Downloading and installing JSSE

You can skip this step if you are running JDK 1.4 or higher, as JSSE is included in the JDK.

Download the Java Secure Socket Extensions (JSSE) package, version 1.0.2 or later, from http://java.sun.com/products/jsse/.

After extracting JSSE, choose one of the following ways to make it available to OpenJMS:

  • Make JSSE an installed extension by copying all three JAR files (jcert.jar, jnet.jar, and jsse.jar) to the $JAVA_HOME/jre/lib/ext directory.
  • Create a new environment variable, JSSE_HOME, that contains the absolute path to the directory where the JSSE binary distribution is installed (see Configuring the OpenJMS environment, below).

Creating the OpenJMS server certificate keystore

To create the OpenJMS server certificate keystore, enter the following:

Windows:

cd %OPENJMS_HOME%\config
%JAVA_HOME%\bin\keytool -genkey -alias openjms -keyalg RSA -keystore openjms.keystore
        

Unix:

cd $OPENJMS_HOME/config
$JAVA_HOME/bin/keytool -genkey -alias openjms -keyalg RSA -keystore openjms.keystore
        

After executing the command, you will first be prompted for the keystore password. The default password used by OpenJMS is "openjms", although you can enter any password you like. The keystore password needs to be specified in the OpenJMS environment, as described in the following section.

Configuring the OpenJMS environment

To configure the OpenJMS environment on Windows, edit the %OPENJMS_HOME%\bin\setenv.bat batch file, and add the following:

rem The following line is optional, and is only required if JDK 1.2 or JDK 1.3 
rem is being used, and JSSE wasn't installed as an extension
set JSSE_HOME=<insert JSSE directory path here>

rem Configure the keystore
set JAVA_OPTS=-Djavax.net.ssl.trustStore=%OPENJMS_HOME%\config\openjms.keystore
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStore=%OPENJMS_HOME%\config\openjms.keystore 
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStorePassword=openjms
        

To configure the OpenJMS environment on Unix, edit the $OPENJMS_HOME/bin/setenv.sh script, and add the following:

# The following line is optional, and is only required if JDK 1.2 or JDK 1.3 
# is being used, and JSSE wasn't installed as an extension
JSSE_HOME=<insert JSSE directory path here>

# Configure the keystore
# (quoted so that all three options belong to the one assignment)
JAVA_OPTS="-Djavax.net.ssl.trustStore=$OPENJMS_HOME/config/openjms.keystore \
          -Djavax.net.ssl.keyStore=$OPENJMS_HOME/config/openjms.keystore \
          -Djavax.net.ssl.keyStorePassword=openjms"
        

Creating OpenJMS client certificate keystores

To create certificate keystores for OpenJMS clients enter the following:

Windows:

%JAVA_HOME%\bin\keytool -genkey -alias client -keyalg RSA -keystore client.keystore
        

Unix:

$JAVA_HOME/bin/keytool -genkey -alias client -keyalg RSA -keystore client.keystore
        

After executing the command, you will first be prompted for the keystore password. You can enter any password you like - this password needs to be specified by clients.

Importing public keys

In order for OpenJMS clients to authenticate themselves with the OpenJMS server, their public keys need to be imported into the OpenJMS server's certificate keystore, and vice versa.

To export a client's public key, and import it into the OpenJMS server's certificate keystore, enter the following:

Windows:

%JAVA_HOME%\bin\keytool -export -rfc -keystore client.keystore ^
        -alias client -file client.public-key

%JAVA_HOME%\bin\keytool -import -rfc -keystore openjms.keystore ^
        -alias client -file client.public-key
        

Unix:

$JAVA_HOME/bin/keytool -export -rfc -keystore client.keystore \
        -alias client -file client.public-key

$JAVA_HOME/bin/keytool -import -rfc -keystore openjms.keystore \
        -alias client -file client.public-key
        

To export the OpenJMS server's public key, and import it into a client's certificate keystore, enter the following:

Windows:

%JAVA_HOME%\bin\keytool -export -rfc -keystore openjms.keystore ^
       -alias openjms -file openjms.public-key

%JAVA_HOME%\bin\keytool -import -rfc -keystore client.keystore ^
       -alias openjms -file openjms.public-key
        

Unix:

$JAVA_HOME/bin/keytool -export -rfc -keystore openjms.keystore \
       -alias openjms -file openjms.public-key

$JAVA_HOME/bin/keytool -import -rfc -keystore client.keystore \
       -alias openjms -file openjms.public-key
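
When keytool imports a certificate it asks whether to trust it; that answer is only meaningful if the fingerprint has been compared with the one the certificate's owner reads from their own keystore. The following is an added example, not part of the OpenJMS documentation: shell functions (their names and arguments are assumptions) that import a certificate only when its SHA-256 fingerprint matches an expected value, using the keystore names and aliases from the steps above.

```shell
#!/bin/sh
# Added example (not OpenJMS code). Keystore names and aliases follow the page;
# function names and arguments are assumptions made for this example.
# Note: -storepass on the command line is visible in the process list.

# Print the SHA-256 fingerprint of the certificate read from stdin.
fp_stdin() {
  keytool -printcert 2>/dev/null | sed -n 's/^[[:space:]]*SHA256: *//p'
}

# Fingerprint of the certificate stored under ALIAS in KEYSTORE.
# usage: fp_alias KEYSTORE STOREPASS ALIAS
fp_alias() {
  keytool -export -rfc -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
    fp_stdin
}

# Import CERTFILE under ALIAS only if its fingerprint equals EXPECTED, the
# value the certificate's owner read from their own keystore with fp_alias
# and passed on over a channel other than the one that carried CERTFILE.
# usage: import_pinned KEYSTORE STOREPASS ALIAS CERTFILE EXPECTED
import_pinned() {
  actual=$(fp_stdin < "$4")
  if [ -z "$actual" ] || [ "$actual" != "$5" ]; then
    echo "refusing $4: fingerprint '$actual' does not match '$5'" >&2
    return 1
  fi
  keytool -import -noprompt -keystore "$1" -storepass "$2" \
          -alias "$3" -file "$4" >/dev/null 2>&1 || return 1
  # Re-read the entry to confirm what was actually stored.
  [ "$(fp_alias "$1" "$2" "$3")" = "$5" ]
}

# Example, run in $OPENJMS_HOME/config after the export step above:
#   pin=$(fp_alias client.keystore "$CLIENT_PASS" client)      # on the client
#   import_pinned openjms.keystore "$SERVER_PASS" client client.public-key "$pin"
```

The same functions cover the reverse direction by swapping the keystores and using the openjms alias and openjms.public-key.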
        

Configuring openjms.xml

To activate the TCPS connector, a <Connector> element with a scheme of "tcps" needs to be added to the <Connectors> section of the $OPENJMS_HOME/config/openjms.xml file. For example:

  <Connectors>
    <Connector scheme="tcps">
      <ConnectionFactories>
        <QueueConnectionFactory name="TCPSQueueConnectionFactory"/>
        <TopicConnectionFactory name="TCPSTopicConnectionFactory"/>
      </ConnectionFactories>
    </Connector>
  </Connectors>
        
        

TCPS ports

The TCPS connector uses two ports, one for the OpenJMS server, the other for the embedded JNDI provider. These are specified by the <TcpsConfiguration> element. The following represents the default configuration:

  <TcpsConfiguration port="3031" jndiPort="3035"/>
        
        

See Also

The following references provide detailed descriptions of the configuration elements related to the TCPS connector: