LibraryToggle FramesPrintFeedback

Search for the existing definition of the Connector bean in the conf/jetty.xml file. In the default file, you should see some lines like the following:

<property name="connectors">
        <bean id="Connector" class="org.eclipse.jetty.server.nio.SelectChannelConnector">
            <property name="port" value="8161" />

Replace the preceding lines by the following lines:

<property name="connectors">
        <bean id="Connector" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
            <property name="port"        value="8443" />
            <property name="maxIdleTime" value="30000"/>
            <property name="keystore"    value="${activemq.home}/conf/broker.ks"/>
            <property name="password"    value="testjetty"/>
            <property name="keyPassword" value="testjetty"/>
            <property name="truststore"  value="${activemq.home}/conf/broker.ks"/>

Where the SslSelectChannelConnector properties can be explained as follows:


Specifies the secure IP port number (accessible through HTTPS).


Specifies the connection idle time in units of milliseconds. If there is no activity on a connection for longer than this timeout, the connection will be closed.


Specifies the location of the Jetty server's own X.509 certificate, which is stored in a Java keystore file on the file system. The Jetty server uses this certificate to identify itself to a client, during the SSL handshake.


Specifies the store password, which is needed to unlock the keystore file (see Java Keystores).


Specifies the key password, which is used to decrypt the private key that is stored within the keystore file. Typically, the store password and the key password are identical (some SSL implementations even require this to be the case).


Specifies the location of a Java keystore file that contains a list of one or more trusted certificates, which can be used during the SSL handshake to check that incoming client certificates are correctly signed. In the current example, the truststore is actually irrelevant, because clients are not required to send a certificate to the Jetty server.

When SSL security is configured as shown, you can access the Web console through the HTTPS protocol using the following URL:


The broker.ks certificate used in the preceding example is insecure, because anyone can access its private key. To secure your system properly, you must create new certificates signed by a trusted CA, as described in Managing Certificates.

Comments powered by Disqus
loading table of contents...