Connect to an AMQP 1.0 Broker
This topic describes how to configure the Layer7 API Gateway to connect to an AMQP 1.0 Broker as a Generic JMS provider (for example, Apache ActiveMQ).
Prerequisites
- AMQP 1.0 Broker is configured (for the supported versions of Apache ActiveMQ, see Requirements and Compatibility)
- Keystore and trust store files are generated and downloaded
- You have access to the Policy Manager
- You have downloaded and decompressed the Qpid JMS (AMQP 1.0) client tarball file from https://qpid.apache.org/download.html. The integration was tested using the apache-qpid-jms-0.20.0-bin.tar.gz file. Later versions of this file should be compatible, but are untested. Contact CA Support if you encounter issues. The following files are used in the configuration:
  - geronimo-jms_2.0_spec-1.0-alpha-2.jar
  - netty-buffer-4.1.6.Final.jar
  - netty-codec-4.1.6.Final.jar
  - netty-common-4.1.6.Final.jar
  - netty-handler-4.1.6.Final.jar
  - netty-transport-4.1.6.Final.jar
  - proton-j-0.16.0.jar
  - qpid-jms-client-0.20.0.jar
  - qpid-jms-discovery-0.20.0.jar
  - slf4j-api-1.7.22.jar
- JMS Templates are not supported for JMS with an AMQP 1.0 Broker. Reason: The JNDI URL is left empty in the JMS destination for AMQP 1.0.
- The SSL configuration cannot be applied if you use a Hardware Security Module. Reason: You are not able to export private keys from the Gateway.
Step 1: Set Up the Gateway for AMQP 1.0 Broker
To set up the Gateway for AMQP 1.0 Broker:
- Open a Gateway main menu.
- Stop the Gateway:
  # service ssg stop
- Copy all the .jar files listed under "Prerequisites" to the following location on the Gateway:
  /opt/SecureSpan/Gateway/runtime/lib/ext
- Set permission and ownership (the chown command names the same proton-j jar as the chmod command):
  # chmod 444 geronimo-jms_<version>.jar netty-*.jar proton-j-<version>.jar qpid-jms-client-<version>.jar qpid-jms-discovery-<version>.jar slf4j-api-<version>.jar
  # chown layer7:layer7 geronimo-jms_<version>.jar netty-*.jar proton-j-<version>.jar qpid-jms-client-<version>.jar qpid-jms-discovery-<version>.jar slf4j-api-<version>.jar
- Restart the Gateway:
  # service ssg start
Step 4: Register the JMS Destinations
The final step is to use the Policy Manager to register the JMS destinations.
To register a JMS destination:
- Run the Manage JMS Destinations task.
- Click Add to create a new JMS Destination.
- Complete the JMS Destination Properties as follows:
  [Basics] tab:
  - Name: Enter a name for the new JMS destination.
  - Direction: Select a direction.
  - Provider Type: Generic JMS
  [JNDI] tab:
  - Initial Context Factory class name: org.apache.qpid.jms.jndi.JmsInitialContextFactory
  - JNDI URI: Enter a single space character. This field is not used, but an entry is required to save or test the connection.
  - Credentials are required to connect to JNDI: Set as appropriate.
  - Additional Properties:
    To define a Connection Factory, use the format:
    - Name: connectionfactory.<MyFactoryName>
    - Value: <URI>
    Example 1: Non-SSL URI:
    amqp://<message_broker>:5672
    Example 2: SSL URI:
    amqps://<message_broker>:5671?transport.trustStoreLocation=/opt/SecureSpan/Gateway/runtime/modules/conf/qpid/qpidclient-truststore.jks&transport.trustStorePassword=<password>
    Example 3: SSL Mutual URI:
    amqps://<message_broker>:5671?transport.keyStoreLocation=/opt/SecureSpan/Gateway/runtime/modules/conf/qpid/qpidclient-keystore.jks&transport.keyStorePassword=<password>&transport.trustStoreLocation=/opt/SecureSpan/Gateway/runtime/modules/conf/qpid/qpidclient-truststore.jks&transport.trustStorePassword=<password>
    To define a Queue, use the format:
    - Name: queue.<MyQueue>
    - Value: <queueName>
  [Destination] tab:
  - Destination Type: Queue
  - Connection Factory Name: Enter the <MyFactoryName> value that is used to create a connection with the JMS provider. This name must match the Connection Factory name that is entered in the Additional Properties table in the [JNDI] tab. For example, if you enter "myFactoryLookup" here, there must be a corresponding "connectionfactory.myFactoryLookup" entry in the [JNDI] tab.
  - Destination Name: Enter the <MyQueue> value of the queue to use in the AMQP broker. This name must match what is entered in the Additional Properties table in the [JNDI] tab. For example, if you enter "myQueueLookup" here, there must be a corresponding "queue.myQueueLookup" entry in the [JNDI] tab.
  - Credentials are required to connect to this Destination: Set as appropriate.
  [Inbound Options] tab: Set as appropriate.
  [Outbound Options] tab: Set as appropriate.
- Click [Test Settings] to validate your settings. The Gateway attempts to connect to the JMS destination and then displays the results.
- After a successful test, click [Save] to register the JMS destination on the Gateway.
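The [Destination] tab rules above (Connection Factory Name must have a matching connectionfactory.<name> entry, Destination Name a matching queue.<name> entry) are easy to get wrong by hand. The following script is an added example, not part of the Layer7 documentation or the Qpid project: it takes the [JNDI] tab's Additional Properties written out as a Java properties file (key = value, the form the Qpid JNDI context reads), checks both lookups, and classifies the factory URI as one of the three forms shown in Step 4. The sample properties file, the broker hostname, the queue name and the password value are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Layer7 documentation: a consistency check for
# the Step 4 entries. It reads the [JNDI] Additional Properties as Java
# properties (key = value) and confirms that the Connection Factory Name and
# Destination Name typed into the [Destination] tab have the matching
# connectionfactory.<name> and queue.<name> entries.

# lookup_prop FILE KEY: print the value of KEY (dots in KEY are literal);
# fail if the key is absent. '#' comment lines never match.
lookup_prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | grep .
}

# classify_uri URI: print which of the three Step 4 URI forms this is.
# Returns 1 for an amqps:// URI that names no trust store (Example 2 and 3
# both do), and for a scheme other than amqp:// or amqps://.
classify_uri() {
    case $1 in
        amqps://*transport.keyStoreLocation=*) echo mutual-tls ;;
        amqps://*transport.trustStoreLocation=*) echo tls ;;
        amqps://*) echo tls-without-truststore; return 1 ;;
        amqp://*) echo plain ;;
        *) echo unknown-scheme; return 1 ;;
    esac
}

# check_destination FILE FACTORY QUEUE: FACTORY and QUEUE are the values typed
# into the [Destination] tab. Prints each problem; returns the problem count.
check_destination() {
    file=$1 factory=$2 queue=$3 problems=0
    if uri=$(lookup_prop "$file" "connectionfactory.$factory"); then
        if kind=$(classify_uri "$uri"); then
            echo "connectionfactory.$factory: $kind"
        else
            echo "connectionfactory.$factory: $kind ($uri)"
            problems=$((problems + 1))
        fi
    else
        echo "no connectionfactory.$factory entry for Connection Factory Name '$factory'"
        problems=$((problems + 1))
    fi
    if name=$(lookup_prop "$file" "queue.$queue"); then
        echo "queue.$queue -> broker queue '$name'"
    else
        echo "no queue.$queue entry for Destination Name '$queue'"
        problems=$((problems + 1))
    fi
    return $problems
}

# write_sample_props: write a constructed Additional Properties file (not a
# real deployment; hostname, queue and password are placeholders) and print
# its path.
write_sample_props() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample of the [JNDI] tab Additional Properties
connectionfactory.myFactoryLookup = amqps://broker.example.internal:5671?transport.trustStoreLocation=/opt/SecureSpan/Gateway/runtime/modules/conf/qpid/qpidclient-truststore.jks&transport.trustStorePassword=EXAMPLE_PASSWORD
connectionfactory.plainFactory = amqp://broker.example.internal:5672
connectionfactory.looseFactory = amqps://broker.example.internal:5671
queue.myQueueLookup = orders
EOF
    echo "$f"
}

# Demo run against the constructed sample: ./check_jndi.sh --demo
if [ "${1:-}" = "--demo" ]; then
    props=$(write_sample_props)
    check_destination "$props" myFactoryLookup myQueueLookup
    rm -f "$props"
fi
```

Run it with the factory and queue names you intend to type into the [Destination] tab before clicking [Test Settings]; a non-zero exit means the lookup would fail in the Gateway for the same reason the test would report.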
Step 3: Configure SSL or Mutual Authentication on the Gateway
To configure SSL or mutual authentication on the Gateway:
- Create the following directory on the Gateway:
  /opt/SecureSpan/Gateway/runtime/modules/conf/qpid
- Set permission and ownership for the newly created directory:
  # chown layer7:layer7 /opt/SecureSpan/Gateway/runtime/modules/conf/qpid
  # chmod 755 /opt/SecureSpan/Gateway/runtime/modules/conf/qpid
- Copy the client keystore and trustStore files (*.jks) to the directory created above. Tip: The client keystore is required only for mutual authentication.
- The keystore should contain the client private key. To import the client private key to the client keystore, use this Java keytool command:
  # keytool -v -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -destkeystore qpidclient-keystore.jks -deststoretype JKS
- The trustStore should contain the broker server certificate. To import the broker certificate to the client trustStore, use this Java keytool command (keytool -import takes -storetype, not -deststoretype):
  # keytool -import -trustcacerts -alias "broker" -file broker.cer -keystore qpidclient-truststore.jks -storetype JKS
- Set permission and ownership for the copied files:
  # chown layer7:layer7 /opt/SecureSpan/Gateway/runtime/modules/conf/qpid/*.jks
  # chmod 644 /opt/SecureSpan/Gateway/runtime/modules/conf/qpid/*.jks
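Step 1 and Step 3 both end with chown/chmod commands whose exact values matter: a jar that the Gateway cannot read is silently absent from the classpath, and a world-writable keystore directory lets any local account swap the trust store. The script below is an added example, not part of the Layer7 documentation: it checks that every jar named under Prerequisites is present in lib/ext with mode 444, that the qpid directory is 755 and its .jks files are 644, and that everything is owned by the expected user and group. It assumes GNU stat (Linux); the directory and owner arguments exist so the same checks can run against a staging copy, which is what the constructed test below does.

```shell
#!/bin/sh
# Added example, not part of the Layer7 documentation: a post-install check for
# Step 1 (client jars in lib/ext must be mode 444, owned by layer7:layer7) and
# Step 3 (the qpid directory must be 755 and its .jks files 644, same owner).
# Assumes GNU stat (Linux). Paths default to the ones the procedure uses.

EXT_LIB=/opt/SecureSpan/Gateway/runtime/lib/ext
QPID_CONF=/opt/SecureSpan/Gateway/runtime/modules/conf/qpid

# One glob per jar named under Prerequisites (versions vary between tarballs).
REQUIRED_JARS="geronimo-jms_*.jar netty-buffer-*.jar netty-codec-*.jar netty-common-*.jar netty-handler-*.jar netty-transport-*.jar proton-j-*.jar qpid-jms-client-*.jar qpid-jms-discovery-*.jar slf4j-api-*.jar"

# check_mode PATH OCTAL: succeed if the permission bits equal OCTAL (e.g. 444).
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2" ]
}

# check_owner PATH USER GROUP: succeed if owner and group match.
check_owner() {
    actual=$(stat -c '%U:%G' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2:$3" ]
}

# missing_jars LIBDIR: print each required jar that has no match in LIBDIR;
# the return value is the number missing (0 means Step 1 copied everything).
missing_jars() {
    libdir=$1 missing=0
    for pat in $REQUIRED_JARS; do
        found=0
        for f in "$libdir"/$pat; do
            [ -e "$f" ] && found=1
        done
        [ "$found" -eq 1 ] || { echo "missing: $libdir/$pat"; missing=$((missing + 1)); }
    done
    return $missing
}

# verify_tree LIBDIR CONFDIR USER GROUP: apply the Step 1 and Step 3 mode and
# ownership rules; print each violation and return how many were found.
verify_tree() {
    libdir=$1 confdir=$2 user=$3 group=$4 problems=0
    for jar in "$libdir"/*.jar; do
        [ -e "$jar" ] || continue
        check_mode "$jar" 444 || { echo "expected mode 444: $jar"; problems=$((problems + 1)); }
        check_owner "$jar" "$user" "$group" || { echo "expected owner $user:$group: $jar"; problems=$((problems + 1)); }
    done
    check_mode "$confdir" 755 || { echo "expected mode 755: $confdir"; problems=$((problems + 1)); }
    check_owner "$confdir" "$user" "$group" || { echo "expected owner $user:$group: $confdir"; problems=$((problems + 1)); }
    for jks in "$confdir"/*.jks; do
        [ -e "$jks" ] || continue
        check_mode "$jks" 644 || { echo "expected mode 644: $jks"; problems=$((problems + 1)); }
        check_owner "$jks" "$user" "$group" || { echo "expected owner $user:$group: $jks"; problems=$((problems + 1)); }
    done
    return $problems
}

# Run against the live Gateway paths only when asked: ./check_install.sh --run
if [ "${1:-}" = "--run" ]; then
    missing_jars "$EXT_LIB"
    verify_tree "$EXT_LIB" "$QPID_CONF" layer7 layer7
fi
```

Run it on the Gateway after Step 3 and before restarting; both functions return the number of findings, so a zero exit from each means the file layout matches what the two steps prescribe.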
The configuration is now complete. The Layer7 API Gateway can now connect to an AMQP 1.0 Broker as a Generic JMS provider.
Troubleshooting
The Gateway displays errors similar to the following messages and fails to connect to the AMQP 1.0 Broker:
Failed to create connection to: amqps://<message_broker>:5671?transport.trustStoreLocation=client.ts&transport.trustStorePassword=<password>, caused by General SSLEngine problem, caused by General SSLEngine problem, caused by No name matching <message_broker> found
Failed to create connection to: amqps://<message_broker>:5671?transport.trustStoreLocation=client.ts&transport.trustStorePassword=<password>, caused by General SSLEngine problem, caused by General SSLEngine problem, caused by No subject alternative names present
Solution #1: Disable hostname verification by appending this string to the connection URL:
Solution #2: Ensure that the server certificate 'CN' matches the hostname in the connection URL.