Skip to Content
Author's profile photo Former Member

JMS Adapter ActiveMQ (AMQ) with SSL/TLS on PI 7.4

Hi All,

Using SAP PI 7.40, we were able to successfully connect to an Active MQ queue using a JMS adapter over a secure SSL connection by installing the AMQ cert within the Java Keystore (JKS) and then updating the additional parameters (namely setTrustStore and setTrustStorePassword) appropriately. 

Furthermore, since SSLv3 is vulnerable to POODLE attacks, we have since then moved to a secure TLS connection.  To move from SSL to TSL, you need to update JMS.QueueConnectionFactoryImpl.constructor by specifying the enabled protocols (TLSv1, TLSv1.1, or TLSv1.2). 

FYI – TLS is enabled from the broker side (AMQ) by using the following parameter: ssl://localhost:61616?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2

Once the AMQ cert is installed in the JKS, and both the broker (AMQ) and client (SAP PI) are configured for either SSL or TLS the channel should connect successfully.

Hope you find this useful!


Nick Unnerstall

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      Thanks Nick for sharing this!

      Author's profile photo Former Member
      Former Member

      Very useful, but hard to find, piece of info! Keep blogging, Nick!

      Author's profile photo Former Member
      Former Member

      It has been wonderful information and also useful for all of you.

      <a href="">Go here</a>
      <a href="">Play Store</a>
      <a href="">Play Game</a>
      <a href="">Cricket Score</a>
      <a href="">Offical website</a>
      <a href="">Time Management</a>
      Author's profile photo Anish Abraham Palakudyil
      Anish Abraham Palakudyil


      How can these parameters provided for Weblogic ?


      Author's profile photo cpi learner
      cpi learner

      Correct me if i am wrong. I dont think we need this settings anymore for 7.5. Uploadeding certificats into NWA and with ssl connection string, it should work fine wihtout uploading the certs into ca certs.