert JSSE directory path here>

    rem Configure the keystore
    rem keyStorePassword must match the keystore password chosen above
    set JAVA_OPTS=-Djavax.net.ssl.trustStore=%OPENJMS_HOME%\config\openjms.keystore
    set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStore=%OPENJMS_HOME%\config\openjms.keystore
    set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStorePassword=openjms

To configure the OpenJMS environment on Unix, edit the $OPENJMS_HOME/bin/setenv.sh script, and add the following:

    # The following line is optional, and is only required if JDK 1.2 or JDK 1.3
    # is being used, and JSSE wasn't installed as an extension
    JSSE_HOME=<insert JSSE directory path here>

    # Configure the keystore
    # keyStorePassword must match the keystore password chosen above.
    # The value is quoted so that all three options end up in JAVA_OPTS.
    JAVA_OPTS="-Djavax.net.ssl.trustStore=$OPENJMS_HOME/config/openjms.keystore \
      -Djavax.net.ssl.keyStore=$OPENJMS_HOME/config/openjms.keystore \
      -Djavax.net.ssl.keyStorePassword=openjms"

Creating OpenJMS client certificate keystores

To create certificate keystores for OpenJMS clients, enter the following:

Windows:

    %JAVA_HOME%\bin\keytool -genkey -alias client -keyalg RSA -keystore client.keystore

Unix:

    $JAVA_HOME/bin/keytool -genkey -alias client -keyalg RSA -keystore client.keystore

After executing the command, you will first be prompted for the keystore password. You can enter any password you like; this password needs to be specified by clients.

Importing public keys

In order for OpenJMS clients to authenticate themselves with the OpenJMS server, their public keys need to be imported into the OpenJMS server's certificate keystore, and vice versa.

To export a client's public key, and import it into the OpenJMS server's certificate keystore, enter the following:

Windows (^ is the cmd.exe line-continuation character):

    %JAVA_HOME%\bin\keytool -export -rfc -keystore client.keystore ^
      -alias client -file client.public-key
    %JAVA_HOME%\bin\keytool -import -rfc -keystore openjms.keystore ^
      -alias client -file client.public-key

Unix:

    $JAVA_HOME/bin/keytool -export -rfc -keystore client.keystore \
      -alias client -file client.public-key
    $JAVA_HOME/bin/keytool -import -rfc -keystore openjms.keystore \
      -alias client -file client.public-key

To export the OpenJMS server's public key, and import it into a client's certificate keystore, enter the following:

Windows:

    %JAVA_HOME%\bin\keytool -export -rfc -keystore openjms.keystore ^
      -alias openjms -file openjms.public-key
    %JAVA_HOME%\bin\keytool -import -rfc -keystore client.keystore ^
      -alias openjms -file openjms.public-key

Unix:

    $JAVA_HOME/bin/keytool -export -rfc -keystore openjms.keystore \
      -alias openjms -file openjms.public-key
    $JAVA_HOME/bin/keytool -import -rfc -keystore client.keystore \
      -alias openjms -file openjms.public-key

Configuring openjms.xml

In order to activate the TCPS connector, a <Connector> element needs to be added to the <Connectors> section of the $OPENJMS_HOME/config/openjms.xml file, with a scheme of type "tcps".
For example:

    <Connectors>
      <Connector scheme="tcps">
        <ConnectionFactories>
          <QueueConnectionFactory name="TCPSQueueConnectionFactory"/>
          <TopicConnectionFactory name="TCPSTopicConnectionFactory"/>
        </ConnectionFactories>
      </Connector>
    </Connectors>

TCPS ports

The TCPS connector uses two ports, one for the OpenJMS server, the other for the embedded JNDI provider. These are specified by the <TcpsConfiguration> element. The following represents the default configuration:

    <TcpsConfiguration port="3031" jndiPort="3035"/>

See Also

The following references provide detailed descriptions of the configuration elements related to the TCPS connector:
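
The keystore steps above (creating the server and client keystores, then importing each side's public key into the other), run non-interactively and checked afterwards, as an added example that is not part of the OpenJMS documentation. The function names, the SERVER_PASS and CLIENT_PASS environment variables and the -dname values are assumptions; it expects keytool from JDK 7 or later on the PATH.

```shell
#!/bin/sh
# Added example, not from the OpenJMS documentation. Function names, the
# SERVER_PASS/CLIENT_PASS variables and the -dname values are assumptions.
# Passwords are passed with keytool's ":env" modifier (JDK 7 or later) so
# they do not appear on the command line or in the process list.
set -eu

# make_keystore <file> <alias> <password-env-var> <dname>
make_keystore() {
    keytool -genkey -alias "$2" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "$4" -keystore "$1" -storepass:env "$3" -keypass:env "$3"
}

# trust_cert <from-store> <from-pass-env> <alias> <to-store> <to-pass-env>
# Exports <alias>'s certificate (public key only, never the private key)
# and imports it as a trusted entry into the other keystore.
trust_cert() {
    keytool -export -rfc -alias "$3" -keystore "$1" -storepass:env "$2" \
        -file "$3.public-key"
    keytool -import -noprompt -alias "$3" -keystore "$4" -storepass:env "$5" \
        -file "$3.public-key"
}

# entry_type <store> <pass-env> <alias>
# Prints PrivateKeyEntry (own key pair) or trustedCertEntry (peer's cert).
entry_type() {
    keytool -list -alias "$3" -keystore "$1" -storepass:env "$2" |
        grep -o -E 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# setup_tcps_keystores <dir>
# Builds openjms.keystore and client.keystore so that each trusts the other.
setup_tcps_keystores() (
    cd "$1"
    make_keystore openjms.keystore openjms SERVER_PASS "CN=openjms-server"
    make_keystore client.keystore client CLIENT_PASS "CN=openjms-client"
    trust_cert client.keystore CLIENT_PASS client openjms.keystore SERVER_PASS
    trust_cert openjms.keystore SERVER_PASS openjms client.keystore CLIENT_PASS
    rm -f client.public-key openjms.public-key
)

# Runs only when OPENJMS_HOME is set; SERVER_PASS and CLIENT_PASS must be
# exported beforehand. The final line should print trustedCertEntry.
if [ -n "${OPENJMS_HOME:-}" ]; then
    setup_tcps_keystores "$OPENJMS_HOME/config"
    entry_type "$OPENJMS_HOME/config/openjms.keystore" SERVER_PASS client
fi
```

The value exported as SERVER_PASS is the one to set in javax.net.ssl.keyStorePassword in setenv.bat or setenv.sh.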