The HTTPS connector enables OpenJMS clients to connect to the OpenJMS server using secure HTTP.
This is typically used when firewall restrictions prevent the use of the RMI, TCP, and TCPS connectors.
To use the HTTPS connector, the OpenJMS webapp must be deployed on a 2.3 compliant servlet engine. This document assumes that Tomcat 4.1 or higher is being used. In general, the steps are the same for any 2.3 compliant servlet engine.
To configure the HTTPS connector:
In order to configure Tomcat to support SSL, see Tomcat's SSL Configuration HOW-TO. This document is also included in Tomcat's binary distribution.
NOTE: when running the keytool command to prepare Tomcat's keystore, you may need to specify the hostname of your webserver (e.g. foo.bar.org) when prompted for "What is your first and last name?", in order to create a working Certificate.
To deploy the OpenJMS webapp on Tomcat, copy $OPENJMS_HOME/lib/openjms-tunnel-0.7.7-beta-1.war to $CATALINA_HOME/webapps/openjms-tunnel.war.
In the above, the variable name $CATALINA_HOME refers to the directory into which you have installed Tomcat.
For further details on deploying webapps on Tomcat, refer to Deployment
Tomcat's public key must be imported into each OpenJMS clients' certificate keystore, in order for it to be authenticated.
To export Tomcat's public key, and import it into an OpenJMS client's certificate keystore, enter the following:
%JAVA_HOME%\bin\keytool -export -rfc -keystore <path-to-tomcat-keystore> \ -alias tomcat -file tomcat.public-key %JAVA_HOME%\bin\keytool -import -rfc -keystore client.keystore \ -alias tomcat -file tomcat.public-key
$JAVA_HOME/bin/keytool -export -rfc -keystore <path-to-tomcat-keystore> \ -alias tomcat -file tomcat.public-key $JAVA_HOME/bin/keytool -import -rfc -keystore client.keystore \ -alias tomcat -file tomcat.public-key
In the above, the path-to-tomcat-keystore is the path to the keystore created by Configuring Tomcat to support SSL.
In order to activate the HTTPS connector, a <Connector> element needs to be added to <Connectors> section of the $OPENJMS_HOME/config/openjms.xml file, with a scheme of type "https". E.g:
<Connectors> <Connector scheme="https"> <ConnectionFactories> <ConnectionFactory name="HTTPSConnectionFactory"/> </ConnectionFactories> </Connector> </Connectors>
Using the HTTPS connector with Tomcat 4.1.27, Tomcat logs [WARN] messages for each request, e.g:
[WARN] Http11Processor - -Exception getting SSL attributes <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated<javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated ...
This is a bug in 4.1.27 which is reported to be fixed in the 4.1.28 release.