Secure Communication : Encryption of Stat JMS connections
  

Encryption of Stat JMS connections

JMS is used to transfer statistical events from Central and Distributed Queue Agents to the Stat server (where the application stat.war is deployed).
The Stat server can be deployed together with Orchestra Central or on a standalone server.
To be able to use SSL for encryption of stat messages, it is necessary to configure matching certificates in a keystore on the stat server and a truststore on the Queue Agent. The process of setting up certificates and using remote upgrade to transfer them to remote Queue Agents is described earlier in this chapter.

Prerequisite

In the example below, TCP port 5446 is used for encrypted JMS traffic. This port must be open in the firewall between the Queue Agents, the central server and the stat server.

Application Server Configuration - Wildfly 11.0

Add missing dependency for netty module

The version of Wildfly shipped with Orchestra 7.0 is missing a module dependency that is needed to send JMS over SSL.
1. Open the file <Orchestra installation>/app/wildfly-11.0.0.Final/modules/system/layers/base/io/netty/main/module.xml in a text editor.
2. Edit the section <dependencies> and add a dependency to the module javax.api.
The file should look like the below example after editing:
--------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
 
<!--
~ JBoss, Home of Professional Open Source.
~ Copyright 2010, Red Hat, Inc., and individual contributors
~ as indicated by the @author tags. See the copyright.txt file in the
~ distribution for a full listing of individual contributors.
~
~ This is free software; you can redistribute it and/or modify it
~ under the terms of the GNU Lesser General Public License as
~ published by the Free Software Foundation; either version 2.1 of
~ the License, or (at your option) any later version.
~
~ This software is distributed in the hope that it will be useful,
~ but WITHOUT ANY WARRANTY; without even the implied warranty of
~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
~ Lesser General Public License for more details.
~
~ You should have received a copy of the GNU Lesser General Public
~ License along with this software; if not, write to the Free
~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-->
 
<module xmlns="urn:jboss:module:1.3" name="io.netty">
    <resources>
        <resource-root path="netty-all-4.0.15.Final.jar"/>
    </resources>
 
    <dependencies>
        <module name="javax.api"/>
    </dependencies>
</module>
--------------------------------------

Configure Orchestra to use encrypted JMS traffic

This section describes how to manually configure an Orchestra 7.0 system with a standalone stat server so that all JMS traffic is encrypted: between the central and distributed Queue Agents and the stat server, and between the central server and the stat server.
1. Add certificates to keystore and truststore
The certificate must be valid for both the central server and the stat server. It goes into the keystore on the stat server and into the truststores of the central server and of every distributed agent. With a self-signed certificate the procedure is:
a) In Orchestra Central, navigate to System Administration -> Parameters
b) Select (re)generate certificate
c) Add the IP addresses of the central server and the stat server to Subject Alternative Name
d) Click Save
e) Export the generated certificate from conf/security/keystore.jks
f) Import the certificate in the following locations:
Central server: conf/security/truststore.jks
Central server: media/agentProfiles/<agent profile>/conf/security/truststore.jks for every agent profile in use. Use remote upgrade to update the distributed agents.
Stat server: conf/security/keystore.jks. Note that the SSL acceptor on the stat server needs the private key, not only the certificate: copy the central server's conf/security/keystore.jks (or export the key pair) rather than importing the exported certificate alone.
2. Open the file app/wildfly-11.0.0.Final/standalone/configuration/standalone-full.xml on the stat server
Locate the section where the netty acceptor is defined and add a new SSL-enabled acceptor named netty-ssl on a different port, e.g. 5446. Replace changeit with the password actually set on the keystore. The plain netty acceptor on 5445 stays active; remove it once all clients have been switched to 5446, otherwise unencrypted connections remain possible.
<acceptor name="netty" factory-class="org.apache.activemq.artemis.core.remoting.impl.netty.NettyAcceptorFactory">
    <param name="host" value="0.0.0.0"/>
    <param name="port" value="5445"/>
</acceptor>
<acceptor name="netty-ssl" factory-class="org.apache.activemq.artemis.core.remoting.impl.netty.NettyAcceptorFactory">
    <param name="host" value="0.0.0.0"/>
    <param name="port" value="5446"/>
    <param name="ssl-enabled" value="true"/>
    <param name="key-store-path" value="${jboss.home.dir}/../../../system/conf/security/keystore.jks" />
    <param name="key-store-password" value="changeit" />
</acceptor>
3. Open the file app/wildfly-11.0.0.Final/standalone/configuration/standalone-full.xml on the central server.
Locate the section <socket-binding-group> and add the following socket-bindings:
<outbound-socket-binding name="stat-remote">
    <remote-destination host="<stat server IP address>" port="5445"/>
</outbound-socket-binding>
 
<outbound-socket-binding name="stat-remote-ssl">
    <remote-destination host="<stat server IP address>" port="5446"/>
</outbound-socket-binding>
 
In the messaging subsystem section, add the following connectors directly after the http-connector. The truststore password must match the one set on conf/security/truststore.jks:
<remote-connector name="stat-remote-connector" socket-binding="stat-remote">
</remote-connector>
 
<remote-connector name="stat-remote-ssl-connector" socket-binding="stat-remote-ssl">
    <param name="ssl-enabled" value="true"/>
    <param name="trust-store-path" value="${jboss.home.dir}/../../../system/conf/security/truststore.jks"/>
    <param name="trust-store-password" value="changeit"/>
</remote-connector>
 
Locate the entries for the old jms-bridges directly after the </server> end tag and comment them out:
<!--
<jms-bridge name="centralAgentEventBridge" quality-of-service="AT_MOST_ONCE" failure-retry-interval="10000" max-retries="-1" max-batch-size="10" max-batch-time="100">
    <source connection-factory="ConnectionFactory" destination="queue/centralAgentEventQueue"/>
    <target connection-factory="jms/RemoteConnectionFactory" destination="queue/statAgentEventQueue">
        <target-context>
            <property name="java.naming.factory.initial" value="org.jboss.naming.remote.client.InitialContextFactory"/>
            <property name="java.naming.provider.url" value="http-remoting://192.168.5.47:8080"/>
            <property name="java.naming.security.principal" value="jms"/>
            <property name="java.naming.security.credentials" value="password"/>
        </target-context>
    </target>
</jms-bridge>
<jms-bridge name="centralJourneyEventBridge" quality-of-service="AT_MOST_ONCE" failure-retry-interval="10000" max-retries="-1" max-batch-size="10" max-batch-time="100">
    <source connection-factory="ConnectionFactory" destination="queue/centralJourneyEventQueue"/>
    <target connection-factory="jms/RemoteConnectionFactory" destination="queue/statCentralJourneyEventQueue">
        <target-context>
            <property name="java.naming.factory.initial" value="org.jboss.naming.remote.client.InitialContextFactory"/>
            <property name="java.naming.provider.url" value="http-remoting://192.168.5.47:8080"/>
            <property name="java.naming.security.principal" value="jms"/>
            <property name="java.naming.security.credentials" value="password"/>
        </target-context>
    </target>
</jms-bridge>
-->
 
Then add the following core bridges before the </server> end tag. Both reference the SSL connector, so all forwarded stat events leave the central server encrypted:
<bridge name="centralAgentEventBridge" queue-name="jms.queue.centralAgentEventQueue" forwarding-address="jms.queue.statAgentEventQueue" retry-interval="60000" reconnect-attempts="-1" static-connectors="stat-remote-ssl-connector"/>
 
<bridge name="centralJourneyEventBridge" queue-name="jms.queue.centralJourneyEventQueue" forwarding-address="jms.queue.statCentralJourneyEventQueue" retry-interval="60000" reconnect-attempts="-1" static-connectors="stat-remote-ssl-connector"/>
 
4. Restart all servers
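The keytool commands behind step 1 above, plus an openssl probe of the new acceptor from step 2, as an added example; this is not Orchestra's own tooling and the IP addresses, alias, file names, validity period and password policy are assumptions. The key store produced here is the one that belongs on the stat server (it holds the private key); the exported certificate is what goes into the central and agent truststores.

```bash
#!/bin/sh
# Added example (not Orchestra's own tooling). Assumed values: alias, file
# names, the SAN entries 10.0.0.10/10.0.0.20 and the 825-day validity.
set -eu

KEYSTORE=${KEYSTORE:-keystore.jks}        # goes to the stat server
TRUSTSTORE=${TRUSTSTORE:-truststore.jks}  # goes to central + agent profiles
ALIAS=${ALIAS:-orchestra-stat}
CERT_FILE=${CERT_FILE:-orchestra-stat.crt}

# Build keytool's SAN extension from a list of entries: a dotted IPv4
# literal becomes ip:, anything else is treated as a DNS name.
san_ext() {
  ext=""
  for entry in "$@"; do
    case "$entry" in
      *[!0-9.]*) kind=dns ;;
      *) kind=ip ;;
    esac
    ext="${ext:+$ext,}$kind:$entry"
  done
  printf 'SAN=%s' "$ext"
}

# Refuse the default store password and anything shorter than 12 characters.
check_password() {
  [ "$1" != "changeit" ] && [ "${#1}" -ge 12 ]
}

# $1 = store password, remaining args = SAN entries (central + stat addresses).
gen_keypair() {
  pw=$1; shift
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 825 \
    -keystore "$KEYSTORE" -storepass "$pw" -keypass "$pw" \
    -dname "CN=orchestra-stat" -ext "$(san_ext "$@")"
}

# Export only the public certificate (PEM) for the truststores.
export_cert() {
  keytool -exportcert -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$1" \
    -rfc -file "$CERT_FILE"
}

# $1 = truststore password, $2 = truststore path (repeat per agent profile).
import_cert() {
  keytool -importcert -alias "$ALIAS" -file "$CERT_FILE" \
    -keystore "$2" -storepass "$1" -noprompt
}

# Show the SAN entries carried by the copy in a truststore.
verify_san() {
  keytool -list -v -alias "$ALIAS" -keystore "$1" -storepass "$2" \
    | grep -A3 'SubjectAlternativeName'
}

# After the restart: confirm the netty-ssl acceptor on $1 presents the
# certificate (and not a plaintext 5445-style greeting).
probe_acceptor() {
  openssl s_client -connect "$1:5446" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -text | grep -A1 'Subject Alternative Name'
}

# The keytool steps run only when explicitly requested (needs a JDK keytool).
if [ "${RUN_KEYTOOL:-0}" = 1 ]; then
  STOREPASS=${STOREPASS:?set STOREPASS to a non-default password}
  check_password "$STOREPASS" || { echo "weak or default store password" >&2; exit 1; }
  gen_keypair "$STOREPASS" 10.0.0.10 10.0.0.20
  export_cert "$STOREPASS"
  import_cert "$STOREPASS" "$TRUSTSTORE"
  verify_san "$TRUSTSTORE" "$STOREPASS"
fi
```

Run it as `RUN_KEYTOOL=1 STOREPASS='...' sh make-stat-cert.sh`, then put keystore.jks on the stat server and truststore.jks into conf/security on the central server and into every agent profile before publishing; the password given to keytool is the one to write into the key-store-password and trust-store-password params instead of changeit.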

Configure Distributed Queue Agent to use encrypted JMS communication

To enable encrypted JMS communication, update the configuration file <agent>/conf/hornetq-configuration.xml on the Queue Agent.
In the example below a valid certificate exists in the default truststore on the Distributed Queue Agent, <agent>/conf/security/truststore.jks, with the default password.
1. Copy the existing Agent Profile to a separate folder, such as tmp.
2. Open the conf/hornetq-configuration.xml file in the copy and locate the section <connectors>.
3. Change both configured connectors to use encrypted communication on port 5446:
--------------------------------------
<connectors>
    <connector name="stat-remote-connector">
        <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
        <!-- The host is read from Orchestra system parameters -->
        <!-- param key="host" value="localhost"/ -->
        <param key="port" value="5446"/>
        <param key="ssl-enabled" value="true"/>
        <param key="trust-store-path" value="conf/security/truststore.jks"/>
        <param key="trust-store-password" value="changeit"/>
    </connector>
    <connector name="audit-remote-connector">
        <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
        <!-- The host is read from agent.conf -->
        <!-- param key="host" value="localhost"/ -->
        <param key="port" value="5446"/>
        <param key="ssl-enabled" value="true"/>
        <param key="trust-store-path" value="conf/security/truststore.jks"/>
        <param key="trust-store-password" value="changeit"/>
    </connector>
</connectors>
--------------------------------------
 
4. Save the file
5. Prepare, synchronize and publish the new Agent Profile.

Configure central agent to use encrypted JMS communication

To enable encrypted JMS communication between a central agent and a standalone stat server, update the configuration file <Orchestra central>/conf/hornetq-configuration.xml.
A truststore on the central Orchestra server must also contain a certificate that corresponds to the keystore configured on the standalone stat server. In the example below the default truststore <Orchestra central>/conf/security/truststore.jks is used.
 
1. Open the file <Orchestra central>/conf/hornetq-configuration.xml and locate the section <connectors>
2. Change both configured connectors to use encrypted communication on port 5446:
--------------------------------------
<connectors>
    <connector name="stat-remote-connector">
        <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
        <!-- The host is read from Orchestra system parameters -->
        <!-- param key="host" value="localhost"/ -->
        <param key="port" value="5446"/>
        <param key="ssl-enabled" value="true"/>
        <param key="trust-store-path" value="conf/security/truststore.jks"/>
        <param key="trust-store-password" value="changeit"/>
    </connector>
    <connector name="audit-remote-connector">
        <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
        <!-- The host is read from agent.conf -->
        <!-- param key="host" value="localhost"/ -->
        <param key="port" value="5446"/>
        <param key="ssl-enabled" value="true"/>
        <param key="trust-store-path" value="conf/security/truststore.jks"/>
        <param key="trust-store-password" value="changeit"/>
    </connector>
</connectors>
--------------------------------------
3. Save the file
4. Restart Orchestra
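A configuration check covering the three edits above, as an added example rather than Orchestra, WildFly or HornetQ tooling: it parses the acceptor, remote-connector and bridge elements of the Wildfly standalone-full.xml fragments (param name="...") and the connector elements of the agent and central hornetq-configuration.xml (param key="..."), and reports endpoints still running plaintext, SSL endpoints with no store path or with the default changeit password, and bridges that forward over a connector that is not SSL-enabled. The embedded fragments are constructed to mirror the page; the second bridge and the audit connector are deliberately left on the plaintext connector to exercise the checks.

```python
"""Audit the JMS TLS settings from the procedure above.

Added example, not Orchestra's, WildFly's or HornetQ's own tooling. It is
namespace-agnostic, so it works on the real files as well as on fragments.
"""
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "changeit"
ENDPOINT_TAGS = {"acceptor", "connector", "remote-connector"}


def _local(tag):
    """Strip the XML namespace: '{urn:hornetq}param' -> 'param'."""
    return tag.rsplit("}", 1)[-1]


def _params(elem):
    """Collect <param> children; WildFly uses name=, HornetQ uses key=."""
    out = {}
    for child in elem:
        if _local(child.tag) == "param":
            key = child.get("name") or child.get("key")
            if key is not None:
                out[key] = child.get("value")
    return out


def audit_messaging_config(xml_text):
    """Return findings (list of strings, in document order) for one fragment."""
    root = ET.fromstring(xml_text)
    findings = []
    tls_endpoints = set()
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind not in ENDPOINT_TAGS:
            continue
        name = elem.get("name")
        params = _params(elem)
        if params.get("ssl-enabled") != "true":
            findings.append(f"{kind} '{name}': plaintext (ssl-enabled is not true)")
            continue
        tls_endpoints.add(name)
        # An acceptor presents a key store; a connector verifies against a trust store.
        store = "key-store-path" if kind == "acceptor" else "trust-store-path"
        if not params.get(store):
            findings.append(f"{kind} '{name}': ssl-enabled but {store} is missing")
        password = store.replace("-path", "-password")
        if params.get(password) == DEFAULT_PASSWORD:
            findings.append(f"{kind} '{name}': {password} is the default '{DEFAULT_PASSWORD}'")
    # Core bridges name their outbound connector(s) in static-connectors.
    for bridge in root.iter():
        if _local(bridge.tag) != "bridge":
            continue
        for conn in (bridge.get("static-connectors") or "").split(","):
            conn = conn.strip()
            if conn and conn not in tls_endpoints:
                findings.append(f"bridge '{bridge.get('name')}': forwards over non-TLS connector '{conn}'")
    return findings


# Constructed fragments mirroring the page; the second bridge and the audit
# connector are left on plaintext on purpose (assumed mistakes to detect).
STAT_SERVER_XML = """<subsystem xmlns="urn:jboss:domain:messaging-activemq:2.0">
  <server name="default">
    <acceptor name="netty" factory-class="org.apache.activemq.artemis.core.remoting.impl.netty.NettyAcceptorFactory">
      <param name="host" value="0.0.0.0"/><param name="port" value="5445"/>
    </acceptor>
    <acceptor name="netty-ssl" factory-class="org.apache.activemq.artemis.core.remoting.impl.netty.NettyAcceptorFactory">
      <param name="host" value="0.0.0.0"/><param name="port" value="5446"/>
      <param name="ssl-enabled" value="true"/>
      <param name="key-store-path" value="${jboss.home.dir}/../../../system/conf/security/keystore.jks"/>
      <param name="key-store-password" value="changeit"/>
    </acceptor>
  </server>
</subsystem>"""

CENTRAL_SERVER_XML = """<subsystem xmlns="urn:jboss:domain:messaging-activemq:2.0">
  <server name="default">
    <remote-connector name="stat-remote-connector" socket-binding="stat-remote"/>
    <remote-connector name="stat-remote-ssl-connector" socket-binding="stat-remote-ssl">
      <param name="ssl-enabled" value="true"/>
      <param name="trust-store-path" value="${jboss.home.dir}/../../../system/conf/security/truststore.jks"/>
      <param name="trust-store-password" value="changeit"/>
    </remote-connector>
    <bridge name="centralAgentEventBridge" queue-name="jms.queue.centralAgentEventQueue"
            forwarding-address="jms.queue.statAgentEventQueue" static-connectors="stat-remote-ssl-connector"/>
    <bridge name="centralJourneyEventBridge" queue-name="jms.queue.centralJourneyEventQueue"
            forwarding-address="jms.queue.statCentralJourneyEventQueue" static-connectors="stat-remote-connector"/>
  </server>
</subsystem>"""

AGENT_XML = """<configuration xmlns="urn:hornetq">
  <connectors>
    <connector name="stat-remote-connector">
      <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
      <param key="port" value="5446"/><param key="ssl-enabled" value="true"/>
      <param key="trust-store-path" value="conf/security/truststore.jks"/>
      <param key="trust-store-password" value="changeit"/>
    </connector>
    <connector name="audit-remote-connector">
      <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
      <param key="port" value="5445"/>
    </connector>
  </connectors>
</configuration>"""

if __name__ == "__main__":
    for label, text in (("stat server", STAT_SERVER_XML),
                        ("central server", CENTRAL_SERVER_XML),
                        ("queue agent", AGENT_XML)):
        print(f"== {label}")
        for finding in audit_messaging_config(text):
            print("  -", finding)
```

Point it at the real files with `audit_messaging_config(open(path).read())` after each edit; a clean result is an empty list, and the "plaintext" finding for the netty acceptor on 5445 is the reminder to drop that acceptor once every client has moved to 5446.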