You need to get a certificate signed by a CA, trusted by your client. If you require client authentication, the clients certificate needs to be signed by a CA trusted by the broker. Setting up the certificates for testing. For testing purposes you could use the to setup your certificates. In summary you need to create a root CA and import it to the brokers certificate data base. Create a certificate for the broker, sign it using the root CA and then import it into the brokers certificate data base. Load the acl module using --load-module or if loading more than one module, copy ssl.so to the location pointed by --module-dir Ex if running from source. ./qpidd --load-module /libs/ssl.so Specify the password file (a plain text file with the password), certificate database and the brokers certificate name using the following options Ex ./qpidd ... --ssl-cert-password-file ~/pfile --ssl-cert-db ~/server_db/ --ssl-cert-name localhost.localdomain If you require client authentication you need to add --ssl-require-client-authentication as a command line argument. Please note that the default port for SSL connections is 5671, unless specified by --ssl-port Here is an example of a broker instance that requires SSL client side authenticaiton ./qpidd ./qpidd --load-module /libs/ssl.so --ssl-cert-password-file ~/pfile --ssl-cert-db ~/server_db/ --ssl-cert-name localhost.localdomain --ssl-require-client-authentication

This guide is for connecting with the Qpid c++ broker. Setting up the certificates for testing. In summary, You need to import the trusted CA in your trust store and keystore Generate keys for the certificate in your key store Create a certificate request using the generated keys Create a certficate using the request, signed by the trusted CA. Import the signed certificate into your keystore. Pass the following JVM arguments to your client. -Djavax.net.ssl.keyStore=/home/bob/ssl_test/keystore.jks -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=/home/bob/ssl_test/certstore.jks -Djavax.net.ssl.trustStorePassword=password

If the Qpid broker requires client authentication then you need to get a certificate signed by a CA, trusted by your client. Use the connectSSL instead of the standard connect method of the client interface. connectSSL signature is as follows: public void connectSSL(String host, int port, String virtualHost, String username, String password, String serverName, String certPath, bool rejectUntrusted) Where host: Host name on which a Qpid broker is deployed port: Qpid broker port virtualHost: Qpid virtual host name username: User Name password: Password serverName: Name of the SSL server certPath: Path to the X509 certificate to be used when the broker requires client authentication rejectUntrusted: If true connection will not be established if the broker is not trusted (the server certificate must be added in your truststore)

Simply use amqps:// in the URL string as defined above