JMS Adapter ActiveMQ (AMQ) with SSL/TLS on PI 7.4
Using SAP PI 7.40, we were able to successfully connect to an ActiveMQ queue using a JMS adapter over a secure SSL connection by installing the AMQ cert within the Java Keystore (JKS) and then updating the additional parameters (namely setTrustStore and setTrustStorePassword) appropriately.
Furthermore, since SSLv3 is vulnerable to POODLE attacks, we have since moved to a secure TLS connection. To move from SSL to TLS, you need to update JMS.QueueConnectionFactoryImpl.constructor by specifying the enabled protocols (TLSv1, TLSv1.1, or TLSv1.2).
FYI – TLS is enabled from the broker side (AMQ) by using the following parameter: ssl://localhost:61616?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
Once the AMQ cert is installed in the JKS, and both the broker (AMQ) and client (SAP PI) are configured for either SSL or TLS, the channel should connect successfully.
Hope you find this useful!
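A quick way to check connector URIs like the broker parameter above for weak protocol settings, shown as an added example that is not part of the original post. The function name, severity labels, and sample hosts are assumptions made for illustration; the check flags SSLv3 (POODLE, as noted above) and also TLSv1 and TLSv1.1, which RFC 8996 deprecates.

```python
from urllib.parse import urlsplit, parse_qsl

BROKEN = {"SSLv3"}                 # vulnerable to POODLE, as the post notes
DEPRECATED = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996
TLS_SCHEMES = {"ssl", "nio+ssl"}   # ActiveMQ transports that use TLS


def audit_connector_uri(uri):
    """Return (severity, message) findings for one ActiveMQ connector URI."""
    parts = urlsplit(uri)
    if parts.scheme not in TLS_SCHEMES:
        return [("high", f"scheme {parts.scheme!r} is not a TLS transport")]

    # Accept any prefix (e.g. transport.) in front of enabledProtocols.
    protocols = None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.rsplit(".", 1)[-1] == "enabledProtocols":
            protocols = [p.strip() for p in value.split(",") if p.strip()]

    if protocols is None:
        return [("medium", "no enabledProtocols option; JVM defaults apply")]
    if not protocols:
        return [("high", "enabledProtocols is present but empty")]

    findings = []
    for proto in protocols:
        if proto in BROKEN:
            findings.append(("high", f"{proto} enabled (POODLE)"))
        elif proto in DEPRECATED:
            findings.append(("medium", f"{proto} enabled (deprecated)"))
    return findings


# Constructed sample URIs; the first is the broker parameter from the post.
SAMPLES = [
    "ssl://localhost:61616?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2",
    "ssl://localhost:61616?transport.enabledProtocols=TLSv1.2",
    "ssl://localhost:61616?transport.enabledProtocols=SSLv3,TLSv1.2",
    "ssl://localhost:61616",
    "tcp://localhost:61616",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri)
        for severity, message in audit_connector_uri(uri) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```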
Thanks Nick for sharing this!
Very useful, but hard to find, piece of info! Keep blogging, Nick!
It has been wonderful information and also useful for all of you.
How can these parameters be provided for WebLogic?
Correct me if I am wrong. I don't think we need these settings anymore for 7.5. Uploading certificates into NWA and with the SSL connection string, it should work fine without uploading the certs into ca certs.