HTTPS Connector

The HTTPS connector enables OpenJMS clients to connect to the OpenJMS server using secure HTTP.

This is typically used when firewall restrictions prevent the use of the RMI, TCP, and TCPS connectors.

To use the HTTPS connector, the OpenJMS webapp must be deployed on a 2.3 compliant servlet engine. This document assumes that Tomcat 4.1 or higher is being used. In general, the steps are the same for any 2.3 compliant servlet engine.

To configure the HTTPS connector:

  1. Tomcat must be configured to support SSL.
  2. The OpenJMS webapp must be deployed.
  3. Tomcat's public key must be imported into the client keystores.
  4. openjms.xml must be modified.

Configuring Tomcat to support SSL

In order to configure Tomcat to support SSL, see Tomcat's SSL Configuration HOW-TO. This document is also included in Tomcat's binary distribution.

NOTE: when running the keytool command to prepare Tomcat's keystore, you may need to specify the hostname of your webserver (e.g. foo.bar.org) when prompted for "What is your first and last name?", in order to create a working certificate. Clients check that this name matches the host they connect to.

Deploying the OpenJMS webapp on Tomcat

To deploy the OpenJMS webapp on Tomcat, copy $OPENJMS_HOME/lib/openjms-tunnel-0.7.7-beta-1.war to $CATALINA_HOME/webapps/openjms-tunnel.war.

In the above, the variable name $CATALINA_HOME refers to the directory into which you have installed Tomcat.

For further details on deploying webapps on Tomcat, refer to Deployment.

Importing public keys

Tomcat's public key must be imported into each OpenJMS client's certificate keystore, in order for the server to be authenticated by that client.

To export Tomcat's public key, and import it into an OpenJMS client's certificate keystore, enter the following:

Windows

%JAVA_HOME%\bin\keytool -export -rfc -keystore <path-to-tomcat-keystore> \
        -alias tomcat -file tomcat.public-key

%JAVA_HOME%\bin\keytool -import -keystore client.keystore \
        -alias tomcat -file tomcat.public-key

Unix

$JAVA_HOME/bin/keytool -export -rfc -keystore <path-to-tomcat-keystore> \
        -alias tomcat -file tomcat.public-key

$JAVA_HOME/bin/keytool -import -keystore client.keystore \
        -alias tomcat -file tomcat.public-key

The -rfc option applies only to -export (it writes the certificate in printable PEM form); keytool -import does not accept it and reads the exported file as-is. When prompted "Trust this certificate?", compare the displayed fingerprint with the one shown by keytool -list on the Tomcat keystore before answering yes.

In the above, the path-to-tomcat-keystore is the path to the keystore created by Configuring Tomcat to support SSL.
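The following check, added here as an example rather than code from the OpenJMS project, confirms that client.keystore produced above is sufficient for a client to trust the Tomcat instance hosting the tunnel. It assumes a Java 5 or later JVM, the keystore in the current directory, and the tunnel URL and keystore password supplied on the command line (the exact tunnel URL is a placeholder).

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/** Verifies that client.keystore trusts the Tomcat certificate behind the OpenJMS tunnel. */
public class TunnelTrustCheck {

    /** Builds an SSLContext whose only trust anchors are the certificates in the given keystore. */
    static SSLContext contextFor(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(keystorePath);
        try {
            ks.load(in, password);          // password chosen during keytool -import
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                        // trust only what was imported, not the JVM's cacerts
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            // Assumed usage; the tunnel URL below is a placeholder, not a documented path.
            System.err.println("usage: TunnelTrustCheck https://foo.bar.org:8443/openjms-tunnel/ <keystore-password>");
            System.exit(2);
        }
        SSLContext ctx = contextFor("client.keystore", args[1].toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default hostname verifier is kept: the name given to keytool when
        // Tomcat's keystore was created must match the host in the URL.
        try {
            conn.connect();
            System.out.println("Trusted: " + conn.getPeerPrincipal() + " -> HTTP " + conn.getResponseCode());
        } catch (SSLHandshakeException e) {
            System.out.println("Rejected: certificate not in client.keystore: " + e.getMessage());
            System.exit(1);
        } catch (IOException e) {
            System.out.println("Rejected: hostname/URL problem: " + e.getMessage());
            System.exit(1);
        } finally {
            conn.disconnect();
        }
    }
}
```

Running it against a server whose certificate was not imported reproduces the failure a misconfigured OpenJMS client would see, while a success line confirms step 3 is complete for that client.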

Configuring openjms.xml

In order to activate the HTTPS connector, a <Connector> element needs to be added to the <Connectors> section of the $OPENJMS_HOME/config/openjms.xml file, with a scheme of type "https", e.g.:

  <Connectors>
    <Connector scheme="https">
      <ConnectionFactories>
        <ConnectionFactory name="HTTPSConnectionFactory"/>
      </ConnectionFactories>
    </Connector>
  </Connectors>

Known Issues - Tomcat 4.1.27

Using the HTTPS connector with Tomcat 4.1.27, Tomcat logs [WARN] messages for each request, e.g:

[WARN] Http11Processor - -Exception getting SSL attributes
<javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
...

This is a bug in 4.1.27 which is reported to be fixed in the 4.1.28 release.

See Also

The following references provide detailed descriptions of the configuration elements related to the HTTPS connector: