
Last updated: 2026-02-13

ActiveMQ TLS/SSL Configuration Guide

This guide provides recommended TLS/SSL settings for Apache ActiveMQ to encrypt client-to-broker communication. ActiveMQ uses Java's JSSE for TLS, so certificates are managed through Java keystores.

Prerequisites

Certificate Setup

ActiveMQ uses Java keystores for certificate management. You need a keystore (containing the broker's certificate and private key) and a truststore (containing the CA certificate you want to trust: for clients, the CA that signed the broker certificate; for the broker, the CA that signs client certificates when client authentication is required). Two points matter for security. The broker certificate must carry the host name in a subjectAltName extension, because hostname verification matches the SAN, not the CN. And the keystore and private key must be readable only by the account the broker runs as, since the store password is also written in cleartext into activemq.xml. Replace the changeit placeholder used below with a real password.

Create a Broker Keystore

# Generate a broker keystore with a new key pair. The SAN carries the host
# name that clients verify; -genkeypair is the current name of -genkey
keytool -keystore /etc/activemq/ssl/broker.keystore.jks \
    -alias activemq-broker -keyalg RSA -keysize 2048 \
    -genkeypair -validity 365 -storepass changeit \
    -dname "CN=activemq.example.com" \
    -ext "SAN=dns:activemq.example.com"

# Generate a CSR (repeat the SAN so it is part of the request)
keytool -keystore /etc/activemq/ssl/broker.keystore.jks \
    -alias activemq-broker -certreq -file broker.csr -storepass changeit \
    -ext "SAN=dns:activemq.example.com"

# Sign with your CA (using openssl). By default openssl x509 -req does not
# copy extensions from the CSR, so the SAN is supplied again via -extfile
printf 'subjectAltName=DNS:activemq.example.com\n' > broker.ext
openssl x509 -req -in broker.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out broker-signed.crt -days 365 -sha256 -extfile broker.ext

# Import the CA certificate into the keystore first, so keytool can build
# the chain when the signed certificate is imported
keytool -keystore /etc/activemq/ssl/broker.keystore.jks \
    -alias CARoot -importcert -file ca.crt -storepass changeit -noprompt

# Import the signed certificate under the key pair's alias
keytool -keystore /etc/activemq/ssl/broker.keystore.jks \
    -alias activemq-broker -importcert -file broker-signed.crt -storepass changeit

# Restrict the keystore to the broker account (adjust the account name to
# your installation)
chown activemq:activemq /etc/activemq/ssl/broker.keystore.jks
chmod 600 /etc/activemq/ssl/broker.keystore.jks

Create a Truststore

keytool -keystore /etc/activemq/ssl/broker.truststore.jks \
    -alias CARoot -importcert -file ca.crt -storepass changeit -noprompt

Using PKCS12 (Alternative)

Convert PEM files to PKCS12 format. The -chain option pulls the issuing CA out of ca.crt into the file, so the broker presents the full chain:

openssl pkcs12 -export -in broker.crt -inkey broker.key -chain -CAfile ca.crt \
    -out /etc/activemq/ssl/broker.keystore.p12 -name activemq-broker -password pass:changeit

When you use this file, point keyStore in <sslContext> at the .p12 and set keyStoreType="PKCS12". Note that -password pass:... exposes the password to other users through the process list and the shell history; -password env:VARIABLE or an interactive prompt avoids that.
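The same procedure carried out end to end with openssl alone, as an added example that is not ActiveMQ tooling or the keytool flow above: it creates a private CA, issues a broker certificate with the SAN and server-auth key usage set explicitly, packs key, certificate and CA into a PKCS12 keystore for use with keyStoreType="PKCS12", and verifies the result. The directory, host name, CA name, password and the function names are placeholders chosen for this example, not defaults of any product.

```shell
#!/bin/sh
# Added example, not ActiveMQ tooling: private CA + broker certificate with
# SAN + PKCS12 keystore, using openssl only. DIR, HOST, the CA name and the
# password are placeholders supplied by the caller.
set -eu

# Minimal req config so the commands do not depend on the system openssl.cnf.
# The v3_ca section makes the CA certificate a real trust anchor.
write_config() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR: self-signed CA key and certificate (ca.key, ca.crt)
make_ca() {
    write_config "$1"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
        -config "$1/ca.cnf" -extensions v3_ca \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"
}

# make_broker_cert DIR HOST: broker.key, broker.csr and CA-signed broker.crt.
# The SAN carries HOST because clients match the SAN, not the CN. openssl
# x509 -req does not copy extensions from the CSR by default, so they are
# supplied through -extfile at signing time.
make_broker_cert() {
    openssl req -new -newkey rsa:2048 -sha256 -nodes -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/broker.key" -out "$1/broker.csr" 2>/dev/null
    chmod 600 "$1/broker.key"
    cat > "$1/broker.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
    openssl x509 -req -in "$1/broker.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$1/broker.ext" \
        -out "$1/broker.crt" 2>/dev/null
}

# make_keystore DIR PASSWORD: broker.keystore.p12 holding key, certificate
# and CA under alias activemq-broker; load it with keyStoreType="PKCS12".
make_keystore() {
    openssl pkcs12 -export -in "$1/broker.crt" -inkey "$1/broker.key" \
        -certfile "$1/ca.crt" -name activemq-broker \
        -passout "pass:$2" -out "$1/broker.keystore.p12"
    chmod 600 "$1/broker.keystore.p12"
}

# verify_chain DIR: succeeds only if broker.crt chains to ca.crt
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/broker.crt" >/dev/null
}

# cert_san DIR: print the SAN of broker.crt, e.g. "DNS:activemq.example.com"
cert_san() {
    openssl x509 -in "$1/broker.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# make_all DIR HOST PASSWORD: the whole procedure, verified at the end.
# Example: make_all /etc/activemq/ssl activemq.example.com 'a-real-password'
make_all() {
    mkdir -p "$1"
    make_ca "$1"
    make_broker_cert "$1" "$2"
    make_keystore "$1" "$3"
    verify_chain "$1"
}
```

Source the file and run make_all as the broker account; ca.crt is what clients import into their truststore with the keytool command under Create a Truststore. OpenSSL 3 writes PKCS12 files with AES and a SHA-256 MAC, which older Java releases cannot read; if the broker logs a keystore exception on startup, re-export with -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 added to the pkcs12 -export call.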

Transport Connector TLS

Configure an SSL transport connector in activemq.xml to accept TLS-encrypted connections on port 61617.

SSL Transport Connector

<transportConnectors>
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61617?needClientAuth=false"/>
</transportConnectors>

SSL Context

Define the keystore, truststore, and TLS protocol settings in the <sslContext> element:

<sslContext>
    <sslContext
        keyStore="/etc/activemq/ssl/broker.keystore.jks"
        keyStorePassword="changeit"
        keyStoreType="JKS"
        trustStore="/etc/activemq/ssl/broker.truststore.jks"
        trustStorePassword="changeit"
        trustStoreType="JKS"/>
</sslContext>

Protocol Versions

Restrict every TLS endpoint the JVM creates to TLS 1.2 and TLS 1.3 by setting JVM system properties in the env file or the startup wrapper. jdk.tls.server.protocols covers the listening connectors; jdk.tls.client.protocols covers connections the broker itself initiates, such as network connectors to other brokers. TLS 1.3 needs JDK 11, or JDK 8u261 and later. The same restriction can be applied to a single connector with the transport.enabledProtocols=TLSv1.2,TLSv1.3 URI option, which is the form to use when one connector must differ from the rest:

ACTIVEMQ_SSL_OPTS="-Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.server.protocols=TLSv1.2,TLSv1.3"

RHEL/CentOS: Add the ACTIVEMQ_SSL_OPTS line to /etc/sysconfig/activemq or /etc/activemq/env.

Debian/Ubuntu: Add the ACTIVEMQ_SSL_OPTS line to /etc/default/activemq.

Cipher Suites

Configure strong cipher suites using the transport connector URI parameter. The list below holds the TLS 1.3 suites followed by TLS 1.2 ECDHE suites with AEAD ciphers only, so every connection has forward secrecy and no CBC-mode or static RSA key exchange suite is offered. Two caveats: JSSE rejects a list containing a suite name the running JDK does not support with an IllegalArgumentException, and the connector then fails to start, so drop the ChaCha20-Poly1305 entries on JDKs older than 12; and the ECDSA suites can only be negotiated when the broker key is an EC key, which the RSA key generated above is not (they are harmless but unused):

<transportConnector name="ssl"
    uri="ssl://0.0.0.0:61617?needClientAuth=false&amp;transport.enabledCipherSuites=TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"/>

Client Certificate Authentication

To require clients to present a TLS certificate (mutual TLS), set needClientAuth=true. Client certificates are validated against the trustStore in <sslContext>, so that store must hold the CA that issues client certificates. A valid certificate only proves possession of a key; to authenticate broker users by certificate, pair this with the jaasCertificateAuthenticationPlugin and a TextFileCertificateLoginModule that maps certificate DNs to user names:

<transportConnector name="ssl"
    uri="ssl://0.0.0.0:61617?needClientAuth=true"/>

STOMP over TLS

To accept STOMP protocol connections over TLS, add a stomp+ssl transport connector:

<transportConnector name="stomp+ssl"
    uri="stomp+ssl://0.0.0.0:61612?needClientAuth=false"/>

The stomp+ssl connector uses the same <sslContext> keystore and truststore as the ssl connector, but URI options such as transport.enabledCipherSuites and transport.enabledProtocols are set per connector and are not inherited. Every TLS connector needs the same restrictions; one left without them falls back to the JVM defaults.

Web Console HTTPS

Configure the ActiveMQ web console (Jetty) to use HTTPS by editing conf/jetty.xml. In the jetty.xml shipped with ActiveMQ 5.x the connectors are passed to the server through the list in the invokeConnectors bean, where a commented-out SecureConnector template already sits; put the bean below in that list, because a bean defined outside it is never attached to the server. The stock layout keeps the plain connector on 8161 and puts HTTPS on 8162; if you reuse 8161 as shown here, remove the plain Connector bean from the list so the console is not also reachable unencrypted. The Jetty property for protocol selection is includeProtocols (it maps to setIncludeProtocols); the trustStore settings only matter if you also enable client certificate authentication on the factory with needClientAuth.

<bean id="secureConnector" class="org.eclipse.jetty.server.ServerConnector">
    <constructor-arg ref="Server"/>
    <constructor-arg>
        <bean class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
            <property name="keyStorePath" value="/etc/activemq/ssl/broker.keystore.jks"/>
            <property name="keyStorePassword" value="changeit"/>
            <property name="keyStoreType" value="JKS"/>
            <property name="trustStorePath" value="/etc/activemq/ssl/broker.truststore.jks"/>
            <property name="trustStorePassword" value="changeit"/>
            <property name="trustStoreType" value="JKS"/>
            <property name="includeProtocols" value="TLSv1.2,TLSv1.3"/>
        </bean>
    </constructor-arg>
    <property name="port" value="8161"/>
</bean>

Complete Configuration

A complete activemq.xml excerpt with TLS transport connectors and SSL context:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans.xsd
       http://activemq.apache.org/schema/core
       http://activemq.apache.org/schema/core/activemq-core.xsd">

    <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">

        <!-- SSL context -->
        <sslContext>
            <sslContext
                keyStore="/etc/activemq/ssl/broker.keystore.jks"
                keyStorePassword="changeit"
                keyStoreType="JKS"
                trustStore="/etc/activemq/ssl/broker.truststore.jks"
                trustStorePassword="changeit"
                trustStoreType="JKS"/>
        </sslContext>

        <!-- Transport connectors -->
        <transportConnectors>
            <transportConnector name="ssl"
                uri="ssl://0.0.0.0:61617?needClientAuth=false&amp;transport.enabledProtocols=TLSv1.2,TLSv1.3&amp;transport.enabledCipherSuites=TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"/>
            <!-- URI options are per connector and are not inherited: repeat the protocol and cipher restrictions here -->
            <transportConnector name="stomp+ssl"
                uri="stomp+ssl://0.0.0.0:61612?needClientAuth=false&amp;transport.enabledProtocols=TLSv1.2,TLSv1.3&amp;transport.enabledCipherSuites=TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"/>
        </transportConnectors>

    </broker>

</beans>

Client Connections

Java JMS

import javax.jms.Connection;
import org.apache.activemq.ActiveMQSslConnectionFactory;

// socket.verifyHostName=true (URI option added in ActiveMQ 5.15.6) makes the client match
// the broker certificate's SAN against the host name; without it any certificate that
// chains to the trusted CA is accepted, whatever host it was issued for
ActiveMQSslConnectionFactory factory =
    new ActiveMQSslConnectionFactory("ssl://activemq.example.com:61617?socket.verifyHostName=true");
factory.setTrustStore("/path/to/client.truststore.jks");   // CA that signed the broker certificate
factory.setTrustStorePassword("changeit");
factory.setKeyStore("/path/to/client.keystore.jks");       // only needed when the broker sets needClientAuth=true
factory.setKeyStorePassword("changeit");

// setTrustStore/setKeyStore declare "throws Exception", so this code belongs in a method that throws or catches it
Connection connection = factory.createConnection();
connection.start();

STOMP Client

openssl s_client can carry a STOMP session, but a STOMP frame ends with a NUL byte that cannot be typed at the interactive prompt, and s_client exits as soon as its stdin closes. Pipe the frame in, keep the pipe open long enough to read the reply, and verify the broker certificate while you are at it. The frame sent is:

CONNECT
accept-version:1.2
host:activemq.example.com
login:admin
passcode:admin

^@

where ^@ is the NUL terminator, and login/passcode are needed when the broker requires authentication:

(printf 'CONNECT\naccept-version:1.2\nhost:activemq.example.com\nlogin:admin\npasscode:admin\n\n\0'; sleep 2) \
    | openssl s_client -connect activemq.example.com:61612 -servername activemq.example.com \
        -CAfile ca.crt -verify_return_error

A CONNECTED frame in the output means the TLS handshake and STOMP authentication both succeeded; an ERROR frame means TLS was fine but the credentials were rejected.

Command-Line Testing

Test the SSL transport connector with the bundled producer tool. The trust store has to reach the JVM as system properties: the activemq script appends ACTIVEMQ_SSL_OPTS (and ACTIVEMQ_OPTS) to the java command line, whereas -D flags written after the producer subcommand are handed to the tool as ordinary arguments and never reach the JVM. If your env file already assigns ACTIVEMQ_SSL_OPTS, add the trust store properties there instead, since the file is sourced after your shell's exports. Use a real account rather than the default admin/admin credentials, which must be changed on any broker that is not a throwaway:

export ACTIVEMQ_SSL_OPTS="-Djavax.net.ssl.trustStore=/path/to/client.truststore.jks -Djavax.net.ssl.trustStorePassword=changeit"
activemq producer --brokerUrl ssl://activemq.example.com:61617 \
    --user admin --password admin

Verification

Check that the TLS listener is active, that the certificate chains to your CA, and that its SAN matches the host name (the command fails instead of printing a session when either check fails):

openssl s_client -connect activemq.example.com:61617 -servername activemq.example.com \
    -CAfile ca.crt -verify_hostname activemq.example.com -verify_return_error </dev/null

Confirm that the protocol restriction is in force; this handshake must fail:

openssl s_client -connect activemq.example.com:61617 -tls1_1 </dev/null

With needClientAuth=true the first command must fail as well, and succeed only once a client certificate is supplied with -cert client.crt -key client.key.

Verify the port is listening:

ss -tlnp | grep 61617

Check the web console over HTTPS, verifying the certificate against your CA rather than disabling verification with -k (a check that passes with -k proves only that something answers on the port):

curl --cacert ca.crt https://activemq.example.com:8161/admin/

Check the broker logs for TLS handshake information:

grep -i ssl /var/log/activemq/activemq.log