Created
January 29, 2017 18:58
-
-
Save monodot/ccffa025b858b2aa3a6690c23958b721 to your computer and use it in GitHub Desktop.
Enforce SSL on an A-MQ standalone broker, with Jasypt-encrypted keystore/truststore passwords
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # FIRST! | |
| # Make sure Jasypt is installed first in the Karaf container before continuing | |
| # features:install jasypt-encryption | |
| # Update these vars as per the environment | |
| MASTER_PASS=masterpass | |
| KEYSTORE_PASS=password | |
| TRUSTSTORE_PASS=password | |
| # ------ | |
| cd $AMQ_HOME | |
| # Use the demo keystore and truststore shipped with ActiveMQ | |
| unzip -j extras/apache-activemq-5.11.0.redhat-630187-bin.zip apache-activemq-5.11.0.redhat-630187/conf/broker.ks apache-activemq-5.11.0.redhat-630187/conf/broker.ts -d etc/ | |
| # Replace openwire with SSL | |
| sed -i -e 's|name="openwire" uri="tcp://0.0.0.0:0?maximumConnections=1000\&wireFormat.maxFrameSize=104857600"|name="ssl" uri="ssl://0.0.0.0:61617?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2\&maximumConnections=1000"|' etc/activemq.xml | |
| # Add sslContext to activemq.xml | |
| sed -i -e 's|</broker>| <sslContext> \ | |
| <sslContext \ | |
| keyStore="${karaf.base}/etc/broker.ks" \ | |
| keyStorePassword="${keystore.password}" \ | |
| trustStore="${karaf.base}/etc/broker.ts" \ | |
| trustStorePassword="${truststore.password}" \ | |
| /> \ | |
| </sslContext> \ | |
| </broker>|' etc/activemq.xml | |
| # Add lovely Jasypt stuff | |
| cat etc/activemq.xml | tr '\n' '\f' | sed -e 's|<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">\f <property name="properties">\f <bean class="io.fabric8.mq.fabric.ConfigurationProperties"/>\f </property>\f </bean>|<bean id="environmentVariablesConfiguration" class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig"> \ | |
| <property name="algorithm" value="PBEWithMD5AndDES" /> \ | |
| <property name="passwordEnvName" value="JASYPT_ENCRYPTION_PASSWORD" /> \ | |
| </bean> \ | |
| <bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor"> \ | |
| <property name="config" ref="environmentVariablesConfiguration" /> \ | |
| </bean> \ | |
| <bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer"> \ | |
| <constructor-arg ref="configurationEncryptor" /> \ | |
| <property name="location" value="file:${karaf.base}/etc/credentials-enc.properties"/> \ | |
| <property name="properties"> \ | |
| <bean class="io.fabric8.mq.fabric.ConfigurationProperties"/> \ | |
| </property> \ | |
| </bean>|' | tr '\f' '\n' > etc/activemq.xml | |
| # Encrypt keystore/truststore pass and add to properties file | |
| KEYSTORE_PASS_ENC=$(./extras/jasypt/bin/encrypt.sh input="$KEYSTORE_PASS" algorithm=PBEWithMD5AndDES password=$MASTER_PASS verbose=false) | |
| TRUSTSTORE_PASS_ENC=$(./extras/jasypt/bin/encrypt.sh input="$TRUSTSTORE_PASS" algorithm=PBEWithMD5AndDES password=$MASTER_PASS verbose=false) | |
| cat << EOF > etc/credentials-enc.properties | |
| keystore.password=ENC($KEYSTORE_PASS_ENC) | |
| truststore.password=ENC($TRUSTSTORE_PASS_ENC) | |
| EOF | |
| export JASYPT_ENCRYPTION_PASSWORD=$MASTER_PASS | |
| ./bin/amq | |
| # (Optional) use openssl to debug the connection | |
| openssl s_client -connect localhost:61617 -no_ssl2 -debug | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment