Problem statement
I am trying to configure ActiveMQ Artemis embedded in WildFly to work with a secured connection between the client and Kubernetes Ingress.
I have a Java client that connects to a Kubernetes backend with multiple deployments and an Ingress controller. The client communicates using:
- REST (HTTP)
- remote+http (JBoss protocol)
- messaging-activemq over HTTP
Everything works correctly without TLS, including JMS. Ingress is currently redirecting traffic on port 8080.
Now, I need to secure the connection between the client and Ingress. I added the following TLS configuration to my Ingress resources:
tls:
  - hosts:
      - mydomain.com
    secretName: mysecret
I updated the client configuration:
- Changed http → https in URLs.
- Changed remote+http → remote+https.
- Changed port 80 → port 443.
After these changes:
REST and remote+https work correctly. JMS does not work. The client retrieves the JMS connection factory from the WildFly server dynamically.
Client Code
final TopicConnectionFactory connectionFactory =
    (TopicConnectionFactory) context.lookup(aName);
connectionFactory.createTopicConnection();
Current WildFly Configuration
Standalone.xml:
<subsystem xmlns="urn:jboss:domain:messaging-activemq:16.0">
    <server name="default">
        <security enabled="false"/>
        <http-connector name="http-connector" socket-binding="http-remote-jms" endpoint="http-acceptor"/>
        <http-acceptor name="http-acceptor" http-listener="default"/>
        <connection-factory name="RemoteConnectionFactory"
                            entries="java:jboss/exported/jms/RemoteConnectionFactory"
                            connectors="http-connector"/>
    </server>
</subsystem>
Previously, the http-remote-jms socket-binding was set to port 80, and it worked before switching to TLS. After switching to TLS, it stopped working, so I changed the port to 443 because the client has to use port 443 to connect to the Ingress.
I debugged the client application, and the host in TransportConfiguration is correct. As I understand, the http-connector is responsible for providing connection configuration to the client. Since socket-binding only defines host and port, both should now be correct.
I also tried modifying http-acceptor, changing it to https-acceptor, but it didn't work. I do not want to secure the connection between the Ingress and WildFly. My goal is to pass only the connection parameters to the client, without modifying the server-side setup. I have tried multiple approaches to achieve this, but none of them have worked so far. I think that https-acceptor does not work because of the Ingress configuration.
Ingress Configuration
rules:
  - host: mydomain.com
    http:
      paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: sample-backend
              port:
                number: 8080
I cannot change port 8080 to 443, because other services (REST, remote+jms) rely on it. My WildFly server does not have a TLS certificate, and I want to secure only the connection between the client and Ingress. The connection between Ingress and WildFly should remain unencrypted.
Possible Solutions
- Keep WildFly using an unsecured connection but inform the client to use HTTPS. The client should use a secure connection to Ingress while WildFly remains unencrypted. However, it seems the client still attempts to use HTTP even when port 443 is set.
- Configure WildFly to use HTTPS for JMS. This requires a certificate on WildFly. The problem is how to redirect traffic properly in Ingress, as Ingress only redirects to port 8080. Does messaging-activemq use a specific URL pattern that could be matched in Ingress rules? (e.g., if messaging-activemq used schema://host:port/jms, I could match /jms in Ingress.)
- Manually configure the client to connect over HTTPS instead of relying on WildFly's connection factory. This would allow independent client-side configuration. WildFly would still use HTTP internally, but the client-Ingress connection would be secure. How can I configure ServerLocator to use HTTPS?
Any advice on how to make this work?
UPDATE
I configured the client manually. The following code works:
import java.util.HashMap;
import org.apache.activemq.artemis.api.core.TransportConfiguration;
import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
import org.apache.activemq.artemis.api.core.client.ServerLocator;
import org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory;

// Netty connector pointed at the Ingress host; the HTTP upgrade reaches WildFly's http-acceptor
TransportConfiguration transportConfiguration = new TransportConfiguration(
    "org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnectorFactory",
    new HashMap<String, Object>() {{
        put("host", "mydomain");
        put("port", 443);
        put("httpUpgradeEndpoint", "http-acceptor");   // name of the http-acceptor in standalone.xml
        put("activemqServerName", "default");          // <server name="default">
        put("httpUpgradeEnabled", "true");
        put("localAddress", "0.0.0.0");
        put("sslEnabled", true);                       // TLS towards the Ingress; the parameter the JNDI factory lacks
    }}
);
ServerLocator locator = ActiveMQClient.createServerLocatorWithoutHA(transportConfiguration);
ActiveMQConnectionFactory connectionFactory = new ActiveMQConnectionFactory(locator);
I debugged the solution where the connection factory is taken from the context, and the only difference is the sslEnabled param. It is not set when the connection factory is taken from the context. The solution comes down to setting the sslEnabled parameter in the WildFly server. How do I do that? Is it possible to set it in http-connector?
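Added example, not code from the question: a client-side adapter that takes the connection factory obtained from the JNDI context, copies its static connector parameters (host, port, httpUpgrade*, activemqServerName) and sets the one parameter the update identifies as missing, sslEnabled, on the copy, so the server side stays on plain HTTP. The class name TlsConnectionFactoryAdapter, the JNDI name "jms/RemoteConnectionFactory" (the exported form of the entry in standalone.xml) and the added verifyHost flag are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import javax.naming.Context;
import javax.naming.InitialContext;
import org.apache.activemq.artemis.api.core.TransportConfiguration;
import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
import org.apache.activemq.artemis.api.core.client.ServerLocator;
import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
import org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory;

/** Hypothetical helper (not part of the question): re-creates a JNDI-supplied factory with sslEnabled=true. */
public final class TlsConnectionFactoryAdapter {

    /** True when the connector carries no sslEnabled flag, the state the debugger showed for the JNDI factory. */
    static boolean lacksSslFlag(TransportConfiguration tc) {
        Object flag = tc.getParams().get(TransportConstants.SSL_ENABLED_PROP_NAME);
        return flag == null || !Boolean.parseBoolean(String.valueOf(flag));
    }

    /** Copies every static connector of the factory and adds the TLS flags; server-side settings are untouched. */
    public static ActiveMQConnectionFactory withTls(ActiveMQConnectionFactory fromJndi) {
        TransportConfiguration[] originals = fromJndi.getServerLocator().getStaticTransportConfigurations();
        TransportConfiguration[] secured = new TransportConfiguration[originals.length];
        for (int i = 0; i < originals.length; i++) {
            Map<String, Object> params = new HashMap<>(originals[i].getParams());
            params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);  // "sslEnabled": TLS to the Ingress only
            params.put(TransportConstants.VERIFY_HOST_PROP_NAME, true);  // "verifyHost": cert must match mydomain.com
            secured[i] = new TransportConfiguration(
                originals[i].getFactoryClassName(), params, originals[i].getName());
        }
        ServerLocator locator = ActiveMQClient.createServerLocatorWithoutHA(secured);
        return new ActiveMQConnectionFactory(locator);
    }

    public static void main(String[] args) throws Exception {
        Context context = new InitialContext();  // remote+https naming context, as in the question
        ActiveMQConnectionFactory fromJndi =
            (ActiveMQConnectionFactory) context.lookup("jms/RemoteConnectionFactory");
        for (TransportConfiguration tc : fromJndi.getServerLocator().getStaticTransportConfigurations()) {
            System.out.println(tc.getName() + " lacks sslEnabled: " + lacksSslFlag(tc));
        }
        var conn = withTls(fromJndi).createTopicConnection();  // var: works with javax.jms and jakarta.jms alike
        try {
            conn.start();
        } finally {
            conn.close();
        }
    }
}
```

The adapter answers the third option in the question (client-side configuration) while the JNDI factory is still used as the source of host, port and acceptor name, which is why the only line that differs from the manual TransportConfiguration is the sslEnabled put.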