4.3 通过网络连接到ActiveMQ
4.3 Connecting to ActiveMQ over the network
4.3 通过网络连接到ActiveMQ
?
The most common usage scenario is to run ActiveMQ as a standalone Java application.
This implies that clients (producer and consumer applications) will use some of the
network protocols to access the broker’s destinations. In this section, we’ll describe
available network protocols you can use to achieve client-to-broker communication.
?
在所有的应用场景中,最常见的是将ActiveMQ作为一个单独的Java应用程序来运行.这就是说,客户端
(消息生产者和消费者)需要使用一些网络协议一般连接到代理目的地.本节中,我们将介绍可用于实现
客户端到代理之间通信的网络协议.
?
We’ll start with default TCP connector, which is most widely used and provides optimal
performance. Next we’ll dig into the NIO connector, which also uses TCP network
protocol underneath, but additionally provides a bit better scalability than TCP connector
since it uses the NIO Java API. The UDP network protocol is often used on the
internet, so UDP connector is next on our list. UDP protocol introduces some performance
advantages, sacrificing reliability compared to the TCP protocol.?
?
TCP连接器是默认的连接器,应用最广泛并且提供最好的性能,我们从讨论TCP连接开始.接下来深入了解NIO连接器,
NIO连接器在底层也是使用TCP协议,但相比TCP协议具有更好的可伸缩性,因为NIO协议使用了NIO的Java API.
UDP协议常用于因特网,所以之后我们接着讨论UDP连接器.UDP协议相比TCP协议,因为牺牲了一些可靠性而获得了一些
性能提升.
?
The same applies to appropriate ActiveMQ connectors, so a UDP connector can offer some performance
advantages over the TCP connector, but it’s still not often used because of
the unreliability it introduces (as explained in more detail later). The SSL connector
can be used to establish a secure connection to the broker, and finally we’ll show you
how to communicate with the broker using HTTP. Of course, in every section we’ll
discuss the pros and cons of every protocol. Therefore, you may want to consider
reading just the subsections that interest you at the moment and then move along to
other chapters. Table 4.1 contains a summarization of the connectors with a brief
description.
?
这些协议的相关特性同样适用于相应的ActiveMQ连接器,因此UDP连接器相比TCP连机器可以提供一些
性能提升,但是UDP协议仍然不常用,因为牺牲了一些可靠性(后面将介绍一些相关细节).SSL连接器可以
建立到代理的安全连接,最后我们将介绍如何使用HTTP协议与代理通信.当然,在每个章节中我们都会
讨论使用不同协议的各种连接器的优缺点.因此,你可以只阅读你感兴趣的章节,然后直接跳到其他章.
表格4.1是各种连接器特性的简要概述.
?
Now, let’s start with the default TCP protocol.
现在让我们从默认的TCP协议开始
?
Table 4.1 Summary of network protocols used for client-broker communication
?
Protocol ? ? ? ? ? ? ? ?Description
协议 ? ? ? ? ? ? ? ? ? ?描述
? TCP ? ? ? ? ? Default network protocol for most use cases.
? TCP协议 ? ? ? 大多数应用场景中使用的默认网络协议
??
? NIO ? ? ? ? ? Consider NIO protocol if you need to provide better scalability for connections from producers
? ? ? ? ? ? ? ? and consumers to the broker.
? NIO协议 ? ? ? 当消息生产者和消费者到代理的连接,需要有更好的可扩展性时可以使用NIO协议.
??
? UDP ? ? ? ? ? Consider UDP protocol when you need to deal with the firewall between clients and the
? ? ? ? ? ? ? ? broker.
? UDP协议 ? ? ? 当客户端和代理之间的连接需要穿越防火墙时,可以使用UDP协议.
??
? SSL ? ? ? ? ? Consider SSL when you want to secure communication between clients and the broker.
? SSL协议 ? ? ? 当客户端和代理之间需要安全连接时,可以使用SSL协议.
? ? ? ? ? ? ? ??
? HTTP(S) ? ? ? Consider HTTP(S) when you need to deal with the firewall between clients and the broker.
? HTTP(S) ? ? ? 当客户端和代理之间的连接需要穿越防火墙时,可以也使用HTTP(S)协议.
? ? ? ? ? ? ? ??
? VM ? ? ? ? ? ?Although not a network protocol per se, consider VM protocol when your broker and clients
? ? ? ? ? ? ? ? communicate with a broker that is embedded in the same Java Virtual Machine (JVM).
? VM协议 ? ? ? ?虽然VM本身不是一个网络协议, 但是当客户端和代理在同一个Java虚拟机(VM)中运行时,他们之间需要通信
? ? ? ? ? ? ? ? 时,可以使用VM协议. ? ? ? ? ? ?
??
4.3.1 Transmission Control Protocol (TCP)
4.3.1 传输控制协议(TCP)
?
Transmission Control Protocol (TCP) is today probably as important to humans as electricity.
As one of the fundamental internet protocols, we use it for almost all of our
online communication. It’s used as an underlying network protocol for a wide range
of internet services such as email and the web, for example.
?
如今,传输控制协议对于人类的重要性堪比电能.作为因特网的一个基础协议,传输控制协议几乎已被用于所有的
在线通讯中.传输控制协议作为底层协议用于在整个因特网服务中,比如email服务和网页服务.
?
Hopefully you are already familiar with the basics of TCP, but let’s start our discussion
of TCP by quoting from the specification, RFC 793 (http://mng.bz/Bns2):
The Transmission Control Protocol (TCP) is intended for use as a highly reliable host-to-host
protocol between hosts in packet-switched computer communication networks, and in
interconnected systems of such networks.
?
很幸运,TCP协议的基础知识,你已经很了解了,所以让我从讨论TCP协议的一段规范(RFC 793 (http://mng.bz/Bns2))开始:
TCP协议是一种主机间的高可用的通信协议,该协议使用数据包交换数据实现主机网络间通信,同时该协议也适用于
于和此类主机网络类似的网络系统通信.
?
Since the broker and client applications are network hosts trying to communicate in a
reliable manner, it’s easy to see why TCP is an ideal network protocol for a JMS implementation.
So it shouldn’t come as a surprise that the TCP transport connector is the
most frequently used ActiveMQ connector.
?
考虑到代理和客户端都是网络主机,它们尝试以一种可靠的方式实现彼此间通信.?
因而,TCP协议自然而然的成为JMS实现中一种理想的通信协议.
这样,TCP传输连接器作为ActiveMQ连接器中最常用的连接器也就不足为怪了.
?
Before exchanging messages over the network, we need to serialize them to a suitable
form. Messages must be serialized in and out of a byte sequence to be sent over
the wire using what’s known as a wire protocol. The default wire protocol used in
ActiveMQ is called OpenWire. The protocol specification can be found on the
ActiveMQ website (http://mng.bz/u2eT). The OpenWire protocol isn’t specific to
the TCP network transport and can be used with other network protocols. Its main
purpose is to be efficient and allow fast exchange of messages over the network.?
Furthermore,a standardized and open protocol such as OpenWire allows native
ActiveMQ clients to be developed for various programming environments. This topic
and a description of other wire level protocols available for ActiveMQ are covered in
chapter 9.
?
通过网络交换消息之前,我们需要将消息序列化成一种合适的格式.ActiveMQ的消息必须被序列化成字节
序列,以便通过线协议发送.ActiveMQ中默认的线协议是OpenWire.可以从(http://mng.bz/u2eT)查看
该线协议规范.OpenWire协议并非用于TCP网络传输,同时也可以用于其他的网络协议中.使用OpenWire协议
的主要目的是提高传输效率以及允许消息在网络中高速交换.并且,类似于OpenWire的这种标准的开放协议
允许在多种编程环境中使用原生的ActiveMQ客户端.第九章中将详细讨论该主题以及ActiveMQ可用的其他"线协议".
?
As we’ve seen in previous sections, a default broker configuration starts the TCP
transport listening for client connections on port 61616. The TCP connector URI uses
the following syntax:
tcp://hostname:port?key=value&key=value
Please note that the bold portion of the URI denotes the required part. Any key/value
pairs to the right of the question mark are optional and separated by an ampersand.
We won’t discuss all transport options for appropriate protocols in this section or
the sections that follow. This kind of material is best presented via the online reference
pages. An up-to-date reference for the TCP connector can be found on the
ActiveMQ website (http://mng.bz/ngU2).
?
在前面章节中,我们已经看到,使用默认的配置,代理将启动TCP传输连接在61616端口监听客户端连接.
TCP连接器的URI语法如下:
tcp://hostname:port?key=value&key=value
请注意tcp://hostname:port部分是必须的,而问号后面的键值对都是可选的,键值对之间通过&符号分割.
在本节以后后面章节中,我们不打算讨论每种连接协议的所有选项,这部分的相关材料在线文档中有
详细说明,ActiveMQ网站中http://mng.bz/ngU2页面是最新的TCP连接器的在线文档.
?
The following configuration snippet provides an example of using the TCP connector
in the ActiveMQ configuration file:
下面的代码片段是ActiveMQ配置文件中使用TCP配置连接器的一个示例:
<transportConnectors>
? <transportConnector name="tcp" uri="tcp://localhost:61616?trace=true"/>
</transportConnectors>
?
Note that the trace option has been added to the transport connector URI. This
option instructs the broker to log all commands sent over this connector and can be
helpful for debugging purposes. We have it here as an example of a transport tuning
feature using a transport option. For more information on using the trace option for
debugging, see chapter 14.
?
注意,上面的URI配置中使用了trace参数.这个参数配置为true,说明代理会为每个发送到代理的命令记录日志,
这样对调试很有用.使用trace参数作为一个例子,说明了如何通过URI参数调整传输连接器的行为.
更多的使用trace参数调试的内容请看第十四章内容.
?
IMPORTANT After changing the configuration file, ActiveMQ must be
restarted for the changes to take effect.
The previous section outlined the use of this protocol in the client applications to
connect to the broker. Just for reference, the following example shows how to run the
consumer using the TCP transport connector:
重要: 在修改了配置文件后,必须重启ActiveMQ以便修改能够生效.
前面章节中说明的客户端如何使用TCP协议连接到代理.下面的命令(仅供参考)说明了如何使用TCP传输连接器
运行consumer类.
$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch4.Consumer -Dexec.args="tcp://localhost:61616 CSCO ORCL"
?
...
ORCL 65.71 65.78 up
ORCL 66.07 66.14 up
ORCL 65.93 65.99 down
CSCO 23.30 23.33 up
...
?
Some of the benefits of the TCP transport connector include the following:
? Efficiency—Since this connector uses the OpenWire protocol to convert messages
to a stream of bytes (and back), it’s very efficient in terms of network
usage and performance.
? Availability—TCP is one of the most widespread network protocols and has been
supported in Java from the early days, so it’s almost certainly supported on your
platform of choice.
? Reliability—The TCP protocol ensures that messages won’t be lost on the network
(due to glitches, for example).
?
下面是TCP传输连接器的一些优点:
? ? 高效性 - 因为TCP连接器使用OpenWire协议将消息转换成字节流(同时也使用OpenWire协议将字节流转换为消息),
所以,网络应用性能十分高效.
? ? 高可用性 - TCP协议是应用最为广泛的网络协议,并且Java刚出现时就支持该协议,所以你选择的平台几乎一定支持
该协议.
? ? 高可靠性 - TCP协议保证网络中传输的消息不会丢失(比如,使用TCP协议,不会因干扰而造成消息丢失).
?
Now let’s explore some alternatives to the TCP transport connector.
?
下面将探讨TCP连接器之外的其他连接器.
?
4.3.2 New I/O API protocol (NIO)
4.3.2 基于新I/O API的协议
?
The New I/O (NIO) API was introduced in Java SE 1.4 to supplement the existing (standard)
I/O API used in Java until then. Despite the prefix new in its name, NIO was never
meant to be a replacement for the traditional Java I/O API. Its purpose was to provide
an alternative approach to network programming and access to some low-level I/O
operations of modern operating systems. The most prominent features of NIO are
selectors and nonblocking I/O programming, allowing developers to use the same
resources to handle more network clients and generally heavier loads on their servers.
?
From a client perspective, the NIO transport connector is practically the same as the
standard TCP connector, in terms of its use of TCP as the underlying network protocol
and OpenWire as the message serialization protocol. The only difference is under the
covers with the implementation of the transport, where the NIO transport connector
is implemented using the NIO API. This makes the NIO transport connector more suitable
in situations where
?
? Java SE 1.4中引入了新I/O API(以下简称NIO),作为之前Java已有的I/O API的补充.尽管被冠以"新"这个前缀,NIO并不是
Java传统I/O API 的替代品.NIO的出现旨在为Java网络编程和现代操作系统底层操作提供一种新方法.
NIO最突出的特性莫过于选择器和非阻塞的I/O编程,
因此允许开发者使用相同的资源服务于更多的网络客户端,并使服务器可以承受更大的负载.
?
? You have a large number of clients you want to connect to the broker—Generally, the
number of clients that can connect to the broker is limited by the number of
threads supported by the operating system. Since the NIO connector
implementation starts fewer threads per client than the TCP connector, you
should consider using NIO in case TCP doesn’t meet your needs.
?
? You have a heavy network traffic to the broker—Again, the NIO connector generally
offers better performance than the TCP connector (in terms of using less
resources on the broker side), so you can consider using it when you find that
the TCP connector doesn’t meet your needs.
?
从客户端的角度来看,使用NIO传输连接器和使用标准的TCP连接器一样,因为NIO传输连接器底层也是使用TCP协议,
同样也是使用OpenWire作为消息序列化协议.NIO传输连接器和TCP连接器的唯一区别是连接器的实现方式,
NIO连接器使用NIO API实现,因此NIO传输连接器适用于下面两种情况:
(1)连接到代理的客户端的数量巨大(当然,能连接到代理的客户端的数量还受到操作系统的支持的最大线程数限制)
NIO连接器为每个客户端连接启动的线程较少,因而你可以考虑使用NIO连接器以防TCP不能满足需求.
(2)连接到代理的网络传输十分拥堵.这种情况下,NIO连接器相对于TCP连接器也可以提供更好的性能(因为在代理端,
NIO连接器使用更少的资源).
?
At this point it’s important to note that performance tuning of ActiveMQ isn’t just
related to choosing the right connector. Many other aspects of ActiveMQ can be
tuned, including the use of a network of brokers topology (see chapter 10) and setting
various options for brokers, producers, and consumers (see chapter 13).
?
这里,有必要说明的是,ActiveMQ性能调优绝不仅限于选择正确的连接器. ActiveMQ还有很多其他
性能相关的参数可以调整,包括代理所在网络的拓扑结构(参见第10章)以及代理,消息生产者和
消息消费者的各种参数(参见第13章).
?
The URI syntax for the NIO connector is practically the same as that of the TCP
connector URI syntax. The only difference is the use of the nio scheme instead of tcp,
as shown:
nio://hostname:port?key=value
Now take a look at the configuration snippet. The NIO part is in bold.
Listing 4.3 Configuring the NIO transport connector
<transportConnectors>
? <transportConnector name="tcp" uri="tcp://localhost:61616?trace=true" />
? <transportConnector name="nio" uri="nio:localhost:61618?trace=true" />
</transportConnectors>
?
NIO连接器的URI语法和TCP连接器的URI语法基本上是相同的,唯一的区别是NIO连接器
使用nio主题替代tcp主题,例如:
nio://hostname:port?key=value
情况下面的配置代码片段:
Listing 4.3 Configuring the NIO transport connector
<transportConnectors>
? <transportConnector name="tcp" uri="tcp://localhost:61616?trace=true" />
? <transportConnector name="nio" uri="nio:localhost:61618?trace=true" />
</transportConnectors>
?
?
Now run the stock portfolio example, but this time you’ll connect the publisher and
consumer using different transport connectors. As figure 4.3 shows, the publisher will
send messages using the NIO transport connector, whereas the consumer will receive
those messages using the TCP transport connector.
?
现在,可以再次运行stock portfolio这个例子,但是这次我们将使用不同的传输连机器,以便连接publisher
和consumer.如图4.3所示,publisher将使用NIO传输连接器发送消息,而consumer接受消息时,使用TCP传输
连接器.
?
To achieve this, the stock portfolio publisher should be run using the following
command:
$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch4.Publisher -Dexec.args="nio://localhost:61618 CSCO ORCL"
...
Sending: {price=65.713356601409, stock=JAVA, offer=65.779069958011, up=true}
on destination: topic://STOCKS.JAVA
Sending: {price=66.071605671946, stock=JAVA, offer=66.137677277617, up=true}
on destination: topic://STOCKS.JAVA
Sending: {price=65.929035001620, stock=JAVA, offer=65.994964036622, up=false}
on destination: topic://STOCKS.JAVA
...
Note that the nio scheme is used in the connection URI to specify the NIO connector.
The consumer should use the TCP connector as shown below:
$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch4.Consumer -Dexec.args="tcp://localhost:61616 CSCO ORCL"
...
ORCL 65.71 65.78 up
ORCL 66.07 66.14 up
ORCL 65.93 65.99 down
CSCO 23.30 23.33 up
...
?
?
After both the consumer and producer are started, you’ll notice that messages are
exchanged between applications as expected. The fact that they are using different
connectors to communicate with the broker plays no role in this exchange.
?
为此,需要使用下面的命令来运行stock portfolio的publisher:
$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch4.Publisher -Dexec.args="nio://localhost:61618 CSCO ORCL"
...
Sending: {price=65.713356601409, stock=JAVA, offer=65.779069958011, up=true} on destination: topic://STOCKS.JAVA
Sending: {price=66.071605671946, stock=JAVA, offer=66.137677277617, up=true} on destination: topic://STOCKS.JAVA
Sending: {price=65.929035001620, stock=JAVA, offer=65.994964036622, up=false} on destination: topic://STOCKS.JAVA
...
?
注意,传输连接器的URI中使用了nio主题,consumer应该使用TCP连接器,命令如下:
$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch4.Consumer -Dexec.args="tcp://localhost:61616 CSCO ORCL"
...
ORCL 65.71 65.78 up
ORCL 66.07 66.14 up
ORCL 65.93 65.99 down
CSCO 23.30 23.33 up
...
?
当consumer和producer都启动以后,应用程序之间会按照预期的那样交换消息.它们使用不同传输连接器
与代理进行通讯,却不会影响消息交换.
?
4.3.3 User Datagram Protocol (UDP)
4.3.3 用户数据报协议
?
User Datagram Protocol (UDP) along with TCP make up the core of internet protocols.
The purpose of these two protocols is identical—to send and receive data packets
(datagrams) over the network. But there are two main differences between them:
? TCP is a stream-oriented protocol, which means that the order of data packets is
guaranteed. There’s no chance for data packets to be duplicated or arrive out
of order. UDP, on the other hand, doesn’t guarantee packet ordering, so a
receiver can expect data packets to be duplicated or arrive out of order.
? TCP also guarantees reliability of packet delivery, meaning that packets won’t be lost
during the transport. This is ensured by maintaining an active connection
between the sender and receiver. On the contrary, UDP is a connectionless protocol,
so it can’t make such guarantees.
?
用户数据报协议和TCP协议都是因特网的核心协议.二者都用于网络中发送和接收消息,但它们之间
也有非常多的区别:
? ? TCP协议是面向流的协议,这个是指TCP协议保证数据包的顺序不会改变.因此,数据包不会重复,
? ? 并且会按顺序到达目标.而UDP协议不保证数据包的顺序,因此接受方可能会受到重复的或次序
? ? 错乱的数据包.
? ? TCP协议还保证消息分发的可靠性,这就意味着消息在传输过程中不会丢失.这样可以保持消息
? ? 发送方和接收方直接的活动连接.与之相反,UDP协议是无连接协议,不能保证消息发送方和接收
? ? 方之间的连接.
?
As a result of these differences, TCP is used in applications that require reliability
(such as email), whereas UDP usually finds it place in applications that require fast
data transfers and can handle occasional packet loss (such as VoIP or online gaming).
You can use the UDP protocol to connect to ActiveMQ by using the UDP transport
connector. The URI syntax of this connector is pretty much the same as for the TCP
connector. The only difference is the use of the udp scheme, as shown in the following
snippet:
udp://hostname:port?key=value
The complete reference of the UDP protocol can be found at the ActiveMQ website
(http://mng.bz/1i4g).
?
鉴于二者之间的差异,TCP协议适用于对可靠性有要求的应用(比如email),而UDP协议适用于对消息快速传输
有要求的应用,UDP协议还可以处理偶然性的消息丢失(比如VoIP或者在线游戏).使用UDP传输连接器就可以采用
UDP协议连接到ActiveMQ.UDP连接器的URI语法基本上和TCP连接器的URI的一样,两者之间唯一的区别是UPD连接器的
URI需要使用upd主题,配置代码片段如下:
udp://hostname:port?key=value
关于UPD协议完整的规范请访问ActiveMQ的站点(http://mng.bz/1i4g).
?
Comparing the TCP and UDP transports.
比较TCP连接器和 UDP连接器
?
When considering the TCP and the UDP transports, questions arise that compare
these two protocols. When should you use the UDP transport instead of the TCP
transport? There are basically two such situations where the UDP transport offers an
advantage:
? The broker is located behind a firewall that you don’t control and you can
access it only over UDP ports.
? You’re using time-sensitive messages and you want to eliminate network transport
delay as much as possible.
?
But there are also a couple of pitfalls regarding the UDP connector:
? Since UDP is unreliable, you can end up losing some of the messages, so your
application should know how to deal with this situation.
? Network packets transmitted between clients and brokers aren’t just messages,
but can also contain so-called control commands. If some of these
control commands are lost due to UDP unreliability, the JMS connection
could be endangered.
?
当比较TCP连接器和 UDP连接器时,问题转换为比较TCP和UDP这两个协议.什么使用应该使用UDP连接器
代替TCP连接器?大体上说,在下面两种情况下,应该使用UDP连接器:
? ? (1)你要连接的代理在一个防火墙内,而你没有这个防火墙的控制器,你只能通过UDP端口连接到代理.
? ? (2)你使用的时效性敏感的消息,你需要尽可能的减少消息在网络传输中的延迟.
考虑到UDP协议是不可靠协议,使用UPD连接器也有一些缺陷:
? ? (1)因为UPD协议是不可靠的,所以有些消息可能会丢失,因而你的应用程序需要能够处理这种消息丢失问题.
? ? (2)客户端和代理之间传输的网络数据包不仅仅是消息,有些数据包还包含了所谓的控制命令.如果这些控制命令
? ? 因为UDP协议的不可靠性而丢失,JMS连接可能会遭到破坏.
? ??
Now let’s configure ActiveMQ to use both TCP and UDP transports on different ports.
现在,让我们配置ActiveMQ,以便在不同的端口使用TCP和UDP传输连接器.
Here’s an example of such a configuration; the UDP part is in bold:
下面是配置UDP连接器的代码片段:
<transportConnectors>
? <transportConnector name="tcp" uri="tcp://localhost:61616?trace=true"/>
? <transportConnector name="udp" uri="udp://localhost:61618?trace=true" />
</transportConnectors>
?
Note that there are two separate transport connectors on different ports.
注意,上面的代码片段在不同的端口各配置了一个连接器.
?
To run a stock portfolio publisher using the UDP protocol, use the following
command:
$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch4.Publisher -Dexec.args="udp://localhost:61618 CSCO ORCL"
...
Sending: {price=65.713356601409, stock=JAVA, offer=65.779069958011, up=true} on destination: topic://STOCKS.JAVA
Sending: {price=66.071605671946, stock=JAVA, offer=66.137677277617, up=true} on destination: topic://STOCKS.JAVA
Sending: {price=65.929035001620, stock=JAVA, offer=65.994964036622, up=false} on destination: topic://STOCKS.JAVA
...
The consumer can be run using the TCP protocol with the following command:
$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch4.Consumer -Dexec.args="tcp://localhost:61616 CSCO ORCL"
...
ORCL 65.71 65.78 up
ORCL 66.07 66.14 up
ORCL 65.93 65.99 down
CSCO 23.30 23.33 up
...
As expected, the behavior of the overall system is the same as it was in the original
example when only the TCP transport connector was used. This is due to the fact
that the reliability of a local network is typically very good and there is generally no
packet loss.
?
使用UDP协议运行stock portfolio的publisher,可使用下面的命令:
$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch4.Publisher -Dexec.args="udp://localhost:61618 CSCO ORCL"
...
Sending: {price=65.713356601409, stock=JAVA, offer=65.779069958011, up=true} on destination: topic://STOCKS.JAVA
Sending: {price=66.071605671946, stock=JAVA, offer=66.137677277617, up=true} on destination: topic://STOCKS.JAVA
Sending: {price=65.929035001620, stock=JAVA, offer=65.994964036622, up=false} on destination: topic://STOCKS.JAVA
...
使用TCP协议运行consumer,可使用下面的命令:
$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch4.Consumer -Dexec.args="tcp://localhost:61616 CSCO ORCL"
...
ORCL 65.71 65.78 up
ORCL 66.07 66.14 up
ORCL 65.93 65.99 down
CSCO 23.30 23.33 up
...
正如预期的那样,实例中整个系统的运行情况跟原来使用TCP传输连接器时一样.这是因为本地网络的可靠行很好,因而使用UDP协议基本上也不会
有数据丢失.
?
4.3.4 Secure Sockets Layer Protocol (SSL)
4.3.4 安全套接层(SSL)
?
Imagine yourself in a situation where you need to expose the broker over an unsecured
network and you need data privacy. The same requirement emerged when the
web outgrew its academic roots and was considered for corporate usage. Sending
plain data over TCP became unacceptable, and a solution had to be found. The solution
for secure data transfers was the Secure Sockets Layer (SSL), a protocol designed to
transmit encrypted data over the TCP network protocol. It uses a pair of keys (one private
and one public) to ensure a secure communication channel. ActiveMQ provides
the SSL transport connector, which adds an SSL layer over the TCP communication channel,
providing encrypted communication between brokers and clients. As always with
SSL, keys and certificates are involved in configuring it, so this section is longer, as
we’ll dig into this configuration in detail.
?
想象一个场景:你的代理(broker)暴露在一个不安全的网络中,但是你的数据传输却需要保密.
类似的需求有:web应用已超过期学术定义的范围,需要考虑企业级的应用.通过TCP协议发送裸数据
不可接受,这个问题需要一个解决方案:使用安全套接字(SSL)协议进行安全数据传输,
设计该协议正式为了进行基于TCP网络的加密数据数据传输.该协议使用一对密钥(一个公钥和一个私钥)
来保证安全的通信通道.ActiveMQ提供SSL传输连接器,该连接器在TCP通信信道之上附加SSL层,为客户端
和代理之间的通信提供加密支持.涉及到SSL的配置,就需要配置密钥和证书,所以这个章节会有点长,因为
我们将深入讨论各种配置细节.
?
The URI syntax for this protocol is
ssl://hostname:port?key=value
Since the SSL transport is based on the TCP transport, configuration options are the
same. More information for using the SSL connector is available on the ActiveMQ website
(http://mng.bz/s8I2).
ActiveMQ uses the Java Secure Socket Extension (JSSE) to implement its SSL functionality.
Since its detailed description is out of the scope of this book, please refer to the
online information for JSSE (http://mng.bz/7TYe) before proceeding to the rest of
this section.
?
使用SSL协议时,连接器的URI的语法为:ssl://hostname:port?key=value.因为SSL传输是基于TCP传输的,所以
两者URI配置中的参数是相同的.有关SSL连接器的更多信息科参阅ActiveMQ网站(http://mng.bz/s8I2).
?
ActiveMQ使用Java安全套接字扩展(Java Secure Socket Extension (JSSE))来实现SSL的功能.考虑到JSSE的
实现细节已经超过本书的范围,JSSE相关信息请参阅以下在线信息(http://mng.bz/7TYe),然后再继续本节
其余的内容.
?
To configure the ActiveMQ broker to use the SSL transport, the first thing to do is
configure the ActiveMQ SSL transport.
Change the <transportConnectors> element in the ${ACTIVEMQ_HOME}/conf/activemq.xml file as shown:
<transportConnectors>
? <transportConnector name="ssl" uri="ssl://localhost:61617?trace=true" />
</transportConnectors>
?
But the SSL transport needs a few more items in order to work properly. Such
required items include SSL certificates for successful SSL communication. Basically,
JSSE defines two types of files for storing keys and certificates. The first are so-called
keystores, which hold your own private certificates with their corresponding private
keys. Trusted certificates of other entities (applications) are stored in truststores. To
actually get the SSL transport working properly, the additional required items are discussed
in detail in the next two sections.
?
?
For more information on configuring SSL, see chapter 6.
?
要使用SSL传输配置ActiveMQ代理,第一步要做的工作是配置ActiveMQ的SSL传输:将${ACTIVEMQ_HOME}/conf/activemq.xml文件中的
<transportConnectors>元素修改成下面的样子:
<transportConnectors>
? <transportConnector name="ssl" uri="ssl://localhost:61617?trace=true" />
</transportConnectors>
除此之外,SSL传输连接器还需要做一些额外配置以便连接器能正常工作.这些额外的排至包括:SSL通信所需的证书.
通常,JSSE定义了两种格式的文件用来存储密钥和证书.第一种是所谓的密钥仓库(keystore),用来保存私有证书及其相应的私钥.
其他实体(应用程序)的可信的证书存储在可信的密钥仓库中(truststore).下面两个小节详细讨论了SSL传输连接器
正常工作所需的其他额外配置.
?
更多关于配置SSL的信息,请看第6章内容.
?
Now that you understand all the necessary elements needed for successful SSL
communication, it’s time to connect to the secured transport. First, you’ll connect to
the broker that’s secured with its default certificate. Next, you’ll walk through the procedure
for creating your own certificates and running a broker and clients with them.
?
既然你已经了解SSL通信所需的所有相关配置,现在是时候连接到安全的传输连接器了.
首先,你会连接到一个使用默认证书以保证连接安全的代理;接下来,你会创建自己的证书,
然后在代理和客户端中使用这个证书.
?
USING SSL
使用SSL
?
First a small experiment to see what happens when you try to connect to a broker
using SSL and without providing any other SSL-related parameters. Connecting the
stock portfolio consumer by changing the transport to use SSL without creating the
proper stores will cause errors. Here’s an example of simply changing the transport:
?
$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch4.Consumer -Dexec.args="ssl://localhost:61617 CSCO ORCL"
?
首先,做一个小实验:如果使用SSL连接到一个代理之前没有提供SSL相关的参数会发生什么.修改传输连接器的URI,使用SSL
连接stock portfolio实例中的consumer,如果在连接之前没有配置相应的密钥仓库(store),这种连接会报错.
下面是一个例子,这里仅仅修改了传输连接器的URI(URI配置成ssl)
?
Without creating and denoting the proper keystore and truststore, you can expect to
see the following exceptions:
?
没有创建和配置相关的keystore和truststore,你将看到下面的异常信息:
?
WARNING: Async exception with no exception listener:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
Also, in the broker’s log you’ll see the following error:
ERROR TransportConnector
- Could not accept connection : Received fatal alert: certificate_unknown
?
These errors mean that the SSL connection couldn’t be established. This is a generic
error all clients will receive when trying to connect to the untrusted broker (without
the proper keystore and truststore).
?
这些错误表示不能创建SSL连接.这是客户端尝试使用SSL连接到不可信代理(没有配置相关的keystore和truststore)
时发生的常规错误.
?
When using JSSE, you must provide some SSL parameters using the appropriate system
properties. In order to successfully connect to the broker via SSL, we must provide
the keystore, the keystore password, and the truststore to be used. This is accomplished
using the following system properties:
? javax.net.ssl.keyStore—Defines which keystore the client should use
? javax.net.ssl.keyStorePassword—Defines an appropriate password for the keystore
? javax.net.ssl.trustStore—Defines an appropriate truststore the client should use
?
使用JSSE之前,一些使用配套的系的属性的SSL参数必须要提供.为了成功的通过SSL连接到代理,
我们必须提供keystore,keystore秒吗以及truststore,可以通过下面的系统属性来提供这些必须的参数:
? ?javax.net.ssl.keyStore—定义客户端使用的key仓库.
? javax.net.ssl.keyStorePassword—定义客户端的key仓库密码
? javax.net.ssl.trustStore—定义客户端使用的受信的key仓库
?
Now take a look at the following example of starting the stock portfolio publisher
using the default client certificate stores distributed with ActiveMQ:
?
现在看看下面这个命令,使用ActiveMQ默认的客户端证书来运行stock portfolio实例中的publisher.
?
$ mvn -Djavax.net.ssl.keyStore=${ACTIVEMQ_HOME}/conf/client.ks -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=${ACTIVEMQ_HOME}/conf/client.ts exec:java -Dexec.mainClass=org.apache.activemq.book.ch4.Publisher -Dexec.args="ssl://localhost:61617 CSCO ORCL"
...
Sending: {price=65.713356601409, stock=JAVA, offer=65.779069958011, up=true} on destination: topic://STOCKS.JAVA
Sending: {price=66.071605671946, stock=JAVA, offer=66.137677277617, up=true} on destination: topic://STOCKS.JAVA
Sending: {price=65.929035001620, stock=JAVA, offer=65.994964036622, up=false} on destination: topic://STOCKS.JAVA
...
?
Note the use of the JSSE system properties in bold. These properties provide the necessary
keystore, keystore password, and truststore. After providing these necessary SSL related
parameters, the publisher will connect successfully to the broker as intended
without error. Of course, if the client isn’t located on the same computer as your broker,
you’ll need to copy these files and adapt the paths appropriately.
?
JSSE用到的系统参数使用粗体字标示.这些系统属性提供了JSSE必须的keystore,keystore密码和
truststore.提供了这些SSL必须的属性后,publisher可以成功的连接到代理.当然,就客户端和代理不在
同一台机器上,你需要从代理所在的机器上拷贝这些文件然后放到客户端所在机器的相应的目录中.
?
Similarly, the consumer can be run using the following command:
类似的,可以使用下面的命令运行consumer:
$ mvn \
-Djavax.net.ssl.keyStore=${ACTIVEMQ_HOME}/conf/client.ks \
-Djavax.net.ssl.keyStorePassword=password \
-Djavax.net.ssl.trustStore=${ACTIVEMQ_HOME}/conf/client.ts \
exec:java -Dexec.mainClass=org.apache.activemq.book.ch4.Consumer \
-Dexec.args="ssl://localhost:61617 CSCO ORCL"
...
ORCL 65.71 65.78 up
ORCL 66.07 66.14 up
ORCL 65.93 65.99 down
CSCO 23.30 23.33 up
...
?
Again, note the use of the JSSE system properties in bold. Now both clients can communicate
with the broker using the encrypted network channels provided by the SSL
transport connector.
?
同样,JSSE所需的系统属性用粗体字显示.现在,两个客户端都可以通过SSL提供的加密信道和代理通信了.
?
Working with the default certificate, keystore, and truststore is okay for development
purposes, but for a production system, it’s highly recommended that you create
and use your own certificates. You can even disable ciphers that you may not be using.
In most cases, you’ll need to purchase an appropriate SSL certificate from the trusted
certificate authority.
?
在开发时使用默认的证书keystore和truststore是可以的,但是对于生产环境来说,强烈建议使用自己的证书.
你甚至可以禁用可能用不到的密码.大多数情况下,你需要从受信的证书机构购买SSL证书.
?
CREATING YOUR OWN SSL RESOURCES
创建你自己的SSL资源
?
For development purposes, you’ll want to create your own self-signed certificates. The
rest of this section will lead you through the process of creating and sharing selfsigned
certificates. For that purpose the keytool will be used—the command-line tool
for managing keystores that’s distributed with Java.
?
开发时,你需要创建自签名的证书.本小节的其他部分将指引你创建和分发自签名的证书.
为此,需要使用随JDK一同发布的命令行工具keytool来管理keystore.
?
First, you must create a keystore and a certificate for the broker. Here’s an example
of this using the keytool that comes with the JDK:
首先,你需要为代理创建一个keystore和certificate.
下面是使用随JDK一同发布的命令行工具keytool创建keystore和证书的命令:
?
$ keytool -genkey -alias broker -keyalg RSA -keystore mybroker.ks
Enter keystore password: test123
What is your first and last name?
[Unknown]: Dejan Bosanac
What is the name of your organizational unit?
[Unknown]: Chapter 4
What is the name of your organization?
[Unknown]: ActiveMQ in Action
What is the name of your City or Locality?
[Unknown]: Belgrade
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: RS
Is CN=Dejan Bosanac, OU=Chapter 3, O=ActiveMQ in Action,
L=Belgrade, ST=Unknown, C=RS correct?
[no]: yes
Enter key password for <broker>
(RETURN if same as keystore password):
?
The keytool application prompts you to enter certificate data and create a keystore
with the certificate in it. In this case we’ve created a keystore file named mybroker.ks
with the password test123.
?
keytool工具提示你输入证书相关的日期然后创建包含证书的keystore.这样,我们完成了创建一个文件名为
mybroker.ks,密码为test123的keystore.
?
The next step is to export this certificate from the keystore, so it can be shared with
the broker’s clients. This is done using the following command:
接下来,需要从keystore中导出证书,以便该证书可以与代理的客户端共享.可以使用下面的命令导出证书:
?
$ keytool -export -alias broker -keystore mybroker.ks -file mybroker_cert
Enter keystore password: test123
Certificate stored in file <mybroker_cert>
?
This step creates a file named mybroker_cert, containing a broker certificate.
Now you must create a client keystore with the appropriate certificate using a command
similar to the one that was used previously to create the broker’s keystore:
?
上面的步骤创建了一个名称为mybroker_cert的证书文件,包含代理中使用的证书.现在你必须使用这个证书创建
一个客户端的keystore,使用类似于前面创建broker的keystore时使用的命令:
?
$ keytool -genkey -alias client -keyalg RSA -keystore myclient.ks
What is your first and last name?
[Unknown]: Dejan Bosanac
What is the name of your organizational unit?
[Unknown]: Chapter 4
What is the name of your organization?
[Unknown]: ActiveMQ in Action
What is the name of your City or Locality?
[Unknown]: Belgrade
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: RS
Is CN=Dejan Bosanac, OU=Chapter 3, O=ActiveMQ in Action,
L=Belgrade, ST=Unknown, C=RS correct?
[no]: yes
Enter key password for <client>
(RETURN if same as keystore password):
?
The result of this command is the myclient.ks file with the appropriate certificate for
the client side. Finally, the client truststore must be created and the broker’s certificate
must be imported into it. Again, keytool is used to achieve this with the following
command:
?
上述命令的执行结果是为客户端创建了包含相应证书的myclient.ks文件.最后,需要创建客户端的受信的密钥仓库(truststore)
然再将代理的证书导入这个受信的密钥仓库(truststore).同样,完成这些需要使用下面的命令:
?
$ keytool -import -alias broker -keystore myclient.ts -file mybroker_cert
Enter keystore password: test123
Owner: CN=Dejan Bosanac, OU=Chapter 3, O=ActiveMQ in Action,L=Belgrade, ST=Unknown, C=RS
Issuer: CN=Dejan Bosanac, OU=Chapter 3, O=ActiveMQ in Action,L=Belgrade, ST=Unknown, C=RS
Serial number: 484fdc8a
Valid from: Wed Jun 11 16:09:14 CEST 2008 until: Tue Sep 09 16:09:14 CEST 2008
Certificate fingerprints:
MD5: 04:66:F2:AA:71:3A:9E:0A:3C:1B:83:C0:23:DC:EC:6F
SHA1: FB:FA:BB:45:DC:05:9D:AE:C3:BE:5D:86:86:0F:76:84:43:C7:36:D3
Trust this certificate? [no]: yes
Certificate was added to keystore
?
?
With this step, all the necessary stores were created and the broker certificate was
imported into the keystore. Now the stock portfolio example can use them.
Remember to start the broker using the newly created certificate. One way to do
this is to replace the default keystore files and the broker cert in the conf directory
with the ones that were just created. For example, if you want to use certificates that
come with the example source code, you’d do something like this:
?
通过上面的步骤,所有的证书仓库都创建好了,而且代理(broker)的证书也导入到keystore中.
接下来可以在stock portfolio实例中使用这些证书和keystore了.记住,需要使用这些新创建的
证书和keystore文件来启动代理.一种方式是使用新创建的证书和keystore文件替代ACTIVEMQ版本
的conf目录下面的相关文件.比如,可以使用下面的命令以便使用本书实例源码中的证书文件和keystore
文件.
?
$ cp src/main/resources/org/apache/activemq/book/ch4/mybroker.ks \
${ACTIVEMQ_HOME}/conf/broker.ks
$ cp src/main/resources/org/apache/activemq/book/ch4/myclient.ks \
${ACTIVEMQ_HOME}/conf/client.ks
$ cp src/main/resources/org/apache/activemq/book/ch4/myclient.ts \
${ACTIVEMQ_HOME}/conf/client.ts
?
Another way is to pass the SSL-related system properties to the command used to start
our broker. For that we need first to copy certificates with their original names (with
prefix my in the name) to the conf/ directory
?
另一种方式是传递SSL相关的系统属性给启动代理的命令.为此,首先我们需要使用下面的命令,
将证书文件和keystore文件(文件名保持不变)拷贝到conf目录下面.
?
$ cp src/main/resources/org/apache/activemq/book/ch4/mybroker.ks \
${ACTIVEMQ_HOME}/conf/
$ cp src/main/resources/org/apache/activemq/book/ch4/myclient.ks \
${ACTIVEMQ_HOME}/conf/
$ cp src/main/resources/org/apache/activemq/book/ch4/myclient.ts \
${ACTIVEMQ_HOME}/conf/
?
So now we can pass the system property and use a keystore other than default one:
现在可以通过传递相关的系统属性,使用我们自己创建的keystore代替默认的keystore,然后启动
代理.
?
${ACTIVEMQ_HOME}/bin/activemq console \
-Djavax.net.ssl.keyStorePassword=test123 \
-Djavax.net.ssl.keyStore=${ACTIVEMQ_HOME}/conf/mybroker.ks
?
Finally, we can achieve the same thing with the <sslContext/> element in the
ActiveMQ configuration file, as shown here:
最后,我们也可以通过修改ActiveMQ配置文件中的<sslContext/>元素来配置SSL,配置代码如下:
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost" dataDirectory="${activemq.base}/data">
<sslContext>
? <sslContext keyStore="file:${activemq.base}/conf/mybroker.ks" keyStorePassword="test123"/>
</sslContext>
<transportConnectors>
? <transportConnector name="ssl" uri="ssl://localhost:61617" />
</transportConnectors>
</broker>
?
and start the broker in the usual manner:
然后,可以使用下面常规的启动代理的的命令来启动代理:
?
${ACTIVEMQ_HOME}/bin/activemq console
xbean:src/main/resources/org/apache/activemq/book/ch4/activemq-ssl.xml
...
Loading message broker from:
xbean:src/main/resources/org/apache/activemq/book/ch4/activemq-ssl.xml
INFO | Using Persistence Adapter:
AMQPersistenceAdapter(/workspace/apache-activemq-5.3.0/data/localhost)
INFO | AMQStore starting using directory:/workspace/apache-activemq-5.3.0/data/localhost
INFO | Kaha Store using data directory/workspace/apache-activemq-5.3.0/data/localhost/kr-store/state
INFO | Active data files: []
INFO | ActiveMQ 5.3.0 JMS Message Broker (localhost) is starting
INFO | For help or more information please see: http://activemq.apache.org/
INFO | Kaha Store using data directory/workspace/apache-activemq-5.3.0/data/localhost/kr-store/data
INFO | JMX consoles can connect to
service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
INFO | Listening for connections at: ssl://localhost:61617
INFO | Connector ssl Started
INFO | ActiveMQ JMS Message Broker
(localhost, ID:dejan-bosanacs-macbook-pro.local-52935-1265550444721-0:0)
started
...
Now let’s see how to reflect these same changes to the clients. If you try to run the client
applications with the old certificate file, you’ll get the unknown_certificate exception,
just as when the client attempted to access the broker without using any
certificate. So you’ll have to update the command like the following:
?
现在,让我们看看上述关于ssl的配置修改对客户端的影响.如果使用旧的证书文件运行客户端程序,你将
看到一个未知证书(unknown_certificate)异常,就好像客户端在没有使用任何证书时尝试连接到代理一样.
因此,你需要修改运行客户端代码的命令如下所示:
?
$ mvn \
-Djavax.net.ssl.keyStore=${ACTIVEMQ_HOME}/conf/myclient.ks \
-Djavax.net.ssl.keyStorePassword=test123 \
-Djavax.net.ssl.trustStore=${ACTIVEMQ_HOME}/conf/myclient.ts \
exec:java -Dexec.mainClass=org.apache.activemq.book.ch4.Publisher \
-Dexec.args="ssl://localhost:61617 CSCO ORCL"
?
(译注:windows的dos下,输入下面命令(没有换行,实现要建立ACTIVEMQ_HOME环境变量指向ACTIVEMQ的根目录):
?mvn -Djavax.net.ssl.keyStore=%ACTIVEMQ_HOME%/conf/myclient.ks -Djavax.net.ssl.keyStorePassword=123456?
?-Djavax.net.ssl.trustStore=%ACTIVEMQ_HOME%/conf/myclient.ts exec:java?
?-Dexec.mainClass=org.apache.activemq.book.ch4.Publisher?
?-Dexec.args="ssl://localhost:61617 CSCO ORCL")
?
...
Sending: {price=65.713356601409, stock=JAVA, offer=65.779069958011, up=true} on destination: topic://STOCKS.JAVA
Sending: {price=66.071605671946, stock=JAVA, offer=66.137677277617, up=true} on destination: topic://STOCKS.JAVA
Sending: {price=65.929035001620, stock=JAVA, offer=65.994964036622, up=false} on destination: topic://STOCKS.JAVA
...
?
The command instructs the publisher to use the newly created client stores. After
these changes, the stock portfolio application works again.
上面的命令让publisher使用新创建的客户端证书仓库,做了上述修改后,stock portfolio实例
又可以正常运行了.
?
ENABLING AND DISABLING SSL CIPHERS
启用/禁用 SSL加密套件
?
The SSL cipher suites for the ActiveMQ SSL transport are provided by the JVM. For specific
information about these cipher suites, see the documentation on the Sun JSSE
provider (http://mng.bz/7TYe). The Sun JSSE provider supports a long list of cipher
suites, and these are utilized in their default preference order. In some situations,
there can be a need to disable certain ciphers. Examples of such situations include the
discovery of a vulnerability in a particular cipher or a requirement to support only
certain ciphers. To make it easy to enable/disable cipher suites, starting in ActiveMQ
5.4.0, a new option for the SSL transport named transport.enabledCipherSuites is
available. Here’s an example of this new option:
?
ActiveMQ的SSL传输连接器使用的SSL加密套件(SSL cipher suites)由JVM提供.关于加密套件的详细信息
请参考SUN的JSSE文档(http://mng.bz/7TYe).Sun JSSE提供者支持一系列的加密套件,这些套件按照其默认的
有限顺序被使用.有些情况下,需要禁用某些特定的加密套件.比如一些套件被发现具有缺陷或者需求只能支持几种
特殊的加密套件.为了简化 启用/禁用 加密套件,从5.4.0版本的ActiveMQ开始,引入了一个新的关于SSL传输连接器的
配置项:transport.enabledCipherSuites.下面是使用这个配置项的配置代码例子:
?
<transportConnectors>
? <transportConnector name="ssl" uri="ssl://localhost:61617
? ?transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA" />
</transportConnectors>
?
Please note that the uri attribute shown here has been split into two lines for the purpose
of readability. This is only for readability and will cause the configuration to
break if left in this manner. If you use the configuration example, make sure to combine
the two lines that are held within the quotes.
?
请注意,为了更好的可读性,上面例子中的URI属性值被分成两行显示了.这里仅仅是为了是代码具有更好的可读性,
在实际配置文件中RUI属性值不能换行,否则代理不能正常启动.如果你使用上面的示例代码,记得让RUI属性值配置
在一行中.
?
In the preceding example, the SSL_RSA_WITH_RC4_128_SHA cipher suite is the
only one that’s been enabled on the ActiveMQ SSL transport. Additional cipher suites
can be enabled using a comma-separated list. The purpose of this new option is for
added security as it allows only certain cipher suites to be enabled. This can be handy
in environments that consider some cipher suites too weak to leave them enabled,
such as the Payment Card Industry (PCI).
?
前面例子中,配置SSL_RSA_WITH_RC4_128_SHA为ActiveMQ SSL传输连接器唯一使用的加密套件.
也可以配置多个加密套件,每个加密套件之间用逗号分隔.新增这个选项的目的是通过使用特定的加密
套件来增强安全性.在某些情况下,比如支付卡行业中,使用这个参数可以不启用哪些安全性差的加密套件.
?
NOTE?
To test which cipher suites are enabled, a Perl script named ssl-ciphercheck.pl?
is available (http://mng.bz/Ko7k). This script was inspired by the
Payment Card Industry Data Security Standard (PCI DSS) for preventing
credit card fraud (see http://mng.bz/8cYo). The script is easy to use and
makes performing a check for weak ciphers extremely easy.
Not everyone will need to disable SSL cipher suites, but if you do, this new option for
the SSL transport will make the task easy.
注意:
可以使用一个名称为ssl-ciphercheck.pl(从http://mng.bz/Ko7k获得)的Perl脚本来测试哪些加密套件是可用的.
这个脚本来自支付卡行业数据安全标准,用于防止信用卡诈_骗(参见:see http://mng.bz/8cYo).
这个脚本容易使用,能非常轻易的检查出安全性查的加密套件.不是所有人都需要了解SSL加密套件,但是一旦你有相关需求,
使用SSL transport的这个新参数会很容易的完成任务.